Best tool to look for Windows local privilege escalation vectors: WinPEAS
- Obtain system information
- Search for kernel exploits using scripts
- Use Google to search for kernel exploits
- Use searchsploit to search for kernel exploits
- Interesting info in env vars?
- Passwords in PowerShell history?
- Interesting info in Internet settings?
- Drives?
- WSUS exploit?
- AlwaysInstallElevated?
- Check Audit and WEF settings
- Check LAPS
- Check if WDigest is active
- LSA Protection?
- Credential Guard?
- Cached credentials?
- Check if any AV is installed
- AppLocker policy?
- UAC?
User Privileges
- Check current user privileges
- Are you a member of any privileged group?
- Check if you have any of these tokens enabled: SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege?
- User sessions?
- Check users' home folders (access?)
- Check password policy
- What is inside the clipboard?
- Check current network information
- Check hidden local services restricted from the outside
- Process binaries: file and folder permissions
- Memory password mining
- Insecure GUI apps
- Can you modify any service?
- Can you modify the binary that is executed by any service?
- Can you modify the registry of any service?
- Can you take advantage of any unquoted service binary path?
Applications
- Write permissions on installed applications
- Startup applications
- Vulnerable drivers
- Can you write in any folder inside PATH?
- Is there any known service binary that tries to load a non-existent DLL?
- Can you write in any binaries folder?
- Enumerate the network (shares, interfaces, routes, neighbours...)
- Take a special look at network services listening only on localhost (127.0.0.1)
- Winlogon credentials
- Windows Vault credentials that you could use?
- Interesting DPAPI credentials?
- Passwords of saved Wi-Fi networks?
- Interesting info in saved RDP connections?
- Passwords in recently run commands?
- Remote Desktop Credentials Manager passwords?
- AppCmd.exe exists? Credentials?
- SCClient.exe? DLL side loading?
- PuTTY: creds and SSH host keys
- SSH keys in registry?
- Passwords in unattended files?
- Any SAM & SYSTEM backup?
- Cloud credentials?
- McAfee SiteList.xml file?
- Cached GPP password?
- Password in IIS web.config file?
- Interesting info in web logs?
- Do you want to ask the user for credentials?
- Interesting files inside the Recycle Bin?
- Other registry keys containing credentials?
- Inside browser data (dbs, history, bookmarks...)?
- Generic password search in files and registry
- Tools to automatically search for passwords
- Do you have access to any handle of a process run by an administrator?
- Check if you can abuse it
If you want to know about my latest modifications/additions or you have any suggestion for HackTricks or PEASS, join the PEASS & HackTricks telegram group, or follow me on Twitter @carlospolopm.
If you want to share some tricks with the community you can also submit pull requests to https://github.com/carlospolop/hacktricks that will be reflected in this book.
Don't forget to give a star on GitHub to motivate me to continue developing this book.