Checklist - Local Windows Privilege Escalation

https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#kernel-exploits

Last updated 5 years ago

Best tool to look for Windows local privilege escalation vectors: WinPEAS

Vulnerable Kernel?

  • Search for kernel exploits using scripts (post/windows/gather/enum_patches, post/multi/recon/local_exploit_suggester, sherlock, watson)
  • Use Google to search for kernel exploits
  • Use searchsploit to search for kernel exploits
  • Any vulnerable driver?

Logging/AV enumeration

  • Check for credentials in environment variables
  • Check LAPS
  • Check Audit and WEF settings
  • Check if any AV is running

User Privileges

  • Check current user privileges
  • Check if you have any of these tokens enabled: SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege
  • What is inside the Clipboard?

Network

  • Check current network information
  • Check hidden local services restricted to the outside

Vulnerable Software or Processes?

  • Is any unknown software running?
  • Is any software running with more privileges than it should have?
  • Search for exploits for running processes (especially if they run old versions)
  • What is running on startup or is scheduled? Can you modify the binary?
  • Can you read some interesting process memory (where passwords could be saved)?
  • Can you dump the memory of any process to extract passwords?
  • Do you have write permissions over the binaries executed by the processes?

Services

  • Can you modify any service?
  • Can you modify the binary that is executed by any service?
  • Can you modify the registry of any service?
  • Can you take advantage of some unquoted service binary path?

DLL Hijacking

  • Do you have write permissions over the folder of a binary being executed, so as to perform a DLL Hijacking?
  • Can you write in any folder inside PATH?
  • Is there any known service binary that tries to load a non-existent DLL?
  • Can you write in some binary's folder?

Credentials

  • Windows Vault credentials that you could use?
  • Interesting DPAPI credentials?
  • Wifi networks?
  • Credentials inside "known files"? Inside the Recycle Bin? In home?
  • Registry with credentials?
  • Inside Browser data (dbs, history, bookmarks....)?
  • AppCmd.exe exists? Credentials?
  • SCClient.exe? DLL Side Loading?
  • Cloud credentials?

AlwaysInstallElevated

  • Is this enabled?

Is vulnerable WSUS?

  • Is it vulnerable?

Write Permissions

  • Are you able to write files that could grant you more privileges?

UAC Bypass

  • There are several ways to bypass the UAC
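As an added example (not code from the HackTricks page, from this repository, or from WinPEAS), the following PowerShell script audits four of the checklist items above on the local host from a hardening-review standpoint: the two AlwaysInstallElevated registry values, services with unquoted binary paths, folders in PATH that the current user can write to, and which of the listed token privileges the current token holds. The function names, the exclusion of services under the Windows directory, and the probe-file method for testing writability are my own choices and are not prescribed by the page; apart from a zero-byte probe file that is created and immediately deleted in each PATH folder, the script changes nothing.

```powershell
# Added example, not code from the HackTricks page or from WinPEAS.
# Read-only audit of four checklist items on the local host; the only write
# is a zero-byte probe file created and immediately deleted in each PATH folder.

function Test-AlwaysInstallElevated {
    # The policy only takes effect when BOTH the machine and user values are 1.
    $keys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
        'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    )
    $values = foreach ($k in $keys) {
        $v = (Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        if ($null -eq $v) { 0 } else { [int]$v }
    }
    [pscustomobject]@{
        Check   = 'AlwaysInstallElevated'
        Enabled = ($values[0] -eq 1 -and $values[1] -eq 1)   # $true means "fix this"
        HKLM    = $values[0]
        HKCU    = $values[1]
    }
}

function Get-UnquotedServicePath {
    # The Service Control Manager resolves an unquoted path containing spaces one
    # fragment at a time, so every such service is a finding to quote and fix.
    # Services under the Windows directory are skipped (assumption: system-managed, low noise).
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^"' -and $_.PathName -notmatch '(?i)^[a-z]:\\windows\\' } |
        ForEach-Object {
            # Keep only the executable part (up to and including ".exe"); arguments may legitimately contain spaces.
            $exe = $_.PathName -replace '(?i)^(.*?\.exe).*$', '$1'
            if ($exe -match ' ') {
                [pscustomobject]@{
                    Check     = 'UnquotedServicePath'
                    Service   = $_.Name
                    RunsAs    = $_.StartName
                    StartMode = $_.StartMode
                    Path      = $_.PathName
                }
            }
        }
}

function Get-WritablePathDirectory {
    # A folder in %PATH% that the current user can write to is a DLL search-order
    # hijacking candidate. Probe by creating and removing an empty file.
    foreach ($dir in ($env:Path -split ';' | Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) })) {
        $probe = Join-Path -Path $dir -ChildPath ([System.IO.Path]::GetRandomFileName())
        try {
            [System.IO.File]::WriteAllText($probe, '')
            Remove-Item -LiteralPath $probe -Force
            [pscustomobject]@{ Check = 'WritablePathDir'; Directory = $dir }
        } catch {
            # Access denied: the folder is not writable by this user, which is the desired state.
        }
    }
}

function Get-SensitivePrivilege {
    # Token privileges named on the checklist. whoami /priv reports each as
    # Enabled or Disabled; a Disabled privilege is still held by the token.
    $watch = @('SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeTcbPrivilege',
               'SeBackupPrivilege', 'SeRestorePrivilege', 'SeCreateTokenPrivilege',
               'SeLoadDriverPrivilege', 'SeTakeOwnershipPrivilege', 'SeDebugPrivilege')
    whoami /priv | ForEach-Object {
        $line = $_.Trim()
        foreach ($p in $watch) {
            if ($line -match "^$p\s") {
                [pscustomobject]@{ Check = 'Privilege'; Name = $p; State = ($line -split '\s+')[-1] }
            }
        }
    }
}

# Collect everything into one report; sections with no findings contribute nothing.
$report = @(Test-AlwaysInstallElevated) + @(Get-UnquotedServicePath) + @(Get-WritablePathDirectory) + @(Get-SensitivePrivilege)
$report | Format-List
```

Run it in an ordinary (non-elevated) PowerShell session on the host under review, because that is the context the checklist asks about; a result of Enabled = True for AlwaysInstallElevated, any UnquotedServicePath entry running as LocalSystem, or any WritablePathDir entry is a misconfiguration to remediate (delete both registry values, quote the ImagePath, tighten the folder ACL), and the Privilege entries show what the account's token can do regardless of the other findings.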