Overview

This post will outline a few of the more common ways to escalate privileges from an low privilege shell on a Windows box.

Missing security patch

We can check if the system is missing a security patch and see if any exploits are available which abuses it.

SeTokenImpersonation and Juicy Potato

If your user has the SeTokenImpersonation token, you can potentially use the JuicyPotato exploit to escalate to SYSTEM.

Unquoted Service Paths

#Requirements

  • Service runs an executable path which is unquoted and has a space
  • Any of the paths resolved from the unquoted path are writable

Exploit

Generate a payload through msfvenom which we can place in the target path.

Modifiable Services

If a service is modifiable, we can have a crafted binary payload run potentially under the context of the SYSTEM account.

Exploit

  1. Generate a payload through msfvenom
  2. Modify service path to point to our payload

Run process as different user

Requirements

  • Credentials or hash for different user available