HackTricks

HT Training HT Cloud HT Tools Sponsor Linkedin X

≡

HT Training Cloud HT HT Tools Sponsor Linkedin X

Translations ▾

Afrikaans Chinese English French German Greek Hindi Italian Japanese Korean Polish Portuguese Serbian Spanish Swahili Turkish Ukrainian

📚

☀

☾

<<

Checklist - Local Windows Privilege Escalation

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na fanya mazoezi ya Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE) Vinjari katalogi kamili ya HackTricks Training kwa ajili ya njia za assessment (ARTA/GRTA/AzRTA) na Linux Hacking Expert (LHE).

Support HackTricks

Angalia subscription plans!

Jiunge na 💬 Discord group, telegram group, fuata @hacktricks_live kwenye X/Twitter, au angalia LinkedIn page na YouTube channel.

Shiriki hacking tricks kwa kutuma PRs kwenye HackTricks na HackTricks Cloud github repos.

Zana bora zaidi la kutafuta vectors za Windows local privilege escalation: WinPEAS

System Info

Pata System information
Tafuta exploits za kernel ukitumia scripts
Tumia Google kutafuta exploits za kernel
Tumia searchsploit kutafuta exploits za kernel
Kuna info ya kuvutia katika env vars?
Passwords katika PowerShell history?
Kuna info ya kuvutia katika Internet settings?
Drives?
WSUS exploit?
Third-party agent auto-updaters / IPC abuse
AlwaysInstallElevated?

Logging/AV enumeration

Angalia mipangilio ya Audit na WEF
Angalia LAPS
Angalia kama WDigest iko active
LSA Protection?
Credentials Guard?
Cached Credentials?
Angalia kama kuna AV yoyote
AppLocker Policy?
UAC
Admin Protection / UIAccess silent elevation?
Secure Desktop accessibility registry propagation (RegPwn)?
User Privileges
Angalia current user privileges
Je, wewe ni member of any privileged group?
Angalia kama una tokens hizi zozote enabled: SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege ?
Angalia kama una SeManageVolumePrivilege ili kusoma raw volumes na kupita file ACLs
Users Sessions?
Angalia users homes (access?)
Angalia Password Policy
Ni nini ndani ya Clipboard?

Network

Angalia network information ya current
Angalia hidden local services zilizozuiliwa kutoka nje

Running Processes

Binaries za processes: file and folders permissions
Memory Password mining
Insecure GUI apps
Chukua credentials kwa kutumia interesting processes kupitia ProcDump.exe ? (firefox, chrome, etc …)

Services

Je, unaweza modify any service?](windows-local-privilege-escalation/index.html#permissions)
Je, unaweza modify binary inayotekelezwa na service yoyote?](windows-local-privilege-escalation/index.html#modify-service-binary-path)
Je, unaweza modify registry ya service yoyote?](windows-local-privilege-escalation/index.html#services-registry-modify-permissions)
Je, unaweza kunufaika na unquoted service binary path yoyote?](windows-local-privilege-escalation/index.html#unquoted-service-paths)
Service Triggers: enumerate and trigger privileged services

Applications

Write permissions on installed applications
Startup Applications
Drivers zenye vulnerable

DLL Hijacking

Unaweza write katika folder yoyote ndani ya PATH?
Je, kuna service binary inayojulikana ambayo inajaribu kupakia DLL ambayo haipo?
Unaweza write katika folder yoyote ya binaries?

Network

Enumerate network (shares, interfaces, routes, neighbours, …)
Angalia kwa umakini network services zinazosikiliza kwenye localhost (127.0.0.1)

Windows Credentials

Winlogon credentials
Windows Vault credentials ambazo unaweza kutumia?
Kuna DPAPI credentials za kuvutia?
Passwords za Wifi networks zilizohifadhiwa?
Kuna info ya kuvutia katika saved RDP Connections?
Passwords katika recently run commands?
Passwords za Remote Desktop Credentials Manager?
AppCmd.exe ipo? Credentials?
SCClient.exe? DLL Side Loading?

Files and Registry (Credentials)

Putty: Creds na SSH host keys
SSH keys in registry?
Passwords katika unattended files?
Backup yoyote ya SAM & SYSTEM?
Ikiwa SeManageVolumePrivilege ipo, jaribu raw-volume reads kwa SAM, SYSTEM, DPAPI material, na MachineKeys
Cloud credentials?
Faili ya McAfee SiteList.xml?
Cached GPP Password?
Password katika IIS Web config file?
Kuna info ya kuvutia katika web logs?
Je, unataka ask for credentials kutoka kwa user?
files ndani ya Recycle Bin za kuvutia?
Nyingine registry containing credentials?
Ndani ya Browser data (dbs, history, bookmarks, …)?
Generic password search katika files na registry
Tools za kutafuta passwords kiotomatiki

Leaked Handlers

Je, una access kwa handler yoyote ya process inayoendeshwa na administrator?

Pipe Client Impersonation

Angalia kama unaweza kuitumia vibaya

References

Project Zero - Bypassing Administrator Protection by Abusing UI Access
MDSec - RIP RegPwn

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na fanya mazoezi ya Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE) Vinjari katalogi kamili ya HackTricks Training kwa ajili ya njia za assessment (ARTA/GRTA/AzRTA) na Linux Hacking Expert (LHE).

Support HackTricks

Angalia subscription plans!

Jiunge na 💬 Discord group, telegram group, fuata @hacktricks_live kwenye X/Twitter, au angalia LinkedIn page na YouTube channel.

Shiriki hacking tricks kwa kutuma PRs kwenye HackTricks na HackTricks Cloud github repos.