Local Privilege Escalation

The CRTP exam consists of 5 target servers in addition to a foothold student machine. The goal is to OS level command execution on all 5 targets not matter what the privileges of the user.

Vectors

There are various ways of locally escalating privileges on Windows box:

Missing patches – Automated deployment and AutoLogon passwords in clear text
AlwaysInstallElevated (Any user can run MSI as SYSTEM)
Misconfigured Services – DLL Hijacking and more
NTLM Relaying a.k.a. Won't Fix

This guide offer a sufficiently comprehensive overview of the course material for local privilege escalation

CRTP-Notes/2-Local-Priv-Esc/1-Local-PrivEsc.md at main · 0xStarlight/CRTP-NotesGitHub

Tools

Automated checks

# PowerUp
Invoke-AllChecks

# winPEAS
winPEASx64.exe 

# Privesc
Invoke-PrivEsc

Services

Find vulnerable service configuration

# Get services with unquoted paths and spaces
Get-ServiceUnquoted -Verbose

# Get services where current user can write to binary path
Get-ModifiableServiceFile -Verbose

# Get the services whose configuration current user can modify
Get-ModifiableService -Verbose

Add domain user to the local Administrators group

Invoke-ServiceAbuse -Name 'AbyssWebServer' -UserName 'dcorp\studentx' -Verbose

Last updated 1 year ago

hashtag

hashtagVectors

hashtagThere are various ways of locally escalating privileges on Windows box:

hashtagTools

hashtagPowerUp

hashtagWinPEAS

hashtagPrivesc

hashtagAutomated checks

hashtagServices

Vectors

There are various ways of locally escalating privileges on Windows box:

Tools

PowerUp

WinPEAS

Privesc

Automated checks

Services