Useful links/articles:

Pretty much where I have pulled most of this content.

Windows SysInternals Tools:


Running Powershell Commands from CMD:

Basic Powershell Commands within CMD.exe:

Download a File (Similar to Linux’s WGET):

Download and Import Powershell Modules:

Getting a Reverse TCP Powershell Shell with Nishang:

One Liner Reverse Powershell from CMD:

CMD.exe Execution
HTTP Get Request & Catching Shell

Basic Information Gathering:


Powerview.ps1 – Queries the Domain Controller and attempts to check if you (current Windows user) have admin privileges on other hosts. If so, we can psexec to get Admin.

Working with PETools:

Search for Credential Files:

Search Window Registry for Passwords:

Check for Local Only services:

Windows Priv-Esc Exploit Suggestor:

The GitHub repository is linked above, but if you’re lazy, here it is again.

On Windows Host:

systeminfo > systeminfo.txt

Transfer the file back to the Kali host and run it through the Python exploit suggester.

On Kali host:

Windows “at” Scheduler:

This command can be used locally to get SYSTEM privileges, since the at scheduler executes its commands as SYSTEM.

Scheduled Tasks:

Unquoted / Trusted Service Paths:

This occurs when a developer fails to enclose a service’s file path in quotes and that path contains a space. Properly quoted paths are treated as a single absolute path and are therefore not affected.

So if we find a service path without quotes, like the one below, it’s vulnerable:

C:\Program Files\Some Folder\1\Service.exe

Windows would try to execute, in order:

C:\Program Files\Some.exe

C:\Program Files\Some Folder\Service.exe

So if we have write access to one of those directories, we can place a file of that name there:
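As an added illustration (not part of the original cheat sheet), the following Python audit computes, for each service ImagePath, the exact lookup order Windows uses for an unquoted path with spaces, so a defender can verify those locations are not writable by ordinary users. It generalises the example above to any path and to ImagePaths carrying arguments, and also lists the first candidate (C:\Program.exe). The service names and ImagePath strings are constructed samples; real values would come from HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath or Win32_Service.PathName.

```python
import ntpath
import re
from typing import Dict, List

# Constructed sample ImagePath values (not taken from a real host).
SAMPLE_SERVICES = {
    "GoodSvc": r'"C:\Program Files\Good Vendor\svc.exe" -service',
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "BadSvc": r"C:\Program Files\Some Folder\1\Service.exe",
    "BadArgSvc": r"C:\Program Files\Other Vendor\agent.exe --port 8080",
}


def executable_part(image_path: str) -> str:
    """Executable portion of an unquoted command line.
    Heuristic: everything up to and including the first '.exe' token."""
    m = re.match(r"(.*?\.exe)(\s|$)", image_path, re.IGNORECASE)
    return m.group(1) if m else image_path


def lookup_candidates(image_path: str) -> List[str]:
    """Paths CreateProcess tries, in order, for a service ImagePath.
    For every space in an unquoted executable path Windows first tries the
    prefix before that space (appending '.exe' when the prefix has no
    extension) and only then the full path. A quoted path, or one without
    spaces, yields a single candidate."""
    if image_path.startswith('"'):
        return [image_path[1:image_path.index('"', 1)]]
    exe = executable_part(image_path)
    candidates = []
    for i, ch in enumerate(exe):
        if ch == " ":
            prefix = exe[:i]
            if "." not in ntpath.basename(prefix):
                prefix += ".exe"
            candidates.append(prefix)
    candidates.append(exe)
    return candidates


def audit(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each vulnerable service to the locations that must stay unwritable."""
    findings = {}
    for name, path in services.items():
        cands = lookup_candidates(path)
        if len(cands) > 1:
            findings[name] = cands[:-1]  # everything tried before the real exe
    return findings


if __name__ == "__main__":
    for svc, locations in audit(SAMPLE_SERVICES).items():
        print(f"{svc}: unquoted path, Windows tries these first: {locations}")
```

Each reported location is a file an administrator should confirm cannot be created by unprivileged users (icacls on the parent directory), or better, the service path should simply be quoted.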

Check for Weak Service Permissions:

Permission matrix (taken from Insomnia Security)

Check for Weak File Permissions:

Check Program Files for Writeable Objects:

Check for AlwaysInstallElevated Group Policy Setting:

With this setting enabled, every .msi package is installed with SYSTEM privileges, for any user.

/quiet = Suppress any messages to the user during installation
/qn = No GUI
/i = Regular (vs. administrative) installation

Password Spraying:

A loop that iterates over all the users in users.txt and tries every password listed in pass.txt. It can be combined with the net user /domain command listed above to cover every user in the domain.

Using Procmon.exe to check for “NAME NOT FOUND” DLLs:

Simply use a DLL written in C++ whose DllMain contains malicious code or points to a malicious function in the code, such as a shellcode loader or downloader/executor.

  1. Download procmon.exe
  2. Execute it on the Windows machine and set the following filters:

Procmon.exe DLL hijacking filters

Check the UPNP Server on Older Machines:

Windows XP and Older:

If you have a GUI with a user that is included in the Administrators group, you first need to open up cmd.exe as the administrator. If you open the cmd that is in Accessories it will be opened as a normal user, and if you right-click and choose Run as Administrator you might need to know the Administrator’s password, which you might not know. So instead open the cmd from c:\windows\system32\cmd.exe. This will give you a cmd with Administrator rights.

From here we want to become the SYSTEM user. To do this we run:

First we check what time it is on the local machine:

Vista and Newer:

Get PsExec onto the system and run: