Windows privilege escalation is the process where an attacker moves from a low-level account (such as a standard user or service account) to a high-level account, typically Administrator or NT AUTHORITY\SYSTEM. In the context of CompTIA PenTest+, this phase follows initial exploitation and requires a deep understanding of Windows architecture to identify misconfigurations, kernel vulnerabilities, and credential weaknesses.
A primary vector involves **Service and Registry Misconfigurations**. For example, 'Unquoted Service Paths' occur when a service's executable path contains spaces but is not enclosed in quotes. Windows then treats each space as a possible end of the executable name and tries the shorter paths first, so a malicious binary named 'C:\Program.exe' can be executed instead of the intended 'C:\Program Files\Service.exe'. Similarly, 'Insecure Service Permissions' allow users to modify a service's configuration, pointing the binary path (binPath) to a malicious executable that runs with SYSTEM privileges when the service restarts.
**DLL Hijacking** is another common technique. It exploits the Windows DLL search order: when an application loads a DLL by name rather than by full path and the library is missing or is not found in a location searched first, an attacker who can write to a directory searched earlier (such as the application's own folder) can place a DLL with the same name there, and the application loads and executes the attacker's code with its own privileges.
Attackers also target **Kernel Exploits** by enumerating missing patches using commands like `systeminfo` or automated enumeration scripts like **winPEAS** and **PowerUp**. If the OS is outdated, specific exploits (e.g., EternalBlue) can grant immediate SYSTEM access.
Finally, attackers leverage **Credential Dumping** and **Token Manipulation**. Tools like Mimikatz interact with the Local Security Authority Subsystem Service (LSASS) to retrieve cleartext passwords or NTLM hashes, or to steal access tokens from running processes to impersonate privileged users. Identifying vulnerabilities such as 'AlwaysInstallElevated' in the registry or weak file permissions on sensitive directories is essential for successful escalation.
Windows Privilege Escalation Guide for CompTIA PenTest+
What is Windows Privilege Escalation?
Windows privilege escalation is the phase in a penetration test where an attacker attempts to gain higher-level permissions on a compromised system. This typically involves moving from a standard user account or a restricted service account to an account with administrative rights, such as a local Administrator or NT AUTHORITY\SYSTEM. It exploits misconfigurations, kernel vulnerabilities, or insecure permissions to bypass access controls.
Why is it Important?
Initial access usually grants only limited privileges. Escalating to administrative or SYSTEM level is crucial because it allows the pentester to:
1. Dump password hashes (SAM/LSASS) to crack credentials.
2. Establish persistence (e.g., creating backdoors or new users).
3. Disable security controls (antivirus, firewalls).
4. Pivot to other machines within the network.
How it Works: Common Techniques
1. Unquoted Service Paths: If a service executable path contains spaces and is not enclosed in quotes (e.g., C:\Program Files\My App\service.exe), Windows attempts to execute 'C:\Program.exe' first. If an attacker can place a malicious executable there, it runs with the service's privileges (often SYSTEM).
2. Insecure Service Permissions: If a low-privileged user can modify a service's configuration (checked via accesschk or sc qc), they can change the 'binPath' to point to a malicious payload (e.g., a reverse shell) which executes when the service restarts.
3. AlwaysInstallElevated: If this registry key is set to '1' for both HKLM and HKCU, any user can run .MSI installer packages with elevated privileges.
4. Token Manipulation: Exploiting specific user privileges found via whoami /priv (such as SeDebugPrivilege or SeImpersonatePrivilege) to duplicate an administrator's access token.
5. Credential Dumping: Locating cleartext passwords left in files like Unattend.xml, sysprep.inf, or web.config.
Exam Tips: Answering Questions on Windows Privilege Escalation
To answer PenTest+ questions effectively, focus on identifying the vulnerability from command-line output and knowing the remediation.
1. Analyze the Output: If you see output from wmic or sc query showing a path like C:\Program Files\Vuln App\executable.exe without quotes, the answer is Unquoted Service Path. If you see output from icacls showing 'Everyone:(F)' or 'BUILTIN\Users:(M)' on a service binary, the answer is Insecure File Permissions.
2. Know Your Enumeration Tools: Memorize the names of scripts used to automate this discovery. PowerUp (PowerShell), WinPEAS (Windows Privilege Escalation Awesome Scripts), and Seatbelt are the standard tools referenced in the exam context.
3. Recognize Dangerous Privileges: If a question displays the output of whoami /priv, look immediately for SeImpersonatePrivilege (vulnerable to Potato attacks like RottenPotato) or SeDebugPrivilege (allows process injection into SYSTEM processes).
4. Remediation Strategies: Expect questions on how to fix these flaws. For unquoted paths, the fix is adding quotes around the path in the registry. For weak permissions, the fix is removing the 'Write' or 'Full Control' permission for standard users.
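Tips 1 and 3 above, as an added example that is not part of the original guide: a Python script that reads output in the shape of `icacls <file>` and `whoami /priv` and flags the two patterns the exam expects you to spot (write-class rights granted to standard-user principals on a service binary, and dangerous token privileges). The paths, principals and output text are constructed for the example; the privilege list adds a few well-known privileges beyond the two the page names, which is this example's choice rather than the page's.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of `icacls "<file>"` output; path and
# principals are made up for this example.
AUDITED_PATH = "C:\\Program Files\\Vuln App\\executable.exe"
ICACLS_SAMPLE = (
    "C:\\Program Files\\Vuln App\\executable.exe Everyone:(F)\n"
    "                                           BUILTIN\\Users:(M)\n"
    "                                           NT AUTHORITY\\SYSTEM:(I)(F)\n"
    "                                           BUILTIN\\Administrators:(I)(F)\n"
    "\n"
    "Successfully processed 1 files; Failed processing 0 files\n"
)

# Constructed sample in the shape of `whoami /priv` output.
WHOAMI_PRIV_SAMPLE = (
    "PRIVILEGES INFORMATION\n"
    "----------------------\n"
    "\n"
    "Privilege Name                Description                               State\n"
    "============================= ========================================= ========\n"
    "SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled\n"
    "SeImpersonatePrivilege        Impersonate a client after authentication Enabled\n"
    "SeCreateGlobalPrivilege       Create global objects                     Enabled\n"
    "SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled\n"
)

# Principals every standard user belongs to; write rights for them on a
# service binary (or its directory) are the Insecure File Permissions finding.
LOW_PRIV_PRINCIPALS = {
    "Everyone",
    "BUILTIN\\Users",
    "NT AUTHORITY\\Authenticated Users",
    "NT AUTHORITY\\INTERACTIVE",
}
# icacls simple rights (F, M, W) and specific rights that allow changing,
# replacing or deleting the file.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WDAC", "WO", "D"}

# The two privileges the guide names plus others commonly treated as
# administrator-equivalent (assumption: this set is the example's choice).
DANGEROUS_PRIVILEGES = {
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege",
    "SeDebugPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
    "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege",
}

_ACE = re.compile(r"^(?P<who>.+?):(?P<rights>(?:\([A-Z,]+\))+)\s*$")
_PRIV = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")


def parse_icacls(text: str, path: str) -> List[Tuple[str, List[str]]]:
    """(principal, rights tokens) for each ACE; the first line also carries
    the audited path, which is stripped off the principal."""
    aces = []
    for line in text.splitlines():
        m = _ACE.match(line.strip())
        if not m:
            continue                      # header, blank and summary lines
        who = m.group("who")
        if who.startswith(path):
            who = who[len(path):].strip()
        groups = re.findall(r"\(([A-Z,]+)\)", m.group("rights"))
        tokens = [t for g in groups for t in g.split(",")]
        aces.append((who, tokens))
    return aces


def weak_aces(aces: List[Tuple[str, List[str]]]) -> List[Tuple[str, List[str]]]:
    """ACEs that let a standard user modify the file."""
    return [(who, rights) for who, rights in aces
            if who in LOW_PRIV_PRINCIPALS and WRITE_RIGHTS & set(rights)]


def parse_whoami_priv(text: str) -> Dict[str, str]:
    """Privilege name -> 'Enabled'/'Disabled' from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = _PRIV.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def dangerous_privileges(privs: Dict[str, str]) -> List[str]:
    """Held privileges worth flagging. 'Disabled' still counts: the token
    holds the privilege and the process can enable it for itself."""
    return sorted(p for p in privs if p in DANGEROUS_PRIVILEGES)


if __name__ == "__main__":
    print("weak ACEs:", weak_aces(parse_icacls(ICACLS_SAMPLE, AUDITED_PATH)))
    print("dangerous privileges:",
          dangerous_privileges(parse_whoami_priv(WHOAMI_PRIV_SAMPLE)))
```

For the permissions finding the remediation in tip 4 maps onto `icacls "<path>" /remove:g Everyone /remove:g "BUILTIN\Users"` (removing the granted rights for those principals) followed by a re-check that only SYSTEM and Administrators retain write access; dangerous privileges are reviewed on the account the service runs as, which is why the `SERVICE_START_NAME` of the service matters as much as the user's own token.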