Priv Esc Tools

WinPEAS

WinPEAS is a great tool that usually enumerates a lot of useful information in one pass.

I recommend running it as one of your first steps, but don’t rely on it 100%: it misses things, and it reports plenty of noise you still need to triage by hand.

Download to your Windows target and run:

winpeas.exe -h  # shows options
winpeas.exe  # runs all checks
winpeas.exe userinfo  # runs user checks

PowerUp

PowerUp is part of PowerSploit and is another tool that I rate very highly.

You should ideally run both winPEAS and PowerUp, as each usually picks up things the other has missed.

Download here:
https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1

Copy it to your Windows target, then drop into a PowerShell shell (or generate a PowerShell reverse shell):

powershell -nop -exec bypass

Dot-source the script and run every check:

. .\PowerUp.ps1
Invoke-AllChecks

accesschk.exe

accesschk is another great tool, and it offers something different from the other two.

Windows doesn’t expose file permissions the way a Linux directory listing does, so you need a tool like accesschk.exe to enumerate the permission details (who can read, write or modify a given file, directory, service or registry key).

There are a number of ways to priv esc through insecure permissions, so accesschk needs to be in your arsenal.

We’ll cover this tool in more detail throughout the cheat sheet.
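The point above is that you have to query ACLs explicitly on Windows. The following is an added example written for this page (it is not part of the original cheat sheet and does not use accesschk.exe): a small audit function, built only on the stock Get-ChildItem and Get-Acl cmdlets, that walks a directory tree and reports every ACE granting write-type rights to a broad, non-administrative principal. The function name Find-WeakAcl, its parameters and the default principal list are this example’s own choices; the rights enumeration values and cmdlets are standard .NET/PowerShell.

```powershell
# Added audit example for this page (not the cheat sheet's own code).
# Reports file-system ACEs that let broad groups change a file or directory,
# which is exactly the class of misconfiguration accesschk is used to find.

function Find-WeakAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Principals that should normally not hold write rights on program
        # directories, service binaries or their config. Example's own default list.
        [string[]]$BroadPrincipals = @(
            'Everyone',
            'BUILTIN\Users',
            'NT AUTHORITY\Authenticated Users',
            'NT AUTHORITY\INTERACTIVE'
        )
    )

    # Rights that allow changing, replacing or re-permissioning the object.
    # WriteAttributes on its own is deliberately not included (low impact).
    $writeRights = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
                   [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership

    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            # Access denied on individual entries is expected when auditing as a
            # low-privilege user; skip those rather than abort the whole walk.
            try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
            catch { return }

            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                # -band works on the enum; a zero result means no write-type bit is set.
                if (([int]$ace.FileSystemRights -band [int]$writeRights) -eq 0) { continue }

                [pscustomobject]@{
                    Path      = $item.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
}

# Usage: audit a program directory and tabulate the findings.
# Find-WeakAcl -Path 'C:\Program Files\ExampleApp' | Format-Table -AutoSize
```

Run it against the directories that matter (service binary locations, scheduled-task scripts, anything in a privileged PATH entry) and treat every row as a finding to fix, typically by removing the offending grant with icacls (for example icacls "<path>" /remove:g "BUILTIN\Users") and re-running the audit to confirm. accesschk remains the better choice when you also need service, registry and named-object permissions; this snippet only covers the file system.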
