Privilege escalation is one of the primary objectives in any exploit. It allows the attacker to gain control, access/change sensitive files, and leave permanent backdoors. During a pen test, you will rarely get administrative access to a target system on your first attempt. You'll need to find a way to elevate your access to administrator, and then (hopefully) SYSTEM level.

In addition to kernel-specific exploits, there are other types of exploits that can elevate privilege. They take advantage of services, drivers, and applications running in SYSTEM or administrator privilege. Like the kernel exploits, most are run locally after you have gained access to the target. Here are a few examples.

Vulnerability/Technique: SAM file
Description: Dump the contents of the SAM file to get cleartext or hashed passwords. Or, copy the SAM file using Volume Shadow Service or by booting into another OS to crack passwords offline.
Exploit:
  • gsecdump
  • fgdump
  • pwdump
  • Metasploit Meterpreter
  • hobocopy
  (See previous discussion, "Password Cracking Tools.")

Vulnerability/Technique: User application compromise
Description: Compromise applications such as Internet Explorer, Adobe Reader, or VNC to gain access to a workstation. From there you can use Windows User Account Control (UAC) bypass techniques to escalate privilege. These attacks typically require a victim to open a file or web page through social engineering.
Exploit:
  • Metasploit modules:
    • exploit/windows/vnc/realvnc_client
    • exploit/windows/browser/ms10_002_aurora
    • exploit/windows/fileformat/adobe_pdf_embedded_exe

Vulnerability/Technique: Local UAC bypass
Description: Bypass local UAC. Example: use process injection to leverage a trusted publisher certificate.
Exploit:
  • Metasploit modules:
    • post/windows/gather/win_privs
    • exploit/windows/local/bypassuac
  • Meterpreter getsystem

Vulnerability/Technique: Weak process permissions
Description: Find processes with weak controls and see if you can inject malicious code into those processes.
Exploit:
  • Metasploit modules:
    • post/multi/recon/local_exploit_suggester
    • post/multi/manage/shell_to_meterpreter
  • Meterpreter migrate and getsystem commands
  • Tarasco Process Injector

Vulnerability/Technique: Shared folders
Description: Search for sensitive information in shared folders, as it is common for them to have few or no restrictions.
Exploit:
  • Metasploit module auxiliary/scanner/smb/smb_enumshares
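The shared-folder entry above describes what an attacker enumerates with smb_enumshares; the defender's counterpart is to audit share permissions first. The following PowerShell is an added example, not from this book, and assumes the SmbShare module (Windows 8 / Server 2012 and later) and an elevated prompt on the host being audited. It lists every non-administrative share whose share-level ACL grants Change or Full control to Everyone, Users or Authenticated Users, and reports whether the NTFS ACL on the share's folder also allows that principal to write, since effective access is the more restrictive of the two. The principal list and the function names are choices of this example.

```powershell
# Added example (not from the book): find SMB shares on this host whose share-level
# ACL gives broad groups write access, and whether NTFS agrees.
# Needs the SmbShare module and an elevated prompt.

# Principals that every interactive or domain user belongs to (chosen for this example).
$broadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

function Test-NtfsWrite {
    param([string]$Path, [string]$Principal)
    # True if the folder's NTFS ACL also lets the principal add or change files.
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Principal -and
        $_.FileSystemRights.ToString() -match '\b(Write|WriteData|CreateFiles|Modify|FullControl)\b'
    })
}

function Get-OpenShare {
    # Skip hidden administrative shares (names ending in $); they are admin-only by design.
    Get-SmbShare | Where-Object { $_.Name -notmatch '\$$' } | ForEach-Object {
        $share = $_
        Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($broadPrincipals -contains $_.AccountName) -and
            ($_.AccessRight -in @('Change', 'Full'))
        } | ForEach-Object {
            [pscustomobject]@{
                Share           = $share.Name
                Path            = $share.Path
                Principal       = $_.AccountName
                ShareRight      = $_.AccessRight
                NtfsAllowsWrite = Test-NtfsWrite -Path $share.Path -Principal $_.AccountName
            }
        }
    }
}

Get-OpenShare | Format-Table -AutoSize
```

A row with ShareRight Full or Change and NtfsAllowsWrite True is a share that any authenticated user can both read and plant files in; a share that is only Read at either layer is a data-exposure question rather than a write path, and is worth reviewing for the kind of sensitive content the entry above refers to.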

Vulnerability/Technique: DLL hijacking
Description: Elevate privileges by exploiting weak folder permissions, unquoted service paths, or applications that run from network shares. Replace legitimate DLLs with malicious ones.

Vulnerability/Technique: Writable services
Description: Edit the startup parameters of a service, including its executable path and account. You could also use unquoted service paths to inject a malicious app that the service will run as it starts up.
Exploit:
  • AccessChk.exe
  • Metasploit module exploit/windows/local/service_permissions
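The DLL-hijacking and writable-service entries above both come down to a directory that a low-privileged user can write to and that a SYSTEM service loads code from. The check is usually done with AccessChk; the following PowerShell is an added example, not from this book, that does the same audit with built-in cmdlets and is assumed to run from an elevated prompt on the host being audited. It lists every service whose binary path is unquoted and contains spaces, and every service whose binary directory (and, for unquoted paths, the parent directory of each space-separated prefix that the service control manager would try first) grants Write, Modify or Full Control to Everyone, Users, Authenticated Users or INTERACTIVE. The group list, the function names and the $findings variable are choices of this example.

```powershell
# Added example (not from the book): audit Windows services for unquoted paths
# and for directories on the load path that low-privileged groups can write to.
# Run from an elevated PowerShell prompt on the host being audited.

# Principals that every interactive user belongs to (list chosen for this example).
$lowPrivGroups = @('Everyone', 'BUILTIN\Users',
                   'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Quoted path: the executable is whatever sits between the first pair of quotes.
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted path: everything up to the first ".exe" (drops trailing arguments).
    if ($PathName -match '^\s*(.*?\.exe)') { return $Matches[1] }
    return ($PathName.Trim() -split ' ')[0]
}

function Test-UnquotedServicePath {
    param([string]$PathName)
    # An unquoted path with a space before the executable name is ambiguous to the
    # service control manager, which tries each space-delimited prefix as a program.
    if ($PathName -match '^\s*"') { return $false }
    return ((Get-ServiceBinaryPath $PathName) -match ' ')
}

function Get-DirectoriesToCheck {
    param([string]$Exe, [bool]$Unquoted)
    # For a quoted path only the binary's own directory matters. For an unquoted
    # path, the parent of every space-delimited prefix matters too, because a file
    # planted there would be tried before the real executable.
    $dirs = New-Object 'System.Collections.Generic.List[string]'
    if ($Unquoted) {
        $parts = $Exe -split ' '
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $parent = Split-Path -Path ($parts[0..($i - 1)] -join ' ') -Parent
            if ($parent -and -not $dirs.Contains($parent)) { $dirs.Add($parent) }
        }
    }
    $parent = Split-Path -Path $Exe -Parent
    if ($parent -and -not $dirs.Contains($parent)) { $dirs.Add($parent) }
    return $dirs
}

function Get-WeakDirectoryAces {
    param([string]$Directory)
    # Allow ACEs that give a low-privileged group the ability to add or replace files.
    if (-not (Test-Path -LiteralPath $Directory)) { return @() }
    $acl = Get-Acl -LiteralPath $Directory -ErrorAction SilentlyContinue
    if (-not $acl) { return @() }
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($lowPrivGroups -contains $_.IdentityReference.Value) -and
        ($_.FileSystemRights.ToString() -match '\b(Write|WriteData|CreateFiles|Modify|FullControl)\b')
    } | ForEach-Object { "$Directory : $($_.IdentityReference) : $($_.FileSystemRights)" }
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if (-not $svc.PathName) { continue }
    $exe      = Get-ServiceBinaryPath $svc.PathName
    $unquoted = Test-UnquotedServicePath $svc.PathName
    $weak     = @(Get-DirectoriesToCheck -Exe $exe -Unquoted $unquoted |
                  ForEach-Object { Get-WeakDirectoryAces $_ })
    if ($unquoted -or $weak.Count -gt 0) {
        [pscustomobject]@{
            Service      = $svc.Name
            RunsAs       = $svc.StartName
            PathName     = $svc.PathName
            UnquotedPath = $unquoted
            WeakAces     = ($weak -join '; ')
        }
    }
}
$findings | Sort-Object UnquotedPath -Descending | Format-Table -AutoSize -Wrap
```

An unquoted path by itself is only a finding if one of the listed directories is writable, which is why the script prints the weak ACEs alongside it; on a default install the parents of C:\Program Files are not, so the usual hits are third-party services installed under a custom folder. The script checks directory ACLs only; the service object's own ACL (who may change its binary path or account, the first sentence of the writable-services entry) is a separate check that AccessChk's service mode covers.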

Vulnerability/Technique: WebDAV
Description: Microsoft WebDAV clients could elevate privilege with specially crafted requests. Affects Windows Server 2008, Vista, 7. CVE-2016-0051, MS16-016.

Vulnerability/Technique: Ancillary Function Driver
Description: Ancillary Function Driver (AFD) does not properly validate input before passing it from user mode to the kernel. This could grant a local attacker elevation of privilege. Affects Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012. CVE-2014-1767, MS14-040.

Vulnerability/Technique: Task Scheduler 2.0
Description: Task Scheduler 2.0 does not properly determine the security context of its scheduled tasks. This could allow an attacker to escalate privilege. Affects Windows Vista SP1/SP2, Windows Server 2008 Gold, SP2/R2, Windows 7. CVE-2010-3338, MS10-092.

Vulnerability/Technique: Missing patches and misconfigurations
Description: Search for missing patches or common misconfigurations that can lead to privilege escalation.

Note: For more information on bypassing UAC for privilege escalation, see www.hackingarticles.in/7-ways-to-privilege-escalation-of-windows-7-pc-bypass-uac

Note: To search Metasploit for local exploits that escalate privilege, at the msf console, enter search exploit/windows/local -S Escalation.

Note: For more information on services that are writable or have weak permissions, see https://pentestlab.blog/2017/03/30/weak-service-permissions, www.greyhathacker.net/?p=738, https://hackingandsecurity.blogspot.com/2016/08/common-windows-privilege-escalation.html