Windows Privilege Escalation
This room covers Windows privilege escalation from the ground up. Starting as an unprivileged user, you'll learn the Windows privilege architecture (users, groups, SYSTEM vs Administrator), then work through 6 exploitation sections: harvesting passwords from common locations (PowerShell history, web.config, Windows Credentials, registry), abusing scheduled tasks, exploiting service misconfigurations (insecure permissions, unquoted paths, insecure DACL), abusing dangerous token privileges (SeBackup, SeRestore, SeTakeOwnership), and DLL hijacking. Each section has its own flag on the Administrator's or a specific user's desktop.
Skills You Will Learn
Prerequisites
- thm-introtoshells
- thm-windowsfundamentals1xbx
- windows-basics
- powershell-basics
Walkthrough Phases
- Windows Privilege Model: Understand the Windows privilege hierarchy before exploiting it
- Password Harvesting: Find cleartext credentials stored in common Windows locations
- Scheduled Tasks Abuse: Exploit misconfigured scheduled task scripts to run code as SYSTEM or Admin
- Service Misconfigurations: Exploit three types of Windows service misconfiguration to escalate privileges
- Dangerous Token Privileges: Abuse special token privileges to read/write privileged files and escalate to Admin
- DLL Hijacking: Place a malicious DLL in a location loaded by a privileged process
- Additional Techniques & Further Learning: Overview of advanced Windows privesc topics for continued development