yuyudhn's notes
  • About
  • 🚉QUICKSTART
    • Prerequisite
    • Reconnaissance
    • Exploitation
    • Post Exploitation
    • ⛈️Misc
  • 🪟Active Directory
    • Basic Command
    • Enumeration
      • PowerView
    • Service Exploitation
      • LDAP
      • SMB
        • MS17-010
      • MSSQL
    • Privilege Escalation
      • Unquoted Service Path
      • UAC Bypass
      • Token Abuse
    • Post Exploitation
      • Tunneling with Ligolo-ng
    • Credential Hunting
      • Group Policy Preferences
      • DPAPI
  • MITRE ATT&CK
    • Defense Evasion
      • Physical Attack: Remove EDR
      • AMSI Bypass
    • Credential Access
      • Dump SAM Hashes via Registry
  • 🐧Linux
    • Misc
    • Linux Post Exploitation
    • Linux Password Hunting
  • 🐚Backdoor Stuff
    • Simple PHP Webshell
    • MSFvenom Generate Payload
  • 📳Mobile Pentest: iOS
    • iOS Penetration Testing
    • Objection
  • 🕸️Web Application
    • Common Applications
      • Tomcat
      • Joomla
    • SSTI
    • File Inclusion
    • XSS
    • Misc
  • 🖊️Machine Writeup
    • HackTheBox
      • Perfection
      • Pilgrimage
      • PC
      • Shoppy
      • GoodGames
      • Photobomb
      • Support
Powered by GitBook
On this page
  • Labs
  • Tools and Checklists
  • WinPEAS
  • UACME
  • PowerUp
  • PrivescCheck

Was this helpful?

  1. Active Directory

Privilege Escalation

Windows Privilege Escalation Checks

Privilege escalation checks on Windows involve examining various aspects of the system and its configuration to identify potential vulnerabilities or misconfigurations that could be exploited to elevate privileges.

Labs

  • THM: Windows PrivEsc Arena

  • THM: Windows PrivEsc

  • THM: Bypassing UAC

Tools and Checklists

Here are some common tools and checks used for privilege escalation on Windows systems:

WinPEAS

Windows Privilege Escalation Awesome Scripts

  • https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS

  • Invoke-WinPEAS

UACME

UAC Bypass

  • https://github.com/yuyudhn/UACME-bin

  • https://github.com/hfiref0x/UACME

PowerUp

PowerUp.ps1 is a program that enables a user to perform quick checks against a Windows machine for any privilege escalation opportunities. It is not a comprehensive check against all known privilege escalation techniques, but it is often a good place to start when you are attempting to escalate local privileges.

  • PowerUp.ps1

  • Advanced PowerUp.ps1 Usage

  • HackTricks: PowerUp

powershell -ep bypass
. .\PowerUp.ps1
Invoke-AllChecks

PrivescCheck

This script aims to identify Local Privilege Escalation (LPE) vulnerabilities that are usually due to Windows configuration issues, or bad practices. It can also gather useful information for some exploitation and post-exploitation tasks.

  • https://github.com/itm4n/PrivescCheck

# Basic checks
powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Risky"
# Extended checks
powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report PrivescCheck_$($env:COMPUTERNAME) -Format TXT,HTML"
# All checks
powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Audit -Report PrivescCheck_$($env:COMPUTERNAME) -Format TXT,HTML"

Note: This page is incomplete and will be regularly updated. If you have any ideas or resources that need to be added, please contact me at yuyudhn@gmail.com.

PreviousMSSQLNextUnquoted Service Path

Last updated 9 months ago

Was this helpful?

🪟