# Windows Privilege Escalation

## Identifying Windows Privilege Escalation Vulnerabilities

* In order to elevate your privileges on Windows, you must first identify the privilege escalation vulnerabilities that exist on the target system.
* This process differs greatly based on the type of target you gain access to. Privilege escalation on Windows can be performed through a plethora of techniques, depending on the version of Windows and the system's unique configuration.
* This process can be quite tedious and time-consuming, so it is recommended to automate the process of identifying privilege escalation vulnerabilities. This can be done through the use of various automation scripts.

#### **PrivescCheck**

* [**`PrivescCheck`**](https://github.com/itm4n/PrivescCheck) - This script aims to enumerate common Windows configuration issues that can be leveraged for local privilege escalation. It also gathers various pieces of information that might be useful for exploitation and/or post-exploitation.

#### **MSFconsole Commands:**

* **`exploit/multi/script/web_delivery`** – Generate a web-based payload for exploitation.
* **`post/multi/manage/shell_to_meterpreter`** – Convert a shell session to a Meterpreter session.

#### **PrivescCheck Usage:**

* Execute the following PowerShell command to use PrivescCheck: `powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"`. This command launches PowerShell with the execution policy bypassed, dot-sources the PrivescCheck script so its functions are loaded into the session, and then runs `Invoke-PrivescCheck` to perform the privilege escalation checks.

## Windows Privilege Escalation

**Utilizing Found Windows Passwords for System Login:**

If you discover Windows passwords during privilege escalation, you can use them to log in to the system using the following methods:

1. **`psexec.py administrator@<target_ip>`**: This command uses Impacket's `psexec.py` to establish a remote connection to the target system with the discovered administrator credentials.
2. **`use exploit/windows/smb/psexec`**: Use the specified Metasploit module to execute a payload on a remote Windows system, authenticating with the discovered credentials and running commands on the target.

***

**`Hacker's Mantra:`**`Hackers: rewriting the code of the world.`
