OWASP Delhi, profile picture
Uploaded byOWASP Delhi
PPTX, PDF2,397 views

Windows privilege escalation by Dhruv Shah

The document discusses various techniques for privilege escalation in Windows systems, including methods like abusing scheduled tasks and unquoted service paths. It outlines two main types of escalation: admin to system and user to system, highlighting the more complex nature of user to system escalations. The presentation also indicates various vulnerabilities and misconfigurations that can be exploited to gain higher privileges on Windows systems.

Internet
In this document
Powered by AI

Introduction to the concept of Windows privilege escalation, emphasizing the need for gaining system-level access.

A personal disclaimer clarifying that the opinions expressed are those of the speaker, Dhruv Shah.

Introduction of the presenter, Dhruv Shah, with his Twitter handle and website.

Discussion on scenarios for privilege escalation including design flaws, system updates, and permissions.

Identifying the Windows operating systems that will be covered: Windows XP, 7, and 2003.

Explaining two types of privilege escalation: from Admin to System and User to System, emphasizing the latter's complexity.

Introduction to simple methods for escalating from Admin to System, highlighting tools like 'at' command and 'psexec'.

A demo showcasing methods of achieving system privileges using the discussed techniques.

Demonstration of achieving System privilege using the 'at' command.

Discussion on acquiring user hashes, with a note on the complexity of cracking secure passwords.

Description of how scheduled tasks can be exploited if the executing file is accessible to all users.

A demonstration of exploiting scheduled tasks for privilege escalation.

Overview of potential locations for sensitive credentials in user files and registries.

Discussion on the risks associated with weak directory permissions.

A demo related to weaknesses in directory permissions.

Overview of attack vectors related to service misconfigurations with emphasis on unquoted service paths.

Detailed explanation of unquoted service paths and the security implications thereof.

Demonstration of exploiting unquoted service paths.

Discussion on service binaries, how to exploit them, and a specific case of upnphost service.

Conclusion of the presentation and opening the floor for questions.

Embed presentation

Downloaded 65 times
Windows Privilege Escalation Because gaining shell to the system is just not enough
C:> type disclaimer.txt • The opinions expressed in this presentation are mine and not those of my employer.
• Dhruv Shah • @snypter • http://security-geek.in
What are we here for ? • Different scenarios leading to privilege escalation • Design issues , implementation flaws, untimely system updates , permission issues etc • We ain’t talking about overflows here , just logics and techniques 
Flavours are we looking at ? • Windows XP • Windows 7 • Windows 2003
Two Types of Escalation • Admin to System – Easy , not much effort needed • User to System – Here is where the real deal lies in 
Admin to System ( Piece of Cake ) • The famous “at” command • “psexec” anyone ?
Demo
System Privilege using “at”
Pass the Hash • Managed to get the user hash • Password is complex will take long time to crack via rainbowtables • Boom Boom Pow.
Abusing Scheduled Tasks • Admin creates a scheduler task with System privileges
Abusing Scheduled Tasks • Sadly the file to be executed is accessible by everyone
Demo
Creds in Files • C:usersvictimDesktoppassword.xls • C:>dir /b /s web.config • C:>dir /b /s unattend.xml • C:>dir /b /s sysprep.inf • C:>dir /b /s sysprep.xml • C:>dir /b /s *pass* • Registries are also a good place to have a look at
Weak Directory Permissions Lets have some fun
Demo
Abusing Service misconfigurations • Possible attack vectors ? – Editing the service config – Editing the binary path Todays Discusssion – Unquoted Service path Vulnerability
Unquoted Service Path
Unquoted Service Path • c:program*filessub*dirprogram*name • c:program.exe filessub dirprogram name • c:program filessub.exe dirprogram name • c:program filessub dirprogram.exe name
Unquoted Service Path
Unquoted Service Path
Demo
Editing Service Binaries • What are service binaries ? • How do we exploit them ? • Lets exploit upnphost of the Windows system a default servcice that runs
Editing Service Binaries
Editing Service Binaries
Editing Service Binaries
Demo
Thank you • Questions ?

