Windows PrivEsc 01: Initial Enumeration (The Part That Actually Matters)

DEV Community
Niklas

If you've ever popped a box on HackTheBox, TryHackMe, or OffSec Proving Grounds, you know the drill. Initial access isn't that different between Linux and Windows: scan, fuzz, find a CVE ("Heey there's an exploit.py"), get a shell. It gets interesting with privesc. On Linux you've got your SUID bits, writable cron jobs, sudo -l... it's almost cozy. Windows? Windows has services, tokens, ACLs, AppLocker, registry keys, integrity levels, and about fifteen ways a misconfigured service account will hand you SYSTEM if you know where to look.

This post is Part 01 of my Windows PrivEsc series, amidst my series on Active Directory haha. Before we dive into the juicy stuff, here's the initial enumeration baseline you need to build every single time you land a shell.

```powershell
Get-WmiObject -Class Win32_OperatingSystem
whoami /user
whoami /priv
whoami /groups
```

whoami /priv is nice. Spot SeImpersonatePrivilege? That's basically game over via PrintSpoofer or Juicy Potato. SeBackupPrivilege? You can read SAM and NTDS.dit. Even the Disabled state doesn't save you; these can be enabled in the same process with a few API calls.

Want to properly memorize the important stuff? My blog post has interactive quizzes for that → niklas-heringer.com

```powershell
ipconfig /all   # dual-homed? new network segment?
arp -a          # who has this machine talked to recently?
route print     # where can traffic go?
netstat -ano    # what's listening? especially on 127.0.0.1
```

Anything bound to 127.0.0.1 in netstat is invisible from outside, but once you have a shell, it's right there. A SQL Server or local web app running as SYSTEM on loopback with no hardening is a classic setup.

```powershell
Get-MpComputerStatus   # Defender: is RealTimeProtection actually on?
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
```

AppLocker blocks cmd.exe for everyone? Fine, but is powershell.exe blocked too? Or only a specific file? Read the rules, find the gaps.

```powershell
tasklist /svc
```

Ignore the svchost.exe army. Look for: Tomcat, FileZilla, SQL Server, third-party VPN services. Old Tomcat with default creds (tomcat:tomcat) = deploy a WAR = code execution. Old SQL Server = xp_cmdshell = SYSTEM.

```powershell
net user
net localgroup administrators
whoami /groups
net accounts
```

Lockout threshold: Never + Minimum password length: 0 in net accounts? Spray freely. Look for bob and bob_adm side by side: credential reuse gift. Non-standard groups sometimes exist purely to grant access to something sensitive and nobody maintains the membership.

```powershell
Get-HotFix | ft -AutoSize
systeminfo
```

Four hotfixes total, last one from 2021? Feed those KB numbers into WES-NG and watch it map them to CVEs for you.

This is just the recon layer. Next post goes into process enumeration, service misconfigs, and where things start to get exploitable. Full walkthrough with command output and reasoning on my blog → niklas-heringer.com
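As an added example (not part of the original post), here is a small Python triage script that parses saved `whoami /priv` and `net accounts` output and flags the two conditions called out above: high-impact privileges even when they show as Disabled, and a lockout/password policy under which online guessing is never throttled. The sample output, the set of flagged privileges and the length threshold are constructed assumptions, not the post's.

```python
import re

# Constructed sample output of `whoami /priv` and `net accounts` (not captured
# from a real host); the parsers work on real output of the same shape.
WHOAMI_PRIV = """\
Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Disabled
SeBackupPrivilege             Back up files and directories             Disabled
"""
NET_ACCOUNTS = """\
Minimum password age (days):                          0
Minimum password length:                              0
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
The command completed successfully.
"""

# Privileges treated as escalation-relevant (set chosen for this example);
# Disabled still counts, since a process can re-enable its own privileges.
HIGH_IMPACT_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege",
                     "SeBackupPrivilege", "SeRestorePrivilege", "SeDebugPrivilege"}
MIN_PASSWORD_LENGTH = 8  # review threshold assumed here, not a Windows default

def parse_privs(text):
    """Map privilege name -> State ("Enabled"/"Disabled") from `whoami /priv`."""
    pat = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")
    return {m.group(1): m.group(2)
            for m in (pat.match(line) for line in text.splitlines()) if m}

def parse_net_accounts(text):
    """Map policy name -> value from `net accounts`; non 'key: value' lines skipped."""
    pat = re.compile(r"^(.+?):\s+(\S.*)$")
    return {m.group(1).strip(): m.group(2).strip()
            for m in (pat.match(line) for line in text.splitlines()) if m}

def findings(privs, policy):
    """Return the review findings for one host, sorted by privilege name first."""
    out = []
    for name in sorted(privs):
        if name in HIGH_IMPACT_PRIVS:
            out.append(f"{name} held ({privs[name]}): escalation-relevant privilege; "
                       "Disabled does not reduce the risk")
    if policy.get("Lockout threshold") == "Never":
        out.append("Lockout threshold Never: online password guessing is unthrottled")
    if int(policy.get("Minimum password length", "0")) < MIN_PASSWORD_LENGTH:
        out.append(f"Minimum password length below {MIN_PASSWORD_LENGTH}")
    return out
```

Run it on output you saved from a real host by replacing the two constructed strings; the parsers ignore the header and footer lines those commands print.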