
This is a Windows privilege escalation tutorial built around Sagi Shahar's (@s4gi_) lpeworkshop. It is the most common and most often referenced guide to Windows privilege escalation; it gets mentioned about as often as the community's favourite Windows enumeration techniques.

In fact, it is one of the few real tutorials available. Many of the existing guides are really cheatsheets, a collection of techniques with no explanation of why they work or why they don't.

The tutorial and its batch script rely on a Windows 7 64-bit host, but who has one of those? That leaves the free Windows 10 images. The batch script that installs and sets up the common Windows privilege escalation vulnerabilities will not work on Windows 10 as published. I found that a small fix to the script makes it work on Windows 10 just as it does on Windows 7.

Here’s What You Need

  • Kali Linux VM – VirtualBox
  • Sagishahar/lpeworkshop
  • Windows 10 VM – VirtualBox
  • Bridged Network Adapter

Why It Won’t Work Out of the Box on Windows 10

The batch script that installs and sets up the common Windows privilege escalation vulnerabilities will not run through on Windows 10. The GitHub repo page notes this:

“The script was developed and tested on a Windows 7 (SP1) x64 Build 7601 English-US host. It might work on other OS instances, but it is not guaranteed. Pay attention to the script’s output. Some exercises are skipped (e.g. Kernel, etc.) as it depends on the patchlevel of the VM.”

The reason it fails on Windows 10 is the MD5 check. For each file it creates, the script computes an MD5 hash with certutil and compares it to a hard-coded value. Those expected values are written the way Windows 7's certutil prints a digest, as byte pairs separated by spaces; Windows 10's certutil prints the same digest without spaces, so the comparison can never match and the script abandons that exercise.

certutil -hashfile %file% MD5

Here is What Works

That means that anywhere you see these two lines you can remove them, along with the hashing routines they call, or use an even simpler fix.

call :calculate_md5 dllhijackservice.exe, ret_md5_val
call :confirm_md5_hash "fa 6e 05 03 21 f4 33 af 0e 48 6a cf 88 ee fe 32", "%ret_md5_val%" || goto :eof

Instead of deleting the hashing routines, you can remove the spaces from the expected MD5 string. It then matches what Windows 10's certutil prints, so the check no longer reports a mismatch and aborts the rest of the setup. (The space-less spelling will of course fail on a Windows 7 host, where certutil prints the spaces.)

call :calculate_md5 dllhijackservice.exe, ret_md5_val
call :confirm_md5_hash "fa6e050321f433af0e486acf88eefe32", "%ret_md5_val%" || goto :eof
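A version-independent variant, added here as an example and not the lpeworkshop's own code: these batch routines stand in for the setup script's calculate_md5 and confirm_md5_hash, pick the digest line out of certutil's output without relying on its position, and strip spaces from both sides before comparing, so the original space-separated expected values work on Windows 7 and Windows 10 alike. This covers both the certutil output difference described above and the fix. The routine bodies, the variable names and the file name used in the call are assumptions; only the two call lines mirror the setup script.

```batch
@echo off
REM Added example, not the lpeworkshop's own code. Drop-in replacements for the
REM setup script's calculate_md5 / confirm_md5_hash that accept either certutil
REM output format (Windows 7 "fa 6e 05 ..." or Windows 10 "fa6e05...").
REM Usage: run from the directory that holds dllhijackservice.exe (assumed name).

call :calculate_md5 dllhijackservice.exe, ret_md5_val
echo [*] certutil reported: %ret_md5_val%

REM The expected value keeps the Windows 7 spacing used by the workshop script;
REM confirm_md5_hash normalises both sides, so either spelling is accepted.
call :confirm_md5_hash "fa 6e 05 03 21 f4 33 af 0e 48 6a cf 88 ee fe 32", "%ret_md5_val%" || goto :eof
echo [+] MD5 matches, continuing setup
goto :eof

:calculate_md5
REM %1 = file to hash, %2 = name of the variable that receives the digest.
set "md5_file=%~1"
set "md5_result="
REM certutil prints a header line, the digest and a status line. The digest is
REM the only line without a colon on both Windows 7 and Windows 10, so filter
REM on that rather than on line position. A missing file leaves md5_result empty.
for /f "usebackq delims=" %%L in (`certutil -hashfile "%md5_file%" MD5 ^| findstr /v ":"`) do (
    if not defined md5_result set "md5_result=%%L"
)
REM Strip the spaces Windows 7 inserts between byte pairs.
if defined md5_result set "md5_result=%md5_result: =%"
set "%~2=%md5_result%"
exit /b 0

:confirm_md5_hash
REM %1 = expected digest (with or without spaces), %2 = computed digest.
set "md5_expected=%~1"
set "md5_actual=%~2"
if not defined md5_actual (
    echo [-] certutil produced no digest; does the file exist?
    exit /b 1
)
set "md5_expected=%md5_expected: =%"
set "md5_actual=%md5_actual: =%"
if /i "%md5_expected%"=="%md5_actual%" exit /b 0
echo [-] MD5 mismatch: expected %md5_expected% but got %md5_actual%
exit /b 1
```

Because the comparison normalises both strings, the expected hashes in the setup script can stay exactly as the workshop ships them; only the two routine bodies need replacing. The empty-digest check catches the case where the file was never created (certutil then prints only error lines, all of which contain a colon), which otherwise surfaces as a confusing mismatch against an empty string.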

Check for yourself: look in C:\Program Files for the new folders and the files inside them.

Screenshot: the script ran and created the vulnerabilities for the Windows privilege escalation tutorial.

Do the Tutorial: Learn Windows Privilege Escalation

From there you can get hands-on practice with each of the escalation paths the workshop sets up. Do these steps to get started.

  • Boot the Windows 10 VM on a bridged network adapter so the Kali VM can reach it.
  • Fix the lpe-workshop-setup.bat script as described above.
  • Run the script as Administrator and watch its output for exercises it skips.
  • Run through the tutorial and learn Windows privilege escalation.