Manual

Current users privs

whoami /priv

Current user details (all)

whoami /all

List users

net user

User details

net user <username>

List other logged in users

qwinsta
query session

List user groups

net localgroup

Group details

net localgroup <groupname>

Add user (interactive, may prompt for user input)

net user <username> <password> /add

Add user (non-interactive)

net user <username> /add
net user <username> <password>

Add user to group (e.g. administrators)

net localgroup administrators <username> /add

Change password

net user <username> <password>

System info

systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
hostname

Patch level

wmic qfe get Caption,Description,HotFixID,InstalledOn

Network connections

netstat -ano

Scheduled tasks

schtasks
schtasks /query /fo LIST /v

Driver

driverquery

Installed software (slow)

wmic product get name,version,vendor

Alternative

wmic service list brief

Services

sc query
sc start <service>
sc stop <service>
sc config <service> <options>

Antivirus

sc query windefend
sc queryex type= service

Searching files

findstr /si <term> <ext>
findstr /si password *.txt

DLL hijacking

Find a program that tries to load a DLL that is missing, or abuse the DLL search order, to get your own DLL executed.

Unquoted service path

Finding unquoted service paths

wmic service get name,displayname,pathname,startmode
sc qc <service>

Check whether the current user has write permission on a directory along that path.

.\accesschk64.exe /accepteula -uwdq <path>

PowerShell

SMB

Mount smb share

New-PSDrive -Name "<share-name>" -PSProvider "FileSystem" -Root "\\<ip>\<smb-share>"

Access with

cd <share-name>:

Automated

Exploit Suggester

This tool compares a target's patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.

GitHub - AonCyberLabs/Windows-Exploit-Suggester
Windows Exploit Suggester - Next Generation (WES-NG)

windows-exploit-suggester.py --update
windows-exploit-suggester.py --database 2021-09-21-mssb.xls --systeminfo sysinfo_output.txt

winPEAS


winpeas.exe > <output-file>

PowerSploit


JAWS


Watson

Enumerate missing KBs and suggest exploits for useful Privilege Escalation vulnerabilities.

GitHub - rasta-mouse/Watson

Watson.exe

Seatbelt

Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.

GitHub - GhostPack/Seatbelt

Seatbelt.exe -group=all -outputfile=<path>

Sherlock

Deprecated. Have a look at Watson instead.

PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.

GitHub - rasta-mouse/Sherlock

. .\Sherlock.ps1
Find-AllVulns

Misc

File inside a file (alternate data streams)

dir /r
powershell (Get-Content hm.txt -Stream root.txt)

Run as

runas /netonly /user:<user> cmd

Weak services

Files/programs that run with SYSTEM permissions but are writable by a low-privileged user can be replaced with exploited ones -> Check permissions with icacls <file>
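The unquoted service path check and the weak service permission check above are the same audit: which services run from a location a non-administrative user can write to. The PowerShell below is an added example that is not part of the original cheat sheet; it does both checks read-only in one pass and replaces the manual wmic/accesschk/icacls steps. Function names are my own, and the list of trusted principals is an assumption that may need extending on a given host.

```powershell
# Added example (not from the original page): read-only audit of service
# binary locations. Reports services whose binary path is unquoted and
# contains spaces, and services whose binary or its directory grants
# write-type rights to principals other than the trusted set below.

# Assumption: these principals are expected to hold write rights.
$TrustedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'   # inheritance placeholder, grants nothing to other users directly
)

# Rights that allow a file or directory entry to be replaced or altered.
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) are included
# because some ACEs are stored with generic instead of specific bits.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$WriteMask = $WriteMask -bor 0x40000000 -bor 0x10000000

function Get-UntrustedWriteAces {
    # Allow ACEs on $Path giving write-type rights to non-trusted principals.
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return @() }
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $TrustedPrincipals -notcontains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band $WriteMask) -ne 0
    }
}

function Get-ServiceBinaryPath {
    # Extract the executable path from a service command line.
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cl = $CommandLine.Trim()
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 1) { return $cl.Substring(1, $end - 1) }
    }
    # Unquoted: everything up to and including the first ".exe"
    $m = [regex]::Match($cl, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cl -split '\s+')[0]
}

function Get-ServiceWriteExposure {
    $findings = New-Object System.Collections.Generic.List[object]
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $cmd = $svc.PathName
        $exe = Get-ServiceBinaryPath $cmd
        if (-not $exe) { continue }

        $toCheck = @()
        $quoted = $cmd.Trim().StartsWith('"')
        if (-not $quoted -and $exe.Contains(' ')) {
            # Unquoted path with spaces: the service control manager tries each
            # space-delimited prefix, so every prefix's parent directory matters.
            $findings.Add([pscustomobject]@{
                Service = $svc.Name; Issue = 'UnquotedPath'; Path = $cmd
                Principal = ''; Rights = ''; StartName = $svc.StartName })
            $idx = $exe.IndexOf(' ')
            while ($idx -gt 0) {
                $toCheck += Split-Path -Path $exe.Substring(0, $idx) -Parent
                $idx = $exe.IndexOf(' ', $idx + 1)
            }
        }
        # Every service: the binary itself and the directory it lives in.
        $toCheck += $exe
        $toCheck += Split-Path -Path $exe -Parent

        foreach ($p in ($toCheck | Where-Object { $_ } | Select-Object -Unique)) {
            foreach ($ace in Get-UntrustedWriteAces $p) {
                $findings.Add([pscustomobject]@{
                    Service = $svc.Name; Issue = 'WritableByUntrusted'; Path = $p
                    Principal = $ace.IdentityReference.Value
                    Rights = $ace.FileSystemRights.ToString(); StartName = $svc.StartName })
            }
        }
    }
    return $findings
}

Get-ServiceWriteExposure | Sort-Object Service, Issue | Format-Table -AutoSize
```

Findings tagged WritableByUntrusted with a principal such as BUILTIN\Users or Everyone on a service whose StartName is LocalSystem are the ones to fix first; quoting the ImagePath and tightening the directory ACL both close the gap, and a scheduled run of this script makes a reasonable drift check.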
