Windows Privesc Flashcards
What is the command for systeminfo?
systeminfo
What is the command for the hostname?
hostname
What is the command for the user context?
whoami
What is the command for the user context and privs (potato exploits)?
whoami /priv
Once we have the username, what command produces more information?
net user "username"
How do we discover other users on the system?
net user
How do we enumerate the operating system's architecture?
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
How do we enumerate running services and processes?
tasklist /SVC
How do we enumerate Networking Information?
ipconfig /all
How do we enumerate routing tables?
route print
How do we enumerate active network connections?
netstat -ano
How do we enumerate active firewall status?
netsh advfirewall show currentprofile
How do we enumerate active firewall rules?
netsh advfirewall firewall show rule name=all
How do we enumerate scheduled tasks?
schtasks /query /fo LIST /v
How do we enumerate installed applications?
wmic product get name, version, vendor
How do we enumerate system-wide updates?
wmic qfe get Caption, Description, HotFixID, InstalledOn
How do we enumerate files with readable and writable permissions?
accesschk.exe -uws "Everyone" "C:\Program Files" (The path is an example; it can be changed.)
How do we enumerate unmounted disks?
mountvol
What are the two commands that enumerate binaries that autoelevate? Why is this important?
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
This is important because if either of these settings is set to 1 (0x1), any user can run Windows Installer Packages with elevated privileges.
If we have permission to run Windows Installer Packages what file would we create?
An MSI file
What are access tokens?
When a Windows User is authenticated, they are given a token. This token describes their current security context including their privileges.
What is an SID?
A Security Identifier. This is a unique value assigned to each security principal, including user and group accounts, and it is carried in access tokens.
Who generates SIDs?
Windows Local Security Authority.
Describe what the integrity mechanism is.
It assigns integrity levels to application processes and securable objects. The level describes how much trust Windows places in those processes. These levels also dictate read and write access.
Name the four integrity processes and the respective rights associated with them.
System Integrity Process: SYSTEM Rights.
High Integrity Process: Administrative Rights.
Medium Integrity Process: Standard User Rights.
Low Integrity Process: Very restricted rights. Often used in sandboxed processes.
Describe and explain User Account Control (UAC).
UAC forces applications and tasks to run in the context of a non-administrative account until an administrator authorizes elevated access.
It will block installers and unauthorized applications from running without the permissions of an administrative account and also blocks changes to system settings.
In general, the effect of UAC is that any application that wishes to perform an operation with a potential system-wide impact cannot do so silently. At least in theory.
Describe the two different modes of UAC.
Credential Prompt and Consent Prompt.
Credential Prompt is used when a standard user tries to perform an administrative action, such as installing a program. It prompts for an administrator's password.
Consent Prompt occurs when an administrative user wishes to do the same; they are simply asked to consent, since they already have administrative rights.
Even while logged in as an administrative user, the account will have two security tokens, one running at a medium integrity level and the other at a high integrity level. UAC acts as the separation mechanism between those two integrity levels.