Automatic Enumeration
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
WinPeas
.\WINPeas.exe
Download Link: https://medium.com/@s12deff/windows-privilege-escalation-with-winpeas-94be6fb0f173
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Seatbelt
.\Seatbelt.exe -group=all
Download Link: https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/blob/master/dotnet%20v4.7.2%20compiled%20binaries/Seatbelt.exe
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
PowerUp.ps1
powershell -ep bypass
. .\PowerUp.ps1
Invoke-AllChecks
Download Link: https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
PRIVESCCHECK
powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Manual Enumeration
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Username and hostname, existing users and groups
whoami
whoami /groups
whoami /priv
net user <username> # shows the local groups the given user is a member of
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Group memberships of the current user
# The commands below are to be run in PowerShell. From a cmd prompt, type powershell and press Enter to switch.
net user          # lists all local users (works in both cmd and PowerShell)
Get-LocalUser     # PowerShell equivalent of the above
Get-LocalGroup
Get-LocalGroupMember <Group Name>
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Operating system, version and architecture
systeminfo
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Network information
ipconfig /all
route print
netstat -ano
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Installed applications
# 32-bit applications (registered under the Wow6432Node key on 64-bit Windows)
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
# 64-bit applications
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Running processes
Get-Process
# lists all services together with the account they run as and the path of their binary
wmic service get name,startname,pathname
# List all virtual service accounts (NT Service\<name>) to check which ones apply to you (run in PowerShell)
get-service | foreach {Write-Host NT Service\$($_.Name)}
#For example mine was NT Service\MSSQL$SQLEXPRESS2019
# Search for files that may contain credentials
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\Users\ -Include *.kdbx,*.aspx,*.ini,*.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
History
Get-History
(Get-PSReadlineOption).HistorySavePath