# Windows privilege escalation ## Manual enumeration ### User ``` whoami net user username ``` ### Other Users ``` net user ``` ### Privileges ``` whoami /priv ``` ### Hostname ``` hostname ``` ### OS and architecture ``` systeminfo systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type" ``` ### Processes and services ``` tasklist /SVC ``` ### Network ``` ipconfig /all (interfaces) route print (routing table) netstat -ano (active connections) arp -a ``` ### Firewall/AV status ``` sc query windefend sc query type=service netsh netsh advfirewall show rule name -all netsh advfirewall dump netsh firewall show state netsh advfirewallshow currentprofile ``` ### Applications/patch levels/drivers/kernel modules ``` wmic product get name wmic product get version wmic product get vendor wmic product get name, version, vendor wmic qfe wmic qfe get Caption, Description, HotFixID, InstalledOn (PS) driverquery.exe /v /fo csv |ConvertFrom -CSV | Select-Object 'Display Name', 'Start Mode', Path (PS) Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DeviceVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMWare*"} ``` ### Readable/writeable directories ``` accesschk.exe -uws "Everyone" "C:\Program Files" (SysInternalsSuite) (PS) Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString-match "Everyone\sAllow\s\sModify"} ``` ### Mounted/unmounted disks ``` mountvol wmic logicaldisk list drives ``` ### Passwords ``` findstr /si password *.txt findstr /si password *.xml findstr /si password *.ini dir /s *pass* == *cred* == *vnc* == *.config* findstr /spin “password” *.* ``` ### Scheduled tasks ``` schtasks /query /FO LIST /v ``` ### Binaries that auto elevate ``` reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer ``` ## Automated tools ``` winPEAS.exe PowerUp.ps1 windows-exploit-suggester.py Metasploit - post/multi/recon/local_exploit_suggester ``` ### windows-exploit-suggester.py * Run `systeminfo` and save the output into a text document * Update the database - `./windows-exploit-suggester.py --update` * .`/windows-exploit-suggester.py --database DBNameHere --systeminfo filepath.txt` ### Metasploit exploit suggester * Background session `background` * Select exploit to use * Set Session * Set LHOST and LPORT * Run