If you've ever popped a box on HackTheBox, TryHackMe, or OffSec Proving Grounds, you know the drill. Initial access isn't that different between Linux and Windows: scan, fuzz, find a CVE ("Heey, there's an exploit.py"), get a shell. It gets interesting with privesc. On Linux you've got your SUID bits, writable cron jobs, `sudo -l`... it's almost cozy. Windows? Windows has services, tokens, ACLs, AppLocker, registry keys, integrity levels, and about fifteen ways a misconfigured service account will hand you SYSTEM if you know where to look.

This post is Part 01 of my Windows PrivEsc series, amidst my series on Active Directory haha. Before we dive into the juicy stuff, here's the initial enumeration baseline you need to build every single time you land a shell.

## Know Where You Are

```powershell
Get-WmiObject -Class Win32_OperatingSystem
whoami /user
whoami /priv
whoami /groups
```

`whoami /priv` is nice. Spot SeImpersonatePrivilege?…
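The four commands above are the baseline, but running them one at a time leaves you with four walls of text that are awkward to save or compare across hosts. The following is an added example, not code from the original post: a hypothetical `Get-ShellBaseline` function that collects the same information into a single object. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, and it uses `Get-CimInstance` instead of `Get-WmiObject` because the WMI cmdlets were removed from PowerShell 7. The `/fo csv` switch on `whoami` drops the banner text and emits a header row, so `ConvertFrom-Csv` turns the output into objects instead of lines you have to regex.

```powershell
# Added example, not from the original post: pull the "Know Where You Are"
# baseline into one object so it can be saved and compared across hosts.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows. Get-CimInstance
# replaces Get-WmiObject, which does not exist in PowerShell 7.
function Get-ShellBaseline {
    [CmdletBinding()]
    param()

    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # whoami's /fo csv output has a header row ("User Name","SID" etc.),
    # so ConvertFrom-Csv yields objects with those column names.
    $user   = whoami /user   /fo csv | ConvertFrom-Csv
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $privs  = whoami /priv   /fo csv | ConvertFrom-Csv

    # The process integrity level appears in /groups as a row of Type "Label",
    # e.g. "Mandatory Label\Medium Mandatory Level".
    $integrity = ($groups | Where-Object { $_.Type -eq 'Label' }).'Group Name'

    # Only enabled privileges are usable by the token right now. The post
    # singles out SeImpersonatePrivilege, so surface it as its own field.
    $enabled = $privs | Where-Object { $_.State -eq 'Enabled' }
    $hasImpersonate = [bool]($enabled |
        Where-Object { $_.'Privilege Name' -eq 'SeImpersonatePrivilege' })

    [PSCustomObject]@{
        Host              = $env:COMPUTERNAME
        OS                = $os.Caption
        Build             = $os.BuildNumber
        Architecture      = $os.OSArchitecture
        LastBoot          = $os.LastBootUpTime
        User              = $user.'User Name'
        UserSid           = $user.SID
        IntegrityLevel    = $integrity
        GroupCount        = @($groups).Count
        EnabledPrivileges = @($enabled.'Privilege Name')
        HasSeImpersonate  = $hasImpersonate
    }
}

# Usage: show the summary, then keep a JSON copy for later comparison or reporting.
$baseline = Get-ShellBaseline
$baseline | Format-List
$baseline | ConvertTo-Json -Depth 3 | Set-Content -Path "$env:TEMP\baseline.json"
```

The JSON copy is the point: when you are comparing the token you landed with against what a service account should legitimately hold, or writing up a finding for the people who have to fix the misconfiguration, a structured record beats a screenshot of `whoami /priv`.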