Skip to content
Permalink
master
Switch branches/tags
Go to file
 
 
Cannot retrieve contributors at this time

Windows-Privilege-Escalation-Resources

Compilation of Resources from TCM's Windows Priv Esc Udemy Course

General Links

Link to Website: https://www.thecybermentor.com/

Links to course:

Link to discord server: https://discord.gg/EM6tqPZ

HackTheBox: https://www.hackthebox.eu/

TryHackMe: https://tryhackme.com/

TryHackMe Escalation Lab: https://tryhackme.com/room/windowsprivescarena

Introduction

Fuzzy Security Guide: https://www.fuzzysecurity.com/tutorials/16.html

PayloadAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md

Absoloom's Guide: https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/

Sushant 747's Guide: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html

Gaining a Foothold

msfvenom: https://netsec.ws/?p=331

Exploring Automated Tools

winpeas: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS

Windows Priv Esc Checklist: https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation

Sherlock: https://github.com/rasta-mouse/Sherlock

Watson: https://github.com/rasta-mouse/Watson

PowerUp: https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc

JAWS: https://github.com/411Hall/JAWS

Windows Exploit Suggester: https://github.com/AonCyberLabs/Windows-Exploit-Suggester

Metasploit Local Exploit Suggester: https://blog.rapid7.com/2015/08/11/metasploit-local-exploit-suggester-do-less-get-more/

Seatbelt: https://github.com/GhostPack/Seatbelt

SharpUp: https://github.com/GhostPack/SharpUp

Escalation Path: Kernel Exploits

Windows Kernel Exploits: https://github.com/SecWiki/windows-kernel-exploits

Kitrap0d Info: https://seclists.org/fulldisclosure/2010/Jan/341

MS10-059: https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS10-059

Escalation Path: Passwords and Port Forwarding

Achat Exploit: https://www.exploit-db.com/exploits/36025

Achat Exploit (Metasploit): https://www.rapid7.com/db/modules/exploit/windows/misc/achat_bof

Plink Download: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

Escalation Path: Windows Subsystem for Linux

Spawning TTY Shell: https://netsec.ws/?p=337

Impacket Toolkit: https://github.com/SecureAuthCorp/impacket

Impersonation and Potato Attacks

Rotten Potato: https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/

Juicy Potato: https://github.com/ohpe/juicy-potato

Groovy Reverse Shell: https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76

Alternative Data Streams: https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/

Escalation Path: getsystem

getsystem Explained: https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/

Escalation Path: Startup Applications

icacls Docs: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls

Escalation Path: CVE-2019-1388

ZeroDayInitiative CVE-2019-1388: https://www.youtube.com/watch?v=3BQKpPNlTSo

Rapid7 CVE-2019-1388: https://www.rapid7.com/db/vulnerabilities/msft-cve-2019-1388

Capstone Challenge

Basic Powershell for Pentesters: https://book.hacktricks.xyz/windows/basic-powershell-for-pentesters

Mounting VHD Files: https://medium.com/@klockw3rk/mounting-vhd-file-on-kali-linux-through-remote-share-f2f9542c1f25

Capturing MSSQL Creds: https://medium.com/@markmotig/how-to-capture-mssql-credentials-with-xp-dirtree-smbserver-py-5c29d852f478