I have obtained a standard user account on Windows. Now what?
This is a question I see people ask frequently on the Discord/Slack/Mattermost servers I hang out on. It comes from people working on CTF exercises (Hack the Box), OSCP/PWK studies, and pentesting in general. The answer, of course, is that you need to enumerate the system and find a way to become Admin.
The methodology for how you actually do this varies widely and depends on your specific environment and circumstances.
Windows Privilege Escalation to the Rescue
Here are some useful resources on what to do next in your given situation, after you have successfully exploited your way onto a Windows box, but before you have the system administrator role. I collected these links, snippets, and exploits during my OSCP studies, saving them in a massive OneNote notebook. Rather than letting them sit there where no one but me can access them, I thought I’d share.
Some of these get pretty detailed, and some of them have links to yet even more resources on this topic.
Have fun…this rabbit hole runs deep!
Privesc Resources
Updated 11.11.18: A new resource I came across that looks pretty awesome:
Windows-Privilege-Escalation-Guide
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
Elevating privileges by exploiting weak folder permissions
http://www.greyhathacker.net/?p=738/
Encyclopedia of Windows Privesc (video)
https://www.youtube.com/watch?v=kMG8IsCohHA&feature=youtu.be
Windows Privesc Fundamentals
http://www.fuzzysecurity.com/tutorials/16.html
Windows Privesc Cheatsheet
https://it-ovid.blogspot.com/2012/02/windows-privilege-escalation.html
Windows Privesc Check
A script that automates checking for common misconfigurations and vulnerabilities that can be exploited to escalate privileges:
http://pentestmonkey.net/tools/windows-privesc-check
Common Windows Privesc Vectors
https://www.toshellandback.com/2015/11/24/ms-priv-esc/
Windows Post-Exploitation Command List
http://www.handgrep.se/repository/cheatsheets/postexploitation/WindowsPost-Exploitation.pdf
WCE and Mimikatz in Memory over Meterpreter
https://justinelze.wordpress.com/2013/03/25/wce-and-mimikatz-in-memory-over-meterpreter/
Windows Privesc – includes tips and more resource links, on GitHub
https://github.com/togie6/Windows-Privesc
Do you have any Windows Privesc resources you think should go here? Comment below and I will add them.