
URL: https://dev.to/ahzek/windows-privesc-01-initial-enumeration-the-part-that-actually-matters-8mb

Windows PrivEsc 01: Initial Enumeration (The Part That Actually Matters) - DEV Community


If you've ever popped a box on HackTheBox, TryHackMe, or OffSec Proving Grounds, you know the drill. Initial access on Linux and Windows isn't that different: scan, fuzz, find a CVE ("Heey, there's an exploit.py"), get a shell. The OS barely matters at that stage.

It gets interesting with privesc.

On Linux you've got your SUID bits, writable cron jobs, sudo -l... it's almost cozy. Windows? Windows has services, tokens, ACLs, AppLocker, registry keys, integrity levels, and about fifteen ways a misconfigured service account will hand you SYSTEM if you know where to look.

This post is Part 01 of my Windows PrivEsc series, amidst my series on Active Directory haha. Before we dive into the juicy stuff, here's the initial enumeration baseline you need to build every single time you land a shell.


Know Where You Are

Get-WmiObject -Class Win32_OperatingSystem
whoami /user
whoami /priv
whoami /groups

whoami /priv is nice. Spot SeImpersonatePrivilege? That's basically game over via PrintSpoofer or Juicy Potato. SeBackupPrivilege? You can read SAM and NTDS.dit. Even a Disabled state doesn't save you: a privilege that is present in the token but disabled can be enabled in the same process with a few API calls, so only its absence counts.
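The `whoami /priv` table is the first thing worth parsing when you triage captured enumeration output offline (or audit a service account's token during a hardening review). The following is an added example, not code from the original post: it parses a constructed sample in the format `whoami /priv` prints and flags the two privileges the post calls out, reporting them even when their state is Disabled, for the reason given above. The sample text, the `HIGH_RISK` table and the function names are all assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample of `whoami /priv` output (not captured from a real host).
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeBackupPrivilege             Back up files and directories             Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Privileges the post names as SYSTEM-equivalent when held by a service or
# low-privileged account. Deliberately limited to the page's own list.
HIGH_RISK = {
    "SeImpersonatePrivilege": "token impersonation; treat the account as SYSTEM-equivalent",
    "SeBackupPrivilege": "reads SAM / NTDS.dit regardless of file ACLs",
}

# One table row: name, free-text description, then Enabled|Disabled at the end.
PRIV_LINE = re.compile(r"^(Se\w+)\s+(.*?)\s+(Enabled|Disabled)\s*$")


@dataclass(frozen=True)
class Privilege:
    name: str
    description: str
    state: str


def parse_whoami_priv(text: str) -> list[Privilege]:
    """Parse the table printed by `whoami /priv` into Privilege records,
    skipping the banner, header and separator lines."""
    privs = []
    for line in text.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privs.append(Privilege(m.group(1), m.group(2), m.group(3)))
    return privs


def high_risk_findings(privs: list[Privilege]) -> list[str]:
    """Flag high-risk privileges. A Disabled privilege is reported too: it is
    still in the token and the holder can re-enable it, so only absence from
    the token removes the risk."""
    findings = []
    for p in privs:
        if p.name in HIGH_RISK:
            note = "" if p.state == "Enabled" else " (Disabled, but present in the token)"
            findings.append(f"{p.name}{note}: {HIGH_RISK[p.name]}")
    return findings


if __name__ == "__main__":
    for finding in high_risk_findings(parse_whoami_priv(SAMPLE_WHOAMI_PRIV)):
        print("[!]", finding)
```

On the sample above it reports both SeImpersonatePrivilege and SeBackupPrivilege; the description column is kept on the record so a report can show the reader what the privilege does without a second lookup.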

Want to properly memorize the important stuff? My blog post has interactive quizzes for that → niklas-heringer.com


Network Recon From Inside

ipconfig /all # dual-homed? new network segment?
arp -a # who has this machine talked to recently?
route print # where can traffic go?
netstat -ano # what's listening? especially on 127.0.0.1

Anything bound to 127.0.0.1 in netstat is invisible from outside, but once you have a shell, it's right there. A SQL Server or local web app running as SYSTEM on loopback with no hardening is a classic setup.


Check Your Defenses

Get-MpComputerStatus # Defender: is RealTimeProtection actually on?
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

AppLocker blocks cmd.exe for everyone? Fine; is powershell.exe blocked too, or only one specific file? Read the rules, find the gaps.


Process & Service Hunting

tasklist /svc

Ignore the svchost.exe army. Look for: Tomcat, FileZilla, SQL Server, third-party VPN services. Old Tomcat with default creds (tomcat:tomcat) = deploy a WAR = code execution. Old SQL Server = xp_cmdshell = SYSTEM.
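The loopback point from the network section and the "ignore svchost, look for third-party services" point above are really one check: which listening sockets belong to which process. The following is an added example, not code from the original post. It parses constructed samples in the formats `netstat -ano` and `tasklist /svc` print, joins them on PID, and lists only the listeners bound to loopback, which an external port scan never sees and which therefore tend to be missed in hardening reviews. The sample output, process names and function names are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample output of `netstat -ano` (not from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       916
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING       2884
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       3120
  TCP    10.10.10.5:49702       10.10.10.1:445         ESTABLISHED     1204
  UDP    0.0.0.0:123            *:*                                    1100
"""

# Constructed sample output of `tasklist /svc`.
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    916 RpcEptMapper, RpcSs
sqlservr.exe                  2884 MSSQLSERVER
tomcat9.exe                   3120 Tomcat9
"""


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    pid: int


# Image names may contain spaces ("System Idle Process"), so the name is
# matched lazily up to the first whitespace-delimited integer (the PID).
TASK_LINE = re.compile(r"^(.+?)\s+(\d+)\s+(.*)$")


def parse_listeners(text: str) -> list[Listener]:
    """Return TCP sockets in LISTENING state from `netstat -ano` output.
    UDP rows have no State column and are skipped here."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            addr, port = parts[1].rsplit(":", 1)   # handles [::1]:port too
            out.append(Listener(parts[0], addr, int(port), int(parts[4])))
    return out


def parse_tasklist(text: str) -> dict[int, tuple[str, str]]:
    """Map PID -> (image name, service list) from `tasklist /svc` output."""
    procs = {}
    for line in text.splitlines():
        m = TASK_LINE.match(line.rstrip())
        if m and not m.group(1).startswith("="):
            procs[int(m.group(2))] = (m.group(1).strip(), m.group(3).strip())
    return procs


def loopback_services(netstat: str, tasklist: str) -> list[str]:
    """Loopback-only listeners joined to their owning process and services."""
    procs = parse_tasklist(tasklist)
    rows = []
    for l in parse_listeners(netstat):
        if l.addr in ("127.0.0.1", "[::1]"):
            image, svcs = procs.get(l.pid, ("<unknown>", ""))
            rows.append(f"{l.addr}:{l.port} pid={l.pid} {image} [{svcs}]")
    return rows


if __name__ == "__main__":
    for row in loopback_services(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print("[loopback]", row)
```

On the sample this surfaces the SQL Server instance on 1433 and a Tomcat on 8080, both loopback-only; the ones owned by svchost.exe or PID 4 are exactly the rows you skip, and anything left is a service whose account and patch level deserve a look.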


Users & Groups

net user
net localgroup administrators
whoami /groups
net accounts

Lockout threshold: Never plus Minimum password length: 0 in net accounts? Spray freely. See bob and bob_adm side by side? That's a credential-reuse gift. Non-standard groups sometimes exist purely to grant access to something sensitive, and nobody maintains the membership.
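Both signals above are mechanical enough to check from captured output. The following is an added example, not code from the original post: it parses constructed samples of `net accounts` and `net user`, reports the two weak policy settings named above, and looks for paired accounts. It generalises the post's bob / bob_adm case slightly by checking a small list of common admin-suffix conventions; that suffix list, the sample output, and the function names are assumptions of this example.

```python
# Constructed sample output of `net accounts` (not from a real host).
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

# Constructed sample output of `net user`.
SAMPLE_NET_USER = """\
User accounts for \\\\WS01

-------------------------------------------------------------------------------
Administrator            bob                      bob_adm
Guest                    svc_backup               WDAGUtilityAccount
The command completed successfully.
"""

# Assumed naming conventions for "privileged twin" accounts (bob -> bob_adm).
ADMIN_SUFFIXES = ("_adm", "_admin", "-adm", "-admin", ".adm", ".admin")


def parse_net_accounts(text: str) -> dict[str, str]:
    """Turn the `key:   value` lines of `net accounts` into a dict. The split
    is on the last colon because one key ends in a question mark."""
    policy = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.rsplit(":", 1)
            policy[key.strip()] = value.strip()
    return policy


def parse_net_user(text: str) -> list[str]:
    """Collect account names from the three-column `net user` listing."""
    names, in_table = [], False
    for line in text.splitlines():
        if line.startswith("----"):
            in_table = True
            continue
        if line.startswith("The command"):
            break
        if in_table:
            names.extend(line.split())
    return names


def policy_findings(policy: dict[str, str]) -> list[str]:
    """The two settings the post singles out, phrased as hardening findings."""
    findings = []
    if policy.get("Lockout threshold") == "Never":
        findings.append("Lockout threshold is Never: guessing is never throttled; set a threshold")
    if policy.get("Minimum password length") == "0":
        findings.append("Minimum password length is 0: empty passwords allowed; set a minimum")
    return findings


def paired_accounts(names: list[str]) -> list[tuple[str, str]]:
    """Find base/suffixed account pairs, the classic place to expect password
    reuse between a user's daily and privileged accounts."""
    lowered = {n.lower(): n for n in names}
    pairs = []
    for base in lowered:
        for other in lowered:
            if other != base and other.startswith(base) and other[len(base):] in ADMIN_SUFFIXES:
                pairs.append((lowered[base], lowered[other]))
    return pairs


if __name__ == "__main__":
    for f in policy_findings(parse_net_accounts(SAMPLE_NET_ACCOUNTS)):
        print("[policy]", f)
    for base, twin in paired_accounts(parse_net_user(SAMPLE_NET_USER)):
        print("[pair]", base, "<->", twin)
```

The pair check compares names case-insensitively because Windows account names are; it only catches suffix conventions, so a prefix style such as adm_bob would need the list extended.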


Patch Level

Get-HotFix | ft -AutoSize
systeminfo

Four hotfixes total, the last one from 2021? Feed those KB numbers into WES-NG and watch it map them to CVEs for you.
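The "few hotfixes, last one years ago" signal is easy to compute before you hand the KB list to a tool. The following is an added example, not code from the original post or from WES-NG: it parses a constructed sample of `Get-HotFix | ft -AutoSize` output, returns the KB list, the newest install date and its age against a given reference date, and calls the host stale past a threshold. The KB identifiers in the sample are placeholders, the en-US M/D/YYYY date format, the 90-day threshold and the function names are assumptions of this example.

```python
import re
from datetime import date, datetime

# Constructed sample of `Get-HotFix | ft -AutoSize` output; the KB numbers are
# placeholders, not real update identifiers.
SAMPLE_HOTFIX = """\
Source Description      HotFixID  InstalledBy         InstalledOn
------ -----------      --------  -----------         -----------
WS01   Update           KB9000001 NT AUTHORITY\\SYSTEM 3/2/2021 12:00:00 AM
WS01   Security Update  KB9000002 NT AUTHORITY\\SYSTEM 6/9/2021 12:00:00 AM
WS01   Update           KB9000003 NT AUTHORITY\\SYSTEM 9/14/2021 12:00:00 AM
WS01   Security Update  KB9000004 NT AUTHORITY\\SYSTEM 11/10/2021 12:00:00 AM
"""

# A row is identified by its KB id; the date is the first M/D/YYYY after it.
HOTFIX_LINE = re.compile(r"\b(KB\d+)\b.*?(\d{1,2}/\d{1,2}/\d{4})")


def parse_hotfixes(text: str) -> list[tuple[str, date]]:
    """Extract (HotFixID, InstalledOn) pairs. Dates are assumed to be printed
    under an en-US culture (M/D/YYYY); adjust the format for other locales."""
    fixes = []
    for line in text.splitlines():
        m = HOTFIX_LINE.search(line)
        if m:
            installed = datetime.strptime(m.group(2), "%m/%d/%Y").date()
            fixes.append((m.group(1), installed))
    return fixes


def patch_summary(fixes: list[tuple[str, date]], today: str,
                  stale_after_days: int = 90) -> dict:
    """Summarise patch level relative to `today` (ISO date string). A small
    count together with an old newest date is the signal the post describes."""
    ref = date.fromisoformat(today)
    if not fixes:
        return {"count": 0, "latest": None, "days_since": None, "stale": True, "kbs": []}
    latest = max(d for _, d in fixes)
    days = (ref - latest).days
    return {
        "count": len(fixes),
        "latest": latest.isoformat(),
        "days_since": days,
        "stale": days > stale_after_days,
        "kbs": sorted(kb for kb, _ in fixes),   # the list you feed to WES-NG
    }


if __name__ == "__main__":
    summary = patch_summary(parse_hotfixes(SAMPLE_HOTFIX), today="2024-01-15")
    print(summary)
```

The `kbs` list is what you pass on to WES-NG; the summary is only there so a report can say "4 hotfixes, newest 796 days old" without anyone reading the table by hand.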


This is just the recon layer. Next post goes into process enumeration, service misconfigs, and where things start to get exploitable.

Full walkthrough with command output and reasoning on my blog → niklas-heringer.com