Windows Privilege Escalation

Finding and exploiting Windows vulnerabilities and misconfigurations to gain an administrator shell.

Last updated 2022-01-10 | 4.8


What you'll learn

- Multiple methods for escalating privileges on a Windows system.
- In-depth explanations of why and how these methods work.
- Tools which can help identify potential privilege escalation vulnerabilities on a Windows system.
- A setup script you can run on a (free) trial version of Windows 10 to create an intentionally vulnerable VM to practice privilege escalation on.

Requirements

* A basic understanding of Windows systems
* A familiarity with hacking tools such as Kali Linux and Metasploit / msfvenom

Description

This course teaches privilege escalation in Windows, from basics such as how permissions work, to in-depth coverage and demonstrations of actual privilege escalation techniques. The course comes with a full set of slides (150+), and a script which students can use to create an intentionally vulnerable Windows 10 configuration to practice their own privilege escalation skills on. This is a 100% privilege escalation course, with absolutely no filler!

Please note that this course is aimed at students currently taking, or planning to take, the OSCP, and thus covers the more common forms of privilege escalation. Some extra methods are included, and more methods may be added in the future; however, this course was not designed to cover every possible (or obscure) method.

Who this course is for:

  • Beginner and intermediate ethical hackers.
  • Students currently taking or planning to take the PWK/OSCP course.

Course content

3 sections • 19 lectures

Introduction (04:15)

An introduction to your lecturer and what the course covers, as well as some basic information about how to read commands in the slides. The slides contain all the information from the video lectures, as well as step-by-step instructions for performing the privilege escalations, and are attached as a downloadable resource to this video, along with the tools.zip archive which will be useful for upcoming demos.

Disclaimer: Several files within the tools.zip archive attached to this lecture may trigger your antivirus software. Please note that none of the files contained within the archive are viruses, spyware, or other malware. Rather, some of the files (e.g. cve-2018-8120-x64.exe, potato.exe, juicypotato.zip, JuicyPotato.exe, RoguePotato.exe, and PrintSpoofer.exe) are exploits which are used in the course to perform some kind of privilege escalation. As known exploits, they tend to trigger antivirus software, which tries to prevent their use.

Lab Setup (05:54)

A guide on how to set up the lab for this course. You should have a copy of Kali Linux (or your preferred pentesting distribution) ready. The lecture involves copying across the setup script from Kali to a Windows 10 VM and running that script in order to (intentionally) misconfigure Windows.

Privilege Escalation in Windows (03:33)

A short overview of permissions and access control in Windows, which is necessary to understand how privilege escalation is possible.

Spawning Administrator Shells (01:42)

This lecture explains how to spawn shells running as the Administrator or SYSTEM user. Note that the reverse.exe binary generated in this lecture is used multiple times in the upcoming demos, so it is recommended that you generate a version suited to your IP address at this point!

Privilege Escalation Tools (05:50)

An overview of five privilege escalation tools: PowerUp, SharpUp, Seatbelt, winPEAS, and accesschk.exe.

Kernel Exploits (04:10)

An overview of kernel exploits, and a demo of the CVE-2018-8120 kernel exploit being used to spawn a SYSTEM shell on Windows 7.

Service Exploits (16:07)

This lecture explains what services are, and then demonstrates five types of service-based privilege escalation: Insecure Service Properties, Unquoted Service Paths, Weak Registry Permissions, Insecure Service Executables, and DLL Hijacking.

Registry Exploits (05:12)

Demonstrating two privilege escalation methods that relate directly to misconfigurations of the Windows Registry.

Passwords (11:34)

Sometimes privilege escalation is as easy as finding the administrator's password, and this lecture will show you some common locations and methods to search for passwords on a Windows system.

Scheduled Tasks (02:16)

Scheduled tasks are hard to find, but if you find a script or program that is run as part of a scheduled task, you may be able to escalate privileges.

Insecure GUI Apps (02:04)

Some GUI apps can be configured to run with admin privileges, and this can almost always lead to popping a shell running with admin privileges too.

Startup Apps (02:29)

Although unlikely to occur in an exam or a CTF, the ability to create startup apps for administrator users can still be useful if you know that an admin will log in at some point.

Installed Apps (02:36)

Using everything you've learned so far in the course, it should be no problem identifying exploits for currently installed applications and using their Exploit-DB entries to escalate your privileges.

Hot Potato (02:26)

This spoofing attack works on older versions of Windows, but it is still worth knowing and seeing in action.

Token Impersonation (10:56)

This lecture discusses Token Impersonation, a common method for escalating privileges when you have a shell running as a service account. It covers the original Rotten Potato exploit, and demos the more recent Juicy Potato, Rogue Potato, and PrintSpoofer exploits.

Port Forwarding (04:07)

Learn how to access internal Windows ports from your Kali VM using this plink.exe trick!

Privilege Escalation Strategy (03:07)

As a way of summarizing the course, this video suggests some useful strategies to follow when performing privilege escalation in a time-limited setting, such as an exam.

getsystem (Named Pipes & Token Duplication) (07:12)

A look into Meterpreter's "getsystem" command, with explanations of Access Tokens, Named Pipes, and Token Duplication.

User Privileges (03:03)

Explaining the concept of "Privileges" in Windows and how some assigned Privileges can be abused to escalate to an admin or SYSTEM user.