🫨Windows Privilege Escalation

The general goal of Windows privilege escalation is to extend our access on a given system from a low-privileged user to a member of the local Administrators group or to the NT AUTHORITY\SYSTEM (LocalSystem) account.

We may need to escalate privileges for one of the following reasons:

1. When testing a client's gold image Windows workstation and server build for flaws
2. To escalate privileges locally to gain access to some local resource such as a database
3. To gain NT AUTHORITY\SYSTEM level access on a domain-joined machine to gain a foothold into the client's Active Directory environment
4. To obtain credentials to move laterally or escalate privileges within the client's network

Some of the ways that we can escalate privileges are:

- Abusing Windows group privileges
- Abusing Windows user privileges
- Bypassing User Account Control
- Abusing weak service/file permissions
- Leveraging unpatched kernel exploits
- Credential theft
- Traffic capture

and more.

Below is a list of useful binaries and scripts:

| Tool | Description |
| --- | --- |
| Seatbelt | C# project for performing a wide variety of local privilege escalation checks |
| winPEAS | WinPEAS is a script that searches for possible paths to escalate privileges on Windows hosts. All of the checks are explained here |
| PowerUp | PowerShell script for finding common Windows privilege escalation vectors that rely on misconfigurations. It can also be used to exploit some of the issues found |
| SharpUp | C# version of PowerUp |
| | PowerShell script for enumerating privilege escalation vectors, written in PowerShell 2.0 |
| SessionGopher | SessionGopher is a PowerShell tool that finds and decrypts saved session information for remote access tools. It extracts PuTTY, WinSCP, SuperPuTTY, FileZilla, and RDP saved session information |
| Watson | Watson is a .NET tool designed to enumerate missing KBs and suggest exploits for privilege escalation vulnerabilities |
| LaZagne | Tool used for retrieving passwords stored on a local machine from web browsers, chat tools, databases, Git, email, memory dumps, PHP, sysadmin tools, wireless network configurations, internal Windows password storage mechanisms, and more |
| WES-NG | WES-NG is a tool based on the output of Windows' systeminfo utility which provides the list of vulnerabilities the OS is vulnerable to, including any exploits for these vulnerabilities. Every Windows OS between Windows XP and Windows 10, including their Windows Server counterparts, is supported |

We will use several tools from Sysinternals in our enumeration, including AccessChk, PipeList, and PsService.

We can also find pre-compiled binaries of Seatbelt and SharpUp here, and standalone binaries of LaZagne here.

When we don't find any other writable directories, C:\Windows\Temp is always a safe bet for uploading tools, because the BUILTIN\Users group has write access to it.
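To confirm that claim on a given host (and to audit other common drop locations for the same weakness), here is an added PowerShell example that is not part of the original notes: it reads each directory's DACL with Get-Acl and reports Allow ACEs that grant write-type rights to broad principals. The list of principals and the paths checked are assumptions to adjust for the environment.

```powershell
# Added example (not from the original notes): audit a directory's DACL for
# ACEs that grant write-type rights to broad principals such as BUILTIN\Users.
# Assumes Windows PowerShell 5.1 or later; nothing here modifies permissions.
function Get-BroadWriteAccess {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        # Principals treated as "broad" (assumption; extend for your environment)
        [string[]] $BroadPrincipals = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
    )
    # Rights that let a principal create or replace files inside the directory
    $WriteMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
                 [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl

    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $acl = Get-Acl -LiteralPath $p
        foreach ($ace in $acl.Access) {
            # Only Allow entries for one of the broad principals are interesting
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            # Skip ACEs that carry no write-type bit at all (e.g. read-only access)
            if (($ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $p
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage: check C:\Windows\Temp plus two other locations commonly found writable
Get-BroadWriteAccess -Path 'C:\Windows\Temp', 'C:\Windows\Tasks', 'C:\Temp' | Format-Table -AutoSize
```

An empty result for a path means no broad principal holds write-type rights there; a row for BUILTIN\Users on C:\Windows\Temp is the expected default and is what the note above relies on.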
