Windows Privilege Escalation for Pentesters

Mastering Windows privilege escalation is the critical bridge between gaining an initial foothold on a system and achieving complete administrative control. For penetration testers and red teamers, it transforms a limited user account into a powerful asset, allowing you to access sensitive data, move laterally, and demonstrate the full impact of a breach. This process involves systematically hunting for misconfigurations, weak permissions, and design flaws that developers and administrators often overlook, turning trusted Windows mechanisms against themselves.

Foundational Enumeration: Knowing What to Look For

Before you can exploit anything, you must know what exists on the target system. Blind exploitation is inefficient. Your first step is always thorough enumeration using purpose-built scripts that automate the discovery of common privilege escalation vectors. Two tools are indispensable in a pentester's arsenal for this phase.

PowerUp is a PowerShell script that is part of the PowerSploit framework. It takes a "privesc checklist" approach, checking for a comprehensive set of vulnerabilities local to the Windows machine. When you run it, it examines service binaries, service permissions, registry paths, scheduled tasks, and configuration files, outputting clear findings on potential weaknesses. Its major advantage is that it can often suggest and even execute immediate exploits for identified issues.

WinPEAS (Windows Privilege Escalation Awesome Script) is a more modern, feature-rich enumeration tool available in batch, PowerShell, and C# versions. It goes beyond software misconfigurations to also enumerate system information, network statistics, credential storage, and interesting files. WinPEAS provides color-coded output, highlighting findings based on their potential exploitability (yellow for interesting, red for likely exploitable). It is constantly updated with new checks and is designed to avoid detection by some antivirus solutions. You should run both tools, as one may catch what the other misses.

Service-Based Exploitation Vectors

Windows services run with specific user privileges, often at a high level. Misconfigurations in how these services are configured and executed are prime targets for elevation.

Unquoted Service Paths are a classic vulnerability. When a service path (e.g., C:\Program Files\Vulnerable App\service.exe) is unquoted and contains spaces, the Windows Service Control Manager (SCM) tries to execute the path in a specific way. It will sequentially attempt to run C:\Program.exe, then C:\Program Files\Vulnerable.exe, and finally the correct C:\Program Files\Vulnerable App\service.exe. If you have write permissions to a directory earlier in this path (like C:\ or C:\Program Files\), you can place a malicious executable with the anticipated name (e.g., Vulnerable.exe) and restart the service. The SCM will then run your binary with the service's privileges, which are often SYSTEM.

Weak Service Permissions involve the security settings of the service itself. Using tools like sc.exe or AccessChk from Sysinternals, you might discover that your user account has excessive permissions to modify a service, such as SERVICE_CHANGE_CONFIG. This allows you to change the binpath of the service to point to a command of your choice (e.g., cmd.exe or a reverse shell payload) and then restart it. The service will then execute your specified binary with its privileged context. Always check who can start, stop, and configure services.

Hijacking Execution: DLLs and Tokens

These attacks subvert the normal process of how applications and the operating system load resources and manage security contexts.

DLL Hijacking exploits the Windows DLL search order. When an application loads a Dynamic Link Library (DLL) without specifying an absolute path, Windows searches a list of directories to find it. If an application running with elevated privileges (like an administrator) looks for a DLL in a location where you have write access (e.g., the current directory, C:\Windows\Temp), you can place a malicious DLL with the same name. When the application is launched, it will load your DLL, and its code will execute within the high-privilege process. Finding these opportunities requires checking application manifests, using procmon from Sysinternals to trace DLL loads, or relying on enumeration scripts.

Token Impersonation with Potato Attacks is a more advanced technique targeting Windows features for intra-system communication. The SeImpersonatePrivilege is a powerful privilege often granted to service accounts (like IIS or SQL Server). It allows a process to impersonate any token available to it, including those of higher-privileged users. The infamous "Potato" family of exploits (Hot Potato, Juicy Potato, Sweet Potato, Rogue Potato) tricks the Windows authentication system into creating a privileged Network logon session for the local SYSTEM account and then captures that token for impersonation. If your compromised user has SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege (check with whoami /priv), you can use a tool like Juicy Potato to spawn a process (e.g., a reverse shell) as the NT AUTHORITY\SYSTEM user, achieving the highest possible privilege level.

Registry and Configuration Exploits

The Windows Registry is a database of settings, and certain keys control critical security policies.

AlwaysInstallElevated is a pair of registry settings that, when both are enabled, allow any user on the system to install Microsoft Windows Installer packages (.msi files) with elevated (SYSTEM) privileges. These policies are defined in two locations: HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated and HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated. If both are set to 1 (enabled), it represents a severe misconfiguration. You can create a malicious .msi file using msfvenom or a tool like WinPEAS can generate one for you. When executed, the .msi installer runs with SYSTEM privileges, granting you a full privileged shell. This is a straightforward but highly effective vector when present.

Registry-based Escalation can also occur through other writable registry paths associated with services or auto-run applications. For example, if a service's ImagePath is stored in a registry key (HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>) where your user has write permissions, you can modify it just like changing the binpath via sc.exe. Similarly, writable paths in HKCU\Software\Microsoft\Windows\CurrentVersion\Run can lead to persistence and potential elevation if the user account is an administrator.

Common Pitfalls

Overlooking Subtle Misconfigurations: Relying solely on automated tools without manual verification is a mistake. A script might flag a writable directory, but you must confirm what can be written there (executables?) and if a privileged process uses it. Always follow up automated findings with manual checks using built-in commands like icacls, accesschk.exe, and sc.exe.

Failing to Understand Context and Impact: Not all "SYSTEM" access is equal. Exploiting a service might give you SYSTEM, but within a non-interactive session. You need to know how to translate that into an interactive shell (e.g., using psexec or creating a new service). Furthermore, crashing a critical production service during an assessment is unprofessional. Understand the service's function before restarting it, and test exploits in a controlled manner.

Ignoring Detection and Logging: While the goal is escalation, a skilled blue team will be watching for the signs. Tools like WinPEAS have "stealth" options, but actions like modifying service binaries, writing to protected directories, or installing .msi packages are heavily logged. Where possible, use living-off-the-land binaries (LOLBAS) and more subtle techniques to achieve your goals and avoid triggering alarms prematurely.

Summary

• Systematic Enumeration is Key: Always begin with comprehensive tools like PowerUp and WinPEAS to map the attack surface, including service configurations, file permissions, and user privileges.
• Exploit Service Misconfigurations: Hunt for unquoted service paths and weak service permissions (modifiable binpath) to hijack the execution flow of privileged Windows services.
• Abuse Windows Mechanisms: Leverage DLL hijacking where search orders are insecure, and master token impersonation (e.g., Potato attacks) when the SeImpersonatePrivilege is available to jump to SYSTEM.
• Check for Policy Failures: Identify and exploit registry misconfigurations, most notably the AlwaysInstallElevated policy, which provides a direct route to elevated code execution via .msi packages.
• Privilege Escalation is a Process: It requires patience, thoroughness, and a deep understanding of both offensive techniques and the underlying Windows security architecture you are exploiting.