You've landed a low-privileged shell on a Windows host. How do you escalate privileges?
Short answer
Enumerate the account's privileges and the host's misconfigurations: token privileges like SeImpersonate, unquoted service paths, weak service permissions, AlwaysInstallElevated, and stored credentials. Then abuse the most reliable one — token impersonation (Potato attacks) is a common route to SYSTEM.
On Windows, the goal is usually NT AUTHORITY\SYSTEM, and the path almost always runs through a privilege or a service misconfiguration rather than a memory-corruption exploit. As with Linux, enumeration comes first.
Enumerate the account and host
- Token privileges:
whoami /priv. Privileges like SeImpersonate, SeAssignPrimaryToken, SeBackup, or SeDebug are escalation primitives in disguise. Service accounts (IIS, MSSQL) frequently hold SeImpersonate. - Service misconfigurations:
- Unquoted service paths — a service path like
C:\Program Files\My App\svc.exewithout quotes lets you dropC:\Program.exeif the directory is writable. - Weak service permissions — if you can reconfigure a service's binary path (
sc config), you run code as its account on restart. - Writable service binaries or DLL hijacking opportunities.
- Unquoted service paths — a service path like
- AlwaysInstallElevated: if both registry keys are set, any MSI you install runs as SYSTEM.
- Stored credentials: unattend.xml, registry autologon, saved RDP/credential manager secrets, scripts.
Tools like WinPEAS, PowerUp, and Seatbelt automate the sweep.
Exploit the strongest primitive
- SeImpersonate is the classic win on service accounts. The Potato family (JuicyPotato, PrintSpoofer, RoguePotato, GodPotato) coerces a SYSTEM process to authenticate, then impersonates that token to run as SYSTEM — reliable and quiet.
- An unquoted path or writable service config gives you the service account, which on older boxes is often LocalSystem directly.
- AlwaysInstallElevated is a single malicious MSI away from SYSTEM.
Why not just memory-corruption exploits?
They exist, but they're version-specific and risk crashing the host. Configuration and token abuse are more reliable and far less likely to cause an outage you'll have to explain.
What interviewers look for
A repeatable methodology, the whoami /priv instinct, recognition that SeImpersonate plus a Potato attack is a go-to for SYSTEM, and the same stability awareness that makes you prefer misconfigurations over fragile exploits.
Likely follow-ups
- Why is the SeImpersonatePrivilege so valuable to an attacker?
- How does an unquoted service path lead to code execution as the service account?
- What is AlwaysInstallElevated and why is it such a gift?