Windows Privilege Escalation (privesc) Resources

I have obtained a standard user account on Windows. Now what?

This is a common question I see people inquire about frequently on the Discord/Slack/Mattermost servers I hang out on. This includes people working on CTF exercises (Hack the Box), OSCP/PWK studies, and just pentesting in general. The answer, of course, is that you need to enumerate the system and find a way to become Admin.

The methodology for how you actually do this depends on a lot, all depending on your specific environment and circumstances.

Windows Privilege Escalation to the Rescue

Here are some useful resources on what to do next in your given situation, after you have successfully exploited your way onto a Windows box, but before you have the system administrator role. I collected these links, snippets, and exploits during my OSCP studies, saving them in this massive OneNote notebook. Rather than letting them sit there where no one but me can access them, I thought I’d share.

Some of these get pretty detailed, and some of them have links to yet even more resources on this topic.

Have fun…this rabbit hole runs deep!

Privesc Resources

Updated 11.11.18: A new resource I came across that looks pretty awesome:

Windows-Privilege-Escalation-Guide
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/

Elevating privileges by exploiting weak folder permissions
http://www.greyhathacker.net/?p=738/

Encyclopedia of Windows Privesc (video)
https://www.youtube.com/watch?v=kMG8IsCohHA&feature=youtu.be

Windows Privesc Fundamentals
http://www.fuzzysecurity.com/tutorials/16.html

Windows Privesc Cheatsheet
https://it-ovid.blogspot.com/2012/02/windows-privilege-escalation.html

Windows Privesc Check
A script that automates the checking of common vulnerabilities that can be exploited to escalate your privileges:
http://pentestmonkey.net/tools/windows-privesc-check

Common Windows Privesc Vectors
https://www.toshellandback.com/2015/11/24/ms-priv-esc/

Windows Post-Exploitation Command List
http://www.handgrep.se/repository/cheatsheets/postexploitation/WindowsPost-Exploitation.pdf

WCE and Mimikatz in Memory over Meterpreter
https://justinelze.wordpress.com/2013/03/25/wce-and-mimikatz-in-memory-over-meterpreter/

Windows Privesc – includes tips and more resource links, on Github
https://github.com/togie6/Windows-Privesc

Do you have any Windows Privesc resources you think should go here? Comment below and I will add them.

Microsoft Windows has Free Virtual Machines

Wish I had known about these earlier. Microsoft offers free Windows virtual machines for VirtualBox, VMware, and others. You can choose from Windows 7, Windows 8, or Windows 10 (a few different flavors of each). They last 90 days before expiring, but you can snapshot them right after you install them to make it easy to reset those 90 days by rolling back to the snapshot.

Officially, these are for testing out the Edge browser, but you can also use them for whatever else 😉

Check them out here:

https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/

Linux Is Here To Stay

You may have read here before about my ventures with Linux on the home PC, where things must work for the whole family, not just me the Linux Geek.

Back in March or so, I grew tired of Windows XP on my home desktop. I was sick of having to keep up with WGA cracks (ahem), sick of bloated crapware, and not interested whatsoever in Vista.

So, I installed RedHat Linux (Fedora Core 6 to be exact). This was highly tolerable for a couple of months since I was used to using it at work all the time, and I am well versed in RedHat operating systems. However, it caused issues for Alicia because it just wasn’t intuitive enough, and it didn’t just work. There was always some fiddling that needed to be done in a terminal window.

I decided a few weeks ago that I would install Ubuntu 7.4 Feisty Fawn, and I haven’t looked back since. When I learned that Dell was shipping PCs with Ubuntu instead of Linux, I knew it must be time. The installation was fast, and it was insanely simple to do. The Ubuntu developers have thought of everything, and it seems like they are driven to make something with mass appeal that is better than Windows. In my opinion, they have.

It just works. Plugged in my iPod, it worked. Plugged in my old NTFS data drive, it worked. Plugged in my USB card reader, it worked. All of it works. Needed a codec to watch some video clip, and Ubuntu went and found it easily, letting me start watching within seconds.

The final test of Ubuntu’s readiness for the masses was how well my wife handled it. So far, the only complaint is that she cannot listen to music she bought from iTunes (until I work around that). So all in all, Ubuntu passes with flying colors.

The Biggest Shot In The Foot Ever?

For the last few weeks, the techie blogs have been circulating stories about how Microsoft Windows Vista can be installed and used for free for 120 days. You see, Microsoft gives you 30 days to try it out for nothing, but then they will disarm it and require you to purchase a license to continue using it.

Someone found out that Microsoft had built in a way to extend that 30-day trial to 120 days through a little registry tweak.

Well, now someone has figured out how to extend it indefinitely, not by hacking or cracking the operating system, but by using the built-in tools that Microsoft included in the operating system.

From DailyCupOfTech.com:

“It appears that crackers need not break Windows Vista activation because Microsoft has done it for them! Brian Livingston of Windows Secrets writes in Microsoft allows bypass of Vista activation about how to allow you to keep your Vista box running indefinitely without activating it.”

It is likely that MS will try and fix this through some future patch, but what will they break in doing so? They obviously had a need to provide this functionality for some reason.

Now that I’ve abandoned Winders on the home desktop completely for RedHat Fedora Linux, this makes me chuckle. However, maybe I’ll give it a shot and see what happens!

Setting up Apache, Tomcat, and mod_jk on RHEL4

I just got through setting up Tomcat 5.5, Apache 2, and mod_jk on a RedHat Enterprise AS 4.4 machine at work. In the past, I have done this by compiling each component separately and fiddling with config files until it all worked. But I wanted to stick with RedHat-approved RPMs from the RedHat Network to ease updates and patch management, and to allow the organization to have support options.

I had a lot of trouble finding any documentation on how to do this anywhere, so I thought I’d throw it out here for anyone in a similar situation in search of help.

The following are my notes, sprinkled with a little help I got from a RedHat support tech.

First, I had to enable the following channel within the RedHat Network for this system:

– Red Hat Application Server v. 2 (AS v. 4 for i386)

If you don’t have a RHEL license for updating your system, you will need one.

Once that channel was enabled, I installed the following packages using up2date at the command line:


# up2date tomcat5
# up2date tomcat5-webapps
# up2date tomcat5-admin-webapps
# up2date mod_jk-ap20

With the packages installed, I set out to configure a virtual host to pass requests to Tomcat as needed by using the mod_jk connector. The following steps explain how to do this for a web site called example.com using IP address 123.123.123.123. Substitute your domain and IP accordingly.

Step 1. Add mod_jk to Apache

In /etc/httpd/conf/httpd.conf add this:


LoadModule jk_module modules/mod_jk.so
<IfModule mod_jk.c>
    JkWorkersFile "/etc/httpd/conf/workers.properties"
    JkLogFile "/etc/httpd/logs/mod_jk.log"
    JkLogLevel info
    JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"
</IfModule>

That loads the module into Apache, tells Apache which workers file defines the AJP worker that will handle JSPs and servlets, and tells Apache where to record log entries for mod_jk.

Step 2. Create a new file called /etc/httpd/conf/workers.properties. The JkWorkersFile and JkMount directives above are mod_jk 1.2 directives, and mod_jk 1.2 reads workers in the worker.list / worker.<name>.<key> format, so add this to it:


# mod_jk 1.2 worker definitions. The worker name (ajp13) is what the JkMount lines
# in httpd.conf refer to. The [channel.socket:...] section syntax belongs to the
# older mod_jk2 workers2.properties file and is not read by mod_jk 1.2.
worker.list=ajp13
worker.ajp13.type=ajp13
worker.ajp13.host=example.com
worker.ajp13.port=8009

Step 3. Create a virtual host in /etc/httpd/conf/httpd.conf like so:


<VirtualHost 123.123.123.123:80>
    ServerAdmin webmaster@example.com
    ServerName www.example.com
    DocumentRoot /var/www/html
    JkMount /*.jsp ajp13
    JkMount /servlet/* ajp13
    # Deny direct access to WEB-INF. Apache's DocumentRoot is the same directory as
    # Tomcat's appBase, so without this web.xml and classes would be served as plain files.
    <Location "/WEB-INF/">
        Order deny,allow
        Deny from all
    </Location>
</VirtualHost>

Step 4. Set up Tomcat 5 by adding this to /etc/tomcat5/server.xml just before the very last </Engine> tag at the bottom of the document (element names in server.xml are case-sensitive):


<Host name="example" appBase="/var/www/html" unpackWARs="true" autoDeploy="true">
    <Context path="" docBase="" debug="0" reloadable="true"/>
    <Alias>www.example.com</Alias>
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="web1_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
</Host>

Still with me? We are almost done.

Step 5. Create a sample JSP file called /var/www/html/test.jsp and add this to it:


Time: <%= new java.util.Date() %>

Step 6. Start up the services

# apachectl start
# service tomcat5 start

Step 7. Try it!

Browse to http://www.example.com/test.jsp

If all went well, you should see the system’s current date and time when you load the web page. Congrats. Hope it works for you!
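A small checker for the two Apache-side files from the steps above, added here as an example and not part of the original post. It assumes the mod_jk 1.2 worker.list / worker.<name>.<key> format, and uses constructed sample copies of httpd.conf and workers.properties (including a deliberately undefined worker) to flag the two mistakes that quietly make Apache serve .jsp source and WEB-INF contents straight out of the shared DocumentRoot instead of passing them to Tomcat: a JkMount that names a worker workers.properties does not define, and a missing deny rule for /WEB-INF/.

```python
import re
# Constructed sample inputs for this example, modelled on the post's files (not copied from them).
WORKERS_PROPERTIES = """\
worker.list=ajp13
worker.ajp13.type=ajp13
worker.ajp13.host=example.com
worker.ajp13.port=8009
"""
HTTPD_CONF = """\
LoadModule jk_module modules/mod_jk.so
<VirtualHost 123.123.123.123:80>
DocumentRoot /var/www/html
JkMount /*.jsp ajp13
JkMount /servlet/* ajp13
JkMount /admin/* ajp13_admin
</VirtualHost>
"""

def parse_workers(text):
    """Parse mod_jk 1.2 workers.properties into (worker.list names, {name: {property: value}})."""
    names, props = [], {}
    for line in text.splitlines():
        key, _, value = (p.strip() for p in line.partition("="))
        if not key or key.startswith("#"):
            continue
        if key == "worker.list":
            names = [n.strip() for n in value.split(",") if n.strip()]
        elif key.startswith("worker."):
            parts = key.split(".", 2)  # worker.<name>.<property>
            if len(parts) == 3:
                props.setdefault(parts[1], {})[parts[2]] = value
    return names, props

def lint(httpd_conf, workers_properties):
    """List misconfigurations that make Apache serve .jsp or WEB-INF files itself instead of via Tomcat."""
    names, props = parse_workers(workers_properties)
    problems, checked = [], set()
    for path, worker in re.findall(r"^\s*JkMount\s+(\S+)\s+(\S+)", httpd_conf, re.M):
        if worker not in names:
            problems.append(f"JkMount {path}: worker '{worker}' not in worker.list")
        elif worker not in checked:
            checked.add(worker)
            for key in ("type", "host", "port"):
                if key not in props.get(worker, {}):
                    problems.append(f"worker '{worker}' has no worker.{worker}.{key}")
    # DocumentRoot is shared with Tomcat's appBase, so WEB-INF must also be blocked at the Apache layer.
    if not re.search(r'<Location(?:Match)?\s+"?/WEB-INF/?"?>', httpd_conf, re.I):
        problems.append("no <Location /WEB-INF/> deny block: web.xml and classes reachable as plain files")
    return problems
```

Run lint() against the real files before starting the services; an empty list means every JkMount resolves to a fully defined worker and WEB-INF is fenced off.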

Windows Free – Update 1

After about 4 hours of using Ubuntu Linux, I ditched it and installed Fedora Core 4. The main reason was that Ubuntu does not have a root user. This may seem odd to experienced Linux folks, but the intentions behind it are good. Unless you know what you are doing, you can completely hose a Linux operating system as the root user. So, in order to become as user-friendly as possible for Linux newbies, they require you to use ‘sudo’ for everything in Ubuntu.

To me, this was a slowdown. I decided to go with what I am most familiar with, and that is the RedHat-based Fedora Core 4.

More on my venture to discard Windows from my life will soon follow.

Windows Free!

I got fed up. Fed up with a bogged down operating system. I got tired of viruses, spyware, licenses, etc etc etc.

Tonight I made the switch.

No, not to Apple. To Linux. Full-time, full-on Linux. Ubuntu, to be exact.

Within two hours I was up and running a smooth desktop, playing music from my iTunes library, browsing with Firefox, checking all my email in Thunderbird, and enjoying the feeling of being free from Windows.

The remarkable thing is that almost all of my USB devices work. My webcam does not, but a quick lookup found a tutorial on setting it up. Transferring all of my files was easy too. I just mounted my WinXP hard drive and whammo – it’s all accessible.

It’s still very early to tell how well I will adjust to this in my day-to-day working environment at home, so I will report back here on the matter in a week or two.