More Related Content

PPT
Secure code practices
byHina Rawal
 
PDF
Level Up! - Practical Windows Privilege Escalation
byjakx_
 
PDF
Privilege escalation from 1 to 0 Workshop
byHossam .M Hamed
 
PDF
Windows Threat Hunting
byGIBIN JOHN
 
PPTX
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
byNikhil Mittal
 
PPTX
Catch Me If You Can: PowerShell Red vs Blue
byWill Schroeder
 
PDF
How fun of privilege escalation Red Pill2017
byAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
PDF
Hunting for Credentials Dumping in Windows Environment
byTeymur Kheirkhabarov
 
Secure code practices
byHina Rawal
 
Level Up! - Practical Windows Privilege Escalation
byjakx_
 
Privilege escalation from 1 to 0 Workshop
byHossam .M Hamed
 
Windows Threat Hunting
byGIBIN JOHN
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
byNikhil Mittal
 
Catch Me If You Can: PowerShell Red vs Blue
byWill Schroeder
 
How fun of privilege escalation Red Pill2017
byAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
Hunting for Credentials Dumping in Windows Environment
byTeymur Kheirkhabarov
 

What's hot

PDF
How to Hunt for Lateral Movement on Your Network
bySqrrl
 
PDF
aclpwn - Active Directory ACL exploitation with BloodHound
byDirkjanMollema
 
PDF
Threat Hunting
bySplunk
 
PPTX
CyberSecurity Best Practices for the IIoT
byCreekside Marketing Group, LLC
 
PPTX
Kheirkhabarov24052017_phdays7
byTeymur Kheirkhabarov
 
PPTX
I hunt sys admins 2.0
byWill Schroeder
 
PDF
ReCertifying Active Directory
byWill Schroeder
 
PPT
Computer Forensics & Windows Registry
byaradhanalaw
 
PPTX
Vulnerabilities in modern web applications
byNiyas Nazar
 
PDF
Super Easy Memory Forensics
byIIJ
 
PDF
Forensics of a Windows System
byConferencias FIST
 
PDF
Access Control: Principles and Practice
byNabeel Yoosuf
 
PPTX
Six Degrees of Domain Admin - BloodHound at DEF CON 24
byAndy Robbins
 
PDF
How MITRE ATT&CK helps security operations
bySergey Soldatov
 
PPTX
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
byScott Sutherland
 
PPTX
Windows 10 CredentialGuard vs Mimikatz - SEC599
byErik Van Buggenhout
 
PDF
Penetration testing & Ethical Hacking
byS.E. CTS CERT-GOV-MD
 
PPTX
Vulnerable_and_outdated_components_suman.pptx
bySuman Astani
 
PDF
Sigma and YARA Rules
byLionel Faleiro
 
PPTX
Demo of security tool nessus - Network vulnerablity scanner
byAjit Dadresa
 
How to Hunt for Lateral Movement on Your Network
bySqrrl
 
aclpwn - Active Directory ACL exploitation with BloodHound
byDirkjanMollema
 
Threat Hunting
bySplunk
 
CyberSecurity Best Practices for the IIoT
byCreekside Marketing Group, LLC
 
Kheirkhabarov24052017_phdays7
byTeymur Kheirkhabarov
 
I hunt sys admins 2.0
byWill Schroeder
 
ReCertifying Active Directory
byWill Schroeder
 
Computer Forensics & Windows Registry
byaradhanalaw
 
Vulnerabilities in modern web applications
byNiyas Nazar
 
Super Easy Memory Forensics
byIIJ
 
Forensics of a Windows System
byConferencias FIST
 
Access Control: Principles and Practice
byNabeel Yoosuf
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
byAndy Robbins
 
How MITRE ATT&CK helps security operations
bySergey Soldatov
 
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
byScott Sutherland
 
Windows 10 CredentialGuard vs Mimikatz - SEC599
byErik Van Buggenhout
 
Penetration testing & Ethical Hacking
byS.E. CTS CERT-GOV-MD
 
Vulnerable_and_outdated_components_suman.pptx
bySuman Astani
 
Sigma and YARA Rules
byLionel Faleiro
 
Demo of security tool nessus - Network vulnerablity scanner
byAjit Dadresa
 

Viewers also liked

PPTX
Fundamentals of Linux Privilege Escalation
bynullthreat
 
PPTX
Cyber threat Intelligence and Incident Response by:-Sandeep Singh
byOWASP Delhi
 
