Windows Privilege Escalation: A Guide to Initial Enumeration

How to Perform Initial Enumeration for Windows Privilege Escalation

This article walks through the initial enumeration steps of a Windows privilege escalation assessment using built-in command-line tools, PowerShell, and Sysinternals utilities.

It covers retrieving network interfaces, ARP entries, and routing tables.

It also includes checking Windows Defender status, listing and testing AppLocker policies, and gathering system information such as running tasks, environment variables, patches, updates, installed software, and active network connections.

Finally, it details methods to obtain user and group information, including currently logged-in users, user privileges, and password policies, and to enumerate named pipes and their permissions.

Network Enumeration

Interfaces

C:\htb> ipconfig /all

ARP Entries

C:\htb> arp -a

Routes

C:\htb> route print

Enumerating Protections

Check Windows Defender Status

PS C:\htb> Get-MpComputerStatus

List AppLocker Rules

PS C:\htb> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

Test AppLocker Policy

PS C:\htb> Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone
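The Defender and AppLocker checks above can be run as one pass that also tests whether the current account can write into directories covered by the default AppLocker "allow everything under %WINDIR%" rule. This is an added example (editor's code, not from the original page). It assumes Windows PowerShell 5.1 on a host where the Defender cmdlets (Get-MpComputerStatus) and the AppLocker cmdlets (Get-AppLockerPolicy, Test-AppLockerPolicy) are available; the lists of binaries and directories are a constructed sample.

```powershell
# Added example (editor's code, not from the original page). Assumes Windows
# PowerShell 5.1 on a host where the Defender cmdlets (Get-MpComputerStatus) and
# AppLocker cmdlets (Get-AppLockerPolicy, Test-AppLockerPolicy) are available.
# The binaries and directories listed below are a constructed sample.

function Get-DefenderSummary {
    # Only the fields that decide whether a dropped or executed payload gets scanned.
    $mp = Get-MpComputerStatus -ErrorAction Stop
    [pscustomobject]@{
        AntivirusEnabled   = $mp.AntivirusEnabled
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        OnAccessProtection = $mp.OnAccessProtectionEnabled
        BehaviorMonitoring = $mp.BehaviorMonitorEnabled
        IoavProtection     = $mp.IoavProtectionEnabled      # downloaded files and attachments
        TamperProtected    = $mp.IsTamperProtected
        SignatureAgeDays   = $mp.AntivirusSignatureAge
    }
}

function Test-AppLockerPaths {
    # One decision object per path: FilePath, PolicyDecision, MatchingRule.
    param([string[]]$Path, [string]$User = 'Everyone')
    Get-AppLockerPolicy -Effective -ErrorAction Stop |
        Test-AppLockerPolicy -Path $Path -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

function Test-WritableDirectory {
    # Touch test: create and delete a uniquely named file. It answers the question
    # for the account actually running the script, which a DACL read only approximates.
    param([string]$Directory)
    $probe = Join-Path $Directory ("probe_{0}.tmp" -f [guid]::NewGuid())
    try {
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        $true
    } catch {
        $false
    }
}

# Sample binaries that a default AppLocker policy usually leaves allowed.
$BinariesToTest = @(
    "$env:windir\System32\cmd.exe",
    "$env:windir\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:windir\System32\mshta.exe",
    "$env:windir\System32\rundll32.exe",
    "$env:windir\System32\regsvr32.exe",
    "$env:windir\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
)
# Sample directories under %WINDIR% that are user-writable on many builds. The default
# AppLocker rule set allows everything under %WINDIR%, so a writable directory inside
# it lets any user run a dropped binary under an Allow rule.
$DirsToTest = @(
    "$env:windir\Tasks",
    "$env:windir\Temp",
    "$env:windir\Tracing",
    "$env:windir\System32\spool\drivers\color"
)

Get-DefenderSummary | Format-List
Test-AppLockerPaths -Path $BinariesToTest | Format-Table -AutoSize
foreach ($d in $DirsToTest) {
    [pscustomobject]@{ Directory = $d; Writable = (Test-WritableDirectory -Directory $d) }
}
```

A PolicyDecision of Allowed for a LOLBin such as mshta.exe or rundll32.exe, combined with any writable directory that reports True, means the AppLocker policy is not doing much against a local attacker.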

System Information

Tasklist

C:\htb> tasklist /svc

Display All Environment Variables

C:\htb> set

View Detailed Configuration Information

C:\htb> systeminfo

Patches and Updates

C:\htb> wmic qfe
PS C:\htb> Get-HotFix | ft -AutoSize
Installed Programs

C:\htb> wmic product get name

Name
Microsoft Visual C++ 2019 X64 Additional Runtime - 14.24.28127
Java 8 Update 231 (64-bit)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.24.28127
VMware Tools
Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.24.28127
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.24.28127
Java Auto Updater

<SNIP>
PS C:\htb> Get-WmiObject -Class Win32_Product | select Name, Version
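Querying Win32_Product, whether through wmic product or Get-WmiObject, has a side effect worth knowing: Windows Installer performs a consistency check, and possibly a repair, of every MSI package it enumerates, which is slow and writes MsiInstaller events to the Application log. The registry Uninstall keys hold the same list and are what "Programs and Features" reads. The script below is an added example (editor's code, not from the original page) that collects patches and installed software from those keys; it assumes Windows PowerShell 5.1.

```powershell
# Added example (editor's code, not from the original page). Assumes Windows
# PowerShell 5.1. Win32_Product is avoided on purpose: enumerating that class makes
# Windows Installer run a consistency check, and sometimes a repair, of every MSI
# package, which is slow and writes MsiInstaller events to the Application log.

function Get-InstalledSoftware {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',  # 32-bit apps on x64
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'               # per-user installs
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation |
        Sort-Object DisplayName -Unique
}

function Get-ThirdPartySoftware {
    # Microsoft runtimes and updates dominate the list; third-party software with an
    # install directory is where weak permissions and old versions tend to live.
    Get-InstalledSoftware | Where-Object { $_.Publisher -notlike 'Microsoft*' -and $_.InstallLocation }
}

function Get-PatchSummary {
    # Get-HotFix reads the same records as 'wmic qfe'. InstalledOn is empty for some
    # entries, so filter before picking the newest; the gap between the newest patch
    # and today is the first hint of how far behind the host is.
    $fixes  = @(Get-HotFix)
    $dated  = @($fixes | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending)
    $latest = if ($dated.Count -gt 0) { $dated[0].InstalledOn } else { $null }
    $days   = if ($latest) { [int](New-TimeSpan -Start $latest -End (Get-Date)).TotalDays } else { $null }
    [pscustomobject]@{
        HotFixCount    = $fixes.Count
        LatestInstall  = $latest
        DaysSincePatch = $days
        NewestKBs      = @($dated | Select-Object -First 5 | ForEach-Object { $_.HotFixID })
    }
}

Get-PatchSummary | Format-List
Get-ThirdPartySoftware | Format-Table DisplayName, DisplayVersion, Publisher, InstallLocation -AutoSize
```

The InstallLocation column is the starting point for the permission checks that follow later in an assessment (writable program directories, service binaries); the version column is what gets compared against public advisories for the software found.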

User & Group Information

Logged-In Users

C:\htb> query user

 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>administrator         rdp-tcp#2           1  Active          .  3/25/2021 9:27 AM

Current User

C:\htb> echo %USERNAME%

Current User Privileges

C:\htb> whoami /priv

Current User Group Information

C:\htb> whoami /groups
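Reading whoami /priv and whoami /groups by eye works on one host but not on twenty. The script below is an added example (editor's code, not from the original page) that parses both through whoami's /fo csv formatter and flags the privileges and group memberships that most often lead to local escalation. It assumes Windows PowerShell 5.1 and the built-in whoami.exe; the lists of privileges and groups it flags are the editor's own selection, not something the page specifies.

```powershell
# Added example (editor's code, not from the original page). Assumes Windows
# PowerShell 5.1 and the built-in whoami.exe; /fo csv gives parseable output.
# The privilege and group lists are the editor's selection.

# Token privileges that are routinely abusable for local escalation. A privilege
# shown as State=Disabled is still held by the token: the process can enable it
# with AdjustTokenPrivileges, so it is flagged regardless of state.
$InterestingPrivileges = @{
    'SeImpersonatePrivilege'        = 'impersonate tokens of connecting clients'
    'SeAssignPrimaryTokenPrivilege' = 'assign a primary token to a new process'
    'SeBackupPrivilege'             = 'read any file regardless of DACL (SAM/SYSTEM hives)'
    'SeRestorePrivilege'            = 'write any file regardless of DACL'
    'SeTakeOwnershipPrivilege'      = 'take ownership of any securable object'
    'SeDebugPrivilege'              = 'open any process, including SYSTEM ones'
    'SeLoadDriverPrivilege'         = 'load a kernel-mode driver'
    'SeManageVolumePrivilege'       = 'raw access to volumes'
    'SeCreateTokenPrivilege'        = 'create arbitrary tokens'
}
# Groups whose members get extra reach. Matched on the part after the backslash so
# both BUILTIN\ and DOMAIN\ forms are caught.
$InterestingGroups = @('Administrators', 'Backup Operators', 'Server Operators',
    'Print Operators', 'Hyper-V Administrators', 'Remote Desktop Users',
    'Remote Management Users', 'Event Log Readers', 'DnsAdmins')

function Get-TokenPrivileges {
    # Columns: "Privilege Name","Description","State"
    whoami /priv /fo csv | ConvertFrom-Csv
}

function Get-TokenGroups {
    # Columns: "Group Name","Type","SID","Attributes"
    whoami /groups /fo csv | ConvertFrom-Csv
}

function Get-IntegrityLevel {
    # The mandatory label rides along in the group list with Type = Label.
    (Get-TokenGroups | Where-Object { $_.Type -eq 'Label' }).'Group Name'
}

function Find-InterestingTokenRights {
    $hits = New-Object System.Collections.Generic.List[object]
    foreach ($p in Get-TokenPrivileges) {
        $name = $p.'Privilege Name'
        if ($InterestingPrivileges.ContainsKey($name)) {
            $hits.Add([pscustomobject]@{
                Kind = 'Privilege'; Name = $name; State = $p.State
                Why  = $InterestingPrivileges[$name]
            })
        }
    }
    foreach ($g in Get-TokenGroups) {
        $full = $g.'Group Name'
        $leaf = ($full -split '\\')[-1]
        if ($InterestingGroups -contains $leaf) {
            # Attributes containing "Group used for deny only" together with a
            # Medium integrity label means an administrator behind a UAC-filtered
            # token: the membership is real, the current process just cannot use it.
            $hits.Add([pscustomobject]@{
                Kind = 'Group'; Name = $full; State = $g.Attributes
                Why  = 'membership in a privileged group'
            })
        }
    }
    $hits
}

"Integrity level: $(Get-IntegrityLevel)"
Find-InterestingTokenRights | Format-Table -AutoSize
```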

Get All Users

C:\htb> net user

Get All Groups

C:\htb> net localgroup

Details About a Group

C:\htb> net localgroup administrators

Get Password Policy & Other Account Information

C:\htb> net accounts

Display Active Network Connections

C:\htb> netstat -ano
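The PID column of netstat -ano still has to be matched against tasklist /svc by hand, and the listing does not separate services bound to the whole host from those bound only to loopback. The script below is an added example (editor's code, not from the original page) that does both: it assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection and Windows PowerShell 5.1.

```powershell
# Added example (editor's code, not from the original page). Assumes Windows 8 /
# Server 2012 or later (Get-NetTCPConnection) and Windows PowerShell 5.1.

function Get-ListeningSockets {
    # PID -> service name(s): the same pairing 'tasklist /svc' prints.
    $svcByPid = @{}
    foreach ($svc in Get-CimInstance Win32_Service) {
        if ($svc.ProcessId -gt 0) {
            $k = [int]$svc.ProcessId
            if (-not $svcByPid.ContainsKey($k)) { $svcByPid[$k] = @() }
            $svcByPid[$k] += $svc.Name
        }
    }
    foreach ($conn in Get-NetTCPConnection -State Listen) {
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { '?' }
        [pscustomobject]@{
            LocalAddress = $conn.LocalAddress
            LocalPort    = $conn.LocalPort
            PID          = $conn.OwningProcess
            Process      = $name
            Services     = ($svcByPid[[int]$conn.OwningProcess] -join ',')
            # Loopback-only listeners never show up in a network scan of the host;
            # with a foothold they become reachable through port forwarding.
            LoopbackOnly = ($conn.LocalAddress -eq '127.0.0.1' -or $conn.LocalAddress -eq '::1')
        }
    }
}

$sockets = Get-ListeningSockets
"Loopback-only listeners (candidates for local-only services):"
$sockets | Where-Object { $_.LoopbackOnly } | Sort-Object LocalPort | Format-Table -AutoSize
"All listeners:"
$sockets | Sort-Object LocalPort | Format-Table -AutoSize
```

The Services column is empty for non-service processes; a listener owned by a process running as SYSTEM (check with tasklist /v or Get-Process -IncludeUserName from an elevated shell) and bound only to 127.0.0.1 is the kind of thing to look at next.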

We can use the tool PipeList from the Sysinternals Suite to enumerate instances of named pipes.

Listing Named Pipes with Pipelist

C:\htb> pipelist.exe /accepteula

PipeList v1.02 - Lists open named pipes
Copyright (C) 2005-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

Pipe Name                                    Instances       Max Instances
---------                                    ---------       -------------
InitShutdown                                      3               -1
lsass                                             4               -1
ntsvcs                                            3               -1
scerpc                                            3               -1
Winsock2\CatalogChangeListener-340-0              1                1
Winsock2\CatalogChangeListener-414-0              1                1
epmapper                                          3               -1
Winsock2\CatalogChangeListener-3ec-0              1                1
Winsock2\CatalogChangeListener-44c-0              1                1
LSM_API_service                                   3               -1
atsvc                                             3               -1
Winsock2\CatalogChangeListener-5e0-0              1                1
eventlog                                          3               -1
Winsock2\CatalogChangeListener-6a8-0              1                1
spoolss                                           3               -1
Winsock2\CatalogChangeListener-ec0-0              1                1
wkssvc                                            4               -1
trkwks                                            3               -1
vmware-usbarbpipe                                 5               -1
srvsvc                                            4               -1
ROUTER                                            3               -1
vmware-authdpipe                                  1                1

<SNIP>

Listing Named Pipes with PowerShell

PS C:\htb> gci \\.\pipe\

Reviewing LSASS Named Pipe Permissions

C:\htb> accesschk.exe /accepteula \\.\Pipe\lsass -v
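accesschk shows the permissions of one pipe at a time. The script below is an added example (editor's code, not from the original page) that walks every pipe that gci \\.\pipe\ lists, reads its DACL and reports grants to broad principals, which is roughly what accesschk -w \pipe\<name> -v shows for a single pipe. It assumes Windows PowerShell 5.1 on .NET Framework, where PipeStream.GetAccessControl() is built in (on PowerShell 7 it requires the System.IO.Pipes.AccessControl package). Reading a DACL needs a handle, so each pipe is connected to briefly; a server may log or react to that connection, so run it knowingly.

```powershell
# Added example (editor's code, not from the original page). Assumes Windows
# PowerShell 5.1 (.NET Framework), where PipeStream.GetAccessControl() exists.
# Each pipe is opened briefly to obtain a handle; servers may notice the connection.

# Well-known SIDs for "anyone" style principals; matching on SIDs avoids failures
# translating unresolvable accounts.
$BroadPrincipals = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-7'      = 'ANONYMOUS LOGON'
}

function Get-NamedPipeNames {
    # Same listing as 'gci \\.\pipe\', with the prefix stripped.
    [System.IO.Directory]::GetFiles('\\.\pipe\') | ForEach-Object { $_.Substring('\\.\pipe\'.Length) }
}

function Get-NamedPipeAccessRules {
    param([string]$Name)
    # PipeDirection.In requests FILE_GENERIC_READ, which includes READ_CONTROL,
    # enough to read the security descriptor.
    $client = New-Object System.IO.Pipes.NamedPipeClientStream('.', $Name, [System.IO.Pipes.PipeDirection]::In)
    try {
        $client.Connect(200)   # milliseconds; pipes with no free instance time out
        $client.GetAccessControl().GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    } finally {
        $client.Dispose()
    }
}

function Find-BroadlyAccessiblePipes {
    $control = [int]([System.IO.Pipes.PipeAccessRights]::FullControl -bor
                     [System.IO.Pipes.PipeAccessRights]::ChangePermissions -bor
                     [System.IO.Pipes.PipeAccessRights]::TakeOwnership)
    $write   = [int][System.IO.Pipes.PipeAccessRights]::WriteData
    foreach ($name in Get-NamedPipeNames) {
        try { $rules = Get-NamedPipeAccessRules -Name $name }
        catch { continue }    # timeout, access denied, or pipe gone: nothing to report
        foreach ($r in $rules) {
            if ($r.AccessControlType -ne 'Allow') { continue }
            $sid = $r.IdentityReference.Value
            if (-not $BroadPrincipals.ContainsKey($sid)) { continue }
            $rights = [int]$r.PipeAccessRights
            # Control: the principal can rewrite the DACL or take the pipe.
            # Write: the principal can send data to whatever the server parses.
            $level = if ($rights -band $control) { 'Control' }
                     elseif ($rights -band $write) { 'Write' }
                     else { 'Read' }
            [pscustomobject]@{
                Pipe      = $name
                Principal = $BroadPrincipals[$sid]
                Level     = $level
                Rights    = $r.PipeAccessRights
            }
        }
    }
}

Find-BroadlyAccessiblePipes | Where-Object { $_.Level -ne 'Read' } | Format-Table -AutoSize
```

Most RPC pipes (lsass, srvsvc, spoolss) will legitimately show Write for Everyone or Authenticated Users; the interesting entries are third-party pipes served by a SYSTEM process, and anything that reports Control.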

Named Pipes Attack Example

C:\htb> accesschk.exe -accepteula -w \pipe\WindscribeService -v

Here -w restricts the output to principals that hold write access to the object and -v prints the full set of access rights per principal. A named pipe that an unprivileged principal can write to, served by a process running as SYSTEM, is worth examining: the client controls the data the privileged server will parse.