OSCP Windows Privilege Escalation 2

Question 1

What is DLL hijacking in the context of Windows privilege escalation?

Accepted Answer

Placing a malicious DLL in a directory searched before the legitimate DLL location

Answer

DLL hijacking exploits Windows's DLL search order by placing a malicious DLL with the correct name in a directory that is searched before the legitimate DLL's directory.

Question 2

What tool can dump Windows NTLM password hashes from the SAM database when running as SYSTEM?

Accepted Answer

Mimikatz

Answer

Mimikatz's 'lsadump::sam' or 'sekurlsa::logonpasswords' commands can extract NTLM hashes and plaintext credentials from the SAM database and LSASS memory when run with SYSTEM privileges.

Question 3

What is the purpose of the 'AlwaysInstallElevated' Windows policy and how is it exploited?

Accepted Answer

It allows all users to install updates without admin rights — exploited by creating malicious MSI packages

Answer

When AlwaysInstallElevated is enabled in both HKCU and HKLM, any user can install MSI packages with SYSTEM privileges, allowing privilege escalation via a crafted malicious MSI file.

Question 4

Which PowerShell command checks whether the current user can modify a specific service's binary?

Accepted Answer

Get-Acl -Path 'C:\path	o\service.exe' | Format-List

Answer

Get-Acl retrieves the security descriptor (ACL) of a file, revealing which users have read, write, or modify permissions on the service binary.

Question 5

What does the 'accesschk.exe' tool from Sysinternals help identify during Windows privilege escalation?

Accepted Answer

Permissions on files, registry keys, services, and other objects

Answer

Accesschk.exe audits permissions on Windows objects (files, services, registry, kernel objects), making it essential for finding world-writable services, files, or registry keys.

OSCP - Offensive Security Certified Professional Practice Test

OSCP - Offensive Security Certified Professional Practice Test

OSCP Windows Privilege Escalation 2