Managing Privileges
Privileges in Windows are applied through access tokens, which are generated during authentication. Each access token contains the SID (security identifier) of the user and of every group the user belongs to, together with the privileges granted to them; the SID uniquely identifies the principal that holds the privilege.
Integrity Mechanism
Each process and securable object in Windows has an assigned integrity level. Processes with higher integrity levels can access more privileged actions and resources.
Quoting OSCP:
- System integrity process: SYSTEM rights
- High integrity process: administrative rights
- Medium integrity process: standard user rights
- Low integrity process: restricted rights, e.g. sandboxed processes
Use whoami /groups to check the current shell process's integrity level. An entry of Mandatory Label\Medium Mandatory Level indicates a medium integrity process.
User Account Control (UAC)
UAC prompts the user when a program tries to elevate privileges. Microsoft states that UAC is not a security guarantee (sometimes called a security boundary); see this Stack Exchange question for details. What it does is ask for user confirmation before a process is granted elevated privileges. The process remains unprivileged (running at medium integrity) until an administrative user confirms the prompt, or a standard user enters an administrator's password; it then runs at high integrity.
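The integrity and UAC points above, as an added example that is not part of the original notes: a Python parser over constructed whoami /groups output that reports the integrity tier and whether UAC has filtered the Administrators group to "deny only", which is what a non-elevated admin shell looks like. The sample output and the helper name assess_token are assumptions made for this example.

```python
import re

# Integrity tiers as listed in the notes, keyed by the label name whoami prints.
INTEGRITY_TIERS = {
    "Low Mandatory Level": "low (restricted rights, e.g. sandboxed)",
    "Medium Mandatory Level": "medium (standard user rights)",
    "High Mandatory Level": "high (administrative rights)",
    "System Mandatory Level": "system (SYSTEM rights)",
}

# Constructed sample of `whoami /groups` from a non-elevated admin shell:
# UAC has left the Administrators group in the token but marked it deny-only.
SAMPLE_WHOAMI_GROUPS = """\
GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\\Administrators                 Alias            S-1-5-32-544 Group used for deny only
BUILTIN\\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
Mandatory Label\\Medium Mandatory Level Label            S-1-16-8192
"""


def assess_token(whoami_output):
    """Summarise integrity tier and UAC filtering from `whoami /groups` text."""
    result = {"integrity": "unknown", "admin_member": False, "uac_filtered": False}
    for line in whoami_output.splitlines():
        m = re.match(r"Mandatory Label\\(\w+ Mandatory Level)", line)
        if m:
            result["integrity"] = INTEGRITY_TIERS.get(m.group(1), "unknown")
        elif line.startswith("BUILTIN\\Administrators"):
            result["admin_member"] = True
            # In the unelevated half of a split token, UAC keeps the admin
            # group only as a deny-only SID, so it grants no access.
            result["uac_filtered"] = "Group used for deny only" in line
    # A shell counts as elevated only with a usable admin group at high/system.
    result["elevated"] = (
        result["admin_member"]
        and not result["uac_filtered"]
        and result["integrity"].startswith(("high", "system"))
    )
    return result


if __name__ == "__main__":
    print(assess_token(SAMPLE_WHOAMI_GROUPS))
```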
Windows Registry
Check which registry keys the program reads and writes using Sysinternals Process Monitor (procmon.exe). If the value lives under HKCU (HKEY_CURRENT_USER), it may be exploitable, since the current user can modify the value.
Windows Password Attacks
See: common password attacks. Windows stores hashed passwords in the Security Accounts Manager (SAM). Windows introduced SYSKEY, which partially encrypts the SAM file.
Mimikatz
Use mimikatz to dump Windows password hashes. Launch it from an administrative shell.
- privilege::debug: try to enable SeDebugPrivilege (needed for elevation)
- token::elevate: try to elevate from high integrity to SYSTEM
- lsadump::sam: dump cached NTLM hashes from LSASS
Pass the Hash using pth-winexe
See pass-the-hash