Checklist - Local Windows Privilege Escalation
https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#kernel-exploits

Best tool to look for Windows local privilege escalation vectors: WinPEAS

    Search for kernel exploits using scripts (post/windows/gather/enum_patches, post/multi/recon/local_exploit_suggester, sherlock, watson)
    Use Google to search for kernel exploits
    Use searchsploit to search for kernel exploits

Network

Vulnerable Software or Processes?

    Is any unknown software running?
    Is any software running with more privileges than it should have?
    Search for exploits for running processes (especially if running old versions)
    Can you read some interesting process memory (where passwords could be saved)?
    Do you have write permissions over the binaries executed by the processes?
    Do you have write permissions over the folder of a binary being executed, to perform a DLL Hijacking?
    What is running on startup or is scheduled? Can you modify the binary?
    Can you dump the memory of any process to extract passwords?

Services

    Can you write in any folder inside PATH?
    Is there any known service binary that tries to load any nonexistent DLL?
    Can you write in some binaries folder?
    Is this enabled?
    Is it vulnerable?
    Are you able to write files that could grant you more privileges?
    There are several ways to bypass the UAC