Windows Privilege Escalation

whoami /priv

Cleartext Passwords

There are often cleartext passwords found in the registry. The following is a registry query for the auto-login settings which often contain a cleartext password.

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

Scheduled Tasks and Services

A system may have misconfigured tasks that can be queried using the following command.

schtasks /query /fo list /v

To display running services along with their process identification, use the following command.

tasklist /svc
wmic qfe get Caption,Description,HotFixID,InstalledOn

Microsoft Installer

To abuse the Microsoft Installer, query the registry for the key ‘AlwaysInstallElevated’ with a dword value of ‘1’ in both entries below. Then use msitools

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
apt-get install msitools nodejs npm
npm install -g msi-packager
sc qc upnphost