Windows Privilege Escalation
Automated Enumeration
git clone https://github.com/pentestmonkey/windows-privesc-check.git
windows-privesc-check2.exe -h
windows-privesc-check2.exe --dump -G
Information Gathering
What's the OS? What version? What architecture?
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
Who are we? Where are we?
whoami
net user <username>
dir
Who uses the box? What users? (And which ones have a valid shell)
whoami /groups
net user
What's currently running on the box? What active network services are there?
tasklist /SVC
ipconfig /all
route print
netstat -ano
What's installed? What kernel is being used?
dir "C:\Program Files"
dir "C:\Program Files (x86)"
wmic product get name, version, vendor
wmic qfe get Caption, Description, HotFixID, InstalledOn
Check Scheduled Tasks
schtasks /query /fo LIST /v
Readable/Writable Files and Directories
accesschk.exe -uws "Everyone" "C:\Program Files"
Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}
Check Users Privilege
net localgroup administrators
Add Local Admin User
net user /add pentest Pass
net localgroup administrators pentest /add
Run CMD as Admin
powershell.exe Start-Process cmd.exe -Verb runAs
Binaries That AutoElevate
reg query HKLM /f pass /t REG_SZ /s
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
Device Drivers and Kernel Modules
powershell
driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path
Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}
Last updated
Was this helpful?