Windows Privilege Escalation for OSCP & Beyond!
4.7 (350 ratings)
Course Ratings are calculated from individual students’ ratings and a variety of other signals, like age of rating and reliability, to ensure that they reflect course quality fairly and accurately.
1,421 students enrolled

Windows Privilege Escalation for OSCP & Beyond!

Finding and exploiting Windows vulnerabilities and misconfigurations to gain an administrator shell.
4.7 (350 ratings)
Course Ratings are calculated from individual students’ ratings and a variety of other signals, like age of rating and reliability, to ensure that they reflect course quality fairly and accurately.
1,421 students enrolled
Created by Tib3rius ⁣
Last updated 6/2020
English [Auto]
Price: $19.99
30-Day Money-Back Guarantee
This course includes
  • 1.5 hours on-demand video
  • 3 downloadable resources
  • Full lifetime access
  • Access on mobile and TV
  • Certificate of Completion
Training 5 or more people?

Get your team access to 4,000+ top Udemy courses anytime, anywhere.

Try Udemy for Business
What you'll learn
  • Multiple methods for escalating privileges on a Windows system.
  • In depth explanations of why and how these methods work.
  • Tools which can help identify potential privilege escalation vulnerabilities on a Windows system.
  • A setup script you can run on a (free) trial version of Windows 10, creating an intentionally vulnerable VM to practice privilege escalation on.
  • A basic understanding of Windows systems

This course teaches privilege escalation in Windows, from basics such as how permissions work, to in-depth coverage and demonstrations of actual privilege escalation techniques. The course comes with a full set of slides (150+), and a script which can be used by students to create an intentionally vulnerable Windows 10 configuration to practice their own privilege escalation skills on. This is a 100% privilege escalation course, with absolutely no filler!

Please note that this course is aimed at students currently taking, or planning to take the OSCP, and thus covers more common forms of privilege escalation. Some extra methods are included, and more methods may be added in the future, however this course was not designed to cover every possible (or obscure) method.

Who this course is for:
  • Beginner and intermediate ethical hackers.
  • Students currently taking or planning to take the PWK/OSCP course.
Course content
Expand all 19 lectures 01:38:33
+ Introduction
5 lectures 21:14

An introduction to your lecturer and what the course covers, as well as some basic information about how to read commands in the slides. The slides contain all the information from the video lectures, as well as step-by-step instructions for performing the privilege escalations, and are attached as a downloadable resource to this video, along with the archive which will be useful for upcoming demos.

Disclaimer: Several files within the archive attached to this lecture may trigger your AntiVirus software. Please note that none of the files contained within the archive are viruses, spyware, or other malware. Rather, some of the files (e.g. cve-2018-8120-x64.exe, potato.exe,, JuicyPotato.exe, RoguePotato.exe, and PrintSpoofer.exe) are exploits which are used on the course to perform some kind of privilege escalation. As known exploits, they tend to trigger AntiVirus software in order to try and prevent their use.

Preview 04:15

A guide on how to set up the lab for this course. You should have a copy of Kali Linux (or your preferred pentesting distribution) ready. The lecture involves copying across the setup script from Kali to a Windows 10 VM and running that script in order to (intentionally) misconfigure Windows.

Preview 05:54

A short overview of permissions and access control in Windows, which is necessary to understand how privilege escalation is possible.

Privilege Escalation in Windows

This lecture explains how to spawn shells running as the Administrator or SYSTEM user. Note that the reverse.exe binary generated in this lecture is used multiple times in the upcoming demos, so it is recommended that you generate a version suited to your IP address at this point!

Preview 01:42

An overview of 5 privilege escalation tools: PowerUp, SharpUp, Seatbelt, winPEAS, and accesschk.exe.

Privilege Escalation Tools
+ Privilege Escalation Techniques
12 lectures 01:07:04

An overview of Kernel exploits, and a demo of the CVE-2018-8120 kernel exploit being used to spawn a SYSTEM shell on Windows 7.

Kernel Exploits

This lecture explains what services are, and then demonstrates 5 types of privilege escalation which services can have: Insecure Service Properties, Unquoted Service Paths, Weak Registry Permissions, Insecure Service Executables, and DLL Hijacking.

Service Exploits

Demonstrating two privilege escalation methods that relate directly to misconfigurations of the Windows Registry.

Registry Exploits

Sometimes privilege escalation is as easy as finding the administrator's password, and this lecture will show you some common locations and methods to search for passwords on a Windows system.


Scheduled tasks are hard to find, but if you find a script or program being run as part of a scheduled task, you may be able to escalate privileges.

Scheduled Tasks

Some GUI apps can be configured to run with admin privileges, and this can almost always lead to popping a shell running as with admin privileges too.

Insecure GUI Apps

Unlikely to occur on an exam or a CTF, the ability to create startup apps for administrator users can still be useful if you know that an admin will log in at some point.

Startup Apps

Using everything you've learned so far in the course, it should be no problem identifying exploits with currently installed applications and using their exploit-db entry to escalate your privileges.

Installed Apps

This spoofing attack works on older versions of Windows, but it is still worth knowing and seeing in action.

Hot Potato

This lecture discusses Token Impersonation, a common method for escalating privileges when you have a shell running as a service account. This section covers the original Rotten Potato exploit, and demos the more recent Juicy Potato, Rogue Potato, and PrintSpoofer exploits.

Token Impersonation

Learn how to access internal Windows ports from your Kali VM using this plink.exe trick!

Port Forwarding

As a way of summarizing the course, this video suggests some useful strategies to follow when performing privilege escalation in a time-limited setting, such as an exam.

Privilege Escalation Strategy
+ Extras
2 lectures 10:15

A look into Meterpreter's "getsystem" command, with explanations of Access Tokens, Named Pipes, and Token Duplication.

getsystem (Named Pipes & Token Duplication)

Explaining the concept of "Privileges" in Windows and how some assigned Privileges can be abused to escalate to an admin or SYSTEM user.

User Privileges