OSCP Windows Privilege Escalation 2

Question 1

What is DLL hijacking in the context of Windows privilege escalation?

Accepted Answer

Placing a malicious DLL in a directory searched before the legitimate DLL location

Answer

Modifying system DLL files in System32

Answer

Injecting shellcode into a running DLL in memory

Answer

Replacing Windows Update DLLs with backdoored versions

Question 2

What tool can dump Windows NTLM password hashes from the SAM database when running as SYSTEM?

Accepted Answer

Mimikatz

Answer

Hydra

Answer

Responder

Answer

CrackMapExec

Question 3

What is the purpose of the 'AlwaysInstallElevated' Windows policy and how is it exploited?

Accepted Answer

It allows all users to install updates without admin rights — exploited by creating malicious MSI packages

Answer

It ensures all services run with SYSTEM privileges

Answer

It bypasses UAC for all signed applications

Answer

It automatically elevates PowerShell sessions

Question 4

Which PowerShell command checks whether the current user can modify a specific service's binary?

Accepted Answer

Get-Acl -Path 'C:\path	o\service.exe' | Format-List

Answer

Test-Path -Service 'servicename'

Answer

Get-Service -Name 'name' | Select-Object *

Answer

icacls /check 'C:\path	o\service.exe'

Question 5

What does the 'accesschk.exe' tool from Sysinternals help identify during Windows privilege escalation?

Accepted Answer

Permissions on files, registry keys, services, and other objects

Answer

Active network connections and their processes

Answer

All user accounts and their password policies

Answer

Scheduled tasks and their execution history

Question 6

What Windows privilege escalation technique abuses the SeImpersonatePrivilege token right?

Accepted Answer

Juicy Potato / PrintSpoofer token impersonation

Answer

Pass-the-Hash

Answer

DLL hijacking via PATH

Answer

UAC bypass via fodhelper