mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-14 00:47:24 +00:00
10 KiB
10 KiB
Checklist - Local Windows Privilege Escalation
{% hint style="success" %}
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: 
HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Best tool to look for Windows local privilege escalation vectors: WinPEAS
System Info
- Obtain System information
- Search for kernel exploits using scripts
- Use Google to search for kernel exploits
- Use searchsploit to search for kernel exploits
- Interesting info in env vars?
- Passwords in PowerShell history?
- Interesting info in Internet settings?
- Drives?
- WSUS exploit?
- AlwaysInstallElevated?
Logging/AV enumeration
- Check Audit and WEF settings
- Check LAPS
- Check if WDigest is active
- LSA Protection?
- Credentials Guard?
- Cached Credentials?
- Check if any AV
- AppLocker Policy?
- UAC
- User Privileges
- Check current user privileges
- Are you member of any privileged group?
- Check if you have any of these tokens enabled: SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege ?
- Users Sessions?
- Check users homes (access?)
- Check Password Policy
- What is inside the Clipboard?
Network
- Check current network information
- Check hidden local services restricted to the outside
Running Processes
- Processes binaries file and folders permissions
- Memory Password mining
- Insecure GUI apps
- Steal credentials with interesting processes via
ProcDump.exe? (firefox, chrome, etc ...)
Services
- Can you modify any service?
- Can you modify the binary that is executed by any service?
- Can you modify the registry of any service?
- Can you take advantage of any unquoted service binary path?
Applications
- Write permissions on installed applications
- Startup Applications
- Vulnerable Drivers
DLL Hijacking
- Can you write in any folder inside PATH?
- Is there any known service binary that tries to load any non-existant DLL?
- Can you write in any binaries folder?
Network
- Enumerate the network (shares, interfaces, routes, neighbours, ...)
- Take a special look at network services listening on localhost (127.0.0.1)
Windows Credentials
- Winlogon credentials
- Windows Vault credentials that you could use?
- Interesting DPAPI credentials?
- Passwords of saved Wifi networks?
- Interesting info in saved RDP Connections?
- Passwords in recently run commands?
- Remote Desktop Credentials Manager passwords?
- AppCmd.exe exists? Credentials?
- SCClient.exe? DLL Side Loading?
Files and Registry (Credentials)
- Putty: Creds and SSH host keys
- SSH keys in registry?
- Passwords in unattended files?
- Any SAM & SYSTEM backup?
- Cloud credentials?
- McAfee SiteList.xml file?
- Cached GPP Password?
- Password in IIS Web config file?
- Interesting info in web logs?
- Do you want to ask for credentials to the user?
- Interesting files inside the Recycle Bin?
- Other registry containing credentials?
- Inside Browser data (dbs, history, bookmarks, ...)?
- Generic password search in files and registry
- Tools to automatically search for passwords
Leaked Handlers
- Have you access to any handler of a process run by administrator?
Pipe Client Impersonation
- Check if you can abuse it
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.