PPT
Privilege Escalation And Misconfigurations Part2
byCaleb Sima
 
PPTX
How to own the world, one desktop at a time
bySaumil Shah
 
PDF
The Mysteries Of JavaScript-Fu (@media Europe Edition)
bydanwrong
 
PPTX
Raspberry pi
byDhruv Shah
 
PPTX
An Introduction to Sysinternals
byRiyaz Walikar
 
ODP
Hostile Subdomain Takeover by Ankit Prateek
byOWASP Delhi
 
PPTX
Hot potato Privilege Escalation
bySunny Neo
 
PPTX
Attack on Sony
byNick Bilogorskiy
 
PDF
From zero to SYSTEM on full disk encrypted windows system
byNabeel Ahmed
 
PDF
Thwarting The Surveillance in Online Communication by Adhokshaj Mishra
byOWASP Delhi
 
PDF
Hack.LU - The Infosec Crossroads
bySaumil Shah
 
PPTX
Intro To Privilege Elevation
byMichael Shalyt
 
PDF
Prepare Yourself to Become Infosec Professional
byM.Syarifudin, ST, OSCP, OSWP
 
PPTX
Quadrant holdings issa asad
byissa asad
 
PDF
Técnicas de redimension
byLUISALAMADRID
 
PPTX
GDES 5341 Presentation - App.Ly
byRachit Gupta
 
PPTX
How To Stop Smoking
byNewSourceMarket
 
PPTX
Voicing our elasticity
byUmar Basim
 
Fundamentals of Linux Privilege Escalation
bynullthreat
 
Cyber threat Intelligence and Incident Response by:-Sandeep Singh
byOWASP Delhi
 
Privilege Escalation And Misconfigurations Part2
byCaleb Sima
 
How to own the world, one desktop at a time
bySaumil Shah
 
The Mysteries Of JavaScript-Fu (@media Europe Edition)
bydanwrong
 
Raspberry pi
byDhruv Shah
 
An Introduction to Sysinternals
byRiyaz Walikar
 
Hostile Subdomain Takeover by Ankit Prateek
byOWASP Delhi
 
Hot potato Privilege Escalation
bySunny Neo
 
Attack on Sony
byNick Bilogorskiy
 
From zero to SYSTEM on full disk encrypted windows system
byNabeel Ahmed
 
Thwarting The Surveillance in Online Communication by Adhokshaj Mishra
byOWASP Delhi
 
Hack.LU - The Infosec Crossroads
bySaumil Shah
 
Intro To Privilege Elevation
byMichael Shalyt
 
Prepare Yourself to Become Infosec Professional
byM.Syarifudin, ST, OSCP, OSWP
 
Quadrant holdings issa asad
byissa asad
 
Técnicas de redimension
byLUISALAMADRID
 
GDES 5341 Presentation - App.Ly
byRachit Gupta
 
How To Stop Smoking
byNewSourceMarket
 
Voicing our elasticity
byUmar Basim
 

Similar to Windows privilege escalation by Dhruv Shah

PPTX
Windows Privilege Escalation
byRiyaz Walikar
 
PDF
Hunting for Privilege Escalation in Windows Environment
byTeymur Kheirkhabarov
 
PDF
Windows Attacks AT is the new black
byRob Fuller
 
PDF
Windows attacks - AT is the new black
byChris Gates
 
PPTX
Windows Client Privilege Escalation-Shared.pptx
byOddvar Moe
 
PPTX
Privilege Escalation in Ethical Hacking.pptx
byGuna Dhondwad
 
PDF
1000 to 0
bySunny Neo
 
PDF
Well, that escalated quickly! - a penetration tester's approach to privilege ...
byDefCamp
 
PPTX
Windows Privilege Escalation Techniques.pptx
bypentest716
 
PPTX
Windows advanced
byyarden hanan
 
PPTX
RACE - Minimal Rights and ACE for Active Directory Dominance
byNikhil Mittal
 
