Awesome
Windows Local Privilege Escalation Cookbook
<p align="center"> <img width="500" height="350" src="/Pictures/Windows-OS-Funny-2.jpg.png"><br /><br > <img alt="Static Badge" src="https://img.shields.io/badge/Version-2.0-blue?link=https%3A%2F%2Fgithub.com%2Fnickvourd%2FWindows-Local-Privilege-Escalation-Cookbook%2Freleases"> <img alt="Static Badge" src="https://img.shields.io/badge/License-MIT-orange?link=https%3A%2F%2Fgithub.com%2Fnickvourd%2FWindows-Local-Privilege-Escalation-Cookbook%2Fblob%2Fmaster%2FLICENSE"><br /><br /> <img alt="GitHub Repo stars" src="https://img.shields.io/github/stars/nickvourd/Windows-Local-Privilege-Escalation-Cookbook?logoColor=yellow"> <img alt="GitHub forks" src="https://img.shields.io/github/forks/nickvourd/Windows-Local-Privilege-Escalation-Cookbook?logoColor=red"> <img alt="GitHub watchers" src="https://img.shields.io/github/watchers/nickvourd/Windows-Local-Privilege-Escalation-Cookbook?logoColor=green"> </p>Table of Contents
Disclaimer
This repository, "Windows Local Privilege Escalation Cookbook" is intended for educational purposes only. The author bears no responsibility for any illegal use of the information provided herein. Users are urged to use this knowledge ethically and lawfully. By accessing this repository, you agree to use its contents responsibly and in accordance with all applicable laws.
Description (Keynote)
This Cookbook was created with the main purpose of helping people understand local privilege escalation techniques on Windows environments. Moreover, it can be used for both attacking and defensive purposes.
:information_source: This Cookbook focuses only on misconfiguration vulnerabilities on Windows workstations/servers/machines.
:warning: Evasion techniques to bypass security protections, endpoints, or antivirus are not included in this cookbook. I created this PowerShell script, TurnOffAV.ps1, which permanently disables Windows Defender. Run this with local Administrator privileges.
The main structure of this Cookbook includes the following sections for any vulnerability:
- Description
- Lab Setup
- Enumeration
- Exploitation
- Mitigation
- (Useful) References
I hope to find this CookBook useful and learn new stuff 😉.
If you find any bugs, don’t hesitate to report them. Your feedback is valuable in improving the quality of this project!
Definition
Local Privilege Escalation, also known as LPE, refers to the process of elevating user privileges on a computing system or network beyond what is intended, granting unauthorized access to resources or capabilities typically restricted to higher privilege levels. This process occurs when attackers exploit weaknesses, vulnerabilities, or misconfigurations within the operating system, applications, or device drivers. By exploiting these flaws, attackers can bypass security controls and escalate their privileges, potentially gaining control over the system and accessing sensitive data.
Useful Tools
In the following table, some popular and useful tools for Windows local privilege escalation are presented:
Name | Language | Author | Description |
---|---|---|---|
SharpUp | C# | @harmj0y | SharpUp is a C# port of various PowerUp functionality |
PowerUp | PowerShell | @harmj0y | PowerUp aims to be a clearinghouse of common Windows privilege escalation |
BeRoot | Python | AlessandroZ | BeRoot(s) is a post exploitation tool to check common Windows misconfigurations to find a way to escalate our privilege |
Privesc | PowerShell | enjoiz | Windows PowerShell script that finds misconfiguration issues which can lead to privilege escalation |
Winpeas | C# | @hacktricks_live | Windows local Privilege Escalation Awesome Script |
PrivescCheck | PowerShell | @itm4n | Privilege Escalation Enumeration Script for Windows |
PrivKit | C (Applicable for Cobalt Strike) | @merterpreter | PrivKit is a simple beacon object file that detects privilege escalation vulnerabilities caused by misconfigurations on Windows OS |
Vulnerabilities
This Cookbook presents the following Windows vulnerabilities:
- AlwaysInstallElevated
- Answer files (Unattend files)
- Logon Autostart Execution (Registry Run Keys)
- Logon Autostart Execution (Startup Folder)
- Leaked Credentials (GitHub Repository)
- Leaked Credentials (Hardcoded Credentials)
- Leaked Credentials (PowerShell History)
- SeBackupPrivilege
- SeImpersonatePrivilege
- Stored Credentials (Runas)
- UAC Bypass
- Unquoted Service Path
- Weak Service Binary Permissions
- Weak Service Permissions
- Weak Registry Permissions
References
- Privilege Escalation Wikipedia
- SharpCollection GitHub by Flangvik
- Metasploit Official Website
- CrackMapExec GitHub by byt3bl33d3r
- NetExec GitHub by Pennyw0rth
- Evil-WinRM GitHub by Hackplayers
- Windows Privilege Escalation Youtube Playlist by Conda
- Windows Privilege Escalation by Bordergate
- Seatbelt GitHub by GhostPack
- Sysinternals Suite Microsoft
- Impacket GitHub by Forta
- dnSpy GitHub by dnSpyEx
- Java Decompiler Official Website
- CS-Situational-Awareness-BOF GitHub by TrustedSec
- HavocFramework GitHub by C5pider
- LPE Cookbook AutomatedLab Build Template