You have a low-priv shell. A service runs as LocalSystem and its binary directory is writable by Users. What is the likely privesc?
Service binary replacement/hijack to execute as SYSTEM (with caution).
You find an unquoted service path: C:\Program Files\Vuln Service\service.exe. What’s the exploitation concept?
Drop an executable at a higher-precedence path segment (e.g., C:\Program.exe) if that location is writable, then start the service.
A scheduled task runs a PowerShell script in C:\Scripts\backup.ps1 that you can edit. Next step?
Modify the script to perform a benign proof-of-execution action (or shell) as SYSTEM, then wait for the task to run or trigger it, as permitted.
You see a service loads a DLL from a directory writable by you. What is this?
DLL hijacking: replace the loaded DLL to execute code as the service account.
You’re in Administrators group but whoami /groups shows medium integrity. What does that suggest?
UAC: you’re not fully elevated; you need an elevation path, or SYSTEM via a service/task misconfiguration.
You find cleartext creds in C:\Windows\Panther\Unattend.xml. What should you do?
Use the creds to pivot/escalate, then document the chain and capture proof.
WinRM (5985) is open and you obtained valid creds. What’s the next move?
Use WinRM for a stable remote shell (authorized), then enumerate for privesc/AD.
You dump a hash but plaintext isn’t available. What OSCP-relevant technique might still work?
Use hash-based auth (PtH) where applicable, within the allowed tool rules.
You identify SeImpersonatePrivilege. Why do you care?
Some privesc techniques exploit impersonation privileges to get SYSTEM.
A service has weak registry permissions. How can that lead to privesc?
Modify service parameters (ImagePath) or related settings to execute code as the service account.
You can write to C:\ProgramData\ but not service directories. What should you hunt?
Other privileged auto-runs: scheduled tasks, startup folders, and writable scripts/configs referenced by SYSTEM processes.
You got SYSTEM but haven’t captured proof.txt screenshot. What’s the immediate priority?
Capture the required proof evidence (type proof.txt from its original location, plus a screenshot).
You suspect AV blocks your payload. What’s an OSCP-safe approach?
Prefer living-off-the-land and minimal custom payloads; document failures and fall back to alternate methods.