OSCP
Search…
Checklist - Local Windows Privilege Escalation
https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#kernel-exploits
Checklist - Local Windows Privilege Escalation
- Search for kernel exploits using scripts (post/windows/gather/enum_patches, post/multi/recon/local_exploit_suggester, sherlock, watson )
- Use Google to search for kernel exploits
- Use searchsploit to search for kernel exploits
- Check if you have any of these token enable: SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege ?
- Check hidden local services restricted to the outside
- Is any unknown software running?
- Is any software with more privileges that it should have running?
- Search for exploits for running processes (specially if running of versions)
- Can you read some interesting process memory (where passwords could be saved)?
- Have write permissions over the binaries executed by the processes?
- Have write permissions over the folder of a binary being executed to perform a DLL Hijacking?
- Can you write in any folder inside PATH?
- Is there any known service binary that tries to load any non-existant DLL?
- Can you write in some binaries folder?
- Is this enabled?
- Is it vulnerable?
- Are you able to write files that could grant you more privileges?
- There are several ways to bypass the UAC
​
Last modified 2yr ago
Copy link
Contents
Checklist - Local Windows Privilege Escalation
Best tool to look for Windows local privilege escalation vectors: WinPEAS​
​Vulnerable Kernel?​
​Logging/AV enumeration​
​User Privileges​
​Network​
Vulnerable Software or Processes?
​Services​
​DLL Hijacking​
​Credentials​
​AlwaysInstallElevated​
​Is vulnerable WSUS?​
​Write Permissions​
​UAC Bypass​