Escalating Windows --help

[impelse]

Guys

For the last week I got shell in three machines and stuck escalating windows, I tried to use MS11-080 AND PwDump7.exe to get the hashes, etc, etc....

I can upload files to the server and connect with netcat but the user is very limited.

Do you have any site where I can check how to escalate privilege in Windows, I am not asking how to do it (otherwise I will not learn how to do it), I am asking websiteS with some ideas, I've been looking for and trying HARDER, LOL

Thanks.

[shadowzero]

Try these links:

http://travisaltman.com/windows-privilege-escalation-via-weak-service-permissions/

http://obscuresecurity.blogspot.ca/2011/11/old-privilege-escalation-techniques.html

http://www.room362.com/blog/2012/8/25/post-exploitation-command-lists-request-to-edit.html

[Jamie.R]

may also want try this tool

http://pentestmonkey.net/tools/windows-privesc-check

[impelse]

Thanks guys, I just read two articles of the links and I got a bunch of ideas, good, this is what I was looking for.

[cd1zz]

There are several ways. This is a nice new shiny local priv exploit for Windows Server x64:
http://www.exploit-db.com/exploits/20861/

There are other ways too. I just released a local priv exploit for a third party software:
http://www.exploit-db.com/exploits/20915

Point is, look for installed third party apps that have local priv exploits if the box is totally patched.

[impelse]

Point is, look for installed third party apps that have local priv exploits if the box is totally patched.

I agree, this is the part I am working right now, look for weak services and their applications installed.

I know I could find a remote exploit or use meterpreter, but not, I want to do it manually, I got shell with netcat using a asp shell. I need to master it, I think is more difficult to escalate that to get shell.

Also something that mess up a lot is that sometimes when I type the wrong command or wrong way I loose connection, lol..... TRY HARDER and write down how you got shell ASAP

[cd1zz]

Oh sorry, now I know what you're doing. If you can transfer files to the server with your aspshell, you can upload your own exe and execute the file. Usually the problem you'll run into there is the non-interactive shell but you can get around that...

[impelse]

I got some kind of interactive shell but sometimes with some errors stop, anyway I come in
 10 second later, lol