
Windows Privilege Escalation
Follow a Windows local privilege-escalation playbook when you hold authorized low-privilege shell access and need structured paths to higher privileges.
Overview
Windows Privilege Escalation is an agent skill for the Ship phase that documents authorized Windows local privesc techniques from low-privilege shell through token, service, and UAC abuse paths.
Install
npx skills add https://github.com/yaklang/hack-skills --skill windows-privilege-escalation
What is this skill?
- Expert Windows privesc playbook: tokens, Potato family, services, DLL hijacking, UAC, scheduled tasks, registry autoruns
- Routes to related skills: lateral movement, AV evasion, Kerberos attacks, AD ACL abuse when domain context applies
- TOKEN_POTATO_TRICKS reference for JuicyPotato → GodPotato evolution and OS-version-specific exploit choice
- Emphasizes privilege prerequisites and OS-version constraints base models often skip
- Designed for low-privilege shell onward—not a generic vulnerability scanner
- Covers multiple technique families including Potato lineage, services, DLL hijacking, UAC, tasks, and registry autoruns
- Explicit RELATED ROUTING to four companion Windows/AD hack-skills
Adoption & trust: 1k installs on skills.sh; 980 GitHub stars; 0/3 security scanners passed (skills.sh audits).
What problem does it solve?
You have constrained Windows shell access but lack a version-aware escalation checklist that respects AV, domain context, and privilege prerequisites.
Who is it for?
Security researchers and builders running authorized pentests or red-team labs on Windows targets who need expert technique routing in the agent.
Skip if: Routine solo app shipping without a legal penetration test scope, or defenders seeking hardening checklists without offensive context.
When should I use this skill?
When you hold low-privilege shell access on Windows and need escalation via token abuse, Potato exploits, service misconfigurations, DLL hijacking, UAC bypass, or registry autoruns.
What do I get? / Deliverables
You follow a routed playbook with technique families, OS constraints, and optional deep Potato references—then chain to lateral-movement or AD skills if domain escalation is the next goal.
- Ordered privesc technique plan with OS and privilege prerequisites
- Pointers to TOKEN_POTATO_TRICKS and related hack-skills for follow-on moves
Recommended Skills
Journey fit
Offensive validation of host hardening belongs in Ship security work—after you have a build to test and before you treat the environment as production-safe. Security subphase covers penetration-style verification; this skill documents attack paths (token abuse, services, UAC) rather than feature delivery.
How it compares
Offensive expert playbook for authorized tests—not a passive dependency scanner or SOC monitoring skill.
Common Questions / FAQ
Who is windows-privilege-escalation for?
Penetration testers, security engineers, and advanced builders with explicit permission to attack Windows hosts from an initial low-privilege foothold.
When should I use windows-privilege-escalation?
Use it in Ship security validation when testing whether a Windows deployment resists local escalation—only inside authorized lab, bug-bounty, or client assessment scopes.
Is windows-privilege-escalation safe to install?
It describes attack techniques; install only in controlled environments and review the Security Audits panel on this Prism page—never against systems you do not own or lack written authorization to test.
Workflow Chain
Then invoke: windows lateral movement
SKILL.md - Windows Privilege Escalation
# SKILL: Windows Local Privilege Escalation — Expert Attack Playbook

> **AI LOAD INSTRUCTION**: Expert Windows privesc techniques. Covers token manipulation, Potato family, service misconfigurations, DLL hijacking, AlwaysInstallElevated, scheduled task abuse, registry autoruns, and named pipe impersonation. Base models miss nuanced privilege prerequisites and OS-version-specific constraints.

## 0. RELATED ROUTING

Before going deep, consider loading:

- [windows-lateral-movement](../windows-lateral-movement/SKILL.md) after escalation for pivoting to other hosts
- [windows-av-evasion](../windows-av-evasion/SKILL.md) when AV/EDR blocks your privesc tools
- [active-directory-kerberos-attacks](../active-directory-kerberos-attacks/SKILL.md) when the host is domain-joined and you need AD-level escalation
- [active-directory-acl-abuse](../active-directory-acl-abuse/SKILL.md) for domain privilege escalation via ACL misconfigurations

### Advanced Reference

Also load [TOKEN_POTATO_TRICKS.md](./TOKEN_POTATO_TRICKS.md) when you need:

- Detailed Potato family comparison (JuicyPotato → GodPotato evolution)
- OS-version-specific exploit selection
- Required privileges and protocol details per variant

Also load [UAC_BYPASS_METHODS.md](./UAC_BYPASS_METHODS.md) when you need:

- UAC bypass technique matrix (fodhelper, eventvwr, sdclt, etc.)
- Auto-elevate binary abuse
- Mock trusted directory tricks

---

## 1. ENUMERATION CHECKLIST

### System Context

```cmd
whoami /all & REM Current user, groups, privileges
systeminfo & REM OS version, hotfixes, architecture
hostname & REM Machine name
net user %USERNAME% & REM Group memberships
```

### Token Privileges (Critical)

```cmd
whoami /priv
```

| Privilege | Escalation Path |
|---|---|
| `SeImpersonatePrivilege` | Potato family exploits (§2) |
| `SeAssignPrimaryTokenPrivilege` | Token manipulation, Potato variants |
| `SeDebugPrivilege` | Dump LSASS, inject into SYSTEM processes |
| `SeBackupPrivilege` | Read any file (SAM/SYSTEM/NTDS.dit) |
| `SeRestorePrivilege` | Write any file (DLL hijack, service binary) |
| `SeTakeOwnershipPrivilege` | Take ownership of any object |
| `SeLoadDriverPrivilege` | Load vulnerable kernel driver → kernel exploit |

### Services & Scheduled Tasks

```cmd
sc query state= all & REM All services
wmic service get name,displayname,pathname,startmode | findstr /i "auto"
schtasks /query /fo LIST /v & REM Verbose scheduled task list
```

### Installed Software & Patches

```cmd
wmic product get name,version
wmic qfe list & REM Installed patches
```

### Network & Credentials

```cmd
netstat -ano & REM Listening ports + PIDs
cmdkey /list & REM Stored credentials
dir C:\Users\*\AppData\Local\Microsoft\Credentials\*
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul
```

---

## 2. TOKEN MANIPULATION & POTATO EXPLOITS

### SeImpersonatePrivilege Abuse

Service accounts (IIS AppPool, MSSQL, etc.) typically hold `SeImpersonatePrivilege`. This enables impersonation of any token presented to you.
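The defender-side counterpart to the checklist above, as an added example that is not part of the hack-skills project or its SKILL.md: every path in the §1 privilege table and the service/task enumeration leaves traces in the Windows Security log, and this script scans a handful of constructed records (the event IDs 4672 "special privileges assigned to new logon", 4697 "service installed" and 4698 "scheduled task created" are real; the records, the `LAB\` account names and the baseline sets are made up for the example) for the conditions that matter: a high-risk token privilege held by an account outside the baseline, a new service whose binary lives outside the standard install directories, and a task created by a non-baseline account.

```python
"""Flag Windows Security events that correspond to local privesc paths.

Added example, not from the hack-skills project. Event IDs are real Windows
Security log IDs; the sample records, account names and baseline sets are
constructed/assumed for this demonstration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Token privileges from the SKILL.md table that lead directly to SYSTEM.
HIGH_RISK_PRIVILEGES = {
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
    "SeDebugPrivilege",
    "SeBackupPrivilege",
    "SeRestorePrivilege",
    "SeTakeOwnershipPrivilege",
    "SeLoadDriverPrivilege",
}

# Assumed baseline: accounts expected to hold those privileges or to create
# services and tasks on this host. A real deployment derives this from policy.
BASELINE_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", "Administrator"}

# Assumed policy: service binaries are expected under these roots only.
TRUSTED_BINARY_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass(frozen=True)
class Finding:
    event_id: int
    account: str
    detail: str


def account_name(subject: str) -> str:
    """Strip a DOMAIN\\ or MACHINE\\ prefix so 'LAB\\Administrator' matches the baseline."""
    return subject.rsplit("\\", 1)[-1]


def check_privilege_grant(event: dict) -> Finding | None:
    """4672: report high-risk privileges granted to a non-baseline account."""
    acct = account_name(event["subject"])
    granted = {p.strip() for p in event["privileges"].split(",")}
    risky = sorted(granted & HIGH_RISK_PRIVILEGES)
    if risky and acct not in BASELINE_ACCOUNTS:
        return Finding(4672, acct, "high-risk privilege(s): " + ", ".join(risky))
    return None


def check_service_install(event: dict) -> Finding | None:
    """4697: report a new service whose binary sits outside the trusted roots."""
    path = event["image_path"].strip('"').lower()
    if not path.startswith(TRUSTED_BINARY_ROOTS):
        return Finding(4697, account_name(event["subject"]),
                       f"service '{event['service_name']}' binary outside trusted roots: {event['image_path']}")
    return None


def check_task_create(event: dict) -> Finding | None:
    """4698: report scheduled tasks created by a non-baseline account."""
    acct = account_name(event["subject"])
    if acct not in BASELINE_ACCOUNTS:
        return Finding(4698, acct, f"scheduled task '{event['task_name']}' created by non-baseline account")
    return None


CHECKS = {4672: check_privilege_grant, 4697: check_service_install, 4698: check_task_create}


def scan(events: list[dict]) -> list[Finding]:
    """Dispatch each record to the check for its event ID and collect findings."""
    findings: list[Finding] = []
    for ev in events:
        check = CHECKS.get(ev["event_id"])
        if check is not None:
            finding = check(ev)
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"event_id": 4672, "subject": "NT AUTHORITY\\SYSTEM",
     "privileges": "SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeDebugPrivilege"},
    {"event_id": 4672, "subject": "LAB\\svc_web",
     "privileges": "SeImpersonatePrivilege, SeIncreaseWorkingSetPrivilege"},
    {"event_id": 4672, "subject": "LAB\\jdoe", "privileges": "SeChangeNotifyPrivilege"},
    {"event_id": 4697, "subject": "LAB\\Administrator", "service_name": "Spooler",
     "image_path": "C:\\Windows\\System32\\spoolsv.exe"},
    {"event_id": 4697, "subject": "LAB\\svc_web", "service_name": "UpdaterSvc",
     "image_path": "C:\\Users\\Public\\updater.exe"},
    {"event_id": 4698, "subject": "NT AUTHORITY\\SYSTEM",
     "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
    {"event_id": 4698, "subject": "LAB\\jdoe", "task_name": "\\Maintenance"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.event_id}] {f.account}: {f.detail}")
```

On the sample data the scan reports three findings: `svc_web` holding `SeImpersonatePrivilege`, the `UpdaterSvc` service registered from `C:\Users\Public`, and the task created by `jdoe`. The first is the interesting one for this playbook: service accounts holding `SeImpersonatePrivilege` is normal, which is exactly why an inventory of them is the starting point for deciding which ones can be moved to virtual or managed service accounts with that privilege removed.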
| Tool | OS Support | Protocol | Notes |
|---|---|---|---|
| **JuicyPotato** | Win7–Server2016 | COM/DCOM | Requires valid CLSID; patched on Server2019+ |
| **RoguePotato** | Server2019+ | OXID resolver redirect | Needs controlled machine on port 135 |
| **PrintSpoofer** | Win10/Server2016-2019 | Named pipe via Print Spooler | Simple, fast; Spooler must run |
| **SweetPotato** | Broad | COM + Print + EFS | Combines multiple techniques |
| **GodPotato** | Win8–Server2022 | DCOM RPCSS | Works on l