Course: Privilege Escalation Windows

Lessons
Fundamentals
  01 Windows Post-Exploitation Enumeration (45 min)
  02 Unquoted Service Paths (50 min)
Registry & Installers
  03 AlwaysInstallElevated (45 min)
  04 Registry Misconfigurations (48 min)
DLL & Services
  05 DLL Hijacking (58 min)
  06 Weak Service Permissions (52 min)
Token Abuse
  07 SeImpersonatePrivilege (55 min)
  08 Token Impersonation (50 min)
Advanced Techniques
  09 Autorun & Startup Abuse (45 min)
  10 Credential Dumping Windows (58 min)

Lesson 01: Windows Post-Exploitation Enumeration

Systematic enumeration is the key to effective privilege escalation on Windows. Before exploiting anything, you must map the environment.

[Figure: Windows privilege escalation enumeration map, covering identity and privileges, services, registry, tokens, DLL search order, and patch level.]
Treat privesc like a map: enumerate boundaries first, then validate the weakest link.

User and System Context

```cmd
:: Current user; /all adds privileges, group memberships and SIDs
whoami
whoami /all
:: System information, then only the OS and hotfix lines (with /B the Hotfix match is the
:: count line only; the individual KB entries are indented and appear in the full output)
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"Hotfix"
:: Architecture (x86 or AMD64 decides which binaries and exploits you bring over)
echo %PROCESSOR_ARCHITECTURE%
:: Environment variables; a writable directory early in PATH matters for binary and DLL hijacks
set
echo %PATH%
```

Current Account Privileges

```cmd
:: List every privilege held by the token (look for SeImpersonate, SeDebug, etc.).
:: "Disabled" does not mean absent: the token still holds the privilege and the process
:: can switch it on, so a disabled entry counts just as much as an enabled one.
whoami /priv
:: Interesting privileges:
::   SeImpersonatePrivilege   → Potato attacks (impersonate a SYSTEM token)
::   SeDebugPrivilege         → Read the memory of privileged processes (e.g. lsass)
::   SeBackupPrivilege        → Read any file regardless of its ACL (e.g. SAM/SYSTEM hives)
::   SeRestorePrivilege       → Write any file regardless of its ACL
::   SeTakeOwnershipPrivilege → Take ownership of files and registry keys, then rewrite the ACL
::   SeLoadDriverPrivilege    → Load kernel drivers
```
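The same triage in PowerShell, as an added example that is not part of the original lesson: it parses the CSV form of `whoami /priv`, keeps only the privileges worth acting on, and reports their state. The function name `Get-PrivilegeTriage` and the `-Text` parameter are mine; the privilege-to-technique table restates the list above plus `SeAssignPrimaryTokenPrivilege`, which the Potato tools accept as an alternative to `SeImpersonatePrivilege`. The sample output at the bottom is constructed, modelled on an IIS application pool identity.

```powershell
# Added example (not from the lesson). Parses `whoami /priv /fo csv`; pass -Text to
# parse captured output offline, otherwise the function runs whoami itself.
function Get-PrivilegeTriage {
    param([string[]]$Text)

    # Privilege -> why it matters (the lesson's list plus SeAssignPrimaryTokenPrivilege)
    $interesting = @{
        'SeImpersonatePrivilege'        = 'Potato attacks: coerce SYSTEM to authenticate, impersonate its token'
        'SeAssignPrimaryTokenPrivilege' = 'Same Potato family, via CreateProcessAsUser'
        'SeDebugPrivilege'              = 'Read or inject into privileged processes (e.g. lsass)'
        'SeBackupPrivilege'             = 'Read any file, including the SAM and SYSTEM hives'
        'SeRestorePrivilege'            = 'Write any file, including service binaries'
        'SeTakeOwnershipPrivilege'      = 'Take ownership of objects, then rewrite their ACL'
        'SeLoadDriverPrivilege'         = 'Load a signed but vulnerable kernel driver'
    }

    if (-not $Text) { $Text = whoami /priv /fo csv }
    # /fo csv prints a header row "Privilege Name","Description","State" then one row per privilege;
    # the filter drops anything that is not a quoted CSV line.
    $rows = $Text | Where-Object { $_ -match '^"' } | ConvertFrom-Csv

    foreach ($row in $rows) {
        $name = $row.'Privilege Name'
        if (-not $interesting.ContainsKey($name)) { continue }
        [pscustomobject]@{
            Privilege = $name
            # "Disabled" still means held: any process can enable it with AdjustTokenPrivileges.
            State     = $row.State
            Technique = $interesting[$name]
        }
    }
}

# Constructed sample of `whoami /priv /fo csv` output (not captured from a real host).
$sample = @(
    '"Privilege Name","Description","State"'
    '"SeAssignPrimaryTokenPrivilege","Replace a process level token","Disabled"'
    '"SeIncreaseQuotaPrivilege","Adjust memory quotas for a process","Disabled"'
    '"SeAuditPrivilege","Generate security audits","Disabled"'
    '"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"'
    '"SeImpersonatePrivilege","Impersonate a client after authentication","Enabled"'
    '"SeCreateGlobalPrivilege","Create global objects","Enabled"'
)
Get-PrivilegeTriage -Text $sample | Format-Table -AutoSize

# On a live host, simply:
# Get-PrivilegeTriage | Format-Table -AutoSize
```

With the constructed sample the function returns two rows, `SeAssignPrimaryTokenPrivilege` (Disabled) and `SeImpersonatePrivilege` (Enabled); both are usable, which is exactly the point of not filtering on State.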

Users and Groups

```cmd
:: Local users
net user
net user administrator
:: Local groups, then the members of the groups that matter
net localgroup
net localgroup Administrators
net localgroup "Remote Desktop Users"
:: Logged-in users and their sessions (who else is on this box right now)
query user
query session
```

Services and Processes

```cmd
:: Running services only (sc query defaults to state= active)
sc query
:: Every service including stopped ones (the space after "=" is required by sc)
sc query state= all
:: Configuration of one service: binary path (check for unquoted paths), start type, account
sc qc ServiceName
:: The same fields for all services in one table
wmic service get name,pathname,startmode,startname
:: Running processes; /v adds the owning user (look for SYSTEM)
tasklist
tasklist /v
```

```powershell
# Same information from PowerShell
Get-Service
# Get-Process objects carry no owner (Get-Process -IncludeUserName needs an elevated shell);
# ask CIM instead, where GetOwner() lives. A blank User means the process could not be
# queried as the current user, which usually means it runs as SYSTEM or another account.
Get-CimInstance Win32_Process |
    Select-Object Name, ProcessId,
        @{N='User'; E={ ($_ | Invoke-CimMethod -MethodName GetOwner -ErrorAction SilentlyContinue).User }}
```
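An added example, not code from the lesson, that turns the service listing above into the triage a practitioner actually does at this stage: extract each service's binary path, flag paths that are unquoted and contain a space, and test whether the current user can write to the binary's directory. The helpers `Get-ServiceBinaryPath`, `Test-DirectoryWritable` and `Get-ServiceExposure` are mine. Exploiting the findings is Lessons 02 and 06; this only lists them.

```powershell
# Added example (not from the lesson). Enumerates services via CIM and flags the two
# conditions the lesson tells you to look for.

function Get-ServiceBinaryPath {
    param([Parameter(Mandatory)][string]$PathName)
    # Quoted path: everything between the first pair of double quotes.
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted: everything up to and including the first ".exe" followed by whitespace or end,
    # so "C:\Windows\system32\svchost.exe -k netsvcs" yields just the executable.
    if ($PathName -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    # No .exe at all: fall back to the first whitespace-delimited token.
    return ($PathName.Trim() -split '\s+')[0]
}

function Test-DirectoryWritable {
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    # Probe by creating and deleting an empty file. This is reliable but leaves a file-creation
    # event behind; an ACL-based check (Get-Acl) is quieter if stealth matters.
    $probe = Join-Path -Path $Directory -ChildPath ([IO.Path]::GetRandomFileName())
    try {
        [IO.File]::WriteAllBytes($probe, [byte[]]@())
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

function Get-ServiceExposure {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName } |          # some entries have no binary path at all
        ForEach-Object {
            $exe = Get-ServiceBinaryPath -PathName $_.PathName
            $dir = Split-Path -Path $exe -Parent
            # Unquoted-path risk needs both: no leading quote AND a space inside the exe path.
            $unquoted = ($_.PathName -notmatch '^\s*"') -and ($exe -match '\s')
            $writable = if ($dir) { Test-DirectoryWritable -Directory $dir } else { $false }
            [pscustomobject]@{
                Name              = $_.Name
                StartName         = $_.StartName     # account the service runs as
                StartMode         = $_.StartMode
                State             = $_.State
                BinaryPath        = $exe
                UnquotedWithSpace = $unquoted
                WritableBinaryDir = $writable
            }
        }
}

# Usage: show only the services worth a second look.
Get-ServiceExposure |
    Where-Object { $_.UnquotedWithSpace -or $_.WritableBinaryDir } |
    Format-Table -AutoSize

# Offline check of the path parser on constructed PathName strings (not from a real host):
Get-ServiceBinaryPath -PathName '"C:\Program Files\Vendor\svc.exe" --service'   # C:\Program Files\Vendor\svc.exe
Get-ServiceBinaryPath -PathName 'C:\Program Files\Vendor\svc.exe --service'     # same path, but unquoted
Get-ServiceBinaryPath -PathName 'C:\Windows\system32\svchost.exe -k netsvcs'    # C:\Windows\system32\svchost.exe
```

`StartName` matters as much as the path: a writable binary for a service running as `LocalSystem` is a full escalation, while one running as a low-privileged virtual account is only a lateral step.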

Registry — Sensitive Keys

```cmd
:: AlwaysInstallElevated: exploitable only if BOTH values exist and are DWORD 1
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
:: Credentials stored in the registry (slow: walks the entire hive)
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
:: AutoLogon credentials: look at AutoAdminLogon, DefaultUserName, DefaultPassword
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
```
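The two registry checks above as PowerShell functions that return objects instead of raw `reg query` text. This is an added example, not the lesson's code; `Test-AlwaysInstallElevated` and `Get-AutoLogonCredential` are names I chose. The keys and value names are the ones listed above.

```powershell
# Added example (not from the lesson): structured versions of the registry checks.

function Test-AlwaysInstallElevated {
    # The policy only takes effect when BOTH the machine and the user value are DWORD 1;
    # either one set on its own does nothing, so report both and the combined verdict.
    $hklmKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $hkcuKey = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    # -ErrorAction SilentlyContinue: a missing key or value simply yields $null
    $hklm = (Get-ItemProperty -Path $hklmKey -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    $hkcu = (Get-ItemProperty -Path $hkcuKey -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    [pscustomobject]@{
        HKLM        = $hklm
        HKCU        = $hkcu
        Exploitable = ($hklm -eq 1 -and $hkcu -eq 1)
    }
}

function Get-AutoLogonCredential {
    $winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $winlogon = Get-ItemProperty -Path $winlogonKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AutoAdminLogon    = $winlogon.AutoAdminLogon      # "1" when automatic logon is on
        DefaultDomainName = $winlogon.DefaultDomainName
        DefaultUserName   = $winlogon.DefaultUserName
        # Cleartext only when an admin stored it here. If AutoAdminLogon is "1" but this
        # is empty, the password is in the LSA secret "DefaultPassword", readable as SYSTEM.
        DefaultPassword   = $winlogon.DefaultPassword
    }
}

Test-AlwaysInstallElevated
Get-AutoLogonCredential
```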

Sensitive Files

```cmd
:: Search the whole drive for files with 'password', 'credential' or 'unattend' in the name
:: (the backslash after C: matters; without it dir searches from the current directory)
dir /s /b C:\*password* 2>nul
dir /s /b C:\*credential* 2>nul
dir /s /b C:\*unattend* 2>nul
:: Common configuration files that hold cleartext or base64-encoded credentials
type C:\Windows\Panther\Unattend.xml
type C:\Windows\Panther\Unattended.xml
type C:\inetpub\wwwroot\web.config
:: SAM and SYSTEM hives (local credentials). The live copies are locked and unreadable
:: without SYSTEM or SeBackupPrivilege; backup copies sometimes are not.
dir /s /b C:\SAM 2>nul
:: C:\Windows\System32\config\SAM
:: C:\Windows\System32\config\SYSTEM
:: Backups worth trying: C:\Windows\Repair\SAM and C:\Windows\System32\config\RegBack\SAM
```
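An added example, not part of the lesson, that answers the second flashcard in code: it walks the answer-file locations, pulls every `<Password>` or `<AdministratorPassword>` element, and decodes the non-plaintext ones. Windows Setup stores such a value as base64 of the UTF-16LE password with the element name (`Password` or `AdministratorPassword`) appended, which is what `ConvertFrom-UnattendPassword` reverses. The path list is the lesson's two Panther files plus the other locations usually checked (an assumption about where answer files are left, not a guarantee); the function names and the sample XML at the bottom are mine.

```powershell
# Added example (not from the lesson): find and decode credentials in unattend/sysprep files.

function ConvertFrom-UnattendPassword {
    param([Parameter(Mandatory)][string]$Base64, [Parameter(Mandatory)][string]$ElementName)
    # Setup encodes UTF-16LE(password + element name); strip the suffix after decoding.
    $text = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
    if ($text.EndsWith($ElementName)) { return $text.Substring(0, $text.Length - $ElementName.Length) }
    return $text
}

function Find-UnattendPassword {
    param([Parameter(Mandatory)][xml]$Document, [string]$Label = '<inline>')
    # local-name() sidesteps the urn:schemas-microsoft-com:unattend default namespace.
    $nodes = $Document.SelectNodes('//*[local-name()="Password" or local-name()="AdministratorPassword"]')
    foreach ($node in $nodes) {
        $valueNode = $node.SelectSingleNode('*[local-name()="Value"]')
        if (-not $valueNode) { continue }
        $plainNode = $node.SelectSingleNode('*[local-name()="PlainText"]')
        # A missing <PlainText> is treated as plaintext; "false" means base64-encoded.
        $isPlain = (-not $plainNode) -or ($plainNode.InnerText.Trim() -ieq 'true')
        $value = $valueNode.InnerText.Trim()
        $password = if ($isPlain) { $value } else { ConvertFrom-UnattendPassword -Base64 $value -ElementName $node.LocalName }
        [pscustomobject]@{ Source = $Label; Element = $node.LocalName; Password = $password }
    }
}

function Get-UnattendPassword {
    param([string[]]$Path = @(
        'C:\Windows\Panther\Unattend.xml',
        'C:\Windows\Panther\Unattended.xml',
        'C:\Windows\Panther\Unattend\Unattend.xml',
        'C:\Windows\System32\Sysprep\sysprep.xml',
        'C:\Windows\System32\Sysprep\unattend.xml',
        'C:\unattend.xml'))
    foreach ($file in $Path) {
        if (-not (Test-Path -LiteralPath $file -PathType Leaf)) { continue }
        try { [xml]$doc = Get-Content -LiteralPath $file -Raw -ErrorAction Stop } catch { continue }
        Find-UnattendPassword -Document $doc -Label $file
    }
}

# Constructed sample (not from a real host): an AutoLogon block whose password "Passw0rd"
# is stored the way Setup stores it, base64(UTF-16LE("Passw0rd" + "Password")).
[xml]$sample = @'
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Username>Administrator</Username>
        <Enabled>true</Enabled>
        <Password>
          <Value>UABhAHMAcwB3ADAAcgBkAFAAYQBzAHMAdwBvAHIAZAA=</Value>
          <PlainText>false</PlainText>
        </Password>
      </AutoLogon>
    </component>
  </settings>
</unattend>
'@
Find-UnattendPassword -Document $sample    # Element = Password, Password = Passw0rd
Get-UnattendPassword                       # live host: walks the path list above
```

Answer files are often left behind after imaging and are world-readable by default, which is why they rank so high on this checklist; the "encoding" is reversible by anyone, so treat an encoded value exactly like a cleartext one.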

Network and Connections

```cmd
:: Network interfaces (a second NIC means a second network to pivot into)
ipconfig /all
:: Active connections and listening ports with the owning PID. Services bound only to
:: 127.0.0.1 are invisible from outside but reachable, and attackable, from this host.
netstat -ano
:: ARP table (other hosts on the network)
arp -a
:: Routes
route print
```

Automated Enumeration Tools

| Tool | Description | Command |
|------|-------------|---------|
| WinPEAS | Comprehensive colored enumeration (Windows equivalent of LinPEAS). | `.\winPEAS.exe` |
| Seatbelt | Targeted security enumeration. | `.\Seatbelt.exe all` |
| PowerUp | PowerShell privesc automation. | `Import-Module .\PowerUp.ps1; Invoke-AllChecks` |
| SharpUp | C# version of PowerUp. | `.\SharpUp.exe audit` |

Defender and most EDR products flag the stock builds of all four on disk; if a tool disappears the moment you drop it, fall back to the manual commands above, which are what the tools run anyway.

Flashcards

- Which Windows privileges are the most exploitable for privilege escalation?
- What is the Unattend.xml file and why can it contain credentials?

Exercises

Exercise 1 — Build a Windows privesc checklist

  1. On a Windows VM, run whoami /all and list the privileges the token holds (enabled or disabled; both count)
  2. Check for SeImpersonatePrivilege (often present on IIS service accounts)
  3. Run WinPEAS: .\winPEAS.exe and review highlighted sections
  4. Search for credentials in the registry: reg query HKLM /f password /t REG_SZ /s
  5. Check for Unattend.xml files: dir /s /b C:\*unattend* 2>nul

Open Questions

Question 1 — Why is enumeration the key in Windows privesc?

Next Lesson

With enumeration complete, the next lesson exploits one of the classic Windows privilege escalation vectors: Unquoted Service Paths.
