Windows Privilege Escalation TryHackMe

Overview

This room introduces common Windows privilege escalation paths, starting with account context and credential harvesting, then moving into practical misconfigurations such as writable scheduled task binaries, weak service permissions, and unquoted service paths.

Core idea: Windows privilege escalation often comes down to finding a place where a higher-privileged process trusts a path, file, or configuration that a lower-privileged user can influence.

1) Windows Account Types

The room starts by separating normal user context from high-privilege system context.

Administrators: can change system configuration and access most files.
Standard users: have limited permissions and are usually confined to their own data.
SYSTEM / LocalSystem: built-in OS account with even higher privilege than administrators.
Local Service / Network Service: service accounts with limited local rights but useful escalation targets in some cases.

2) Credential Harvesting Quick Wins

Before exploiting anything complex, the room points out several places where passwords or reusable credentials may already exist.

Unattended installation files: such as C:\Unattend.xml and Panther/sysprep variants.
PowerShell history: %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
Saved Windows credentials: listed with cmdkey /list
IIS configuration: web.config files may contain connection strings or passwords.
Software-stored secrets: PuTTY proxy credentials and similar application configs.

Practical takeaway: credential theft is often simpler and less noisy than a full exploit chain, so check these first.

3) Scheduled Tasks

Writable scheduled task actions can produce a straightforward privilege escalation path.

List tasks with schtasks.
Inspect a specific task with schtasks /query /tn <task> /fo list /v.
Pay attention to Task To Run and Run As User.
Check file permissions on the target script or binary with icacls.

If you can modify the binary or batch file executed by the task, you can often force it to run your payload as the configured higher-privileged user.

4) AlwaysInstallElevated

This is a classic Windows installer misconfiguration where .msi packages are allowed to install with elevated rights.

Check both registry keys under HKCU and HKLM for the Installer policy.
If both are set correctly, a malicious MSI can be used for escalation.
The room notes this method as informational and not exploitable on that specific machine.

Typical exploitation uses msfvenom to generate a malicious MSI and msiexec to run it.

5) Windows Services Basics

Services are managed by the Service Control Manager and are a major source of Windows privilege escalation issues.

Query service config with sc qc <service>.
Look at BINARY_PATH_NAME to see what executable runs.
Look at SERVICE_START_NAME to see which account the service runs as.
Remember that PowerShell aliases sc, so use sc.exe there.

6) Insecure Permissions on Service Executables

If a service executable is writable by low-privileged users, escalation is usually trivial.

Identify the service binary with sc qc.
Check permissions with icacls.
If a broad group like Everyone has (M) or full access, replace the executable with your payload.
Restart the service or wait for it to restart.

Why it works: the service will execute your replacement binary using the privileges of the account configured for that service.

7) Unquoted Service Paths

Unquoted paths with spaces can be exploitable when Windows tries to guess which executable should run.

If a path like C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe is unquoted, Windows may try earlier path fragments first.
This can let an attacker place a malicious executable such as C:\MyPrograms\Disk.exe.
Exploitation only works if the intermediate path is writable by the attacker.

This is why both the path format and the directory permissions matter.

8) Practical Enumeration Mindset

This room is less about one single trick and more about checking the common Windows trust boundaries.

Look for plaintext credentials first.
Inspect scheduled tasks and what they execute.
Inspect services, service paths, and permissions.
Check whether installers or policies allow unexpected elevation.
Always verify which user context your payload will run as.

Exam Notes (PT1)

Windows privilege escalation often starts with credential discovery before exploitation.
Check unattended install files, PowerShell history, saved credentials, IIS configs, and third-party software like PuTTY.
Scheduled tasks are interesting when you can modify the file in Task To Run and the task runs as a more privileged user.
Service escalation revolves around BINARY_PATH_NAME, the service run account, executable permissions, and unquoted paths.
icacls, schtasks, cmdkey, and sc qc are key commands to remember.