Physical attacks
Mobile Apps Pentesting
Pentesting

Checklist - Local Windows Privilege Escalation

Best tool to look for Windows local privilege escalation vectors: WinPEAS

  • Search for kernel exploits using scripts (post/windows/gather/enum_patches, post/multi/recon/local_exploit_suggester, sherlock, watson )

  • Use Google to search for kernel exploits

  • Use searchsploit to search for kernel exploits

Network

Vulnerable Software or Processes?

  • Is any unknown software running?

  • Is any software with more privileges that it should have running?

  • Search for exploits for running processes (specially if running of versions)

  • Can you read some interesting process memory (where passwords could be saved)?

  • Have write permissions over the binaries executed by the processes?

  • Have write permissions over the folder of a binary being executed to perform a DLL Hijacking?

  • What is running on startup of is scheduled? Can you modify the binary?

  • Can you dump the memory of any process to extract passwords?

Services

  • Can you write in any folder inside PATH?

  • Is there any known service binary that tries to load any non-existant DLL?

  • Can you write in some binaries folder?

  • Is this enabled?

  • Is it vulnerable?

  • Are you able to write files that could grant you more privileges?

  • There are several ways to bypass the UAC