Comment on page

Overview

Guides
​Windows Privilege Escalation Guide​
​PayloadsAllTheThings/Windows - Privilege Escalation.md at master · swisskyrepo/PayloadsAllTheThings · GitHub​
​GitHub - frizb/Windows-Privilege-Escalation: Windows Privilege Escalation Techniques and Scripts​
​Windows elevation of privileges​
​GitHub - SecWiki/windows-kernel-exploits: windows-kernel-exploits Windows平台提权漏洞集合​
​GitHub - WindowsExploits/Exploits: Windows Exploits​
Related
​LOLBAS​
​GitHub - hfiref0x/UACME: Defeating Windows User Account Control​
​PowerSploit​
​JAWS​
​Juicy Potato, Rotten Potato (NG)​
​Mimikatz​
​SILENTTRINITY​
​Empire​
Manual
Current users privs
whoami /priv
Current user details (all)
whoami /all
List users
net user
User details
net user <username>
List other logged in users
qwinsta
query session
List user groups
net localgroup
Group details
net localgroup <groupname>
Add user (interactive, requires user interaction)
net user <username> <password> /add
Add user (non-interactive)
net user <username> /add
net user <username> <password>
Add user to group (e.g. administrators)
net localgroup administrators <username> /add
Change password
net user <username> <password>
System info
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
hostname
Patch level
wmic qfe get Caption,Description,HotFixID,InstalledOn
Network connections
netstat -ano
Scheduled tasks
schtasks
schtasks /query /fo LIST /v
Driver
driverquery
Installed software (slow)
wmic product get name,version,vendor
Alternative
wmic service list brief
Services
sc query
sc start <service>
sc stop <service>
sc config <service> <options>
Antivirus
sc query windefend
sc queryex type=service
Searching files
findstr /si <term> <ext>
findstr /si password *.txt
DLL hijacking
Find a program with a missing dll, or make use for search path order, to execute your own dll.
Unquoted service path
Finding unqoated service paths
wmic service get name,displayname,pathname,startmode
sc qc <service>
Check if we have write permission in a suitable path.
.\accesschk64.exe /accepteula -uwdq <path>
PowerShell
SMB
Mount smb share
New-PSDrive -Name "<share-name>" -PSProvider "FileSystem" -Root "\\<ip>\<smb-share>"
Access with
cd <share-name>:
Automated
Exploit Suggester
This tool compares a targets patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.
GitHub - AonCyberLabs/Windows-Exploit-Suggester Windows Exploit Suggester - Next Generation (WES-NG)​
windows-exploit-suggester.py –update
windows-exploit-suggester.py --database 2021-09-21-mssb.xls --systeminfo sysinfo_output.txt
winPEAS
​winPEAS​
winpeas.exe > <output-file>
PowerSploit
​PowerSploit​
JAWS
​JAWS​
Watson
Enumerate missing KBs and suggest exploits for useful Privilege Escalation vulnerabilities
GitHub - rasta-mouse/Watson​
Watson.exe
Seatbelt
Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
GitHub - GhostPack/Seatbelt​
Seatbelt.exe -group=all -outputfile=<path>
Sherlock
Deprecated. Have a look at Watson instead.
PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.
GitHub - rasta-mouse/Sherlock​
Sherlock.ps1
FindAllVulns
Misc
File inside a file
dir /r
powershell (Get-Content hm.txt -Stream root.txt)
Run as
runas /netonly /user:<user> cmd
Weak services
Replace files/programs running with SYSTEM permissions with exploited ones
-> Check permissions icacls <file>

Privilege escalation - Previous

Windows

Mimikatz

Last modified 1yr ago