Ethical hacking: Top privilege escalation techniques in Windows


In this article, we will discuss the top techniques that hackers use today when performing privilege escalation within Windows machines. Where necessary, we shall give examples of the techniques being discussed in order to show how they are carried out.

This article is intended for hackers who already have an idea of Windows hacking, so we will not be providing an introduction to concepts such as Metasploit hacking and msfvenom payload generation.


As a penetration tester or hacker, you often break into a Windows machine either through a vulnerability or weak credentials. In situations like these, you’ll want to identify the privileges that you are running under. 

For every hacker, there are numerous occasions when your shell will be low-privileged. The following are the methods by which you can elevate privileges within your compromised host:

Unquoted service paths

An unquoted service path is a vulnerability that occurs when a service's executable path contains spaces and is not enclosed in quotation marks.

This happens when a service is created with an executable path containing spaces, and the path is not wrapped in quotes at creation time.

How are unquoted service paths detected?

In order to detect unquoted service paths, you can use the following command:

wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

The following screenshot shows this command and the output received from Windows:

If we are to look at how this registry entry is defined by using “regedit”, we can note something interesting. The entry is given as shown below:

C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe

The entry should instead be given as follows, enclosed in quotation marks:

"C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe"

The screenshot showing this is given below:

When Windows attempts to run this service, it follows the following (Read more...)
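The following PowerShell script is an added example and is not part of the original article. It does the same job as the wmic one-liner above from the defender's side: it enumerates services whose image path contains spaces and is not quoted, lists the intermediate paths the service control manager would try before the real binary, flags any of those parent directories that grant write access to broad groups, and re-quotes the registry entry the way the regedit screenshot shows. It assumes an elevated PowerShell session on the host being audited; the function names, parameter names and the ACL group list are this example's own choices.

```powershell
# Added example (not from the original article). Assumes an elevated
# PowerShell session on the host being audited. Function and parameter
# names are this example's own.

function Get-UnquotedServicePath {
    [CmdletBinding()]
    param(
        [switch]$IncludeSystemRoot   # also report binaries under %SystemRoot%
    )

    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc  = $_
        $path = $svc.PathName
        if (-not $path) { return }

        # Quoted paths and paths without spaces are resolved unambiguously.
        if ($path.StartsWith('"') -or ($path -notmatch ' ')) { return }

        # Drop any trailing arguments: the binary ends at the first ".exe".
        $exeEnd = $path.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
        $exe = if ($exeEnd -ge 0) { $path.Substring(0, $exeEnd + 4) } else { $path }

        if (-not $IncludeSystemRoot -and ($exe -like "$env:SystemRoot\*")) { return }

        # Every prefix the service control manager tries before the real binary, e.g.
        # C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe ->
        #   C:\Program.exe, C:\Program Files.exe, C:\Program Files (x86)\Program.exe, ...
        $parts = $exe -split ' '
        $candidates = for ($i = 1; $i -lt $parts.Count; $i++) {
            ($parts[0..($i - 1)] -join ' ') + '.exe'
        }

        # A candidate only matters if its parent directory lets unprivileged
        # principals create files there; check the ACL for broad Allow entries.
        $writableDirs = foreach ($c in $candidates) {
            $dir = Split-Path -Path $c -Parent
            if (-not (Test-Path -LiteralPath $dir)) { continue }
            $acl = Get-Acl -LiteralPath $dir
            $broad = $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -match '^(Everyone|NT AUTHORITY\\Authenticated Users|BUILTIN\\Users)$' -and
                ($_.FileSystemRights.ToString() -match 'Write|Modify|FullControl|CreateFiles|AppendData')
            }
            if ($broad) { $dir }
        }

        [pscustomobject]@{
            Name          = $svc.Name
            StartMode     = $svc.StartMode
            PathName      = $path
            SearchedFirst = @($candidates)
            WritableDirs  = @($writableDirs)
        }
    }
}

function Repair-UnquotedServicePath {
    param([Parameter(Mandatory = $true)][string]$Name)

    # ImagePath is the value the article inspects in regedit.
    $key     = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $current = (Get-ItemProperty -LiteralPath $key -Name ImagePath).ImagePath
    if ($current.StartsWith('"')) { return }

    $exeEnd = $current.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
    if ($exeEnd -lt 0) { throw "Cannot locate the executable in: $current" }
    $exe  = $current.Substring(0, $exeEnd + 4)
    $tail = $current.Substring($exeEnd + 4)   # service arguments, if any

    # Wrap only the executable in quotes, leaving arguments outside them.
    Set-ItemProperty -LiteralPath $key -Name ImagePath -Value ("`"$exe`"$tail") -Type ExpandString
}

# Usage: list the services that are actually at risk (writable search prefix),
# then fix one of them by name.
Get-UnquotedServicePath | Where-Object { $_.WritableDirs.Count -gt 0 } |
    Format-List Name, StartMode, PathName, SearchedFirst, WritableDirs
# Repair-UnquotedServicePath -Name 'ServiceNameFromTheListAbove'
```

The audit reads `Win32_Service.PathName` rather than parsing wmic text, so it also catches services whose StartMode is not Auto; filter on `StartMode` if you want to match the one-liner exactly. The repair writes the registry value directly, which avoids the quoting pitfalls of passing an already-quoted `binPath=` through `sc.exe`; the change takes effect the next time the service starts.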

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Lester Obbayi. Read the original post at: