HackPath
BBoooottccaammppNEWCCoouurrsseessRRooaaddmmaappPPrraaccttiicceePPrriicciinngg
>_
HACKPATH

COURSE.EXE

Privilege Escalation Windows

0%
FUNDAMENTALS
01Windows Post-Exploitation Enumeration
45m
02Unquoted Service Paths
50m
REGISTRY & INSTALLERS
03AlwaysInstallElevated
45m
04Registry Misconfigurations
48m
DLL & SERVICES
05DLL Hijacking
58m
06Weak Service Permissions
52m
TOKEN ABUSE
07SeImpersonatePrivilege
55m
08Token Impersonation
50m
ADVANCED TECHNIQUES
09Autorun & Startup Abuse
45m
10Credential Dumping Windows
58m
Lesson 01·1 / 10·45 min

Windows Post-Exploitation Enumeration

Lesson details coming soon.

Privilege Escalation — Windows/Windows Post-Exploitation Enumeration

Windows Post-Exploitation Enumeration

Systematic enumeration is the key to effective privilege escalation on Windows. Before exploiting anything, you must map the environment.

◆
Treat privesc like a map: enumerate boundaries first, then validate the weakest link.

User and System Context

enumeration windows privesc
◆

Current Account Privileges

◆

Users and Groups

◆

Services and Processes

◆

Registry — Sensitive Keys

◆

Sensitive Files

◆

Network and Connections

◆

Automated Enumeration Tools

ToolDescriptionCommand
WinPEASComprehensive colored enumeration (Windows equivalent of LinPEAS).\winPEAS.exe
SeatbeltTargeted security enumeration.\Seatbelt.exe all
PowerUpPowerShell privesc automationImport-Module PowerUp.ps1; Invoke-AllChecks
SharpUpC# version of PowerUp.\SharpUp.exe audit
◆

Flashcards

FLASHCARDS · 1/2
CARD #0001
_□×
UNSEEN

Which Windows privileges are the most exploitable for privilege escalation?

◆
Exercises

Exercise 1 — Build a Windows privesc checklist

  1. On a Windows VM, run whoami /all and identify enabled privileges
  2. Check for SeImpersonatePrivilege (often present on IIS service accounts)
  3. Run WinPEAS: .\winPEAS.exe and review highlighted sections
  4. Search for credentials in the registry: reg query HKLM /f password /t REG_SZ /s
  5. Check for Unattend.xml files: dir /s /b C:\*unattend* 2>nul

◆
Open Questions

Question 1 — Why is enumeration the key in Windows privesc?

◆

Next Lesson

With enumeration complete, the next lesson exploits the most common Windows privilege escalation vector: Unquoted Service Paths.

Next: Unquoted Service Paths

Hands-on challenge

Practice what you learned — run it on your machine.

Do the challenge →

You're on a free lesson

Ready to go further?

Unlock all courses, exercises, real-world scenarios and flashcards — everything to build real skills.

Unlock full access →

No commitment · Cancel anytime

Sign in to track your progress.

Sign in to validate →

9 lessons locked in this course · 800+ students enrolled

$99/year — save 31% vs monthly

Unlock full access →
You type
# Current user
whoami
whoami /all       # Privileges, groups, SID

# System information

systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"Hotfix"

# Architecture

echo %PROCESSOR_ARCHITECTURE%

# Environment variables

set
echo %PATH%
You type
# List all privileges (look for SeImpersonate, SeDebug, etc.)
whoami /priv

# Interesting privileges:

# SeImpersonatePrivilege → Potato attacks

# SeDebugPrivilege → Read memory of privileged processes

# SeBackupPrivilege → Read any file

# SeRestorePrivilege → Write anywhere

# SeTakeOwnershipPrivilege → Take ownership of files

# SeLoadDriverPrivilege → Load kernel drivers
You type
# Local users
net user
net user administrator
net localgroup

# Members of the Administrators group

net localgroup Administrators
net localgroup "Remote Desktop Users"

# Logged-in users

query user
query session
You type
# Running services
sc query
sc query type= all

# Services with execution paths (check for unquoted paths)

sc qc ServiceName
wmic service get name,pathname,startmode,startname

# Running processes (look for those running as SYSTEM)

tasklist
tasklist /v # With associated user

# Via PowerShell

Get-Service
Get-Process | Select-Object Name, Id, @{N='User';E={$\_.GetOwner().User}}
You type
# AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

# Credentials stored in the registry

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

# AutoLogon credentials

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
You type
# Search for files containing 'password' in their name
dir /s /b C:*password* 2>nul
dir /s /b C:*credential* 2>nul
dir /s /b C:*unattend* 2>nul

# Common configuration files

type C:\Windows\Panther\Unattend.xml
type C:\Windows\Panther\Unattended.xml
type C:\inetpub\wwwroot\web.config

# SAM databases (local credentials)

dir /s /b SAM

# C:\Windows\System32\config\SAM

# C:\Windows\System32\config\SYSTEM
You type
# Network interfaces
ipconfig /all

# Active connections and open ports

netstat -ano

# ARP table (other hosts on the network)

arp -a

# Routes

route print