Improving at Windows Privilege Escalation

Hello:

For many years I have been using GNU/Linux, both for personal computing as well as system administration of servers. While I do enjoy exploit/privilege escalation on *nix machines, I have a much harder time on Windows since I lack the in-depth system knowledge to do so. I’ve looked at books about “Windows Pentesting”, but most of the time it explains how to use metasploit etc etc, which isn’t really the type of knowledge I feel I need.

In order to enumerate a system for privilege escalation (and to a slightly lesser extent for getting a foothold etc…) it seems knowledge of the architecture is required, the way the system has been configured… Does anyone have good books/resources to become more knowledgeable on these? I feel in order to do a good enumeration someone needs to have at least solid basics of the system/app that is being investigated, otherwise it just becomes script kiddie pretty quick.

Many thanks!

This website has good information:

Thanks @dennisveninga,

I’ve also used this one many times: FuzzySecurity | Windows Privilege Escalation Fundamentals

These are good to cover the possibilities, but I still feel like I’m missing the in-depth how and why on these. I feel like I need to find the right 1000-page book to read so that in my head Windows is less mystical than it currently is lol.

I think there’s no way around this:
https://docs.microsoft.com/en-us/sysinternals/learn/windows-internals

Ah! I was just looking at this:

I think this is the way to go, great, thanks @davidlightman

@davidlightman, may I ask you, did you read part 1 and 2 for these?

How was it? Did it bring some background knowledge that you find useful day to day?

Yes I did. It was incredibly demanding. It did bring a lot of background knowledge that is impossible to remember and needs to be organized in flowcharts/cheatsheets/procedures/whatever.

http://www.fuzzysecurity.com/tutorials/16.html
https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html

just remember buying a hard cover or soft cover is not always necessary when researchers offer up real world red team payloads like this and ways to expand

I am not against buying books I own allot I love books

but when it comes to the ever changing world of security I will stick to good old red team blogs etc

1 Like

Thanks and sure I agree there will always be a need for cheatsheets and blog posts on exploits and vulnerabilities discovered, which is the most important, of course. Having some background in some technology doesn’t really make you an expert at the security side of it. However, not having any background into something can be an issue too, especially if exploits need to be customized etc … It can also make your life easier and help you spot vulnerabilities without having to do as much guessing work. That’s just my personal experience and why I think you have certain positions advertised as “Pentester with an application developer background” or “XYZ with a network engineering background.” etc… Broad/Specific knowledge really helps to “feel a box” as well.

from Dostoevsky notes

Wow that’s a pretty extensive series of notes, even for the other chapters. Thanks for sharing this @peek

Type your comment> @peek said:

from Dostoevsky notes

https://github.com/dostoevskylabs/dostoevsky-pentest-notes/blob/master/chapter-4.md

This is awesome ? thanks for sharing ?