d4Rk's 1337 h4x0r guide
Overview


Last updated 3 years ago

Manual

Current user's privileges

whoami /priv

Current user details (all)

whoami /all

List users

net user

User details

net user <username>

List other logged-in users

qwinsta
query session

List user groups

net localgroup

Group details

net localgroup <groupname>

Add user (interactive, requires user interaction)

net user <username> <password> /add

Add user (non-interactive)

net user <username> /add
net user <username> <password>

Add user to group (e.g. administrators)

net localgroup administrators <username> /add

Change password

net user <username> <password>

System info

systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
hostname

Patch level

wmic qfe get Caption,Description,HotFixID,InstalledOn

Network connections

netstat -ano

Scheduled tasks

schtasks
schtasks /query /fo LIST /v

Drivers

driverquery

Installed software (slow)

wmic product get name,version,vendor

Alternative (faster, but lists services rather than installed products)

wmic service list brief

Services

sc query
sc start <service>
sc stop <service>
sc config <service> <options>

Antivirus

sc query windefend
sc queryex type= service

Searching files

findstr /si <term> <file-pattern>
findstr /si password *.txt

DLL hijacking

Find a program that tries to load a DLL that is missing, or abuse the DLL search order, so that your own DLL is loaded instead.

Unquoted service path

Finding unquoted service paths

wmic service get name,displayname,pathname,startmode
sc qc <service>

Check whether we have write permission to a suitable directory on that path.

.\accesschk64.exe /accepteula -uwdq <path>
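As an added defensive audit (not part of this guide or of any tool it lists), the following PowerShell script does the two steps above in one pass: it lists services whose binary path is unquoted and contains spaces, checks whether broad principals can create files in a directory Windows would probe before the real binary, and prints the sc config line that quotes the path. The principal list and the rights check are assumptions; Deny entries are not evaluated, so treat findings as leads to verify.

```powershell
# Added defensive audit, not part of the original guide or of any listed tool.
# Finds services whose ImagePath is unquoted and contains spaces, reports which
# search directories broad principals can write to, and prints the remediation.
$weakPrincipals = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'  # assumed list

function Test-GrantsWrite([int]$Rights) {
    # WriteData (create files) directly, or the unmapped GENERIC_WRITE / GENERIC_ALL bits
    ($Rights -band 0x2) -or ($Rights -band 0x40000000) -or ($Rights -band 0x10000000)
}

function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $p = $_.PathName
        if (-not $p -or $p.StartsWith('"')) { return }        # quoted or empty: fine
        $m = [regex]::Match($p, '^(.*?\.exe)', 'IgnoreCase')  # executable part, without arguments
        if ($m.Success -and $m.Groups[1].Value -match ' ') {
            [pscustomobject]@{
                Name = $_.Name; StartMode = $_.StartMode
                Exe  = $m.Groups[1].Value; Args = $p.Substring($m.Groups[1].Value.Length)
            }
        }
    }
}

function Test-WritableSearchDir {
    param([string]$Exe)
    # CreateProcess tries C:\Program.exe, then C:\Program Files\Foo.exe, ... so the parent
    # directory of every space-delimited prefix is where a stray binary would be picked up.
    $parts = $Exe.Split(' ')
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $dir = Split-Path -Path ($parts[0..($i - 1)] -join ' ') -Parent
        if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $weakPrincipals -contains $ace.IdentityReference.Value -and
                (Test-GrantsWrite ([int]$ace.FileSystemRights))) {
                [pscustomobject]@{ Directory = $dir; Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
            }
        }
    }
}

foreach ($svc in Get-UnquotedServicePath) {
    $weak = @(Test-WritableSearchDir -Exe $svc.Exe)
    $status = if ($weak.Count) { 'HIGH: writable search directory, fix now' } else { 'LOW: unquoted only, quote the path' }
    '{0,-30} {1,-10} {2}' -f $svc.Name, $svc.StartMode, $status
    $weak | ForEach-Object { '    {0} writable by {1} ({2})' -f $_.Directory, $_.Principal, $_.Rights }
    '    fix: sc config "{0}" binPath= "\"{1}\"{2}"' -f $svc.Name, $svc.Exe, $svc.Args
}
```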

PowerShell

SMB

Mount SMB share

New-PSDrive -Name "<share-name>" -PSProvider "FileSystem" -Root "\\<ip>\<smb-share>"

Access with

cd <share-name>:

Automated

Exploit Suggester

windows-exploit-suggester.py --update
windows-exploit-suggester.py --database 2021-09-21-mssb.xls --systeminfo sysinfo_output.txt

winPEAS

winpeas.exe > <output-file>

PowerSploit

JAWS

Watson

Watson.exe

Seatbelt

Seatbelt.exe -group=all -outputfile=<path>

Sherlock

. .\Sherlock.ps1
Find-AllVulns

Misc

File inside a file

dir /r
powershell (Get-Content hm.txt -Stream root.txt)

Run as

runas /netonly /user:<user> cmd

Weak services

Files or programs that run with SYSTEM permissions and are writable can be replaced with modified ones. Check the file's permissions first:

icacls <file>

Notes on the automated tools

Exploit Suggester: this tool compares a target's patch level against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins. Links: GitHub - AonCyberLabs/Windows-Exploit-Suggester; Windows Exploit Suggester - Next Generation (WES-NG).

winPEAS, PowerSploit, JAWS: see their own pages.

Watson: enumerates missing KBs and suggests exploits for useful privilege escalation vulnerabilities. Link: GitHub - rasta-mouse/Watson.

Seatbelt: a C# project that performs a number of security-oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives. Link: GitHub - GhostPack/Seatbelt.

Sherlock: PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities. Deprecated; have a look at Watson instead. Link: GitHub - rasta-mouse/Sherlock.

Guides

  • Windows Privilege Escalation Guide
  • PayloadsAllTheThings/Windows - Privilege Escalation.md at master · swisskyrepo/PayloadsAllTheThings · GitHub
  • GitHub - frizb/Windows-Privilege-Escalation: Windows Privilege Escalation Techniques and Scripts
  • Windows elevation of privileges
  • GitHub - SecWiki/windows-kernel-exploits: collection of Windows platform privilege escalation vulnerabilities
  • GitHub - WindowsExploits/Exploits: Windows Exploits
  • LOLBAS
  • GitHub - hfiref0x/UACME: Defeating Windows User Account Control

Related

  • PowerSploit
  • JAWS
  • Juicy Potato, Rotten Potato (NG)
  • Mimikatz
  • SILENTTRINITY
  • Empire