Category: Windows Privilege Escalation

Hello, aspiring ethical hackers. In this blogpost, you will learn about Windows privilege escalation. Windows privilege escalation comes after Windows hacking and is part of Post-exploitation of Windows.

What is Windows privilege escalation?

Windows privilege escalation is the process of elevating privileges on a Windows system after successfully gaining access to a Windows system.

Why is it important?

According to StatCounter Global Stats, over 72.52% of people worldwide use Windows as their Desktop. That is the reason why Windows privilege escalation is one of the most important topics of ethical hacking.

Windows privilege escalation techniques

There are multiple ways by which hackers can elevate privileges on a Windows systems. They are,

1. Exposed credentials
2. Bypassing UAC
3. Exploiting services running with administrator privileges.
4. Windows kernel vulnerabilities.
5. Misconfigured services.
6. Windows Registry.
7. Scheduled Tasks.

1. Exposed credentials:

Sometimes, the credentials of user accounts with administrator privileges on a Windows system are exposed. Most people still store Windows credentials on Desktop for easy access (you may not believe this but this is true). So, attackers can login as user with high privileges using these exposed credentials.

2. Bypassing UAC:

User Account Control (UAC) is a Windows security feature that was designed to protect the operating system. Introduced with Windows Vista, it is a mandatory access control enforcement feature. It works by limiting application software to standard user privileges until a user with administrator privileges authorizes an elevation in privileges.

This allows only applications that are trusted by users to be assigned administrator privileges. However, vulnerabilities in this UAC sometimes allows hackers to bypass UAC and get administration privileges on the target system.

3. Exploiting services running with administration privileges:

Some applications installed on Windows by users need administrative privileged on the system to run. If attackers exploit any vulnerabilities in these applications, they can easily elevate their privileges on the Windows system.

4. Windows kernel vulnerabilities:

Windows kernel in Windows (or for that matter any operating system) has the highest privileges assigned to it. If attackers exploit any vulnerabilities in the Windows kernel, they can elevate their privileges on the Windows system.

5. Misconfigured services:

Misconfigurations in services on Windows can also be exploited to escalate privileges on Windows system.

6. Windows Registry:

Windows registry is a hierarchical database that stores all low level; settings of Microsoft Windows. Weak permissions in the Windows registry can also be exploited to elevate privileges.

7. Scheduled Tasks:

Windows Task Scheduler (formerly known as Scheduled Tasks) is used to automate jobs and tasks in Windows just like cron jobs in Linux. Weak file permission setting in Task scheduler can be exploited to elevate privileges on a Windows system.

Hello, aspiring ethical hackers. In our previous blogpost, you learnt about various techniques used for Windows privilege escalation. In this blogpost, you will learn about UAC bypass, one of the techniques used for privilege escalation in Windows. To understand UAC bypass, you need to first understand what is UAC.

What is UAC?

User Account Control (UAC) is a mandatory access control feature of Windows operating system that helps in improving the security of the operating system. It was introduced in Window Vista and Windows Server 2008 and has ben improved since then. User Account Control works by limiting a software or program to run with standard user privileges (low privileges) until and unless a user with administrator privileges authorizes it by giving permission. This way, only applications trusted by the user can be run on the system. This helps to prevent malware infection as malware and virus need administrator privileges to infect the system wholly.

How can UAC be bypassed?

Now, you have a question. How can UAC be bypassed. There are various UAC bypass methods. They are,

1. Registry key manipulation:

This technique works by hijacking the normal execution flow of an auto elevated application. What are auto-elevated applications? In Microsoft windows, if a binary is trusted (i.e. it has been signed with a MS certificate or the binary is in a trusted directory), the UAC prompt will not be presented. This can be exploited using a registry key.

The fodhelper privilege escalation method is an example of this. Fodhelper.exe is a trusted binary in Windows operating systems that is used to manage features in Windows settings. We can exploit this binary by hijacking a special key in the Registry under the current user hive and inserting a custom command that will get invoked when the Windows fodhelper.exe application is launched.

Once the UAC flag is turned off, we will spawn a second shell with SYSTEM privileges. Metasploit has a module for this. Let’s see it practically using Metasploit. Imagine we have a scenario where we have gained access to a Windows system using any Windows hacking technique.

To use the fodhelper module to elevate privileges, we need to background the current session.

Search for fodhelper module using the search command.

Load the module and set the session ID as shown below.

Run the module as shown below.

As you can see, we successfully got a meterpreter session. When I check privileges, its still user privileges but when I run “getsystem” command, I get system privileges on the target Windows system.

2. DLL hijacking:

In this method, the execution of an elevated program is hijacked using DLL Search order hijacking, DLL loading, redirection or other DLL vulnerability.

3. Elevated COM interface method:

COM stands for Component Object Model. It acts as a binary interface between various processes of different programming languages. In Windows, is is the basis for several other Microsoft technologies like OLE, OLE Automation, Browser Helper Object, ActiveX, COM+, DCOM, Windows shell, DirectX and Windows runtime. In this method, the COM handler is bypassed while it references registry when a high integrity process is being loaded. These DLLs contain the payloads that result in elevated sessions.

Let’s demonstrate this using Metasploit. As for every privilege escalation exploit, we need to already have a meterpreter session on target. This can be achieved using one of the Windows hacking techniques. Once we have it, search for the bypassuac_comhijack module as shown below.

Load the bypassuac_comhijack module and check its options by using the “show options” command as shown below.

Set the session id and execute the exploit using “run” command as shown below. If everything went right, we will have another meterpreter session as shown below.

Check the privileges using the “getuid” command. If you still don’t have system privileges, run command “getsystem” and even if it results in an error, check your privileges once again using command “getuid“. You should definitely have system privileges by now.