PPTX
Escalate Privileges in Windows: Addressing a Critical Security Vulnerability
byBert Blevins
 
PPTX
Unquoted service path exploitation
byDhruv Sharma
 
PPTX
Defending Your "Gold"
byWill Schroeder
 
PPTX
File windows local
byyarden hanan
 
PPTX
File windows local
byyarden hanan
 
PPTX
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
byScott Sutherland
 
PDF
Windows Security Internals: A Deep Dive into Windows Authentication, Authoriz...
bymodhaofentibo
 
PDF
Windows Security Internals 1 / converted Edition James Forshaw
bysoskoxtamkego
 
PPTX
Not a Security Boundary: Bypassing User Account Control
byenigma0x3
 
Windows Privilege Escalation
byRiyaz Walikar
 
Hunting for Privilege Escalation in Windows Environment
byTeymur Kheirkhabarov
 
Windows Attacks AT is the new black
byRob Fuller
 
Windows attacks - AT is the new black
byChris Gates
 
Windows Client Privilege Escalation-Shared.pptx
byOddvar Moe
 
Privilege Escalation in Ethical Hacking.pptx
byGuna Dhondwad
 
1000 to 0
bySunny Neo
 
Well, that escalated quickly! - a penetration tester's approach to privilege ...
byDefCamp
 
Windows Privilege Escalation Techniques.pptx
bypentest716
 
Windows advanced
byyarden hanan
 
RACE - Minimal Rights and ACE for Active Directory Dominance
byNikhil Mittal
 
Escalate Privileges in Windows: Addressing a Critical Security Vulnerability
byBert Blevins
 
Unquoted service path exploitation
byDhruv Sharma
 
Defending Your "Gold"
byWill Schroeder
 
File windows local
byyarden hanan
 
File windows local
byyarden hanan
 
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
byScott Sutherland
 
Windows Security Internals: A Deep Dive into Windows Authentication, Authoriz...
bymodhaofentibo
 
