Recommended privilege escalation resource: g0tm1lk’s Blog.
The Windows Sysinternals Process Explorer is an important tool for Windows enumeration.
Run net user $USERNAME to get a lot of information about a given Windows user.
The lsass.exe process is responsible for all authentication on Windows; if you can gain access to this process, you basically own the box.
Processes running as a higher-privileged user than your current user in Windows will not show CPU usage, path information, and other metadata. This is a quick-and-dirty way to locate potential targets for exploitation.
Quick system information on Windows:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
Exploiting an unquoted service path on Windows is really only useful for services, since these are normally run as SYSTEM (and that’s what we want to escalate to).
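As an added example (not from the blog above), the following Python audit implements the check a defender runs to find and fix unquoted service paths: it flags any service whose ImagePath is not quoted and whose executable portion contains a space, and produces the corrected, quoted value. The service names and paths are constructed samples, and the heuristic that the executable ends at the first ".exe" is an assumption that matches how these paths are normally written.

```python
import re

# Constructed sample ImagePath values (not real services) for an offline audit.
SAMPLE_SERVICES = {
    "GoodSvc": r'"C:\Program Files\Good Vendor\svc.exe" -run',
    "BadSvc": r"C:\Program Files\Bad Vendor\Tools\agent.exe -run",
    "NoSpaceSvc": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "BadNoArgs": r"C:\Program Files (x86)\Thing\thing.exe",
}

EXE_RE = re.compile(r"\.exe", re.IGNORECASE)


def split_image_path(image_path):
    """Return (executable, arguments) for an unquoted ImagePath.
    Assumption: the executable ends at the first '.exe'; the rest is arguments."""
    m = EXE_RE.search(image_path)
    if not m:
        return image_path.strip(), ""
    return image_path[: m.end()], image_path[m.end():].strip()


def is_unquoted_with_spaces(image_path):
    """True when the path is not quoted and the executable part contains a space,
    the condition under which the service control manager tries each space-split prefix."""
    stripped = image_path.strip()
    if stripped.startswith('"'):
        return False
    exe, _ = split_image_path(stripped)
    return " " in exe


def quoted_image_path(image_path):
    """Return the corrected ImagePath with the executable quoted and arguments kept."""
    stripped = image_path.strip()
    if stripped.startswith('"'):
        return stripped
    exe, args = split_image_path(stripped)
    return f'"{exe}"' + (f" {args}" if args else "")


def audit(services):
    """Return {name: corrected_path} for every service whose ImagePath needs quoting."""
    return {n: quoted_image_path(p) for n, p in services.items() if is_unquoted_with_spaces(p)}


if __name__ == "__main__":
    for name, fixed in audit(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path with spaces -> set ImagePath to {fixed}")
```

On a real host, feed it the PathName values from Get-CimInstance Win32_Service (or the ImagePath registry values) instead of the constructed sample.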
To cross-compile binaries for Windows using Linux, use the
Windows also has a shutdown command with almost the same semantics as the equivalent *NIX command.