> For the complete documentation index, see [llms.txt](https://tamagosecurity.gitbook.io/notes/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://tamagosecurity.gitbook.io/notes/windows/windows-privilege-escalation.md).

# Windows Privilege Escalation

## Situational Awareness

After compromising a machine, this the information we need to gather that can help us to Privilege Escalate:

* Username and hostname
* Group memberships of the current user
* Existing users and groups
* Operating system, version and architecture
* Network information
* Installed applications
* Running processes

### Enumerate User

{% tabs %}
{% tab title="CMD" %}

```
whoami
whoami /groups
whoami /priv
```

{% endtab %}

{% tab title="PowerShell" %}

```
Get-LocalUser
Get-LocalGroup
Get-LocalGroupMember $user
Get-LocalGroup $groupname
```

{% endtab %}
{% endtabs %}

### Enumerate Hostname

```
systeminfo
```

### Enumerate Network

```
ipconfig /all
route print

netstat -ano
-a : display all active TCP Connections
-n : disable name resolution
-o : show process id
```

### Installed Application

```
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
```

### Process

```
Get-Process
```

## Hidden in Plain View

User might put Information in open directory that anyone can access

## PowerShell History

We can get interesting information from PowerShell.

Get list of command executed in the past:

```
Get-History
```

Clear-History just clear PowerShell own history but not PSReadline. We can grab it using below command:

```
(Get-PSReadlineOption).HistorySavePath
```

## Automated Tools

* winPeas
* PowerView
* JAWS
