Windows Privilege Escalation using sudo su?
If you have ever used Linux, you are probably aware of the sudo command. It lets us run a command as a different user, most often as root. With the su command we can switch to the root account outright. Because a full root login is risky, most distributions such as Ubuntu ship with the root account's password locked, so su to root does not work out of the box and sudo is the expected route.
So the question is: what about Windows?
Well, unfortunately most users log into Windows with an account that is a member of the local Administrators group.
That is roughly the equivalent of the root user in Linux.
Microsoft has tried to lessen the risk of running as an administrator by enabling User Account Control (UAC). An administrator's interactive session runs with a filtered, medium-integrity token that carries only standard-user rights, and a process receives the full administrative token only after the user confirms the elevation prompt. Note that even an elevated administrator is still a different account from NT AUTHORITY\SYSTEM, which most services run as.
So while Linux users have the sudo command to switch user accounts or run commands as the superuser, what do Windows users have?
Is there a sudo command for Windows too?
Okay... not really.
But we have the alternatives below.
- The runas command
- A PowerShell script that starts a process with another user's credentials
So now we know something similar to sudo su exists on Windows, but when can we use it?
Not a big deal. Suppose we have compromised a Windows system through a network or web application vulnerability and have a shell as a low-privileged user.
Suppose we have also obtained Administrator credentials by compromising another system in the domain, for example by dumping credentials with hashdump, wce.exe, fgdump.exe or a similar tool.
Suppose credentials are b33f:b33fpassword
If this admin account also exists on the newly compromised Windows system (a local account with the same password, or a domain account), we can use the Windows switch-user functionality to escalate our privileges.
The point to note here is: there will be times when we know an admin user's credentials but only have a low-privileged shell as some other user, and Remote Desktop is not enabled, so we cannot simply log in as the admin. Unlike Linux, we cannot sudo on Windows machines, so we use the switch-user functionality instead.
Let's learn how to do that.
Suppose we have a low-privileged shell as alice, and the user b33f also has an account on the same system.
The first thing we always check after getting a low-privileged shell on a Windows system is who we are: whoami

The next thing we check is which privileges that account holds: whoami /priv

Then we enumerate all the user accounts on the box and the group memberships given to each of them (net user, and net localgroup administrators for the admin group).


As we can see, b33f is a member of the Administrators group, and we already have b33f's credentials from another machine in the domain.
So let's switch user to b33f and escalate privileges.
We can use the runas command to switch user. However, runas reads the password directly from an interactive console: in a non-interactive reverse shell it cannot prompt, and it has no switch for passing the password on the command line.
So in that case the runas command fails, and we fall back to a PowerShell script, which can supply the credentials programmatically, to gain the higher privileges.
runas is a very useful command on Windows. It runs a program in the security context of another user account.
Command: runas /user:username program

If the above command prompts for a password, well and good: we enter the password and get a shell running as b33f. If it does not prompt for password input, we have to try the PowerShell script.
Create the two files shown below and transfer them to the low-privileged shell along with nc.exe.

After transferring the files to the target with meterpreter upload or any other means (ftp, tftp, VBScript, a PowerShell download cradle, etc.), we start a listener on our Kali machine, execute the PowerShell script from the low-privileged shell as shown below, and receive a reverse shell running as the admin user, b33f in our case.

