Skip to content

You've landed a low-privileged shell on a Windows host. How do you escalate privileges?

Short answer

Enumerate the account's privileges and the host's misconfigurations: token privileges like SeImpersonate, unquoted service paths, weak service permissions, AlwaysInstallElevated, and stored credentials. Then abuse the most reliable one — token impersonation (Potato attacks) is a common route to SYSTEM.

On Windows, the goal is usually NT AUTHORITY\SYSTEM, and the path almost always runs through a privilege or a service misconfiguration rather than a memory-corruption exploit. As with Linux, enumeration comes first.

Enumerate the account and host

  • Token privileges: whoami /priv. Privileges like SeImpersonate, SeAssignPrimaryToken, SeBackup, or SeDebug are escalation primitives in disguise. Service accounts (IIS, MSSQL) frequently hold SeImpersonate.
  • Service misconfigurations:
    • Unquoted service paths — a service path like C:\Program Files\My App\svc.exe without quotes lets you drop C:\Program.exe if the directory is writable.
    • Weak service permissions — if you can reconfigure a service's binary path (sc config), you run code as its account on restart.
    • Writable service binaries or DLL hijacking opportunities.
  • AlwaysInstallElevated: if both registry keys are set, any MSI you install runs as SYSTEM.
  • Stored credentials: unattend.xml, registry autologon, saved RDP/credential manager secrets, scripts.

Tools like WinPEAS, PowerUp, and Seatbelt automate the sweep.

Exploit the strongest primitive

  • SeImpersonate is the classic win on service accounts. The Potato family (JuicyPotato, PrintSpoofer, RoguePotato, GodPotato) coerces a SYSTEM process to authenticate, then impersonates that token to run as SYSTEM — reliable and quiet.
  • An unquoted path or writable service config gives you the service account, which on older boxes is often LocalSystem directly.
  • AlwaysInstallElevated is a single malicious MSI away from SYSTEM.

Why not just memory-corruption exploits?

They exist, but they're version-specific and risk crashing the host. Configuration and token abuse are more reliable and far less likely to cause an outage you'll have to explain.

What interviewers look for

A repeatable methodology, the whoami /priv instinct, recognition that SeImpersonate plus a Potato attack is a go-to for SYSTEM, and the same stability awareness that makes you prefer misconfigurations over fragile exploits.

Likely follow-ups

  • Why is the SeImpersonatePrivilege so valuable to an attacker?
  • How does an unquoted service path lead to code execution as the service account?
  • What is AlwaysInstallElevated and why is it such a gift?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.