Windows Privilege Escalation — Complete Course

From whoami /priv to NT AUTHORITY\SYSTEM — every technique, tool, and HTB/THM/PG practice machine

🖧 Network Pentest Intermediate 26 modules 4.9h 0 enrolled
A complete, end-to-end Windows privilege escalation course covering every primitive from manual enumeration to token impersonation. Each topic includes the exact commands, the tools (winPEAS, PowerUp, PrivescCheck, Seatbelt, JuicyPotato, PrintSpoofer, GodPotato, EfsPotato, LOLDrivers, WES-NG, ...), a quick-reference cheatsheet, and a curated list of HackTheBox, TryHackMe, and Offsec Proving Grounds practice machines so you can immediately apply what you learn. Built from the Swissky / PayloadsAllTheThings reference and updated with 2026 tradecraft.
Instructor
lazyhackers
🔒
Premium Course

Login or subscribe to access this course.

Login View Plans

Curriculum — 8 sections · 26 modules · 4.9h

📄
Windows Privesc Mindset & Methodology
Lesson · 12m ·Free Preview ·Lab ↗
📄
Lab Setup — HTB, TryHackMe, PG & Self-Build
Lesson · 15m ·Free Preview ·Lab ↗
📄
Access Tokens, Integrity Levels & Privileges
Lesson · 10m · Locked ·Lab ↗
What You'll Learn
  • Master local Windows privilege escalation end-to-end:
  • • Identify exploitable misconfigurations through manual and automated enumeration (winPEAS, PowerUp, PrivescCheck, Seatbelt, WES-NG)
  • • Loot saved credentials from SAM, HiveNightmare, LAPS, unattend.xml, registry, browsers, SessionGopher and PowerShell history
  • • Exploit weak service permissions, unquoted paths, $PATH interception, and DLL hijacking
  • • Abuse AlwaysInstallElevated, MSI Custom Actions and vulnerable signed drivers (BYOVD)
  • • Land NT SYSTEM via the entire Potato family — JuicyPotato, RoguePotato, PrintSpoofer, EFSPotato, GodPotato
  • • Weaponise PrintNightmare and Print Spooler attacks
  • • Use the SeImpersonate / SeBackup / SeRestore / SeDebug / SeLoadDriver / SeTakeOwnership matrix
  • + 1 more
Course Info
LevelIntermediate
Duration4.9h
Modules26
Enrolled0
Access Premium

Related Articles

5
Active Directory

ADCS Attacks (ESC1–ESC16)

AD CS is the quietest road to Domain Admin: one mis-set checkbox on a certificate template…

23m read
Tools & Scripts

Nmap Mastery

Complete Nmap mastery guide — scan types, timing, OS detection, NSE script categories, out…

14m read
Walkthroughs

Vulnlab: Sweep — Medium (Windows)

Full security assessment walkthrough for Sweep on Vulnlab. Includes reconnaissance, enumer…

1m read
Tools & Scripts

Burp Suite Professional

Master Burp Suite Pro — proxy interception, Intruder attack types, Scanner, extensions, HT…

18m read
Walkthroughs

Vulnlab: Watcher — Medium (Linux)

Full security assessment walkthrough for Watcher on Vulnlab. Includes reconnaissance, enum…

1m read

Related Cheatsheets

5
exploitation

John the Ripper — Password Cracking

John the Ripper — versatile password cracker with hash extraction helpers for common file …

212 views
active-directory

Responder — LLMNR/NBT-NS Poisoning

Responder poisons LLMNR, NBT-NS, and mDNS to capture NTLMv2 hashes from Windows hosts on t…

169 views
active-directory

NetExec (CrackMapExec) — AD Lateral Movement

NetExec (nxc) — the Swiss Army knife for Windows/AD lateral movement, credential spraying,…

150 views
active-directory

Impacket — Windows & Active Directory Attacks

Impacket Python library with tools for SMB, MSRPC, Kerberos, NTLM, WMI, and AD attacks.

150 views
network-pentest

Nmap — Network Scanning & Enumeration

Complete Nmap reference for host discovery, port scanning, service detection, and NSE scri…

135 views