In episode 2 of Tradecraft Security Weekly, Beau Bullock (@dafthack) discusses Windows privilege escalation techniques. There are many reasons why normal employees should not be local administrators of their own systems. Network administrators tend to lock down user permissions correctly, but privilege escalation vulnerabilities still arise from third-party software and from system configuration. The tools and techniques discussed for finding these weaknesses include PowerUp (by @harmj0y), Hot Potato (by foxglovesec), and manually finding exploits for missing Microsoft patches with Searchsploit.

Command Notes:

Command to check for installed patches (on the target Windows box; wmic is deprecated on current Windows releases, and the Get-HotFix cmdlet returns the same data):

C:\> wmic qfe get Caption,Description,HotFixID,InstalledOn

Searchsploit command to check for exploits in exploit-db (from Kali):

# searchsploit MS16 windows local

Import PowerUp (on the target, from a PowerShell session started with the execution policy bypassed, with PowerUp.ps1 in the current directory):

C:\> powershell.exe -exec bypass
PS C:\> Import-Module .\PowerUp.ps1
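The notes above are the manual steps. As an added example that is not code from the episode, PowerUp or Tater, the PowerShell script below automates the same triage: it reads installed hotfixes the way wmic qfe does, reports which of a list of KB numbers you supply are missing, and then checks two misconfigurations that PowerUp also looks for: unquoted service binary paths whose intermediate directories the current user can write to, and the AlwaysInstallElevated installer policy. Function names and the $ExpectedKB parameter are my own; the script assumes a Windows host with PowerShell 5.1, is run as the unprivileged user, and ships with no KB numbers hard-coded.

```powershell
# Added example, not code from the episode, PowerUp or Tater. Assumes an
# unprivileged PowerShell 5.1 session on the target, e.g.
#   powershell.exe -exec bypass -File .\Invoke-PrivEscTriage.ps1
# Function names and parameters are hypothetical, chosen for this example.

# --- 1. Patch level: the same data `wmic qfe` prints, via Get-HotFix ---------
function Get-InstalledKB {
    Get-HotFix | ForEach-Object { $_.HotFixID } | Sort-Object -Unique
}

# Takes KB numbers you mapped from searchsploit hits yourself and reports which
# are absent. A missing KB is a lead, not proof: superseding cumulative updates
# often replace the original KB number.
function Find-MissingKB {
    param([string[]]$ExpectedKB)
    $installed = @(Get-InstalledKB)
    $ExpectedKB | Where-Object { $installed -notcontains $_ }
}

# --- 2. Can the current user create a file in this directory? ----------------
# Looks for Allow ACEs matching the user's own SID or any of its group SIDs
# that carry FILE_WRITE_DATA or FILE_APPEND_DATA (create file / create subdir).
# Deny ACEs and generic-rights bits are ignored, so confirm a hit by writing.
function Test-WritableByCurrentUser {
    param([string]$Path)
    $id   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    $createBits = 0x2 -bor 0x4
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $aceSid = $ace.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if (($sids -contains $aceSid) -and (([int]$ace.FileSystemRights -band $createBits) -ne 0)) {
            return $true
        }
    }
    return $false
}

# --- 3. Unquoted service paths containing spaces -----------------------------
# For  C:\Program Files\Some App\svc.exe  the service control manager tries
# C:\Program.exe, then C:\Program Files\Some.exe, before the real binary.
# If C:\ or C:\Program Files is writable, a planted file runs as the service
# account (often LocalSystem) the next time the service starts.
function Get-UnquotedServicePath {
    Get-CimInstance Win32_Service | ForEach-Object {
        $svc = $_
        if (-not $svc.PathName -or $svc.PathName -match '^"') { return }
        $exe = [regex]::Match($svc.PathName, '^.*?\.exe', 'IgnoreCase').Value
        if (-not $exe -or $exe -notmatch ' ') { return }
        # Each prefix ending at a space is a filename the SCM may try first;
        # its parent directory is what an attacker would need to write to.
        $parts = $exe -split ' '
        $dirs  = for ($i = 1; $i -lt $parts.Count; $i++) {
            Split-Path -Parent ($parts[0..($i - 1)] -join ' ')
        }
        [pscustomobject]@{
            Name         = $svc.Name
            RunsAs       = $svc.StartName
            PathName     = $svc.PathName
            WritableDirs = @($dirs | Sort-Object -Unique | Where-Object { Test-WritableByCurrentUser $_ })
        }
    }
}

# --- 4. AlwaysInstallElevated --------------------------------------------------
# Only exploitable when BOTH the machine and the user policy value are 1; then
# any .msi the user installs runs as SYSTEM.
function Test-AlwaysInstallElevated {
    $sub  = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $vals = foreach ($hive in 'HKLM', 'HKCU') {
        (Get-ItemProperty -Path "${hive}:\$sub" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    }
    return (@($vals | Where-Object { $_ -eq 1 }).Count -eq 2)
}

# --- 5. Are we already a local admin? -----------------------------------------
# Under UAC a member of Administrators still gets $false here until the token
# is elevated; that is a UAC bypass problem, not a privilege escalation one.
function Test-IsLocalAdmin {
    ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-PrivEscTriage {
    param([string[]]$ExpectedKB = @())
    [pscustomobject]@{
        RunningAsAdmin        = Test-IsLocalAdmin
        InstalledHotfixes     = @(Get-InstalledKB).Count
        MissingExpectedKB     = @(Find-MissingKB -ExpectedKB $ExpectedKB)
        AlwaysInstallElevated = Test-AlwaysInstallElevated
        UnquotedServicePaths  = @(Get-UnquotedServicePath)
    }
}

# Pass -ExpectedKB with the KB numbers you looked up from searchsploit output.
Invoke-PrivEscTriage | Format-List
```

Everything this script reports is a lead to verify by hand: the writability check reads ACLs rather than attempting a write, so a Deny ACE or a generic-rights entry can produce a false positive or a miss, and a KB that is absent may have been superseded by a later cumulative update. PowerUp's Invoke-AllChecks covers these and more, but seeing the checks spelled out makes its output easier to interpret.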

Links:

PowerUp by harmj0y
Potato by foxglovesec
Tater (PowerShell Implementation of Hot Potato exploit)
SessionGopher

About the author

Paul Asadoorian is the Founder & CEO of Security Weekly, where the flagship show, "Paul's Security Weekly", has been airing since 2005. In 2016, Security Weekly grew into the first security podcast network and added shows like Hack Naked News, Enterprise Security Weekly, and more. Paul hosts the various shows here at Security Weekly, all dedicated to providing the latest security news, interviews with the industry's finest, and technical how-to segments. Paul is also the CEO of Offensive CounterMeasures, a software company dedicated to producing security products aimed at defenders.