@sharpicx
Forked from dumpmycode/WinPrivEsc.md
Created April 10, 2022 18:56
Windows Privilege Escalation notes

First, gather more information about the system.

  • systeminfo, whoami /priv*, set or echo %username%

    • Check for hotfixes, OS name, version, architecture, environment variables and system type (VM). Then look for vulnerabilities that apply to that system.
  • reg query HKLM /f password /t REG_SZ /s, wmic or sc query

    • Check the PowerShell version, and see whether we can run reg query, wmic or sc commands for further information on the system.

*Privilege escalation by abusing token privileges (foxglovesecurity blog). Privileges required to escalate:

  • SeImpersonatePrivilege
  • SeAssignPrimaryTokenPrivilege
  • SeTcbPrivilege
  • SeBackupPrivilege
  • SeRestorePrivilege
  • SeCreateTokenPrivilege
  • SeLoadDriverPrivilege
  • SeTakeOwnershipPrivilege
  • SeDebugPrivilege
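
For reviewing which accounts hold any of the privileges listed above, the following is an added example (not part of the original notes) that parses saved `whoami /priv /fo csv` output and reports matches. The account names and sample output are constructed, and the function names are hypothetical.

```python
import csv
import io

# Privileges from the list above. Windows reports the assign-primary-token
# right as SeAssignPrimaryTokenPrivilege.
SENSITIVE = {p.lower() for p in (
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege",
    "SeTcbPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
    "SeCreateTokenPrivilege", "SeLoadDriverPrivilege",
    "SeTakeOwnershipPrivilege", "SeDebugPrivilege",
)}

# Constructed sample of `whoami /priv /fo csv` output for a service account.
SAMPLE = '''"Privilege Name","Description","State"
"SeAssignPrimaryTokenPrivilege","Replace a process level token","Disabled"
"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"
"SeImpersonatePrivilege","Impersonate a client after authentication","Enabled"
"SeCreateGlobalPrivilege","Create global objects","Enabled"
'''


def audit_privileges(csv_text):
    """Return [(privilege, state)] for each listed privilege in the token.

    Columns are read by position (name first, state last) so a localized
    header row does not matter. A privilege shown as Disabled is still held
    by the token, so it is reported along with its state.
    """
    findings = []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 3:
            continue  # blank or malformed line
        name, state = row[0].strip(), row[-1].strip()
        if name.lower() in SENSITIVE:
            findings.append((name, state))
    return findings


def flagged_accounts(outputs):
    """Map account -> findings, keeping only accounts with at least one hit."""
    report = {acct: audit_privileges(text) for acct, text in outputs.items()}
    return {acct: hits for acct, hits in report.items() if hits}


if __name__ == "__main__":
    # Constructed account name; in practice the text comes from collected output.
    for acct, hits in flagged_accounts({"svc-web": SAMPLE}).items():
        for name, state in hits:
            print(f"{acct}: {name} ({state})")
```
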

Items to explore:

  • deleting advanced command line logging in Windows
  • port redirection
  • ways to exfil data in windows