Windows Security Internals 1 / converted Edition James Forshaw
bysoskoxtamkego
 
Not a Security Boundary: Bypassing User Account Control
byenigma0x3
 

More from OWASP Delhi

PDF
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
byOWASP Delhi
 
PDF
Securing dns records from subdomain takeover
byOWASP Delhi
 
PDF
Effective Cyber Security Report Writing
byOWASP Delhi
 
PPTX
Data sniffing over Air Gap
byOWASP Delhi
 
PPTX
UDP Hunter
byOWASP Delhi
 
PDF
Demystifying Container Escapes
byOWASP Delhi
 
PPTX
Automating WAF using Terraform
byOWASP Delhi
 
PPTX
Actionable Threat Intelligence
byOWASP Delhi
 
PDF
Threat hunting 101 by Sandeep Singh
byOWASP Delhi
 
PPTX
Owasp top 10 vulnerabilities
byOWASP Delhi
 
PPTX
Recon with Nmap
byOWASP Delhi
 
PPTX
Securing AWS environments by Ankit Giri
byOWASP Delhi
 
PDF
DMARC Overview
byOWASP Delhi
 
PDF
Cloud assessments by :- Aakash Goel
byOWASP Delhi
 
PDF
Pentesting Rest API's by :- Gaurang Bhatnagar
byOWASP Delhi
 
ODP
Wireless security beyond password cracking by Mohit Ranjan
byOWASP Delhi
 
PDF
IETF's Role and Mandate in Internet Governance by Mohit Batra
byOWASP Delhi
 
PDF
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
byOWASP Delhi
 
PPTX
ICS Security 101 by Sandeep Singh
byOWASP Delhi
 
PDF
DFIR using Docker Containers by Deep Shankar Yadav
byOWASP Delhi
 
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
byOWASP Delhi
 
Securing dns records from subdomain takeover
byOWASP Delhi
 
Effective Cyber Security Report Writing
byOWASP Delhi
 
Data sniffing over Air Gap
byOWASP Delhi
 
UDP Hunter
byOWASP Delhi
 
Demystifying Container Escapes
byOWASP Delhi
 
Automating WAF using Terraform
byOWASP Delhi
 
Actionable Threat Intelligence
byOWASP Delhi
 
Threat hunting 101 by Sandeep Singh
byOWASP Delhi
 
Owasp top 10 vulnerabilities
byOWASP Delhi
 
Recon with Nmap
byOWASP Delhi
 
Securing AWS environments by Ankit Giri
byOWASP Delhi
 
DMARC Overview
byOWASP Delhi
 
Cloud assessments by :- Aakash Goel
byOWASP Delhi
 
Pentesting Rest API's by :- Gaurang Bhatnagar
byOWASP Delhi
 
Wireless security beyond password cracking by Mohit Ranjan
byOWASP Delhi
 
IETF's Role and Mandate in Internet Governance by Mohit Batra
byOWASP Delhi
 
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
byOWASP Delhi
 
ICS Security 101 by Sandeep Singh
byOWASP Delhi
 
DFIR using Docker Containers by Deep Shankar Yadav
byOWASP Delhi
 

Recently uploaded

PDF
Antrophic abuse by GTG-1002 group, cyber attack analysis by MITRE ATLAS and A...
byCarlo Dapino
 
PPTX
Presentation4.pptx space it's exploration
byvarung3424
 
PDF
Ethereum Fusaka Upgrade Set For December 3: Everything you need to know | 3.0 TV
by3verseTV
 
PDF
DNS Principles and Operations - Lecture 04
byInternet Systems Consortium and University of Ostrava
 
PDF
ResleekTV Review 2025: Is It the Best IPTV Service? Full Guide & Features
byStream Insight Reviews
 
PPTX
Understanding Universal Acceptance (UA) and Technical Challenges
byBangladesh Network Operators Group
 
PDF
Hybrid Mesh Firewall: Network firewall revolution
byBangladesh Network Operators Group
 
PDF
BELUGA slideshow funny and cool make you laugh
byjoshuaindrei
 
PPTX
Types of conflicthjhhkjljljjikjhbsakmxlsakx;lsakxla,xa,x.a,laxlaklsadisjcjsdd
bykburdzenidzeboys
 
PDF
DNS Principles and Operations - Lecture 05
byInternet Systems Consortium and University of Ostrava
 
PDF
Optimizing DNS Performance in Kubernetes: Challenges and Best Practices
byBangladesh Network Operators Group
 
PDF
DNSSEC Deployment for .BD SLDs by Abdul Awal
byBangladesh Network Operators Group
 
PDF
DNS Principles and Operations - Lecture 01
byInternet Systems Consortium and University of Ostrava
 
PDF
From Technocracy to Data Sovereignty, Open Data and Geospatial Technologies
byFranz-Josef Behr
 
Antrophic abuse by GTG-1002 group, cyber attack analysis by MITRE ATLAS and A...
byCarlo Dapino
 
Presentation4.pptx space it's exploration
byvarung3424
 
Ethereum Fusaka Upgrade Set For December 3: Everything you need to know | 3.0 TV
by3verseTV
 
DNS Principles and Operations - Lecture 04
byInternet Systems Consortium and University of Ostrava
 
ResleekTV Review 2025: Is It the Best IPTV Service? Full Guide & Features
byStream Insight Reviews
 
Understanding Universal Acceptance (UA) and Technical Challenges
byBangladesh Network Operators Group
 
Hybrid Mesh Firewall: Network firewall revolution
byBangladesh Network Operators Group
 
BELUGA slideshow funny and cool make you laugh
byjoshuaindrei
 
Types of conflicthjhhkjljljjikjhbsakmxlsakx;lsakxla,xa,x.a,laxlaklsadisjcjsdd
bykburdzenidzeboys
 
DNS Principles and Operations - Lecture 05
byInternet Systems Consortium and University of Ostrava
 
Optimizing DNS Performance in Kubernetes: Challenges and Best Practices
byBangladesh Network Operators Group
 
DNSSEC Deployment for .BD SLDs by Abdul Awal
byBangladesh Network Operators Group
 
DNS Principles and Operations - Lecture 01
byInternet Systems Consortium and University of Ostrava
 
From Technocracy to Data Sovereignty, Open Data and Geospatial Technologies
byFranz-Josef Behr
 

Windows privilege escalation by Dhruv Shah