Privilege Escalation
Hack Responsibly.
Always ensure you have explicit permission to access any computer system before using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
Local Privilege Escalation
PowerUp Misconfiguration Abuse
BeRoot General Privilege Escalation Enumeration Tool
Privesc General Privilege Escalation Enumeration Tool
FullPowers Restore a service account's privileges
Juicy Potato Abuse SeImpersonate or SeAssignPrimaryToken Privileges for System Impersonation
⚠️ Works only until Windows Server 2016 and Windows 10 until patch 1803
Lovely Potato Automated Juicy Potato
⚠️ Works only until Windows Server 2016 and Windows 10 until patch 1803
PrintSpoofer Exploit the PrinterBug for System Impersonation
🙏 Works for Windows Server 2019 and Windows 10
RoguePotato Upgraded Juicy Potato
🙏 Works for Windows Server 2019 and Windows 10
Domain Privilege Escalation
Kerberoast
Any authenticated domain user can request a service ticket (TGS) for any SPN. When the SPN is bound to a "user" account, the ticket is encrypted with a key derived from that account's password, so we can extract the encrypted blob and brute-force it offline.
Using PowerView:
Using PowerShell AD Module:
Using Impacket:
Using Rubeus:
ASREPRoast
If a domain user account does not require Kerberos preauthentication, we can request a valid TGT for this account without even having domain credentials, extract the encrypted blob and brute-force it offline.
PowerView:
Get-DomainUser -PreauthNotRequired -Verbose
AD Module:
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth
Forcefully disable Kerberos preauth on an account we have Write permissions (or more) over. Check for interesting permissions on accounts:
We add a filter (e.g. RDPUsers) to get "User Accounts" not Machine Accounts, because Machine Account hashes are not crackable!
Using PowerView:
And finally execute the attack using the ASREPRoast tool.
Using Rubeus:
Using Impacket:
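The defender's counterpart to the Kerberoast and ASREPRoast sections above, as an added example that is not part of the original cheat sheet: a small triage over parsed Security events. It flags 4769 service-ticket requests for user-bound SPNs issued with RC4 (TicketEncryptionType 0x17), grouped per requester, and 4768 TGT requests issued without pre-authentication (PreAuthType 0). The SAMPLE_EVENTS records, account names and addresses are constructed for the example.

```python
"""Detection helper: Kerberoast / AS-REP roast indicators in Windows Security events (constructed samples)."""
from collections import defaultdict

RC4_HMAC = 0x17    # TicketEncryptionType 0x17 (RC4-HMAC) is what offline crackers target
NO_PREAUTH = "0"   # PreAuthType 0 = logon without Kerberos pre-authentication

# Constructed sample records; field names follow the 4768/4769 event XML.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.0.5"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.0.5"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.0.5"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "FILE01$",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:10.0.0.9"},
    {"EventID": 4768, "TargetUserName": "legacy_app", "ServiceName": "krbtgt", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.0.5"},
    {"EventID": 4768, "TargetUserName": "alice", "ServiceName": "krbtgt", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:10.0.0.9"},
]

def is_kerberoast_candidate(ev):
    """Successful 4769 for a user-bound SPN (not a machine account, not krbtgt) issued with RC4."""
    if ev.get("EventID") != 4769 or ev.get("Status") != "0x0":
        return False
    svc = ev.get("ServiceName", "")
    if svc.endswith("$") or svc.lower().startswith("krbtgt"):
        return False
    return int(ev.get("TicketEncryptionType", "0x0"), 16) == RC4_HMAC

def is_asrep_roast_candidate(ev):
    """Successful 4768 issued without pre-authentication: the AS-REP blob is crackable offline."""
    return (ev.get("EventID") == 4768 and ev.get("Status") == "0x0"
            and ev.get("PreAuthType") == NO_PREAUTH)

def triage(events, spn_threshold=3):
    """Requesters asking RC4 tickets for many distinct SPNs, plus no-preauth accounts per source IP."""
    rc4_spns, no_preauth = defaultdict(set), defaultdict(set)
    for ev in events:
        if is_kerberoast_candidate(ev):
            rc4_spns[ev["TargetUserName"]].add(ev["ServiceName"])
        elif is_asrep_roast_candidate(ev):
            no_preauth[ev["IpAddress"]].add(ev["TargetUserName"])
    findings = [("kerberoast", who, sorted(s)) for who, s in rc4_spns.items() if len(s) >= spn_threshold]
    findings += [("asrep_roast", src, sorted(a)) for src, a in no_preauth.items()]
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Accounts that legitimately have preauth disabled will also surface here, which makes the second finding a ready-made list of accounts to re-enable preauth on.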
Password Spray Attack
If we have harvested some passwords by compromising a user account, we can use this method to try and exploit password reuse on other domain accounts.
Tools:
Force Set SPN
If we have enough permissions (GenericAll/GenericWrite) we can set an SPN on a target account, request a TGS, then grab its blob and brute-force it.
Using PowerView:
Using PowerShell AD Module:
Finally use any tool from before to grab the hash and Kerberoast it!
Abusing Shadow Copies
If you have local administrator access on a machine, try to list shadow copies; it is an easy path to domain escalation.
You can dump the backed-up SAM database and harvest credentials.
Look for DPAPI stored creds and decrypt them.
Access backed-up sensitive files.
List and Decrypt Stored Credentials using Mimikatz
Usually encrypted credentials are stored in:
%appdata%\Microsoft\Credentials
%localappdata%\Microsoft\Credentials
Detailed Article: DPAPI all the things
Unconstrained Delegation
If we have administrative access on a machine that has Unconstrained Delegation enabled, we can wait for a high-value target or DA to connect to it, steal their TGT, then pass-the-ticket and impersonate them!
Using PowerView:
Note: We can also use Rubeus!
Constrained Delegation
Using PowerView and Kekeo:
After enumeration, request the TGT using kekeo
ALTERNATIVE: Using Rubeus:
Now we can access the service as the impersonated user!
🚩 What if we have delegation rights for only a specific SPN? (e.g TIME):
In this case we can still abuse a feature of Kerberos called "alternative service". This allows us to request TGS tickets for other "alternative" services and not only for the one we have rights for. That gives us the leverage to request valid tickets for any service we want that the host supports, giving us full access over the target machine.
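As an added example that is not part of the original cheat sheet, the configuration-side check for the Unconstrained and Constrained Delegation sections above: decoding the userAccountControl bits (TRUSTED_FOR_DELEGATION, TRUSTED_TO_AUTH_FOR_DELEGATION, DONT_REQ_PREAUTH) together with msDS-AllowedToDelegateTo to list the accounts a domain should review. The SAMPLE_ACCOUNTS objects stand in for LDAP results and are constructed.

```python
"""Audit helper: classify delegation and pre-auth exposure from userAccountControl (constructed samples)."""

# userAccountControl bit values as documented for Active Directory
SERVER_TRUST_ACCOUNT = 0x2000                # domain controller computer account
TRUSTED_FOR_DELEGATION = 0x80000             # unconstrained delegation
DONT_REQ_PREAUTH = 0x400000                  # Kerberos pre-authentication disabled
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained delegation with protocol transition

# Constructed sample accounts: sAMAccountName, userAccountControl, msDS-AllowedToDelegateTo
SAMPLE_ACCOUNTS = [
    {"name": "DC01$", "uac": 0x82000, "allowed_to": []},                    # DC: unconstrained is expected
    {"name": "WEB01$", "uac": 0x81000, "allowed_to": []},                   # member server, unconstrained
    {"name": "svc_iis", "uac": 0x1000200, "allowed_to": ["cifs/FILE01"]},   # protocol transition
    {"name": "svc_report", "uac": 0x200, "allowed_to": ["time/FILE01"]},    # Kerberos-only constrained
    {"name": "legacy_app", "uac": 0x400200, "allowed_to": []},              # pre-auth not required
    {"name": "da_admin", "uac": 0x100200, "allowed_to": []},                # marked "sensitive", fine
]

def classify(acct):
    """Return the risk labels that apply to one account (empty list when nothing stands out)."""
    uac, risks = acct["uac"], []
    # Unconstrained delegation is normal on DCs; anywhere else it is the scenario described above.
    if uac & TRUSTED_FOR_DELEGATION and not uac & SERVER_TRUST_ACCOUNT:
        risks.append("unconstrained-delegation")
    # Protocol transition lets the account obtain tickets for any user, so it ranks above plain constrained.
    if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        risks.append("constrained-delegation-protocol-transition")
    elif acct["allowed_to"]:
        risks.append("constrained-delegation")
    if uac & DONT_REQ_PREAUTH:
        risks.append("preauth-not-required")
    return risks

def audit(accounts):
    """Map account name -> risk labels, omitting accounts with no findings."""
    return {a["name"]: classify(a) for a in accounts if classify(a)}

if __name__ == "__main__":
    for name, risks in audit(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {', '.join(risks)}")
```

Accounts listed under constrained delegation should also be reviewed for which SPNs appear in msDS-AllowedToDelegateTo, since the "alternative service" behaviour above means the SPN name is not a meaningful restriction.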
Resource Based Constrained Delegation
If we have GenericAll/GenericWrite privileges on a machine account object of a domain, we can abuse it and impersonate any user of the domain to that machine. For example, we can impersonate a Domain Administrator and have complete access.
Tools we are going to use:
First we need to enter the security context of the user/machine account that has the privileges over the object. If it is a user account we can use Pass the Hash, RDP, PSCredentials etc.
Exploitation Example:
After that we need to get the RC4 hash of the new machine account's password using Rubeus
Detailed Articles:
❗ In Constrained and Resource-Based Constrained Delegation, if we don't have the password/hash of the account with TRUSTED_TO_AUTH_FOR_DELEGATION that we try to abuse, we can use the very nice trick "tgt::deleg" from kekeo or "tgtdeleg" from Rubeus and fool Kerberos into giving us a valid TGT for that account. Then we just use the ticket instead of the hash of the account to perform the attack.
Detailed Article: Rubeus – Now With More Kekeo
DNSAdmins Abuse
If a user is a member of the DNSAdmins group, they can possibly load an arbitrary DLL with the privileges of dns.exe, which runs as SYSTEM. In case the DC serves DNS, the user can escalate their privileges to DA. This exploitation process needs privileges to restart the DNS service to work.
Enumerate the members of the DNSAdmins group:
PowerView:
Get-NetGroupMember -GroupName "DNSAdmins"
AD Module:
Get-ADGroupMember -Identity DNSAdmins
Once we find a member of this group we need to compromise it (there are many ways).
Then, by serving a malicious DLL on an SMB share and configuring the DLL usage, we can escalate our privileges:
Abusing Active Directory-Integrated DNS
Abusing Backup Operators Group
If we manage to compromise a user account that is a member of the Backup Operators group, we can then abuse its SeBackupPrivilege to create a shadow copy of the current state of the DC, extract the ntds.dit database file, dump the hashes and escalate our privileges to DA.
Once we have access on an account that has the SeBackupPrivilege we can access the DC and create a shadow copy using the signed binary diskshadow:
1. Create a .txt file that will contain the shadow copy process script.
2. Next, execute diskshadow with our script as a parameter.
3. Next, you need to access the shadow copy. Even if you have the SeBackupPrivilege you cannot simply copy ntds.dit. You will need to mimic backup software and use Win32 API calls to copy it to an accessible folder. For this we are going to build a malicious dll from this amazing repo and use it to abuse SeBackupPrivilege.
4. Using smbclient.py from impacket or some other tool, copy ntds.dit and the SYSTEM hive to your local machine.
5. Use secretsdump.py from impacket and dump the hashes.
6. Use psexec or another tool of your choice to pass-the-hash and get Domain Admin access.
Abusing Exchange
PrivExchange Exchange your privileges for Domain Admin privs by abusing Exchange
Weaponizing Printer Bug
Abusing ACLs
Abusing IPv6 with mitm6
SID History Abuse
If we manage to compromise a child domain of a forest and SID filtering isn't enabled (most of the time it is not), we can abuse it to escalate to Domain Administrator of the root domain of the forest. This is possible because of the SID History field in a Kerberos TGT, which defines the "extra" security groups and privileges.
Exploitation example:
Detailed Articles:
Exploiting SharePoint
CVE-2019-0604 RCE Exploitation PoC
CVE-2019-1257 Code execution through BDC deserialization
CVE-2020-0932 RCE using typeconverters PoC
Zerologon Exploit
Zerologon: Unauthenticated domain controller compromise: White paper of the vulnerability.
SharpZeroLogon: C# implementation of the Zerologon exploit.
Invoke-ZeroLogon: Powershell implementation of the Zerologon exploit.
Zer0Dump: Python implementation of the Zerologon exploit using the impacket library.
Mimikatz
If mimikatz fails to dump credentials because of LSA Protection controls, there are two workarounds:
LSA as a Protected Process
LSA is running as virtualized process (LSAISO) by Credential Guard
First, check if a process called lsaiso.exe is running.
If lsaiso.exe is running there isn't a way to dump lsass, as we will only get encrypted data. However, you can still use keyloggers or clipboard dumpers to capture data. For example, you can use the malicious Security Support Provider provided by mimikatz.
Now every user session and authentication into this machine will get logged and plaintext credentials will get captured and dumped into c:\windows\system32\mimilsa.log