This post will outline a few of the more common ways to escalate privileges from a low-privilege shell on a Windows box.
Missing security patch
We can check whether the system is missing a security patch and whether any public exploits are available that abuse it.
SeTokenImpersonation and Juicy Potato
If your user has the SeTokenImpersonation token, you can potentially use the JuicyPotato exploit to escalate to SYSTEM.
Unquoted Service Paths
- The service runs an executable whose path is unquoted and contains a space
- One of the paths Windows resolves from the unquoted path is writable
Generate a payload with msfvenom that we can place at the resolved path.
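The following audit script, added here as an example and not part of the original post, lets a defender find exactly the condition described above: services whose ImagePath is unquoted and contains a space, together with the ambiguous prefix paths the loader would try first and whether a standard user could write there. It assumes Windows PowerShell 5.1 or later and should be run from an elevated prompt so every service ACL is readable.

```powershell
# Added audit example (not from the original post). Lists services with an
# unquoted, space-containing ImagePath and reports which of the prefix
# directories Windows would search are writable by low-privilege principals.
$report = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $path = $svc.PathName
    if ([string]::IsNullOrWhiteSpace($path)) { continue }
    # A path that starts with a quote is parsed unambiguously; skip it.
    if ($path.StartsWith('"')) { continue }
    # Keep only the executable part (up to the first ".exe"); if there is no
    # ".exe" the whole string is used, which may over-report arguments.
    $exe = if ($path -match '^(.*?\.exe)') { $Matches[1] } else { $path }
    if ($exe -notmatch ' ') { continue }

    # Candidates the loader tries before the real binary, e.g. for
    # C:\Program Files\My App\svc.exe -> C:\Program.exe, C:\Program Files\My.exe
    $parts = $exe -split ' '
    $candidates = for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
    foreach ($cand in $candidates) {
        $dir = Split-Path -Parent $cand
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        $acl  = Get-Acl -LiteralPath $dir
        # Allow ACEs granting write-class rights to broad, non-admin identities.
        $weak = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference -match 'Everyone|Authenticated Users|BUILTIN\\Users|INTERACTIVE' -and
            $_.FileSystemRights.ToString() -match 'Write|Modify|FullControl|CreateFiles'
        }
        [pscustomobject]@{
            Service        = $svc.Name
            RunsAs         = $svc.StartName
            ImagePath      = $path
            AmbiguousPath  = $cand
            DirWritableBy  = ($weak.IdentityReference -join ', ')
        }
    }
}
$report | Format-Table -AutoSize

# Remediation: quote the executable path so it cannot be misparsed, e.g.
#   sc.exe config <ServiceName> binPath= "\"C:\Program Files\My App\svc.exe\" -args"
# and remove write access for non-admin principals from the listed directories.
```

Any row with a non-empty DirWritableBy column is the combination the post describes (unquoted path plus writable resolved directory) and should be fixed first.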
Modifiable Service Configuration
If a service's configuration is modifiable, we can point it at a crafted binary payload, which then potentially runs in the context of the SYSTEM account.
- Generate a payload through msfvenom
- Modify the service path to point to our payload
Run process as different user
- Credentials or a password hash for a different user are available