Tag Archives: PrivEsc

PrivEsc: Group Policy Preference Passwords

Group Policy Preferences (GPP) was an addition to Group Policy to extend its capabilities to, among other things, allow an administrator to configure: local administrator accounts (including their name and password), services or schedule tasks (including credentials to run as), and mount network drives when a user logs in (including connecting with alternative credentials). GPP are distributed just like normal group policy, meaning that an XML file is stored in the SYSLVOL share of the domain controllers and when a user logs in their system queries the share and pulls down the policy.

This essentially means that a share exists on the domain controller which any domain user can access which contains other user account credentials, possible including a┬álocal administrator password which is reused across the network. This can mean that privilege escalation from a domain user to domain administrator becomes incredibly easy, as I’ve described before.

Continue reading: PrivEsc: Group Policy Preference Passwords

PrivEsc: Stealing Windows Access Tokens – Incognito

If an attacker is able to get SYSTEM level access to a workstation, for example by compromising a local administrator account, and a Domain Administrator account is logged in to that machine then it may be possible for the attacker to simply read the administrator’s access token in memory and steal it to allow them to impersonate that account. There’s a tool available to do this, it’s called Incognito.

Continue reading: PrivEsc: Stealing Windows Access Tokens – Incognito

PrivEsc: Dumping Passwords in Plaintext – Mimikatz

A tool exists for dumping plaintext passwords out of memory on Windows, it requires Local Administrator level privileges but it’s a great tool for privilege escalation from Local Admin to Domain Admin. There are Windows EXEs available but it’s also been rolled into Meterpreter! It can also inject a hash into memory to effectively perform a local pass-the-hash attack! If you want to run it on a remote machine remember to check out this post on running remote commands on Windows machines.

Continue reading: PrivEsc: Dumping Passwords in Plaintext – Mimikatz