OSCP
Search…
OSCP
All About OSCP
OSCP- One Page Repository
About the Author
Basic Linux & Windows Commands
Recon (Scanning & Enumeration)
Web Application
Brute Force
Shells
Transferring files
Priv Escalation
Linux Priv Escalation
Windows Priv Escalation
Fuzzysecurity window priv escalation
Privilege Escalation - Windows
Checklist - Local Windows Privilege Escalation
Post Exploitation
Pivoting
Buffer Overflow
Main Tools
MISC
CheatSheet (Short)
OSCP/ Vulnhub Practice learning
Powered By
GitBook
Checklist - Local Windows Privilege Escalation
https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#kernel-exploits
Checklist - Local Windows Privilege Escalation
Best tool to look for Windows local privilege escalation vectors:
WinPEAS
​
​
Vulnerable Kernel?
​
Search for kernel
exploits using scripts
(
post/windows/gather/enum_patches, post/multi/recon/local_exploit_suggester, sherlock, watson
)
Use
Google to search
for kernel
exploits
Use
searchsploit to search
for kernel
exploits
Any
vulnerable Driver
?
​
Logging/AV enumeration
​
Check for
credentials
in
environment variables
​
Check
LAPS
​
Check
Audit
and
WEF
settings
Check if any
AV
​
​
User Privileges
​
Check
current
user
privileges
​
Check if you have
any of these token enable
:
SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege
?
What is
inside the Clipboard
?
​
Network
​
Check
current
network
information
​
Check
hidden local services
restricted to the outside
Vulnerable
Software
or
Processes
?
Is any
unknown software running
?
Is any software with
more privileges that it should have running
?
Search for
exploits for running processes
(specially if running of versions)
Can you
read
some interesting
process memory
(where passwords could be saved)?
Have
write permissions
over the
binaries
executed by the
processes
?
Have
write permissions
over the
folder
of a binary being executed to perform a
DLL Hijacking
?
What is
running
on
startup
of is
scheduled
? Can you
modify
the binary?
Can you
dump
the
memory
of any
process
to extract
passwords
?
​
Services
​
​
Can you
modify any service
?
​
​
Can you
modify
the
binary
that is
executed
by any
service
?
​
​
Can you
modify
the
registry
of any
service
?
​
​
Can you take advantage of some
unquoted service
binary
path
?
​
​
DLL Hijacking
​
Can you
write in any folder inside PATH
?
Is there any known service binary that
tries to load any non-existant DLL
?
Can you
write
in some
binaries folder
?
​
Credentials
​
​
Windows Vault
credentials that you could use?
Interesting
DPAPI credentials
?
​
Wifi netoworks
?
​
Credentials inside "known files"
? Inside the Recycle Bin? In home?
​
Registry with credentials
?
Inside
Browser data
(dbs, history, bookmarks....)?
​
AppCmd.exe
exists
? Credentials?
​
SCClient.exe
? DLL Side Loading?
​
Cloud credentials
?
​
AlwaysInstallElevated
​
Is this
enabled
?
​
Is vulnerable WSUS?
​
Is it
vulnerable
?
​
Write Permissions
​
Are you able to
write files that could grant you more privileges
?
​
UAC Bypass
​
There are several ways to bypass the UAC
​
Previous
Privilege Escalation - Windows
Next
Post Exploitation
Last modified
2yr ago
Copy link
On this page
Checklist - Local Windows Privilege Escalation
Best tool to look for Windows local privilege escalation vectors: WinPEAS​
​Vulnerable Kernel?​
​Logging/AV enumeration​
​User Privileges​
​Network​
Vulnerable Software or Processes?
​Services​
​DLL Hijacking​
​Credentials​
​AlwaysInstallElevated​
​Is vulnerable WSUS?​
​Write Permissions​
​UAC Bypass​