Windows Privesc

Question 1

What is the command for systeminfo?

Answer 1

systeminfo

Question 2

What is the command for the hostname?

Answer 2

hostname

Question 3

What is the command for the user context?

Answer 3

whoami

Question 4

What is the command for the user context and privs (potato exploits)?

Answer 4

whoami /priv

Question 5

Once we have the username, what command produces more information?

Answer 5

net user “username”

Question 6

How do we discover other users on the system?

Answer 6

net user

Question 7

How do we enumerate the operating systems architecture?

Answer 7

systeminfo | findstr /B /C:”OS Name” /C:”OS Version” /C:”System Type”

Question 8

How do we enumerate running services and processes?

Answer 8

tasklist /SVC

Question 9

How do we enumerate Networking Information?

Answer 9

ipconfig /all

Question 10

How do we enumerate routing tables?

Answer 10

route print

Question 11

How do we enumerate active network connections?

Answer 11

netstat -ano

Question 12

How do we enumerate active firewall status?

Answer 12

netsh advfirewall show currentprofile

Question 13

How do we enumerate active firewall rules?

Answer 13

netsh advfirewall firewall show rule name=all

Question 14

How do we enumerate scheduled tasks?

Answer 14

schtasks /query /fo LIST /v

Question 15

How do we enumerate installed applications?

Answer 15

wmic product get name, version, vendor

Question 16

How do we enumerate system wide updates?

Answer 16

wmic qfe get Caption, Description, HotFixID, InstalledOn

Question 17

How do we enumerate files with readable and writable permissions?

Answer 17

accesschk.exe -uws “Everyone” “C:\Program Files” (The path is an example, this can be changed).

Question 18

How do we enumerate unmounted disks?

Answer 18

mountvol

Question 19

What are the two commands that enumerate binaries that autoelevate? Why is this important?

Answer 19

reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer

reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

This is important because if either of these settings are set to 1, any user can run Windows Installer Packages with elevated privileges (0x1).

Question 20

If we have permission to run Windows Installer Packages what file would we create?

Answer 20

An MSI file

Question 21

What are access tokens?

Answer 21

When a Windows User is authenticated, they are given a token. This token describes their current security context including their privileges.

Question 22

What is an SID?

Answer 22

A Security Identifier. This is a unique object given to each security object, including tokens, and includes users and group accounts.

Question 23

Who generates SIDs?

Answer 23

Windows Local Security Authority.

Question 24

Describe what the integrity mechanism is.

Answer 24

It prescribes integrity levels application processes and securable objects. It describes the level of trust Windows places in those processes. These also dictate readable and writable permissions.

Question 25

Name the four integrity processes and the respective rights associated with them.

Answer 25

System Integrity Process: SYSTEM Rights.
High Integrity Process: Administrative Rights.
Medium Integrity Process: Standard User Rights.
Low Integrity Process: Very restricted rights. Often used in sandboxed processes.

Question 26

Describe and explain User Account Control (UAC).

Answer 26

UAC forces applications and tasks to run in the context of a non-administrative account
until an administrator authorizes elevated access.

It will block installers and unauthorized applications from running without the permissions of an administrative account and also blocks changes to system settings.

In general, the effect of UAC is that any application that wishes to perform an operation with a potential system-wide impact, cannot do so silently. At least in theory.

Question 27

Describe the two different modes of UAC.

Answer 27

Credential Prompt and Consent Prompt.

Credential Prompt is used when a standard user tries to do an adminstrative action - such as installing a program. It will prompt for an administrators password.

Consent Prompt occurs when an administrative user wishes to do similar, however they are simply asked to consent since they have administrative rights.

Even while logged in as an administrative user, the account will have two security tokens, one
running at a medium integrity level and the other at high integrity level. UAC acts as the separation
mechanism between those two integrity levels.