OSCP
Search…
OSCP
All About OSCP
OSCP- One Page Repository
About the Author
Basic Linux & Windows Commands
Recon (Scanning & Enumeration)
Web Application
Brute Force
Shells
Transferring files
Priv Escalation
Linux Priv Escalation
Windows Priv Escalation
Fuzzysecurity window priv escalation
Privilege Escalation - Windows
Checklist - Local Windows Privilege Escalation
Post Exploitation
Pivoting
Buffer Overflow
Main Tools
MISC
CheatSheet (Short)
OSCP/ Vulnhub Practice learning
Powered By
GitBook
Checklist - Local Windows Privilege Escalation
https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#kernel-exploits
Checklist - Local Windows Privilege Escalation
Best tool to look for Windows local privilege escalation vectors:
WinPEAS
Vulnerable Kernel?
Search for kernel
exploits using scripts
(
post/windows/gather/enum_patches, post/multi/recon/local_exploit_suggester, sherlock, watson
)
Use
Google to search
for kernel
exploits
Use
searchsploit to search
for kernel
exploits
Any
vulnerable Driver
?
Logging/AV enumeration
Check for
credentials
in
environment variables
Check
LAPS
Check
Audit
and
WEF
settings
Check if any
AV
User Privileges
Check
current
user
privileges
Check if you have
any of these token enable
:
SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege
?
What is
inside the Clipboard
?
Network
Check
current
network
information
Check
hidden local services
restricted to the outside
Vulnerable
Software
or
Processes
?
Is any
unknown software running
?
Is any software with
more privileges that it should have running
?
Search for
exploits for running processes
(specially if running of versions)
Can you
read
some interesting
process memory
(where passwords could be saved)?
Have
write permissions
over the
binaries
executed by the
processes
?
Have
write permissions
over the
folder
of a binary being executed to perform a
DLL Hijacking
?
What is
running
on
startup
of is
scheduled
? Can you
modify
the binary?
Can you
dump
the
memory
of any
process
to extract
passwords
?
Services
Can you
modify any service
?
Can you
modify
the
binary
that is
executed
by any
service
?
Can you
modify
the
registry
of any
service
?
Can you take advantage of some
unquoted service
binary
path
?
DLL Hijacking
Can you
write in any folder inside PATH
?
Is there any known service binary that
tries to load any non-existant DLL
?
Can you
write
in some
binaries folder
?
Credentials
Windows Vault
credentials that you could use?
Interesting
DPAPI credentials
?
Wifi netoworks
?
Credentials inside "known files"
? Inside the Recycle Bin? In home?
Registry with credentials
?
Inside
Browser data
(dbs, history, bookmarks....)?
AppCmd.exe
exists
? Credentials?
SCClient.exe
? DLL Side Loading?
Cloud credentials
?
AlwaysInstallElevated
Is this
enabled
?
Is vulnerable WSUS?
Is it
vulnerable
?
Write Permissions
Are you able to
write files that could grant you more privileges
?
UAC Bypass
There are several ways to bypass the UAC
Previous
Privilege Escalation - Windows
Next
Post Exploitation
Last modified
1yr ago
Copy link
Contents
Checklist - Local Windows Privilege Escalation
Best tool to look for Windows local privilege escalation vectors: WinPEAS
Vulnerable Kernel?
Logging/AV enumeration
User Privileges
Network
Vulnerable Software or Processes?
Services
DLL Hijacking
Credentials
AlwaysInstallElevated
Is vulnerable WSUS?
Write Permissions
UAC Bypass