Windows 10 privilege escalation research by infosec noob

[LetsWindows10]

I figured it's time to start poking at security in Win10.   Working with local only standard accounts vs admin accounts.

Full disclosure: This is a hobby, I don't claim bug bounties, I don't want credit for anything, I value my privacy, however, the infosec community I've found recently is very inclusive and shares, so here's my noob evaluation.

 

The Administrator account is hidden by default, but a user with admin priveliges can activate it from an elevated command prompt with 

net user administrator /active:yes

The default password is blank.

 

A user with standard access has basically read-only access to the registry, critical folders, and command prompt.

 

(my favorite find on Win7 machines was appending an executable to the key:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit")

 

This key still exists, but it's read only to standard users.

 

However, the task manager does have some limited access which carries over to services.

Checking services that are set to "Automatic (delayed start)" yields a handful that grant "Start" access to the standard account  The majority are invoked by svchost.exe so we're gonna ignore them assuming they're locked down.  

 

The one that's interesting is sppsvc. It's got an AES key embedded and tracing DLL calls may yield a more  simple attack vector.  

 

Finding an executable-on-boot path (via weak folder permissions) and replacing the service call could be fun!

 

This can only work on say a Staples demo PC or high school PC with a lacking security policy, but if anyone has any feedback, or can take the money & run, go for it.

 

Edit: all testing done on latest fast track build 10586 and Windows was happy to install week-old updates under standard account

 

Edit #2: best post I've found so far on Windows Privilege Escalation.

http://fuzzysecurity.com/tutorials/16.html 

Edited November 11, 2015 by LetsWindows10