# Lab 11 — Escalate to SYSTEM on Windows
## Setup

Windows VM required. This lab needs a Windows host; Docker won't work here.

Option A — Windows eval VM (local):

1. Download the Windows Server eval ISO (180-day free trial, no license key).
2. Create a VM in VirtualBox or VMware. Snapshot the clean state before planting misconfigs.
3. Run the lab seeder (as Administrator in PowerShell):

```powershell
git clone https://github.com/plaintext-security/plaintext-labs.git
cd plaintext-labs\offensive\11-privesc-windows
Set-ExecutionPolicy -Scope Process Bypass
.\plant-misconfigs.ps1
net user labuser P@ssw0rd123 /add
```

Option B — Triage-only demo (no Windows needed): the triage tool runs on macOS/Linux against a sample winPEAS output:

```bash
git clone https://github.com/plaintext-security/plaintext-labs.git
cd plaintext-labs/offensive/11-privesc-windows
make demo
```
## Scenario

You've obtained a low-privilege shell as `labuser` on the application server. Enumerate the host with winPEAS, triage the findings, and exploit the highest-confidence vector to reach SYSTEM.
Real-world anchor — the CVE this stands next to. The headline Windows local-to-SYSTEM CVE of recent years is PrintNightmare (CVE-2021-34527), a Windows Print Spooler RCE/LPE that let a domain user reach SYSTEM on fully patched hosts; its sibling CVE-2021-1675 is the original Print Spooler flaw (initially classed as LPE, later reclassified as RCE) from which the same spooler-loaded-driver bug grew. Those CVEs are the dramatic, patch-now vectors. The planted vectors in this lab — AlwaysInstallElevated, an unquoted service path (NorthwindUpdater), and a weak service-binary ACL — are the boring-but-reliable misconfiguration classes that real engagements live on: no exploit development, no CVE window, just configuration you can find with winPEAS and exploit with built-in tooling. You name the CVE; you exploit the misconfig.
Authorization: this app is yours — attack it freely. The habit still matters everywhere else: only test systems you own or have explicit written permission to test (DVWA, PortSwigger Academy, targets you own).
## Do

- [ ] On the Windows VM, run winPEAS as `labuser` (standard user) and save its output, then run `triage.py` over that output on your analysis machine. (winPEAS ships as a single self-contained `.exe` in the PEASS-ng releases; redirect its output to a file to capture it.) Note which vectors the tool ranks P0 (reliable) vs P3 (informational).
- [ ] From the triage output, confirm the planted vectors and identify which are P0:
  - the `AlwaysInstallElevated` registry keys
  - the unquoted service path (`NorthwindUpdater`)
  - a weak service-binary ACL
- [ ] Exploit AlwaysInstallElevated (P0 — most reliable) to get a SYSTEM shell. (What does this misconfig let any user do with an `.msi`? Which msfvenom payload/format produces one, and how do you trigger an install that runs as SYSTEM?) Confirm with `whoami`.
- [ ] Exploit the unquoted service path (P1):
  - What path would Windows search before finding the real service binary?
  - Create a stub at that path and restart the service.
  - What privilege does the service run as?
- [ ] State the fix for each vector (see `triage.py` output for hints).
## Success criteria — you're done when

- [ ] You ran `triage.py` on real winPEAS output from the planted-misconfig VM.
- [ ] You escalated to SYSTEM via at least one P0 vector.
- [ ] You can explain the unquoted service path mechanism — why Windows searches multiple paths.
- [ ] You can state the remediation for all three planted misconfigs.
## Deliverables

`windows-privesc.md`: the three vectors (finding, exploit command, proof-of-SYSTEM output), a comparison of P0 vs P1 reliability, and the fix for each.
## Automate & own it

Required. Extend `triage.py` to:
- Accept a winPEAS output file
- Add rules for at least two additional vectors (token privileges, writable PATH)
- Output a ranked report with an "exploit confidence" score per vector
AI drafts the additional regex rules; you validate each against real winPEAS output.
Commit the extended triage.py and windows-privesc.md.
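The ranking loop the extension task asks for, as an added example (not the repo's `triage.py`): it parses a constructed winPEAS-shaped sample, applies one rule per section, scores each finding by whether its precondition actually holds (both AlwaysInstallElevated hives set, a low-privilege principal on the binary ACL, the account the service runs as), and pairs each with its fix. The section titles, line layout and `Finding` fields are assumptions, not winPEAS's real output format.

```python
import re
from dataclasses import dataclass
# Constructed sample shaped like winPEAS sections; real winPEAS output is laid out differently.
SAMPLE = """\
[+] AlwaysInstallElevated
  HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\\AlwaysInstallElevated: 1
  HKCU\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\\AlwaysInstallElevated: 1
[+] Unquoted service paths
  NorthwindUpdater: C:\\Program Files\\Northwind Updater\\bin\\updater.exe (LocalSystem)
[+] Service binary permissions
  LegacyBackup: C:\\Apps\\Backup\\backup.exe  BUILTIN\\Users [WriteData]
"""
LOW_PRIV = {"BUILTIN\\Users", "Everyone", "NT AUTHORITY\\Authenticated Users"}

@dataclass
class Finding:
    vector: str
    priority: str    # P0 = reliable ... P3 = informational
    confidence: int  # 0-100: how likely the exploit precondition really holds
    detail: str
    fix: str

def unquoted_search_candidates(image_path: str) -> list[str]:
    """Paths Windows tries, in order, for an unquoted ImagePath containing spaces (no arguments assumed)."""
    parts = image_path.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))] + [image_path]

def triage(text: str) -> list[Finding]:
    """Split on [+] section headers, apply one rule per section, rank by priority then confidence."""
    out = []
    for sec in re.split(r"^\[\+\] ", text, flags=re.M)[1:]:
        title, _, body = sec.partition("\n")
        if title == "AlwaysInstallElevated":
            hives = {h for h, v in re.findall(r"(HKLM|HKCU)\\\S+AlwaysInstallElevated: (\d)", body) if v == "1"}
            both = hives == {"HKLM", "HKCU"}  # precondition: BOTH hives set; one alone is only informational
            if hives:
                out.append(Finding(title, "P0" if both else "P3", 95 if both else 15,
                                   f"set to 1 in {sorted(hives)}", "Set both values to 0 via the Windows Installer GPO"))
        elif title == "Unquoted service paths":
            for svc, path, acct in re.findall(r"(\w+): (\S.*?\.exe) \((\w+)\)", body):
                tried_first = unquoted_search_candidates(path)[:-1]  # a writable dir on this list is the risk
                out.append(Finding(f"{title}: {svc}", "P1", 70 if acct == "LocalSystem" else 40,
                                   f"runs as {acct}; Windows tries {tried_first} before the real binary",
                                   "Quote the ImagePath value under HKLM\\SYSTEM\\CurrentControlSet\\Services"))
        elif title == "Service binary permissions":
            for svc, path, who in re.findall(r"(\w+): (\S.*?\.exe)\s+(\S+) \[\w+\]", body):
                weak = who in LOW_PRIV  # writable by Administrators alone is not a privesc vector
                out.append(Finding(f"{title}: {svc}", "P0" if weak else "P2", 90 if weak else 30,
                                   f"{who} can write {path}", "Remove write access for non-admin principals"))
    return sorted(out, key=lambda f: (f.priority, -f.confidence))
```

Feed it a real winPEAS capture only after adapting the regexes to that tool's actual section headings; the scoring logic, not the line patterns, is the part to keep.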
## AI acceleration

Paste your winPEAS output (or a section of it) to a model and ask it to explain the top-priority vector and the exact exploit preconditions. Then verify those preconditions on the target before acting — models confidently miss a detail that makes the exploit fail or crash the service.
## Connects forward

SYSTEM on a Windows host is the launchpad for Track 06 (Active Directory) — credential dumping with Mimikatz, Pass-the-Hash, and Kerberoasting all start from a SYSTEM or admin context. Module 12 (pivoting) shows how to use that access to reach adjacent hosts.
## Marketable proof

"I enumerate and escalate privilege on Windows — AlwaysInstallElevated, unquoted service paths, and weak binary ACLs via winPEAS — and I can map each finding to the LOLBAS/registry fix."
## Stretch

- Research PrintNightmare (CVE-2021-34527) and the original CVE-2021-1675: how did the Print Spooler reach SYSTEM, and what Windows patch closed it? Contrast its reliability and noise profile with the planted misconfig vectors.
- Run `accesschk.exe -uwcqv "labuser" *` and compare service ACL output to winPEAS findings. Which tool surfaces more service vectors?