🫨Windows Privilege Escalation
The general goal of Windows privilege escalation is to extend the access we already have on a system to that of a member of the local Administrators group or of the NT AUTHORITY\SYSTEM (LocalSystem) account.
We may need to escalate privileges for one of the following reasons:
1. When testing a client's gold image Windows workstation and server build for flaws
2. To escalate privileges locally to gain access to some local resource such as a database
3. To gain NT AUTHORITY\SYSTEM level access on a domain-joined machine to gain a foothold into the client's Active Directory environment
4. To obtain credentials to move laterally or escalate privileges within the client's network
Some of the ways that we can escalate privileges are:
- Abusing Windows group privileges
- Abusing Windows user privileges
- Bypassing User Account Control
- Abusing weak service/file permissions
- Leveraging unpatched kernel exploits
- Credential theft
- Traffic capture
- and more.
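Before handing the host to an automated enumerator, it is worth spot-checking three of the vectors above by hand: token privileges (user privileges), local group membership (group privileges), and services with unquoted paths or writable binaries (weak service/file permissions). The script below is an added example written for these notes, not code from the original page or from any of the tools listed later; the set of "abusable" privileges it flags and the regexes it uses are assumptions, and it is meant to be run as the low-privileged user you are escalating from.

```powershell
# Added triage script (not from the original notes). Run as the low-privileged user.

# --- 1. User privileges: token rights that commonly lead to SYSTEM -----------------
# Assumption: these are the rights worth flagging; extend as needed.
$abusable = @('SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeBackupPrivilege',
              'SeRestorePrivilege', 'SeDebugPrivilege', 'SeTakeOwnershipPrivilege',
              'SeLoadDriverPrivilege', 'SeManageVolumePrivilege')
# whoami /priv prints a table; keep rows starting with a privilege name and split on
# runs of whitespace to get Name and State. A Disabled privilege is still held by the
# token and can be enabled by the process, so both states are reported.
$privs = whoami /priv |
    Where-Object { $_ -match '^Se\w+Privilege' } |
    ForEach-Object {
        $cols = $_ -split '\s{2,}'
        [pscustomobject]@{ Name = $cols[0]; State = $cols[-1] }
    }
"[*] Token privileges worth a closer look:"
$privs | Where-Object { $abusable -contains $_.Name } | Format-Table -AutoSize | Out-String

# --- 2. Group privileges: local groups the current token belongs to ----------------
"[*] Local (BUILTIN) group memberships:"
whoami /groups | Where-Object { $_ -match '^BUILTIN\\' } | ForEach-Object { ($_ -split '\s{2,}')[0] }

# --- 3. Weak service/file permissions: unquoted paths and writable binaries --------
$me    = [Security.Principal.WindowsIdentity]::GetCurrent()
$myIds = @($me.Name) + @($me.Groups | ForEach-Object {
    try { $_.Translate([Security.Principal.NTAccount]).Value } catch { $null } })

function Get-ServiceImagePath([string]$PathName) {
    # Strip arguments: the image is the quoted first token, or everything up to ".exe".
    if ($PathName -match '^"([^"]+)"')  { return $Matches[1] }
    if ($PathName -match '^(.*?\.exe)') { return $Matches[1] }
    return $PathName
}

foreach ($svc in Get-CimInstance Win32_Service) {
    if (-not $svc.PathName) { continue }
    $image = Get-ServiceImagePath $svc.PathName

    # Unquoted path with a space outside C:\Windows: the service control manager tries
    # each prefix ("C:\Program.exe", "C:\Program Files\Some.exe", ...) before the real binary.
    if ($svc.PathName -notmatch '^"' -and $image -match ' ' -and $image -notmatch '^[A-Za-z]:\\Windows\\') {
        "[!] Unquoted service path: $($svc.Name) -> $($svc.PathName) (start: $($svc.StartMode), runs as $($svc.StartName))"
    }

    # Binary writable by the current user or one of its groups: it can be replaced and
    # executed in the service's security context on the next start.
    if (Test-Path -LiteralPath $image) {
        $acl  = Get-Acl -LiteralPath $image -ErrorAction SilentlyContinue
        $weak = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $myIds -contains $_.IdentityReference.Value -and
            $_.FileSystemRights -match 'Write|Modify|FullControl'
        })
        if ($weak.Count -gt 0) {
            "[!] Writable service binary: $($svc.Name) -> $image ($(($weak | ForEach-Object { $_.IdentityReference.Value }) -join ', '))"
        }
    }
}
```

The service checks only look at the image path itself; a directory earlier in an unquoted path being writable, or a writable service configuration (the service object's own DACL), are separate findings that tools such as PowerUp and SharpUp also cover.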
Below is a list of useful binaries and scripts:
Tool | Description
---|---
Seatbelt | C# project for performing a wide variety of local privilege escalation checks
winPEAS | WinPEAS is a script that searches for possible paths to escalate privileges on Windows hosts. All of the checks it performs are explained in its documentation
PowerUp | PowerShell script for finding common Windows privilege escalation vectors that rely on misconfigurations. It can also be used to exploit some of the issues found
SharpUp | C# version of PowerUp
 | PowerShell script for enumerating privilege escalation vectors written in PowerShell 2.0
SessionGopher | SessionGopher is a PowerShell tool that finds and decrypts saved session information for remote access tools. It extracts PuTTY, WinSCP, SuperPuTTY, FileZilla, and RDP saved session information
Watson | Watson is a .NET tool designed to enumerate missing KBs and suggest exploits for privilege escalation vulnerabilities
LaZagne | Tool used for retrieving passwords stored on a local machine from web browsers, chat tools, databases, Git, email, memory dumps, PHP, sysadmin tools, wireless network configurations, internal Windows password storage mechanisms, and more
WES-NG | WES-NG is a tool based on the output of Windows'
Pre-compiled binaries of Seatbelt and SharpUp, and standalone binaries of LaZagne, are also available, so these do not have to be built before being transferred to the target.
When no other writable directory turns up, C:\Windows\Temp is usually a safe place to upload tools, because by default the BUILTIN\Users group is allowed to create files there. Confirm this on the target with `icacls C:\Windows\Temp` before relying on it, since hardened images may have changed the default ACL.
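A quick way to settle the question on a given host is to try the write rather than trust the ACL listing. The script below is an added example for these notes, not code from the original page; the candidate directory list is an assumption and should be extended with anything found during enumeration.

```powershell
# Added example (not from the original notes): verify drop locations before uploading
# tooling. Candidate list is an assumption; add directories found during enumeration.
$candidates = @(
    'C:\Windows\Temp',
    'C:\Windows\Tasks',
    'C:\Users\Public',
    $env:TEMP
)

function Test-DropLocation([string]$Dir) {
    if (-not (Test-Path -LiteralPath $Dir)) { return $null }

    # Authoritative test: actually create and delete a file. Reading the DACL alone can
    # mislead (explicit Deny ACEs, inheritance flags, "special" rights such as CreateFiles).
    $probe = Join-Path $Dir ('probe_{0}.tmp' -f [guid]::NewGuid().ToString('N'))
    try {
        [IO.File]::WriteAllText($probe, 'x')
        Remove-Item -LiteralPath $probe -Force
        $canWrite = $true
    } catch { $canWrite = $false }

    # Can the directory also be listed? A directory may allow creating files while
    # denying enumeration, in which case dropped files must be tracked by name.
    try {
        Get-ChildItem -LiteralPath $Dir -Force -ErrorAction Stop | Out-Null
        $canList = $true
    } catch { $canList = $false }

    # Summarise ACEs granting create/write rights to broad principals. The pattern
    # includes CreateFiles/AppendData so that "special" write rights are not missed.
    $grants = @()
    try {
        $grants = (Get-Acl -LiteralPath $Dir -ErrorAction Stop).Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference -match 'Users|Everyone|INTERACTIVE' -and
                $_.FileSystemRights -match 'CreateFiles|AppendData|Write|Modify|FullControl'
            } | ForEach-Object { '{0}: {1}' -f $_.IdentityReference, $_.FileSystemRights }
    } catch { $grants = @('(DACL not readable)') }

    [pscustomobject]@{
        Path     = $Dir
        CanWrite = $canWrite
        CanList  = $canList
        Grants   = ($grants -join '; ')
    }
}

$candidates | ForEach-Object { Test-DropLocation $_ } | Where-Object { $_ } | Format-Table -AutoSize
```

The probe write is the result to trust; the Grants column is there to explain why a write succeeded or failed and to spot ACLs that differ from the default.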