Managing Privileges

Privileges in Windows are applied through access tokens, which is generated during authentication. Each access token contains a SID (security identifier) which uniquely identifies the user / group etc that has the privilege.

Integrity Mechanism

Each process and securable object in Windows has an assigned integrity level. Processes with higher integrity levels can access more privileged actions and resources.

Quoting OSCP:

  • System integrity process: SYSTEM rights
  • High integrity process: administrative rights
  • Medium integrity process: standard user rights
  • Low integrity process: restricted rights, e.g. sandboxed processes

Use whoami /groups to check current shell process’s integrity level. A Mandatory Label\Medium Mandatory Level indicates a medium integrity process.

User Account Control (UAC)

UAC prompts the user when a program tries to elevate privileges. Microsoft admits that UAC is not a security guarantee (sometimes called security boundary). See this Stack Exchange question for more details. What it does is that it asks for user confirmation before a process request privileges. The process remains unprivileged (running with medium integrity) until a privileged user confirms or enters admin password if the user is unprivileged (then runs with high integrity).

Windows Registry

Check what registry keys the program reads/writes using SysInternals Process Monitor (procmon.exe). If the value falls under HKCU (HKEY_CURRENT_USER) then it may be exploitable since current user can modify the value.

Windows Password Attacks

See: common password attacks Windows stores hashed passwords in the Security Accounts Manager (SAM). Windows introduced SYSKEY, which partially encrypts the SAM file.

Mimikatz

Use mimikatz to dump Windows password hashes. Launch from admin shell.

  • privilege::debug (try to enable SeDebugPrivilege; needed for elevation)
  • token:elevate (try to elevate from high integrity to SYSTEM)
  • lsadump::sam (dump cached NTLM hashes from LSASS)

Pass the Hash using pth-winexe

See pass-the-hash

John The Ripper cracks NTLM hash

echo 'user1:ntlm_hash1' > hashes.txt
echo 'user2:ntlm_hash2' >> hashes.txt
sudo john hashes.txt --format=NT --wordlist=<wl>