OSCP-CPTS NOTES
TwitterGithubLinkedinInstagramDiscord
  • oscp-cpts-notes
  • Pivoting & Tunneling
    • Local Port Forwarding
    • Remote Port Forwarding
    • Dynamic Port Forwarding
    • Ligolo-ng
  • Linux Privilege Escalation
    • Gathering Information of the System
    • Capabilities
    • Group Based
    • SUID Privilege Escalation
    • Cron Job
    • Exploiting NFS weak Permission
    • Sudo + LD_PRELOAD (Shared Libraries)
    • Shared Object Manipulation
    • Python Library Hijacking
  • Windows Privilege Escalation
    • Gathering Information of the System
    • User Privileges
      • SeImpersonatePrivilege and SeAssignPrimaryToken
      • SeDebugPrivilege
      • SeTakeOwnershipPrivilege
    • Group Privileges
      • Backup Operators
      • DnsAdmins
      • Server Operators
      • Always Install Elevated
      • Print Operators
      • Event Log Readers
      • Hyper-V Administrators
    • Credential Theft
  • Active Directory Attacks
    • Enumeration
    • Initial Foothold
    • Gathering Users & Password Policies
    • Password Spraying
    • Credentialed Enumeration From Linux
    • Credentialed Enumeration From Windows
    • Kerberoasting - From Linux
    • Kerberoasting - From Windows
  • Beyond OSCP - CPTS
    • RED TEAMING
      • Windows Local Persistence
        • Tampering With Unprivileged Accounts
        • Backdooring Files
        • Abusing Services
        • Abusing Scheduled Tasks
        • Logon Triggered Persistence
        • Backdooring the Login Screen / RDP
        • Persisting Through Existing Services
Powered by GitBook
On this page
  • 1. Network & System Information
  • 2. User & Privilege Enumeration
  • 3. Security Tools & Configuration
  • 4. Named Pipes & Permission Enumeration
  • 5. Environment Variables & Other Useful Commands

Was this helpful?

Edit on GitHub
  1. Windows Privilege Escalation

Gathering Information of the System

1. Network & System Information

  • Network Configuration:

    • ipconfig /all → View detailed network interface configurations (IP, DNS, etc.).

    • arp -a → Display ARP cache (shows local network devices).

    • route print → View the system's routing table.

  • Service Information:

    • tasklist /svc → List all running processes along with their services.

    • netstat -ano → Display active TCP/UDP connections and listening ports with process IDs.

  • System Info:

    • systeminfo → Get a comprehensive overview of the system (OS version, architecture, hotfixes, etc.).

    • wmic product get name → List installed software via the command line.

      • Get-WmiObject -Class Win32_Product | select Name, Version → List installed software via PowerShell.

2. User & Privilege Enumeration

  • Current User & Privileges:

    • whoami /priv → List current user privileges.

    • whoami /groups → List group memberships for the current user.

    • net user → Get a list of all user accounts.

    • query user → Display logged-in users on the system.

  • Groups & Password Policies:

    • net localgroup → List all local groups.

    • net localgroup "Backup Operators" → List users in the Backup Operators group.

    • net accounts → View password policies and other account-related configurations.

3. Security Tools & Configuration

  • Windows Defender:

    • Get-MpComputerStatus → Check the status of Windows Defender (active, signatures, etc.).

  • AppLocker:

    • Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections → List effective AppLocker rules.

    • Test-AppLockerPolicy -Path C:\Windows\System32\cmd.exe -User Everyone → Test if a specific executable (cmd.exe) can be run for a specific user.

4. Named Pipes & Permission Enumeration

  • Listing Named Pipes:

    • pipelist.exe /accepteula → List all named pipes on the system.

  • Access Rights to Named Pipes:

    • accesschk.exe /accepteula \\.\Pipe\lsass -v → Check permissions for a specific named pipe (e.g., LSASS pipe).

    • accesschk.exe /accepteula -w \\.\Pipe\SQLLocal\SQLEXPRESS01 -v → Check write access for a SQL pipe.

5. Environment Variables & Other Useful Commands

  • View Environment Variables:

    • set → Display environment variables for the current session.

PreviousWindows Privilege EscalationNextUser Privileges

Last updated 7 months ago

Was this helpful?