Windows Privilege Escalation

Manual Checks

A list of useful commands to perform manual privilege escalation on Windows operating system.

Windows Version and Configuration

Get system info

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

List all env variables

set
Get-ChildItem Env: | ft Key,Value

List all drives

Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"} | ft Name,Root

User Enumeration

Get current username

echo %USERNAME% || whoami
$env:username

List user privileges and group memberships

whoami /priv
whoami /groups

List all users

net user
whoami /all
Get-LocalUser | ft Name,Enabled,LastLogon
Get-ChildItem C:\Users -Force | select Name

Get details about a specific user, e.g. administrator

net user <user-name>

List all local groups

net localgroup
Get-LocalGroup | ft Name

Get details about a group, e.g. administrators

net localgroup administrators
Get-LocalGroupMember Administrators | ft Name, PrincipalSource

Get the Domain Controllers for a domain

nltest /DCLIST:<Domain-Name>
nltest /DCNAME:<Domain-Name>

Network Enumeration

List all network interfaces, IP, and DNS

ipconfig /all
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft

List current routing table

route print
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex

List ARP table

arp -a
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State

List all current connections and listening ports, with owning PIDs

netstat -ano

List all network shares

net share

EoP - Processes Enumeration and Tasks

Windows OS

What processes and services are running?

tasklist /v
net start
sc query
Get-Service
Get-Process
Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize

Processes running as SYSTEM

tasklist /v /fi "username eq system"
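The two process checks above can be folded into a single audit that resolves each process owner and flags SYSTEM processes whose image does not live under the Windows directory; a SYSTEM-owned binary in an unusual location is the kind of thing a reviewer wants surfaced rather than buried in a full tasklist. This is an added example written for this page, not a command from the original cheat sheet; it uses the CIM cmdlets (the modern replacement for Get-WmiObject) and assumes only that %SystemRoot% is set, which it always is on Windows.

```powershell
# Added example: inventory running processes with their owner and flag
# SYSTEM-owned processes whose executable sits outside %SystemRoot%.
$systemRoot = $env:SystemRoot

$procs = Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.Name -notlike 'svchost*' } |
    ForEach-Object {
        # GetOwner() returns the token's Domain\User. It fails for protected
        # processes, in which case we record the failure instead of stopping.
        $owner = try {
            $o = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
            if ($o.ReturnValue -eq 0) { "$($o.Domain)\$($o.User)" } else { '<unknown>' }
        } catch { '<access denied>' }

        [pscustomobject]@{
            Name  = $_.Name
            PID   = $_.ProcessId
            Owner = $owner
            Path  = $_.ExecutablePath
            # True when the process runs as SYSTEM but its image is not under
            # the Windows directory. ExecutablePath is null for the System
            # process itself, so guard before calling StartsWith.
            OutsideSystemRoot = ($owner -eq 'NT AUTHORITY\SYSTEM') -and
                                $_.ExecutablePath -and
                                -not $_.ExecutablePath.StartsWith($systemRoot, 'OrdinalIgnoreCase')
        }
    }

# Full inventory, comparable to tasklist /v but with a resolved owner column.
$procs | Format-Table Name, PID, Owner, Path -AutoSize

# Only the SYSTEM processes that warrant a closer look.
$procs | Where-Object OutsideSystemRoot | Format-Table Name, PID, Path -AutoSize
```

Run it from an elevated prompt to get owners for every process; from a standard user account the flagged list will be incomplete because GetOwner is denied on processes belonging to other users.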

Check whether PowerShell is available, and which engine version

REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion

List installed programs

Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name

Enumerate scheduled tasks

schtasks /query /fo LIST 2>nul | findstr TaskName
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
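The Get-ScheduledTask line above shows only name, path and state. For a review of what actually runs with elevated rights, the principal (RunAs account, run level, logon type) and the action each task launches matter more. The following is an added example for this page, not part of the original cheat sheet; it joins the task definition with Get-ScheduledTaskInfo and emits one row per action, so tasks with several actions are not collapsed into one.

```powershell
# Added example: list non-Microsoft scheduled tasks with the account they run
# as and the program each action starts. One row per action.
$tasks = Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft*' } |
    ForEach-Object {
        $task = $_
        $info = $task | Get-ScheduledTaskInfo
        foreach ($action in $task.Actions) {
            [pscustomobject]@{
                TaskName  = $task.TaskName
                TaskPath  = $task.TaskPath
                State     = $task.State
                RunAs     = $task.Principal.UserId
                RunLevel  = $task.Principal.RunLevel    # Limited or Highest
                LogonType = $task.Principal.LogonType
                # COM-handler actions have no Execute/Arguments; these stay empty.
                Execute   = $action.Execute
                Arguments = $action.Arguments
                LastRun   = $info.LastRunTime
                NextRun   = $info.NextRunTime
            }
        }
    }

# Everything non-Microsoft, sorted by the account it runs under.
$tasks | Sort-Object RunAs, TaskName |
    Format-Table TaskName, RunAs, RunLevel, Execute, Arguments -AutoSize

# Only tasks that run as SYSTEM or with the highest available privileges.
$tasks | Where-Object { $_.RunAs -match 'SYSTEM' -or $_.RunLevel -eq 'Highest' } |
    Format-Table TaskName, RunAs, RunLevel, Execute, LastRun -AutoSize
```

Reading task definitions outside your own user's folder generally requires an elevated session; without it the cmdlet silently returns fewer tasks.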

IIS web.config files

Get-ChildItem -Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
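Finding the web.config files is half the check; the other half is whether their connectionStrings sections are protected. ASP.NET's aspnet_regiis -pe encryption leaves a configProtectionProvider attribute on the section, so its presence distinguishes an encrypted section from credentials stored in cleartext. This added example (not from the original post) performs that audit for every web.config under a site root. It reports counts and yes/no flags only and never prints a connection string, so the report itself does not copy secrets around. The C:\inetpub root is an assumption matching the command above; adjust it for sites hosted elsewhere.

```powershell
# Added example: audit web.config files for encrypted vs. cleartext
# connectionStrings. Values are never displayed, only their protection state.
$root = 'C:\inetpub'   # assumption: default IIS root, change for other site roots

Get-ChildItem -Path $root -Include web.config -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_.FullName
        $cfg  = New-Object System.Xml.XmlDocument
        try {
            $cfg.Load($file)
        } catch {
            [pscustomobject]@{ File = $file; Status = 'unparseable'; ConnStrings = 0; Encrypted = $null; CleartextPassword = $null }
            return   # 'return' inside ForEach-Object moves on to the next file
        }

        $cs = $cfg.SelectSingleNode('/configuration/connectionStrings')
        if (-not $cs) {
            [pscustomobject]@{ File = $file; Status = 'no connectionStrings'; ConnStrings = 0; Encrypted = $null; CleartextPassword = $null }
            return
        }

        # Encrypted sections carry configProtectionProvider and contain
        # EncryptedData instead of <add> entries.
        $encrypted = $cs.HasAttribute('configProtectionProvider')
        $entries   = @($cs.SelectNodes('add'))
        $hasPwd    = $false
        if (-not $encrypted) {
            # Cleartext section: does any entry embed a password/pwd token?
            $hasPwd = [bool]($entries | Where-Object {
                $_.GetAttribute('connectionString') -match '(?i)\b(password|pwd)\s*='
            })
        }

        [pscustomobject]@{
            File              = $file
            Status            = 'ok'
            ConnStrings       = $entries.Count
            Encrypted         = $encrypted
            CleartextPassword = $hasPwd
        }
    } | Format-Table -AutoSize
```

A connectionStrings element that points at an external file via configSource is reported with zero entries here; extend the XPath to follow that attribute if your sites use it.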

WiFi Passwords

List saved wireless profiles (SSIDs)

netsh wlan show profile

Show a profile's stored key in cleartext

netsh wlan show profile <SSID> key=clear

This post is licensed under CC BY 4.0 by the author.