🐲
OSCP Notes
  • 🐲OSCP Notes
  • 🐲OSCP Methodology
  • 💡Misc
    • Metasploit
    • Antivirus Evasion
    • Password attacks
    • Reverse Shells
    • Port Forwarding, Tunneling and Pivoting
      • Local Port Forwarding
      • Remote Port Forwarding
      • Dynamic Port Forwarding
      • Lingolo-ng
    • Information Gathering
      • Passive Reconnaissance
        • Whois
        • Google Dorks
        • NetCraft
        • Git Repository
      • Active Reconnaissance
        • DNS Enumeration
        • Host Discovery
        • Port scanning
        • SMTP - 25
        • SNMP
  • Linux
    • Local Enumeration
    • Local Privileges Escalation
      • Scheduled tasks
      • Password Authentication
      • Monitor Processes
      • SetUID Binaries and Capabilities
      • Sudoers
      • Kernel Exploits
  • Windows
    • 🧠Mindmap
    • 🥝Mimikatz Basics
    • Enumeration
      • External Enumeration
      • Local Enumeration
      • Active Directory
        • PowerView
    • NTLM Hashes
    • Local Privilege Escalation
      • Service Binary Hijacking
      • Service DLL Hijacking
      • Unquoted Service Paths
      • Scheduled Tasks
      • Token impersonation
      • Backup Operators Group
    • Lateral Movement
      • WMI and WinRM
      • PsExec
      • Pass The Hash
      • Overpass The Hash
      • Pass The Ticket
      • DCOM
    • Persistence
      • Golden Ticket
      • Shadow Copy
    • Authentication Attacks
      • AS-REP Roasting
      • Kerberoasting
      • Password Spray
      • Silver Ticket
      • DC Sync
    • Client Side
    • NTLM Authentication
    • Kerberos Authentication
    • Cached Credentials
  • Web attacks
    • WordPress
    • SQL Injection (SQLi)
    • Command Injection
    • Directory Traversal
    • Local File Inclusion (LFI)
    • File Upload
Powered by GitBook
On this page
  • Basic Enumeration
  • Windows Services Exploitations
  • Service Binary Hijacking
  • Service DLL Hijacking
  • Unquoted Service Paths
  • Scheduled Tasks
  • Token impersonation
  • References
  1. Windows

Local Privilege Escalation

PreviousNTLM HashesNextService Binary Hijacking

Last updated 7 months ago

Basic Enumeration

Windows Services Exploitations

Service Binary Hijacking

This attack involves replacing the service binary with a malicious version and restart the service.

Service DLL Hijacking

This attack is similar to the "Service Binary Hijacking" but Instead of replacing the binary, it involves overwriting a the binary uses.

Another method is to hijack the DLL search order.

1. The directory from which the application loaded.
2. The system directory.
3. The 16-bit system directory.
4. The Windows directory. 
5. The current directory.
6. The directories that are listed in the PATH environment variable.

Unquoted Service Paths

This attack relies on windows find an executable path when it's Unquoted.

Scheduled Tasks

Windows Task Scheduler can execute automated tasks. This tasks can execute binary files and also scripts. Also, The scheduled tasks is running behalf on user.

Token impersonation

Windows identifies users by generating an access token assigned to each user. This token contains information about the user's privileges. When a user runs a process or thread, the primary token is assigned, specifying the permissions for that process. A thread can also have an impersonation token assigned, which provides a different security context; in this case, the process will run based on the impersonation token instead of the primary token.

References

Local Enumeration
Service Binary Hijacking
DLL
Service DLL Hijacking
Unquoted Service Paths
Scheduled Tasks
Token impersonation
Windows Local Privilege EscalationHackTricks
Hacktricks - Windows Local Privilege Escalation
Logo