- WinPEAS v2.0-beta by @carlospolopm, makikvues(makikvues2[at]gmail[dot]com)
- /---------------------------------------------------------------------------\
- | Do you like PEASS? |
- |---------------------------------------------------------------------------|
- | Become a Patreon : https://www.patreon.com/peass |
- | Follow on Twitter : @carlospolopm |
- |---------------------------------------------------------------------------|
- | Thank you! |
- \---------------------------------------------------------------------------/
- [+] Legend:
- Red Indicates a special privilege over an object or something is misconfigured
- Green Indicates that some protection is enabled or something is well configured
- Cyan Indicates active users
- Blue Indicates disabled users
- LightYellow Indicates links
- [?] You can find a Windows local PE Checklist here: https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation
- Creating Dynamic lists, this could take a while, please wait...
- - Checking if domain...
- - Getting Win32_UserAccount info...
- - Creating current user groups list...
- - Creating active users list (local only)...
- - Creating disabled users list...
- - Admin users list...
- - Creating AppLocker bypass list...
- - Creating files/directories list for search...
- ==========================================(System Information)==========================================
- [+] Basic System Information
- [?] Check if the Windows version is vulnerable to some known exploit https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#kernel-exploits
- Hostname: ATOM
- ProductName: Windows 10 Pro
- EditionID: Professional
- ReleaseId: 2009
- BuildBranch: vb_release
- CurrentMajorVersionNumber: 10
- CurrentVersion: 6.3
- Architecture: AMD64
- ProcessorCount: 2
- SystemLang: en-US
- KeyboardLang: English (United States)
- TimeZone: (UTC-08:00) Pacific Time (US & Canada)
- IsVirtualMachine: True
- Current Time: 5/29/2021 11:25:50 AM
- HighIntegrity: False
- PartOfDomain: False
- Hotfixes: KB4601554, KB4562830, KB4570334, KB4577586, KB4580325, KB4586864, KB4589212, KB5000842, KB5000981,
- [?] Windows vulns search powered by Watson(https://github.com/rasta-mouse/Watson)
- [*] OS Version: 20H2 (19042)
- [*] Enumerating installed KBs...
- [*] Finished. Found 0 vulnerabilities.
- [+] Showing All Microsoft Updates
- HotFix ID : KB4601554
- Installed At (UTC) : 4/5/2021 11:33:15 AM
- Title : 2021-02 Cumulative Update Preview for .NET Framework 3.5 and 4.8 for Windows 10, version 20H2 for x64 (KB4601554)
- Client Application ID : MoUpdateOrchestrator
- Description : Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.
- =================================================================================================
- HotFix ID : KB4589212
- Installed At (UTC) : 4/5/2021 11:31:44 AM
- Title : 2021-01 Update for Windows 10 Version 20H2 for x64-based Systems (KB4589212)
- Client Application ID : MoUpdateOrchestrator
- Description : Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.
- =================================================================================================
- HotFix ID : KB4577586
- Installed At (UTC) : 4/5/2021 11:31:35 AM
- Title : Update for Removal of Adobe Flash Player for Windows 10 Version 20H2 for x64-based systems (KB4577586)
- Client Application ID : MoUpdateOrchestrator
- Description : This update will remove Adobe Flash Player from your Windows machine. After you install this item, you may have to restart your computer.
- =================================================================================================
- HotFix ID : KB5000842
- Installed At (UTC) : 4/5/2021 10:52:37 AM
- Title : 2021-03 Cumulative Update Preview for Windows 10 Version 20H2 for x64-based Systems (KB5000842)
- Client Application ID : MoUpdateOrchestrator
- Description : Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.
- =================================================================================================
- HotFix ID : KB5000802
- Installed At (UTC) : 4/3/2021 9:52:24 AM
- Title : 2021-03 Cumulative Update for Windows 10 Version 20H2 for x64-based Systems (KB5000802)
- Client Application ID : MoUpdateOrchestrator
- Description : Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.
- =================================================================================================
- HotFix ID : KB4023057
- Installed At (UTC) : 4/3/2021 9:38:34 AM
- Title : 2021-01 Update for Windows 10 Version 20H2 for x64-based Systems (KB4023057)
- Client Application ID : MoUpdateOrchestrator
- Description : A security issue has been identified in a Microsoft software product that could affect your system. You can help protect your system by installing this update from Microsoft. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article. After you install this update, you may have to restart your system.
- =================================================================================================
- HotFix ID : KB4601050
- Installed At (UTC) : 4/3/2021 9:38:33 AM
- Title : 2021-02 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 10, version 20H2 for x64 (KB4601050)
- Client Application ID : MoUpdateOrchestrator
- Description : A security issue has been identified in a Microsoft software product that could affect your system. You can help protect your system by installing this update from Microsoft. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article. After you install this update, you may have to restart your system.
- =================================================================================================
- HotFix ID : KB2267602
- Installed At (UTC) : 4/1/2021 8:18:26 PM
- Title : Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.333.1767.0)
- Client Application ID : MoUpdateOrchestrator
- Description : Install this update to revise the files that are used to detect viruses, spyware, and other potentially unwanted software. Once you have installed this item, it cannot be removed.
- =================================================================================================
- HotFix ID : KB4052623
- Installed At (UTC) : 4/1/2021 8:17:33 PM
- Title : Update for Microsoft Defender Antivirus antimalware platform - KB4052623 (Version 4.18.2102.4)
- Client Application ID : MoUpdateOrchestrator
- Description : This package will update Microsoft Defender Antivirus antimalware platform's components on the user machine.
- =================================================================================================
- HotFix ID : KB2267602
- Installed At (UTC) : 4/1/2021 6:12:43 PM
- Title : Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.333.1761.0)
- Client Application ID : Microsoft Defender Antivirus (77BDAF73-B396-481F-9042-AD358843EC24)
- Description : Install this update to revise the files that are used to detect viruses, spyware, and other potentially unwanted software. Once you have installed this item, it cannot be removed.
- =================================================================================================
- [+] System Last Shutdown Date/time (from Registry)
- Last Shutdown Date/time : 4/14/2021 5:45:59 AM
- [+] User Environment Variables
- [?] Check for some passwords or keys in the env variables
- COMPUTERNAME: ATOM
- USERPROFILE: C:\Users\jason
- HOMEPATH: \Users\jason
- LOCALAPPDATA: C:\Users\jason\AppData\Local
- PSModulePath: C:\Users\jason\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\
- PROCESSOR_ARCHITECTURE: AMD64
- Path: C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Program Files\nodejs\;C:\WINDOWS\System32\OpenSSH\;C:\Users\jason\AppData\Roaming\npm;%USERPROFILE%\AppData\Local\Microsoft\WindowsApps
- CommonProgramFiles(x86): C:\Program Files (x86)\Common Files
- ProgramFiles(x86): C:\Program Files (x86)
- PROCESSOR_LEVEL: 23
- LOGONSERVER: \\ATOM
- PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL
- HOMEDRIVE: C:
- SystemRoot: C:\WINDOWS
- ALLUSERSPROFILE: C:\ProgramData
- DriverData: C:\Windows\System32\Drivers\DriverData
- APPDATA: C:\Users\jason\AppData\Roaming
- PROCESSOR_REVISION: 0102
- USERNAME: jason
- CommonProgramW6432: C:\Program Files\Common Files
- OneDrive: C:\Users\jason\OneDrive
- CommonProgramFiles: C:\Program Files\Common Files
- OS: Windows_NT
- USERDOMAIN_ROAMINGPROFILE: ATOM
- PROCESSOR_IDENTIFIER: AMD64 Family 23 Model 1 Stepping 2, AuthenticAMD
- ComSpec: C:\WINDOWS\system32\cmd.exe
- PROMPT: $P$G
- SystemDrive: C:
- TEMP: C:\Users\jason\AppData\Local\Temp
- ProgramFiles: C:\Program Files
- NUMBER_OF_PROCESSORS: 2
- TMP: C:\Users\jason\AppData\Local\Temp
- ProgramData: C:\ProgramData
- ProgramW6432: C:\Program Files
- windir: C:\WINDOWS
- USERDOMAIN: ATOM
- PUBLIC: C:\Users\Public
- [+] System Environment Variables
- [?] Check for some passwords or keys in the env variables
- ComSpec: C:\WINDOWS\system32\cmd.exe
- DriverData: C:\Windows\System32\Drivers\DriverData
- OS: Windows_NT
- PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
- PROCESSOR_ARCHITECTURE: AMD64
- TEMP: C:\WINDOWS\TEMP
- TMP: C:\WINDOWS\TEMP
- USERNAME: SYSTEM
- windir: C:\WINDOWS
- NUMBER_OF_PROCESSORS: 2
- PROCESSOR_LEVEL: 23
- PROCESSOR_IDENTIFIER: AMD64 Family 23 Model 1 Stepping 2, AuthenticAMD
- PROCESSOR_REVISION: 0102
- Path: C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Program Files\nodejs\;C:\WINDOWS\System32\OpenSSH\
- PSModulePath: C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\
- [+] Audit Settings
- [?] Check what is being logged
- Not Found
- [+] Audit Policy Settings - Classic & Advanced
- [+] WEF Settings
- [?] Windows Event Forwarding: it is useful to know where the logs are sent
- Not Found
- [+] LAPS Settings
- [?] If installed, the local administrator password is rotated regularly and is readable only by the principals its ACL permits
- LAPS Enabled: LAPS not installed
- [+] Wdigest
- [?] If enabled, plain-text credentials could be stored in LSASS https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#wdigest
- Wdigest is not enabled
- [+] LSA Protection
- [?] If enabled, a kernel driver (or a PPL bypass) is needed to read LSASS memory; with the UEFI lock set, RunAsPPL cannot be disabled by deleting the registry value https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#lsa-protection
- LSA Protection is not enabled
- [+] Credentials Guard
- [?] If enabled, credentials are isolated in a virtualization-based container (LSAIso) and cannot be recovered from LSASS memory, even with a driver https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#credential-guard
- CredentialGuard is not enabled
- Virtualization Based Security Status: Not enabled
- Configured: False
- Running: False
- [+] Cached Creds
- [?] If > 0, domain logon credentials (DCC2 hashes) are cached in the registry and readable as SYSTEM; only relevant on domain-joined hosts https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#cached-credentials
- cachedlogonscount is 10
- [+] AV Information
- Some AV was detected, search for bypasses
- Name: Windows Defender
- ProductEXE: windowsdefender://
- pathToSignedReportingExe: %ProgramFiles%\Windows Defender\MsMpeng.exe
- [+] Windows Defender configuration
- Local Settings
- Group Policy Settings
- [+] UAC Status
- [?] If you are in the Administrators group check how to bypass the UAC https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
- ConsentPromptBehaviorAdmin: 5 - PromptForNonWindowsBinaries
- EnableLUA: 1
- LocalAccountTokenFilterPolicy: 1
- FilterAdministratorToken: 1
- [*] LocalAccountTokenFilterPolicy set to 1.
- [+] Any local account in the Administrators group gets an unfiltered token over the network and can be used for lateral movement.
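The UAC and credential-protection values above are terse, and two of them are easy to over-read: remote UAC token filtering only matters for members of Administrators, and a non-zero cachedlogonscount is irrelevant on a host that is not domain-joined, because only domain logons are cached. The following is an added example, not WinPEAS code and not part of the original paste, that encodes the documented meaning of these registry values and applies it to the values copied from this output; the mapping from the tool's wording to the registry value names (UseLogonCredential, RunAsPPL, LsaCfgFlags, CachedLogonsCount) and the weak/strong labels are this example's assumptions.

```python
"""Interpret the UAC and credential-protection values WinPEAS printed above.

Added example (not WinPEAS code and not part of the original paste). SETTINGS holds the
values copied from the "Wdigest", "LSA Protection", "Credentials Guard", "Cached Creds" and
"UAC Status" sections, mapped to the registry values WinPEAS reads (that mapping is this
example's assumption); the rules summarise the documented semantics of those values.
"""
from typing import NamedTuple

SETTINGS = {
    "PartOfDomain": False,
    "UseLogonCredential": 0,        # WDigest: "Wdigest is not enabled"
    "RunAsPPL": 0,                  # LSA Protection: "not enabled"
    "LsaCfgFlags": 0,               # Credential Guard: 0 off, 1 on + UEFI lock, 2 on, no lock
    "CachedLogonsCount": 10,
    "ConsentPromptBehaviorAdmin": 5,
    "EnableLUA": 1,
    "LocalAccountTokenFilterPolicy": 1,
    "FilterAdministratorToken": 1,
}

CONSENT_ADMIN = {
    0: "elevate without prompting",
    1: "prompt for credentials on the secure desktop",
    2: "prompt for consent on the secure desktop",
    3: "prompt for credentials",
    4: "prompt for consent",
    5: "prompt for consent for non-Windows binaries (default)",
}


class Finding(NamedTuple):
    key: str
    risk: str    # "weak" = attacker-friendly, "strong" = protection in place, "info" = neutral
    note: str


def remote_token_policy(enable_lua, latfp, filter_admin_token):
    """Which local accounts receive an unfiltered (full admin) token over the network."""
    if not enable_lua:
        return "all local Administrators members (UAC disabled)"
    if latfp:
        return "all local Administrators members (LocalAccountTokenFilterPolicy=1)"
    if filter_admin_token:
        return "none (the RID-500 Administrator is filtered too)"
    return "only the built-in RID-500 Administrator"


def assess(s):
    cpba = s["ConsentPromptBehaviorAdmin"]
    out = [Finding("UAC", "info", f"ConsentPromptBehaviorAdmin={cpba}: {CONSENT_ADMIN[cpba]}")]
    remote = remote_token_policy(s["EnableLUA"], s["LocalAccountTokenFilterPolicy"],
                                 s["FilterAdministratorToken"])
    out.append(Finding("RemoteUAC", "weak" if remote.startswith("all") else "strong",
                       f"full token over SMB/WMI/WinRM for {remote}; "
                       "local accounts outside Administrators gain nothing from this"))
    wdigest = s["UseLogonCredential"] == 1
    out.append(Finding("WDigest", "weak" if wdigest else "strong",
                       "plaintext passwords kept in LSASS" if wdigest
                       else "no plaintext passwords kept in LSASS"))
    if s["LsaCfgFlags"] in (1, 2):
        out.append(Finding("LSASS", "strong", "Credential Guard isolates secrets in LSAIso; "
                           "an LSASS dump yields no reusable domain secrets"))
    elif s["RunAsPPL"]:
        out.append(Finding("LSASS", "strong", "LSA runs as a protected process; user-mode "
                           "dumpers need a kernel driver or a PPL bypass"))
    else:
        out.append(Finding("LSASS", "weak", "LSASS is dumpable by any local admin "
                           "holding SeDebugPrivilege"))
    if s["CachedLogonsCount"] > 0 and s["PartOfDomain"]:
        out.append(Finding("CachedCreds", "weak",
                           f"up to {s['CachedLogonsCount']} domain logons cached as DCC2 "
                           "hashes in HKLM\\SECURITY (SYSTEM-readable, slow to crack)"))
    elif s["CachedLogonsCount"] == 0:
        out.append(Finding("CachedCreds", "strong", "logon caching disabled"))
    else:
        out.append(Finding("CachedCreds", "info",
                           f"CachedLogonsCount={s['CachedLogonsCount']} but the host is not "
                           "domain-joined: only domain logons are cached, so nothing to dump"))
    return out


if __name__ == "__main__":
    for f in assess(SETTINGS):
        print(f"[{f.risk:>6}] {f.key:<11} {f.note}")
```

For this host the result is: remote UAC filtering off for every local admin, LSASS unprotected, no WDigest plaintext, and cached credentials moot; none of it helps the current non-admin user directly, but it shapes what a later admin foothold is worth.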
- [+] PowerShell Settings
- PowerShell v2 Version: 2.0
- PowerShell v5 Version: 5.1.19041.1
- PowerShell Core Version:
- Transcription Settings:
- Module Logging Settings:
- Scriptblock Logging Settings:
- PS history file:
- PS history size:
- [+] Enumerating PowerShell Session Settings using the registry
- You must be an administrator to run this check
- [+] PS default transcripts history
- [i] Read the PS history inside these files (if any)
- [+] HKCU Internet Settings
- CertificateRevocation: 1
- DisableCachingOfSSLPages: 0
- IE5_UA_Backup_Flag: 5.0
- PrivacyAdvanced: 1
- SecureProtocols: 2688
- User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
- ZonesSecurityUpgrade: System.Byte[]
- WarnonZoneCrossing: 0
- EnableNegotiate: 1
- MigrateProxy: 1
- ProxyEnable: 0
- [+] HKLM Internet Settings
- ActiveXCache: C:\Windows\Downloaded Program Files
- CodeBaseSearchPath: CODEBASE
- EnablePunycode: 1
- MinorVersion: 0
- WarnOnIntranet: 1
- [+] Drives Information
- [?] Remember to look for more information on the other drives
- C:\ (Type: Fixed)(Filesystem: NTFS)(Available space: 4 GB)(Permissions: Authenticated Users [AppendData/CreateDirectories])
- [+] Checking WSUS
- [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#wsus
- Not Found
- [+] Checking AlwaysInstallElevated
- [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated
- AlwaysInstallElevated isn't available
- [+] Enumerate LSA settings - auth packages included
- auditbasedirectories : 0
- auditbaseobjects : 0
- Bounds : 00-30-00-00-00-20-00-00
- crashonauditfail : 0
- LimitBlankPasswordUse : 1
- NoLmHash : 1
- Security Packages : ""
- Notification Packages : scecli
- Authentication Packages : msv1_0
- LsaCfgFlagsDefault : 0
- SecureBoot : 1
- disabledomaincreds : 0
- everyoneincludesanonymous : 0
- forceguest : 0
- restrictanonymous : 0
- restrictanonymoussam : 1
- fullprivilegeauditing : 80
- LsaCfgFlags : 0
- LsaPid : 688
- ProductType : 6
- [+] Enumerating NTLM Settings
- LanmanCompatibilityLevel : (Send NTLMv2 response only - Win7+ default)
- NTLM Signing Settings
- ClientRequireSigning : False
- ClientNegotiateSigning : True
- ServerRequireSigning : False
- ServerNegotiateSigning : False
- LdapSigning : Negotiate signing (Negotiate signing)
- Session Security
- NTLMMinClientSec : 536870912 (Require 128-bit encryption)
- NTLMMinServerSec : 536870912 (Require 128-bit encryption)
- NTLM Auditing and Restrictions
- InboundRestrictions : (Not defined)
- OutboundRestrictions : (Not defined)
- InboundAuditing : (Not defined)
- OutboundExceptions :
- [+] Display Local Group Policy settings - local users/machine
- Type : user
- Display Name : Local Group Policy
- Name : Local Group Policy
- Extensions : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}]
- File Sys Path : C:\WINDOWS\System32\GroupPolicy\User
- Link : Local
- GPO Link : Local Machine
- Options : All Sections Enabled
- =================================================================================================
- [+] Checking AppLocker effective policy
- AppLockerPolicy version: 1
- listing rules:
- [X] Exception: Object reference not set to an instance of an object.
- [+] Enumerating Printers (WMI)
- Name: Microsoft XPS Document Writer
- Status: Unknown
- Sddl: O:SYD:(A;;SWRC;;;S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422)(A;OIIO;RPWPSDRCWDWO;;;S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422)(A;;LCSWSDRCWDWO;;;S-1-5-21-1199094703-3580107816-3092147818-1001)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-1199094703-3580107816-3092147818-1001)(A;OIIO;GA;;;CO)(A;OIIO;GA;;;AC)(A;;SWRC;;;WD)(A;CIIO;GX;;;WD)(A;;SWRC;;;AC)(A;CIIO;GX;;;AC)(A;;LCSWDTSDRCWDWO;;;BA)(A;OICIIO;GA;;;BA)
- Is default: False
- Is network printer: False
- =================================================================================================
- Name: Microsoft Print to PDF
- Status: Unknown
- Sddl: O:SYD:(A;;SWRC;;;S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422)(A;OIIO;RPWPSDRCWDWO;;;S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422)(A;;LCSWSDRCWDWO;;;S-1-5-21-1199094703-3580107816-3092147818-1001)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-1199094703-3580107816-3092147818-1001)(A;OIIO;GA;;;CO)(A;OIIO;GA;;;AC)(A;;SWRC;;;WD)(A;CIIO;GX;;;WD)(A;;SWRC;;;AC)(A;CIIO;GX;;;AC)(A;;LCSWDTSDRCWDWO;;;BA)(A;OICIIO;GA;;;BA)
- Is default: True
- Is network printer: False
- =================================================================================================
- Name: Fax
- Status: Unknown
- Sddl: O:SYD:(A;;SWRC;;;S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422)(A;OIIO;RPWPSDRCWDWO;;;S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422)(A;;LCSWSDRCWDWO;;;S-1-5-21-1199094703-3580107816-3092147818-1001)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-1199094703-3580107816-3092147818-1001)(A;OIIO;GA;;;CO)(A;OIIO;GA;;;AC)(A;;SWRC;;;WD)(A;CIIO;GX;;;WD)(A;;SWRC;;;AC)(A;CIIO;GX;;;AC)(A;;LCSWDTSDRCWDWO;;;BA)(A;OICIIO;GA;;;BA)
- Is default: False
- Is network printer: False
- =================================================================================================
- [+] Enumerating Named Pipes
- Name Sddl
- eventlog O:LSG:LSD:P(A;;0x12019b;;;WD)(A;;CC;;;OW)(A;;0x12008f;;;S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122)
- ROUTER O:SYG:SYD:P(A;;0x12019b;;;WD)(A;;0x12019b;;;AN)(A;;FA;;;SY)
- SearchTextHarvester O:SYG:SYD:P(D;;FA;;;NU)(D;;FA;;;BG)(A;;FR;;;IU)(A;;FA;;;SY)(A;;FA;;;BA)
- vgauth-service O:BAG:SYD:P(A;;0x12019f;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)
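The SDDL strings in the printer and named-pipe sections above are hard to read by eye. The following added example, not WinPEAS code and not part of the original paste, decodes the DACL part of those strings (copied from the output above) into ACEs with readable trustees and rights, and lists which low-privilege principals hold write-class access on each pipe. It shows, for instance, that ROUTER allows Anonymous to read and write and that vgauth-service additionally lets Everyone append; whether either is exploitable depends on the service behind the pipe, which this output does not establish. The alias tables are subsets of the documented SDDL tokens, and anything outside them raises rather than being guessed.

```python
"""Decode the DACL in the SDDL strings WinPEAS prints for named pipes and printers.

Added example (not WinPEAS code and not part of the original paste). The SDDL samples
are copied from the output above; the parser covers the plain ACE syntax seen there and
raises on anything else (conditional, object and resource-attribute ACEs are out of scope).
"""
import re
from typing import NamedTuple

# Well-known SID abbreviations (subset of the documented SDDL "SID strings").
SID_ALIASES = {
    "WD": "Everyone", "AN": "Anonymous", "AU": "Authenticated Users",
    "IU": "Interactive", "NU": "Network", "SY": "SYSTEM", "LS": "Local Service",
    "NS": "Network Service", "BA": "Builtin\\Administrators", "BU": "Builtin\\Users",
    "BG": "Builtin\\Guests", "CO": "Creator Owner", "OW": "Owner Rights",
    "AC": "All Application Packages",
}
# Two-letter rights tokens -> access-mask bits (generic, standard, DS-style and file rights).
RIGHT_TOKENS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT", "AL": "ALARM"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT", "NP": "NO_PROPAGATE",
             "IO": "INHERIT_ONLY", "ID": "INHERITED", "SA": "SUCCESSFUL_ACCESS",
             "FA": "FAILED_ACCESS"}
# Bit names: the low 16 bits are object-specific, the upper bits are standard/generic rights.
STANDARD_BITS = [(0x10000, "DELETE"), (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"),
                 (0x80000, "WRITE_OWNER"), (0x100000, "SYNCHRONIZE"),
                 (0x10000000, "GENERIC_ALL"), (0x20000000, "GENERIC_EXECUTE"),
                 (0x40000000, "GENERIC_WRITE"), (0x80000000, "GENERIC_READ")]
SPECIFIC_BITS = {
    "file": [(0x1, "READ_DATA"), (0x2, "WRITE_DATA"), (0x4, "APPEND_DATA"), (0x8, "READ_EA"),
             (0x10, "WRITE_EA"), (0x20, "EXECUTE"), (0x40, "DELETE_CHILD"),
             (0x80, "READ_ATTRIBUTES"), (0x100, "WRITE_ATTRIBUTES")],
    "printer": [(0x4, "PRINTER_ACCESS_ADMINISTER"), (0x8, "PRINTER_ACCESS_USE")],
}
# Write-class bits on a file/pipe: anything that lets the holder change data or the ACL.
WRITE_CLASS = 0x2 | 0x4 | 0x10 | 0x100 | 0x40000 | 0x80000 | 0x10000000 | 0x40000000
LOW_PRIV = {"Everyone", "Anonymous", "Authenticated Users", "Interactive", "Network",
            "Builtin\\Users", "Builtin\\Guests", "All Application Packages"}


class Ace(NamedTuple):
    type: str
    flags: tuple
    mask: int
    trustee: str


def _tokens(run):
    """Split a run of two-letter SDDL tokens: 'OIIO' -> ['OI', 'IO']."""
    if len(run) % 2:
        raise ValueError(f"odd-length token run: {run!r}")
    return [run[i:i + 2] for i in range(0, len(run), 2)]


def parse_mask(rights):
    """The rights field is either a hex literal (0x12019b) or glued tokens (LCSWRC)."""
    if rights[:2].lower() == "0x":
        return int(rights, 16)
    mask = 0
    for tok in _tokens(rights):
        mask |= RIGHT_TOKENS[tok]        # KeyError on an unknown token is deliberate
    return mask


def mask_names(mask, object_type="file"):
    return [name for bit, name in SPECIFIC_BITS[object_type] + STANDARD_BITS if mask & bit]


_DACL_RE = re.compile(r"D:[^(]*((?:\([^)]*\))+)")   # "D:" + DACL flags + one or more ACEs
_ACE_RE = re.compile(r"\(([^)]*)\)")


def dacl_aces(sddl):
    """Return the DACL's ACEs in order; [] when the string carries no DACL ACEs at all."""
    m = _DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for body in _ACE_RE.findall(m.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"unsupported ACE syntax: ({body})")
        atype, flags, rights, _object_guid, _inherit_guid, sid = fields
        aces.append(Ace(ACE_TYPES[atype], tuple(ACE_FLAGS[f] for f in _tokens(flags)),
                        parse_mask(rights), SID_ALIASES.get(sid, sid)))
    return aces


def low_priv_writers(sddl):
    """Low-privilege trustees ALLOWed any write-class bit on a file/pipe, with the bit names."""
    return {a.trustee: mask_names(a.mask & WRITE_CLASS)
            for a in dacl_aces(sddl)
            if a.type == "ALLOW" and a.trustee in LOW_PRIV and a.mask & WRITE_CLASS}


# Copied from the "Enumerating Named Pipes" and "Enumerating Printers" sections above.
PIPES = {
    "eventlog": "O:LSG:LSD:P(A;;0x12019b;;;WD)(A;;CC;;;OW)(A;;0x12008f;;;S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122)",
    "ROUTER": "O:SYG:SYD:P(A;;0x12019b;;;WD)(A;;0x12019b;;;AN)(A;;FA;;;SY)",
    "SearchTextHarvester": "O:SYG:SYD:P(D;;FA;;;NU)(D;;FA;;;BG)(A;;FR;;;IU)(A;;FA;;;SY)(A;;FA;;;BA)",
    "vgauth-service": "O:BAG:SYD:P(A;;0x12019f;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)",
}
PRINTER_SDDL = "O:SYD:(A;;SWRC;;;S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422)(A;OIIO;RPWPSDRCWDWO;;;S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422)(A;;LCSWSDRCWDWO;;;S-1-5-21-1199094703-3580107816-3092147818-1001)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-1199094703-3580107816-3092147818-1001)(A;OIIO;GA;;;CO)(A;OIIO;GA;;;AC)(A;;SWRC;;;WD)(A;CIIO;GX;;;WD)(A;;SWRC;;;AC)(A;CIIO;GX;;;AC)(A;;LCSWDTSDRCWDWO;;;BA)(A;OICIIO;GA;;;BA)"

if __name__ == "__main__":
    for name, sddl in PIPES.items():
        print(f"\\\\.\\pipe\\{name}")
        for ace in dacl_aces(sddl):
            print(f"  {ace.type:<5} {ace.trustee:<24} {', '.join(mask_names(ace.mask))}")
        print("  low-privilege writers:", low_priv_writers(sddl))
    for ace in dacl_aces(PRINTER_SDDL):
        print("printer", ace.type, ace.trustee, ace.flags, mask_names(ace.mask, "printer"))
```

The decoder keeps ACE order on purpose: SearchTextHarvester lists its two deny ACEs before the allows, which is the canonical layout, and a DACL with denies after allows is itself worth noting. For the printers, SW and LC map to PRINTER_ACCESS_USE and PRINTER_ACCESS_ADMINISTER, so (A;;SWRC;;;WD) is simply "Everyone may print and read the security descriptor".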
- [+] Enumerating AMSI registered providers
- Provider: {2781761E-28E0-4109-99FE-B9D127C57AFE}
- Path: "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2102.4-0\MpOav.dll"
- =================================================================================================
- [+] Enumerating Sysmon configuration
- You must be an administrator to run this check
- [+] Enumerating Sysmon process creation logs (1)
- You must be an administrator to run this check
- [+] Installed .NET versions
- CLR Versions
- 4.0.30319
- .NET Versions
- 4.8.04084
- .NET & AMSI (Anti-Malware Scan Interface) support
- .NET version supports AMSI : True
- OS supports AMSI : True
- [!] The highest .NET version is enrolled in AMSI!
- ==============================(Interesting Events information)==============================
- [+] Printing Explicit Credential Events (4648) for last 30 days - A process logged on using plaintext credentials
- You must be an administrator to run this check
- [+] Printing Account Logon Events (4624) for the last 10 days.
- You must be an administrator to run this check
- [+] Process creation events - searching logs (EID 4688) for sensitive data.
- You must be an administrator to run this check
- [+] PowerShell events - script block logs (EID 4104) - searching for sensitive data.
- [+] Displaying Power off/on events for last 5 days
- 5/29/2021 8:39:28 AM : Startup
- ===========================================(Users Information)===========================================
- [+] Users
- [?] Check if you have some admin equivalent privileges https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#users-and-groups
- Current user: jason
- Current groups: Domain Users, Everyone, Users, Interactive, Console Logon, Authenticated Users, This Organization, Local account, Local, NTLM Authentication
- =================================================================================================
- ATOM\Administrator: Built-in account for administering the computer/domain
- |->Groups: Administrators
- |->Password: CanChange-NotExpi-Req
- ATOM\DefaultAccount(Disabled): A user account managed by the system.
- |->Groups: System Managed Accounts Group
- |->Password: CanChange-NotExpi-NotReq
- ATOM\Guest: Built-in account for guest access to the computer/domain
- |->Groups: Guests
- |->Password: NotChange-NotExpi-NotReq
- ATOM\jason
- |->Groups: Users
- |->Password: CanChange-NotExpi-Req
- ATOM\WDAGUtilityAccount(Disabled): A user account managed and used by the system for Windows Defender Application Guard scenarios.
- |->Password: CanChange-Expi-Req
- [+] Current User Idle Time
- Current User : ATOM\jason
- Idle Time : 02h:46m:08s:672ms
- [+] Display Tenant information (DsRegCmd.exe /status)
- Tenant is NOT Azure AD Joined.
- [+] Current Token privileges
- [?] Check if you can escalate privilege using some enabled token https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#token-manipulation
- SeShutdownPrivilege: DISABLED
- SeChangeNotifyPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
- SeUndockPrivilege: DISABLED
- SeIncreaseWorkingSetPrivilege: DISABLED
- SeTimeZonePrivilege: DISABLED
- [+] Clipboard text
- [+] Logged users
- ATOM\Administrator
- ATOM\jason
- [+] Display information about local users
- Computer Name : ATOM
- User Name : Administrator
- User Id : 500
- Is Enabled : True
- User Type : Administrator
- Comment : Built-in account for administering the computer/domain
- Last Logon : 5/29/2021 8:40:45 AM
- Logons Count : 126
- Password Last Set : 3/31/2021 3:03:21 AM
- =================================================================================================
- Computer Name : ATOM
- User Name : DefaultAccount
- User Id : 503
- Is Enabled : False
- User Type : Guest
- Comment : A user account managed by the system.
- Last Logon : 1/1/1970 12:00:00 AM
- Logons Count : 0
- Password Last Set : 1/1/1970 12:00:00 AM
- =================================================================================================
- Computer Name : ATOM
- User Name : Guest
- User Id : 501
- Is Enabled : True
- User Type : Guest
- Comment : Built-in account for guest access to the computer/domain
- Last Logon : 5/29/2021 11:21:50 AM
- Logons Count : 0
- Password Last Set : 1/1/1970 12:00:00 AM
- =================================================================================================
- Computer Name : ATOM
- User Name : jason
- User Id : 1002
- Is Enabled : True
- User Type : User
- Comment :
- Last Logon : 5/29/2021 8:40:04 AM
- Logons Count : 65
- Password Last Set : 3/30/2021 1:14:57 PM
- =================================================================================================
- Computer Name : ATOM
- User Name : WDAGUtilityAccount
- User Id : 504
- Is Enabled : False
- User Type : Guest
- Comment : A user account managed and used by the system for Windows Defender Application Guard scenarios.
- Last Logon : 1/1/1970 12:00:00 AM
- Logons Count : 0
- Password Last Set : 4/1/2021 3:51:54 AM
- =================================================================================================
- [+] RDP Sessions
- SessID pSessionName pUserName pDomainName State SourceIP
- 1 Console jason ATOM Active
- [+] Ever logged users
- ATOM\Administrator
- ATOM\jason
- [+] Home folders found
- C:\Users\Administrator
- C:\Users\All Users
- C:\Users\Default
- C:\Users\Default User
- C:\Users\jason : jason [AllAccess]
- C:\Users\Public : Interactive [WriteData/CreateFiles]
- [+] Looking for AutoLogon credentials
- Some AutoLogon credentials were found
- DefaultDomainName : ATOM
- DefaultUserName : jason
- [+] Password Policies
- [?] Check for a possible brute-force
- Domain: Builtin
- SID: S-1-5-32
- MaxPasswordAge: 42.22:47:31.7437440
- MinPasswordAge: 00:00:00
- MinPasswordLength: 0
- PasswordHistoryLength: 0
- PasswordProperties: 0
- =================================================================================================
- Domain: ATOM
- SID: S-1-5-21-1199094703-3580107816-3092147818
- MaxPasswordAge: 42.00:00:00
- MinPasswordAge: 00:00:00
- MinPasswordLength: 0
- PasswordHistoryLength: 0
- PasswordProperties: 0
- =================================================================================================
- [+] Print Logon Sessions
- Method: WMI
- Logon Server:
- Logon Server Dns Domain:
- Logon Id: 327750
- Logon Time:
- Logon Type: Interactive
- Start Time: 5/29/2021 8:40:04 AM
- Domain: ATOM
- Authentication Package: NTLM
- Start Time: 5/29/2021 8:40:04 AM
- User Name: jason
- User Principal Name:
- User SID:
- =================================================================================================
- =======================================(Processes Information)=======================================
- [+] Interesting Processes -non Microsoft-
- [?] Check for interesting processes to dump memory from, or running binaries you could overwrite https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#running-processes
- heedv2(4728)[C:\Users\jason\appdata\Local\programs\heedv2\heedv2.exe] -- POwn: jason
- Permissions: jason [AllAccess]
- Possible DLL Hijacking folder: C:\Users\jason\appdata\Local\programs\heedv2 (jason [AllAccess])
- Command Line: "C:\Users\jason\appdata\Local\programs\heedv2\heedv2.exe" --type=renderer --disable-features=SpareRendererForSitePerProcess --service-pipe-token=11115843981059573204 --lang=en-US --app-path="C:\Users\jason\appdata\Local\programs\heedv2\resources\app.asar" --node-integration --no-sandbox --no-zygote --background-color=#fff --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=11115843981059573204 --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2108 /prefetch:1
- =================================================================================================
- svchost(416)[C:\WINDOWS\system32\svchost.exe] -- POwn: jason
- Command Line: C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- =================================================================================================
- sihost(2564)[C:\WINDOWS\system32\sihost.exe] -- POwn: jason
- Command Line: sihost.exe
- =================================================================================================
- heedv1(6868)[C:\Users\jason\appdata\Local\programs\heedv1\heedv1.exe] -- POwn: jason
- Permissions: jason [AllAccess]
- Possible DLL Hijacking folder: C:\Users\jason\appdata\Local\programs\heedv1 (jason [AllAccess])
- Command Line: "C:\Users\jason\appdata\Local\programs\heedv1\heedv1.exe" --type=renderer --disable-features=SpareRendererForSitePerProcess --service-pipe-token=1232073659841223713 --lang=en-US --app-path="C:\Users\jason\appdata\Local\programs\heedv1\resources\app.asar" --node-integration --no-sandbox --no-zygote --background-color=#fff --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=1232073659841223713 --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2124 /prefetch:1
- =================================================================================================
- svchost(5140)[C:\WINDOWS\system32\svchost.exe] -- POwn: jason
- Command Line: C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup -s WpnUserService
- =================================================================================================
- heedv3(3908)[C:\Users\jason\appdata\Local\programs\heedv3\heedv3.exe] -- POwn: jason
- Permissions: jason [AllAccess]
- Possible DLL Hijacking folder: C:\Users\jason\appdata\Local\programs\heedv3 (jason [AllAccess])
- Command Line: "C:\Users\jason\appdata\Local\programs\heedv3\heedv3.exe" --type=renderer --disable-features=SpareRendererForSitePerProcess --service-pipe-token=17375926803871715330 --lang=en-US --app-path="C:\Users\jason\appdata\Local\programs\heedv3\resources\app.asar" --node-integration --no-sandbox --no-zygote --background-color=#fff --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=17375926803871715330 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2152 /prefetch:1
- =================================================================================================
- conhost(5996)[C:\WINDOWS\system32\conhost.exe] -- POwn: jason
- Command Line: \??\C:\WINDOWS\system32\conhost.exe 0x4
- =================================================================================================
- heedv2(7284)[C:\Users\jason\appdata\Local\programs\heedv2\heedv2.exe] -- POwn: jason
- Permissions: jason [AllAccess]
- Possible DLL Hijacking folder: C:\Users\jason\appdata\Local\programs\heedv2 (jason [AllAccess])
- Command Line: C:\Users\jason\appdata\Local\programs\heedv2\heedv2.exe
- =================================================================================================
- PING(6848)[C:\WINDOWS\system32\PING.EXE] -- POwn: jason
- Command Line: ping -n 30 127.0.0.1
- =================================================================================================
- RuntimeBroker(6832)[C:\Windows\System32\RuntimeBroker.exe] -- POwn: jason
- Command Line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- =================================================================================================
- vm3dservice(7908)[C:\Windows\System32\vm3dservice.exe] -- POwn: jason
- Command Line: "C:\Windows\System32\vm3dservice.exe" -u
- =================================================================================================
- node(2928)[C:\Program Files\nodejs\node.exe] -- POwn: jason
- Command Line: "node" "c:\Users\jason\Downloads\node_modules\.bin\\..\http-server\bin\http-server" c:\software_updates\client2 -p 8082
- =================================================================================================
- RuntimeBroker(2908)[C:\Windows\System32\RuntimeBroker.exe] -- POwn: jason
- Command Line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- =================================================================================================
- powershell(3328)[C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe] -- POwn: jason
- Command Line: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe"
- =================================================================================================
- node(2896)[C:\Program Files\nodejs\node.exe] -- POwn: jason
- Command Line: "node" "c:\Users\jason\Downloads\node_modules\.bin\\..\http-server\bin\http-server" c:\software_updates\client3 -p 8083
- =================================================================================================
- heedv1(4848)[C:\Users\jason\appdata\Local\programs\heedv1\heedv1.exe] -- POwn: jason
- Permissions: jason [AllAccess]
- Possible DLL Hijacking folder: C:\Users\jason\appdata\Local\programs\heedv1 (jason [AllAccess])
- Command Line: "C:\Users\jason\appdata\Local\programs\heedv1\heedv1.exe" --type=gpu-process --disable-features=SpareRendererForSitePerProcess --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=14515363457901305326 --mojo-platform-channel-handle=1296 --ignored=" --type=renderer " /prefetch:2
- =================================================================================================
- StartMenuExperienceHost(6756)[C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe] -- POwn: jason
- Command Line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- =================================================================================================
- cmd(7604)[C:\WINDOWS\system32\cmd.exe] -- POwn: jason
- Command Line: C:\WINDOWS\system32\cmd.exe /K c:\users\jason\downloads\node_modules\.bin\http-server c:\software_updates\client3 -p 8083
- =================================================================================================
- explorer(1048)[C:\WINDOWS\Explorer.EXE] -- POwn: jason
- Command Line: C:\WINDOWS\Explorer.EXE
- =================================================================================================
- powershell(3692)[C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe] -- POwn: jason
- Command Line: powershell
- =================================================================================================
- ShellExperienceHost(8000)[C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe] -- POwn: jason
- Command Line: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
- =================================================================================================
- heedv3(7988)[C:\Users\jason\appdata\Local\programs\heedv3\heedv3.exe] -- POwn: jason
- Permissions: jason [AllAccess]
- Possible DLL Hijacking folder: C:\Users\jason\appdata\Local\programs\heedv3 (jason [AllAccess])
- Command Line: "C:\Users\jason\appdata\Local\programs\heedv3\heedv3.exe" --type=gpu-process --disable-features=SpareRendererForSitePerProcess --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=16483162655012643694 --mojo-platform-channel-handle=1320 --ignored=" --type=renderer " /prefetch:2
- =================================================================================================
- RuntimeBroker(7112)[C:\Windows\System32\RuntimeBroker.exe] -- POwn: jason
- Command Line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- =================================================================================================
- RuntimeBroker(4956)[C:\Windows\System32\RuntimeBroker.exe] -- POwn: jason
- Command Line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- =================================================================================================
- conhost(5812)[C:\WINDOWS\system32\conhost.exe] -- POwn: jason
- Command Line: \??\C:\WINDOWS\system32\conhost.exe 0x4
- =================================================================================================
- winpeas(8828)[C:\Software_Updates\winpeas.exe] -- POwn: jason -- isDotNet
- Permissions: jason [AllAccess], Everyone [AllAccess]
- Possible DLL Hijacking folder: C:\Software_Updates (Everyone [AllAccess], jason [AllAccess])
- Command Line: "C:\Software_Updates\winpeas.exe"
- =================================================================================================
- v'ulnerable-app-setup-1.2.3(6672)[C:\Users\jason\AppData\Roaming\heedv1\__update__\v'ulnerable-app-setup-1.2.3.exe] -- POwn: jason
- Possible DLL Hijacking folder: C:\Users\jason\AppData\Roaming\heedv1\__update__ (jason [AllAccess])
- Command Line: C:\Users\jason\AppData\Roaming\heedv1\__update__\v'ulnerable-app-setup-1.2.3.exe --updated --force-run
- =================================================================================================
- cmd(7532)[C:\WINDOWS\system32\cmd.exe] -- POwn: jason
- Command Line: C:\WINDOWS\system32\cmd.exe /K c:\users\jason\downloads\node_modules\.bin\http-server c:\software_updates\client1 -p 8081
- =================================================================================================
- svchost(6232)[C:\WINDOWS\system32\svchost.exe] -- POwn: jason
- Command Line: C:\WINDOWS\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- =================================================================================================
- svchost(8816)[C:\WINDOWS\system32\svchost.exe] -- POwn: jason
- Command Line: C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
- =================================================================================================
- node(2752)[C:\Program Files\nodejs\node.exe] -- POwn: jason
- Command Line: "node" "c:\Users\jason\Downloads\node_modules\.bin\\..\http-server\bin\http-server" c:\software_updates\client1 -p 8081
- =================================================================================================
- heedv2(5764)[C:\Users\jason\appdata\Local\programs\heedv2\heedv2.exe] -- POwn: jason
- Permissions: jason [AllAccess]
- Possible DLL Hijacking folder: C:\Users\jason\appdata\Local\programs\heedv2 (jason [AllAccess])
- Command Line: "C:\Users\jason\appdata\Local\programs\heedv2\heedv2.exe" --type=gpu-process --disable-features=SpareRendererForSitePerProcess --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=4554134489477886038 --mojo-platform-channel-handle=1308 --ignored=" --type=renderer " /prefetch:2
- =================================================================================================
- ApplicationFrameHost(9200)[C:\WINDOWS\system32\ApplicationFrameHost.exe] -- POwn: jason
- Command Line: C:\WINDOWS\system32\ApplicationFrameHost.exe -Embedding
- =================================================================================================
- vmtoolsd(7944)[C:\Program Files\VMware\VMware Tools\vmtoolsd.exe] -- POwn: jason
- Command Line: "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
- =================================================================================================
- UserOOBEBroker(1400)[C:\Windows\System32\oobe\UserOOBEBroker.exe] -- POwn: jason
- Command Line: C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
- =================================================================================================
- heedv1(7428)[C:\Users\jason\appdata\Local\programs\heedv1\heedv1.exe] -- POwn: jason
- Permissions: jason [AllAccess]
- Possible DLL Hijacking folder: C:\Users\jason\appdata\Local\programs\heedv1 (jason [AllAccess])
- Command Line: C:\Users\jason\appdata\Local\programs\heedv1\heedv1.exe
- =================================================================================================
- cmd(5256)[C:\WINDOWS\SYSTEM32\cmd.exe] -- POwn: jason
- Command Line: C:\WINDOWS\SYSTEM32\cmd.exe /c "C:\Users\jason\appdata\roaming\cache\run.bat"
- =================================================================================================
- heedv3(7400)[C:\Users\jason\appdata\Local\programs\heedv3\heedv3.exe] -- POwn: jason
- Permissions: jason [AllAccess]
- Possible DLL Hijacking folder: C:\Users\jason\appdata\Local\programs\heedv3 (jason [AllAccess])
- Command Line: C:\Users\jason\appdata\Local\programs\heedv3\heedv3.exe
- =================================================================================================
- PING(4804)[C:\WINDOWS\system32\PING.EXE] -- POwn: jason
- Command Line: ping -n 300 127.0.0.1
- =================================================================================================
- taskhostw(5216)[C:\WINDOWS\system32\taskhostw.exe] -- POwn: jason
- Command Line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- =================================================================================================
- conhost(5980)[C:\WINDOWS\system32\conhost.exe] -- POwn: jason
- Command Line: \??\C:\WINDOWS\system32\conhost.exe 0x4
- =================================================================================================
- WinStore.App(6064)[C:\Program Files\WindowsApps\Microsoft.WindowsStore_12101.1001.14.0_x64__8wekyb3d8bbwe\WinStore.App.exe] -- POwn: jason
- Command Line: "C:\Program Files\WindowsApps\Microsoft.WindowsStore_12101.1001.14.0_x64__8wekyb3d8bbwe\WinStore.App.exe" -ServerName:App.AppXc75wvwned5vhz4xyxxecvgdjhdkgsdza.mca
- =================================================================================================
- YourPhone(7356)[C:\Program Files\WindowsApps\Microsoft.YourPhone_1.21022.160.0_x64__8wekyb3d8bbwe\YourPhone.exe] -- POwn: jason
- Command Line: "C:\Program Files\WindowsApps\Microsoft.YourPhone_1.21022.160.0_x64__8wekyb3d8bbwe\YourPhone.exe" -ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca
- =================================================================================================
- SearchApp(7352)[C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe] -- POwn: jason
- Command Line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- =================================================================================================
- cmd(1740)[C:\WINDOWS\system32\cmd.exe] -- POwn: jason
- Command Line: C:\WINDOWS\system32\cmd.exe /K c:\users\jason\downloads\node_modules\.bin\http-server c:\software_updates\client2 -p 8082
- =================================================================================================
- RuntimeBroker(3460)[C:\Windows\System32\RuntimeBroker.exe] -- POwn: jason
- Command Line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- =================================================================================================
- cmd(5180)[C:\WINDOWS\SYSTEM32\cmd.exe] -- POwn: jason
- Command Line: C:\WINDOWS\SYSTEM32\cmd.exe /c "C:\Users\jason\appdata\roaming\cache\clean.bat"
- =================================================================================================
- conhost(6472)[C:\WINDOWS\system32\conhost.exe] -- POwn: jason
- Command Line: \??\C:\WINDOWS\system32\conhost.exe 0x4
- =================================================================================================
- cmd(4312)[C:\WINDOWS\system32\cmd.exe] -- POwn: jason
- Command Line: cmd
- =================================================================================================
- ========================================(Services Information)========================================
- [+] Interesting Services -non Microsoft-
- [?] Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
- Apache2.4(Apache2.4)["C:\xampp\apache\bin\httpd.exe" -k runservice] - Auto - Running
- Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
- =================================================================================================
- Redis(Redis)["C:\Program Files\Redis\redis-server.exe" --service-run "C:\Program Files\Redis\redis.windows-service.conf"] - Auto - Running
- This service runs the Redis server
- =================================================================================================
- ssh-agent(OpenSSH Authentication Agent)[C:\WINDOWS\System32\OpenSSH\ssh-agent.exe] - Disabled - Stopped
- Agent to hold private keys used for public key authentication.
- =================================================================================================
- VGAuthService(VMware, Inc. - VMware Alias Manager and Ticket Service)["C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"] - Auto - Running
- Alias Manager and Ticket Service
- =================================================================================================
- vm3dservice(VMware, Inc. - VMware SVGA Helper Service)[C:\WINDOWS\system32\vm3dservice.exe] - Auto - Running
- Helps VMware SVGA driver by collecting and conveying user mode information
- =================================================================================================
- VMTools(VMware, Inc. - VMware Tools)["C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"] - Auto - Running
- Provides support for synchronizing objects between the host and guest operating systems.
- =================================================================================================
- [+] Modifiable Services
- [?] Check if you can modify any service https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
- You cannot modify any service
- [+] Looking if you can modify any service registry
- [?] Check if you can modify the registry of a service https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services-registry-permissions
- [-] Looks like you cannot change the registry of any service...
- [+] Checking write permissions in PATH folders (DLL Hijacking)
- [?] Check for DLL Hijacking in PATH folders https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dll-hijacking
- C:\WINDOWS\system32
- C:\WINDOWS
- C:\WINDOWS\System32\Wbem
- C:\WINDOWS\System32\WindowsPowerShell\v1.0\
- C:\Program Files\nodejs\
- C:\WINDOWS\System32\OpenSSH\
- ====================================(Applications Information)====================================
- [+] Current Active Window Application
- Heed
- [+] Installed Applications --Via Program Files/Uninstall registry--
- [?] Check if you can modify installed software https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#software
- C:\Program Files\Common Files
- C:\Program Files\CUAssistant
- C:\Program Files\desktop.ini
- C:\Program Files\Internet Explorer
- C:\Program Files\Microsoft Update Health Tools
- C:\Program Files\ModifiableWindowsApps
- C:\Program Files\nodejs
- C:\Program Files\Redis
- C:\Program Files\rempl
- C:\Program Files\Uninstall Information
- C:\Program Files\VMware
- C:\Program Files\Windows Defender
- C:\Program Files\Windows Defender Advanced Threat Protection
- C:\Program Files\Windows Mail
- C:\Program Files\Windows Media Player
- C:\Program Files\Windows Multimedia Platform
- C:\Program Files\Windows NT
- C:\Program Files\Windows Photo Viewer
- C:\Program Files\Windows Portable Devices
- C:\Program Files\Windows Security
- C:\Program Files\Windows Sidebar
- C:\Program Files\WindowsApps
- C:\Program Files\WindowsPowerShell
- C:\xampp
- [+] Autorun Applications
- [?] Check if you can modify other users AutoRuns binaries (Note that is normal that you can modify HKCU registry and binaries indicated there) https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries
- RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- Key: SecurityHealth
- Folder: C:\WINDOWS\system32
- File: C:\WINDOWS\system32\SecurityHealthSystray.exe
- =================================================================================================
- RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- Key: WindowsDefender
- Folder: C:\Program Files\Windows Defender
- File: C:\Program Files\Windows Defender\MSASCuiL.exe (Unquoted and Space detected)
- =================================================================================================
- RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- Key: VMware VM3DService Process
- Folder: C:\WINDOWS\system32
- File: C:\WINDOWS\system32\vm3dservice.exe -u
- =================================================================================================
- RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- Key: VMware User Process
- Folder: C:\Program Files\VMware\VMware Tools
- File: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe -n vmusr (Unquoted and Space detected)
- =================================================================================================
- RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
- Key: Common Startup
- Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup (Unquoted and Space detected)
- =================================================================================================
- RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
- Key: Common Startup
- Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup (Unquoted and Space detected)
- =================================================================================================
- RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
- Key: Userinit
- Folder: C:\Windows\system32
- File: C:\Windows\system32\userinit.exe,
- =================================================================================================
- RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
- Key: Shell
- Folder: None (PATH Injection)
- File: explorer.exe
- =================================================================================================
- RegPath: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
- Key: AlternateShell
- Folder: None (PATH Injection)
- File: cmd.exe
- =================================================================================================
- RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Font Drivers
- Key: Adobe Type Manager
- Folder: None (PATH Injection)
- File: atmfd.dll
- =================================================================================================
- RegPath: HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers
- Key: Adobe Type Manager
- Folder: None (PATH Injection)
- File: atmfd.dll
- =================================================================================================
- RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
- Key: aux
- Folder: None (PATH Injection)
- File: wdmaud.drv
- =================================================================================================
- RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
- Key: midi
- Folder: None (PATH Injection)
- File: wdmaud.drv
- =================================================================================================
- RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
- Key: midimapper
- Folder: None (PATH Injection)
- File: midimap.dll
- =================================================================================================
- RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
- Key: mixer
- Folder: None (PATH Injection)
- File: wdmaud.drv
- =================================================================================================
- RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
- Key: msacm.imaadpcm
- Folder: None (PATH Injection)
- File: imaadp32.acm
- =================================================================================================
- RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
- Key: msacm.msadpcm
- Folder: None (PATH Injection)
- File: msadp32.acm
- =================================================================================================
- RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
- Key: msacm.msg711
- Folder: None (PATH Injection)
- File: msg711.acm
- =================================================================================================
- RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
- Key: msacm.msgsm610
- Folder: None (PATH Injection)
- File: msgsm32.acm
- =================================================================================================
- RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
- Key: vidc.i420
- Folder: None (PATH Injection)
- File: iyuv_32.dll
- =================================================================================================
- RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
- Key: vidc.iyuv
- Folder: None (PATH Injection)
- File: iyuv_32.dll
- =================================================================================================
- RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
- Key: vidc.mrle
- Folder: None (PATH Injection)
- File: msrle32.dll
- =================================================================================================
- RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
- Key: vidc.msvc
- Folder: None (PATH Injection)
- File: msvidc32.dll
- =================================================================================================
- RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
- Key: vidc.uyvy
- Folder: None (PATH Injection)
- File: msyuv.dll
- =================================================================================================
- RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
- Key: vidc.yuy2
- Folder: None (PATH Injection)
- File: msyuv.dll
- =================================================================================================
- RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
- Key: vidc.yvu9
- Folder: None (PATH Injection)
- File: tsbyuv.dll
- =================================================================================================
- RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
- Key: vidc.yvyu
- Folder: None (PATH Injection)
- File: msyuv.dll
- =================================================================================================
- RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
- Key: wave
- Folder: None (PATH Injection)
- File: wdmaud.drv
- =================================================================================================
- RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
- Key: wavemapper
- Folder: None (PATH Injection)
- File: msacm32.drv
- =================================================================================================
- RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
- Key: msacm.l3acm
- Folder: C:\Windows\System32
- File: C:\Windows\System32\l3codeca.acm
- =================================================================================================
- RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
- Key: aux
- Folder: None (PATH Injection)
- File: wdmaud.drv
- =================================================================================================
- RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
- Key: midi
- Folder: None (PATH Injection)
- File: wdmaud.drv
- =================================================================================================
- RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
- Key: midimapper
- Folder: None (PATH Injection)
- File: midimap.dll
- =================================================================================================
- RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
- Key: mixer
- Folder: None (PATH Injection)
- File: wdmaud.drv
- =================================================================================================
- RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
- Key: msacm.imaadpcm
- Folder: None (PATH Injection)
- File: imaadp32.acm
- =================================================================================================
- RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
- Key: msacm.msadpcm
- Folder: None (PATH Injection)
- File: msadp32.acm
- =================================================================================================
- RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
- Key: msacm.msg711
- Folder: None (PATH Injection)
- File: msg711.acm
- =================================================================================================
- RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
- Key: msacm.msgsm610
- Folder: None (PATH Injection)
- File: msgsm32.acm
- =================================================================================================
- RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
- Key: vidc.cvid
- Folder: None (PATH Injection)
- File: iccvid.dll
- =================================================================================================
- RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
- Key: vidc.i420
- Folder: None (PATH Injection)
- File: iyuv_32.dll
- =================================================================================================
- RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
- Key: vidc.iyuv
- Folder: None (PATH Injection)
- File: iyuv_32.dll
- =================================================================================================
- RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
- Key: vidc.mrle
- Folder: None (PATH Injection)
- File: msrle32.dll
- =================================================================================================
- RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
- Key: vidc.msvc
- Folder: None (PATH Injection)
- File: msvidc32.dll
- =================================================================================================
- RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
- Key: vidc.uyvy
- Folder: None (PATH Injection)
- File: msyuv.dll
- =================================================================================================
- RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
- Key: vidc.yuy2
- Folder: None (PATH Injection)
- File: msyuv.dll
- =================================================================================================
- RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
- Key: vidc.yvu9
- Folder: None (PATH Injection)
- File: tsbyuv.dll
- =================================================================================================
- RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
- Key: vidc.yvyu
- Folder: None (PATH Injection)
- File: msyuv.dll
- =================================================================================================
- RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
- Key: wave
- Folder: None (PATH Injection)
- File: wdmaud.drv
- =================================================================================================
- RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
- Key: wavemapper
- Folder: None (PATH Injection)
- File: msacm32.drv
- =================================================================================================
- RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
- Key: msacm.l3acm
- Folder: C:\Windows\SysWOW64
- File: C:\Windows\SysWOW64\l3codeca.acm
- =================================================================================================
- RegPath: HKLM\Software\Classes\htmlfile\shell\open\command
- Folder: C:\Program Files\Internet Explorer
- File: C:\Program Files\Internet Explorer\IEXPLORE.EXE %1 (Unquoted and Space detected)
- =================================================================================================
- RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
- Key: _wowarmhw
- Folder: None (PATH Injection)
- File: wowarmhw.dll
- =================================================================================================
- RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
- Key: _xtajit
- Folder: None (PATH Injection)
- File: xtajit.dll
- =================================================================================================
- RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
- Key: advapi32
- Folder: None (PATH Injection)
- File: advapi32.dll
- =================================================================================================
- RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
- Key: clbcatq
- Folder: None (PATH Injection)
- File: clbcatq.dll
- =================================================================================================
- RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
- Key: combase
- Folder: None (PATH Injection)
- File: combase.dll
- =================================================================================================
- RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
- Key: COMDLG32
- Folder: None (PATH Injection)
- File: COMDLG32.dll
- =================================================================================================
- RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
- Key: coml2
- Folder: None (PATH Injection)
- File: coml2.dll
- =================================================================================================
- RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
- Key: DifxApi
- Folder: None (PATH Injection)
- File: difxapi.dll
- =================================================================================================
- RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
- Key: gdi32
- Folder: None (PATH Injection)
- File: gdi32.dll
- =================================================================================================
- RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
- Key: gdiplus
- Folder: None (PATH Injection)
- File: gdiplus.dll
- =================================================================================================
- RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
- Key: IMAGEHLP
- Folder: None (PATH Injection)
- File: IMAGEHLP.dll
- =================================================================================================
- RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
- Key: IMM32
- Folder: None (PATH Injection)
- File: IMM32.dll
- =================================================================================================
- RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
- Key: kernel32
- Folder: None (PATH Injection)
- File: kernel32.dll
- =================================================================================================
- RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
- Key: MSCTF
- Folder: None (PATH Injection)
- File: MSCTF.dll
- =================================================================================================
- RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
- Key: MSVCRT
- Folder: None (PATH Injection)
- File: MSVCRT.dll
- =================================================================================================
- RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
- Key: NORMALIZ
- Folder: None (PATH Injection)
- File: NORMALIZ.dll
- =================================================================================================
- RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
- Key: NSI
- Folder: None (PATH Injection)
- File: NSI.dll
- =================================================================================================
- RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
- Key: ole32
- Folder: None (PATH Injection)
- File: ole32.dll
- =================================================================================================
- RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
- Key: OLEAUT32
- Folder: None (PATH Injection)
- File: OLEAUT32.dll
- =================================================================================================
- RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
- Key: PSAPI
- Folder: None (PATH Injection)
- File: PSAPI.DLL
- =================================================================================================
- RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
- Key: rpcrt4
- Folder: None (PATH Injection)
- File: rpcrt4.dll
- =================================================================================================
- RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
- Key: sechost
- Folder: None (PATH Injection)
- File: sechost.dll
- =================================================================================================
- RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
- Key: Setupapi
- Folder: None (PATH Injection)
- File: Setupapi.dll
- =================================================================================================
- RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
- Key: SHCORE
- Folder: None (PATH Injection)
- File: SHCORE.dll
- =================================================================================================
- RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
- Key: SHELL32
- Folder: None (PATH Injection)
- File: SHELL32.dll
- =================================================================================================
- RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
- Key: SHLWAPI
- Folder: None (PATH Injection)
- File: SHLWAPI.dll
- =================================================================================================
- RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
- Key: user32
- Folder: None (PATH Injection)
- File: user32.dll
- =================================================================================================
- RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
- Key: WLDAP32
- Folder: None (PATH Injection)
- File: WLDAP32.dll
- =================================================================================================
- RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
- Key: wow64
- Folder: None (PATH Injection)
- File: wow64.dll
- =================================================================================================
- RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
- Key: wow64win
- Folder: None (PATH Injection)
- File: wow64win.dll
- =================================================================================================
- RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
- Key: WS2_32
- Folder: None (PATH Injection)
- File: WS2_32.dll
- =================================================================================================
- RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
- Key: _Wow64
- Folder: None (PATH Injection)
- File: Wow64.dll
- =================================================================================================
- RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
- Key: _Wow64cpu
- Folder: None (PATH Injection)
- File: Wow64cpu.dll
- =================================================================================================
- RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
- Key: _Wow64win
- Folder: None (PATH Injection)
- File: Wow64win.dll
- =================================================================================================
- RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
- Key: LPK
- Folder: None (PATH Injection)
- File: LPK.dll
- =================================================================================================
- RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
- Key: StubPath
- Folder: \
- FolderPerms: Authenticated Users [AppendData/CreateDirectories]
- File: /UserInstall
- =================================================================================================
- RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}
- Key: StubPath
- Folder: C:\WINDOWS\system32
- File: C:\WINDOWS\system32\unregmp2.exe /FirstLogon
- =================================================================================================
- RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}
- Key: StubPath
- Folder: None (PATH Injection)
- File: U
- =================================================================================================
- RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}
- Key: StubPath
- Folder: C:\Windows\System32
- File: C:\Windows\System32\ie4uinit.exe -UserConfig
- =================================================================================================
- RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}
- Key: StubPath
- Folder: C:\Windows\System32
- File: C:\Windows\System32\Rundll32.exe C:\Windows\System32\mscories.dll,Install
- =================================================================================================
- RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}
- Key: StubPath
- Folder: C:\Program Files (x86)\Microsoft\Edge\Application\89.0.774.75\Installer
- File: C:\Program Files (x86)\Microsoft\Edge\Application\89.0.774.75\Installer\setup.exe --configure-user-settings --verbose-logging --system-level --msedge (Unquoted and Space detected)
- =================================================================================================
- RegPath: HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}
- Key: StubPath
- Folder: C:\WINDOWS\system32
- File: C:\WINDOWS\system32\unregmp2.exe /FirstLogon
- =================================================================================================
- RegPath: HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}
- Key: StubPath
- Folder: C:\Windows\SysWOW64
- File: C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\mscories.dll,Install
- =================================================================================================
- RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}
- Folder: C:\Program Files (x86)\Microsoft\Edge\Application\89.0.774.75\BHO
- File: C:\Program Files (x86)\Microsoft\Edge\Application\89.0.774.75\BHO\ie_to_edge_bho_64.dll (Unquoted and Space detected)
- =================================================================================================
- RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}
- Folder: C:\Program Files (x86)\Microsoft\Edge\Application\89.0.774.75\BHO
- File: C:\Program Files (x86)\Microsoft\Edge\Application\89.0.774.75\BHO\ie_to_edge_bho_64.dll (Unquoted and Space detected)
- =================================================================================================
- Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
- File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (Unquoted and Space detected)
- =================================================================================================
- Folder: C:\Users\jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
- FolderPerms: jason [AllAccess]
- File: C:\Users\jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (Unquoted and Space detected)
- FilePerms: jason [AllAccess]
- =================================================================================================
- Folder: C:\windows\tasks
- FolderPerms: Authenticated Users [WriteData/CreateFiles]
- =================================================================================================
- Folder: C:\windows\system32\tasks
- FolderPerms: Authenticated Users [WriteData/CreateFiles]
- =================================================================================================
- Folder: C:\windows
- File: C:\windows\system.ini
- =================================================================================================
- Folder: C:\windows
- File: C:\windows\win.ini
- =================================================================================================
- Key: From WMIC
- Folder: C:\WINDOWS\system32
- File: C:\WINDOWS\system32\SecurityHealthSystray.exe
- =================================================================================================
- Key: From WMIC
- Folder: C:\Program Files\Windows Defender
- File: C:\Program Files\Windows Defender\MSASCuiL.exe
- =================================================================================================
- Key: From WMIC
- Folder: C:\WINDOWS\system32
- File: C:\WINDOWS\system32\vm3dservice.exe -u
- =================================================================================================
- Key: From WMIC
- Folder: C:\Program Files\VMware\VMware Tools
- File: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe -n vmusr
- =================================================================================================
- [+] Scheduled Applications --Non Microsoft--
- [?] Check if you can modify other users scheduled binaries https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries
- (ATOM\Administrator) SoftwareUpdates: C:\Users\jason\appdata\roaming\cache\run.bat
- Permissions file: jason [WriteData/CreateFiles AllAccess]
- Permissions folder(DLL Hijacking): jason [WriteData/CreateFiles AllAccess]
- Trigger: At log on of ATOM\jason
- =================================================================================================
- (ATOM\Administrator) UpdateServer: C:\Users\jason\appdata\roaming\cache\http-server.bat
- Permissions file: jason [WriteData/CreateFiles AllAccess]
- Permissions folder(DLL Hijacking): jason [WriteData/CreateFiles AllAccess]
- Trigger: At log on of ATOM\jason
- =================================================================================================
- [+] Device Drivers --Non Microsoft--
- [?] Check 3rd party drivers for known vulnerabilities/rootkits. https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#vulnerable-drivers
- QLogic 10 GigE - 7.13.65.105 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\evbda.sys
- QLogic Gigabit Ethernet - 7.12.31.105 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bxvbda.sys
- VMware vSockets Service - 9.8.16.0 build-14168184 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vsock.sys
- NVIDIA nForce(TM) RAID Driver - 10.6.0.23 [NVIDIA Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\nvraid.sys
- VMware PCI VMCI Bus Device - 9.8.16.0 build-14168184 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vmci.sys
- Intel Matrix Storage Manager driver - 8.6.2.1019 [Intel Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\iaStorV.sys
- VIA RAID driver - 7.0.9600,6352 [VIA Technologies Inc.,Ltd]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vsmraid.sys
- LSI 3ware RAID Controller - WindowsBlue [LSI]: \\.\GLOBALROOT\SystemRoot\System32\drivers\3ware.sys
- AHCI 1.3 Device Driver - 1.1.3.277 [Advanced Micro Devices]: \\.\GLOBALROOT\SystemRoot\System32\drivers\amdsata.sys
- Storage Filter Driver - 1.1.3.277 [Advanced Micro Devices]: \\.\GLOBALROOT\SystemRoot\System32\drivers\amdxata.sys
- AMD Technology AHCI Compatible Controller - 3.7.1540.43 [AMD Technologies Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\amdsbs.sys
- Adaptec RAID Controller - 7.5.0.32048 [PMC-Sierra, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\arcsas.sys
- Windows (R) Win 7 DDK driver - 10.0.10011.16384 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\ItSas35i.sys
- LSI Fusion-MPT SAS Driver (StorPort) - 1.34.03.83 [LSI Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sas.sys
- Windows (R) Win 7 DDK driver - 10.0.10011.16384 [LSI Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sas2i.sys
- Windows (R) Win 7 DDK driver - 10.0.10011.16384 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sas3i.sys
- LSI SSS PCIe/Flash Driver (StorPort) - 2.10.61.81 [LSI Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sss.sys
- MEGASAS RAID Controller Driver for Windows - 6.706.06.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\megasas.sys
- MEGASAS RAID Controller Driver for Windows - 6.714.20.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\MegaSas2i.sys
- MEGASAS RAID Controller Driver for Windows - 7.710.10.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\megasas35i.sys
- MegaRAID Software RAID - 15.02.2013.0129 [LSI Corporation, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\megasr.sys
- Marvell Flash Controller - 1.0.5.1016 [Marvell Semiconductor, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\mvumis.sys
- NVIDIA nForce(TM) SATA Driver - 10.6.0.23 [NVIDIA Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\nvstor.sys
- MEGASAS RAID Controller Driver for Windows - 6.805.03.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\percsas2i.sys
- MEGASAS RAID Controller Driver for Windows - 6.604.06.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\percsas3i.sys
- Microsoft® Windows® Operating System - 2.60.01 [Silicon Integrated Systems Corp.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\SiSRaid2.sys
- Microsoft® Windows® Operating System - 6.1.6918.0 [Silicon Integrated Systems]: \\.\GLOBALROOT\SystemRoot\System32\drivers\sisraid4.sys
- VIA StorX RAID Controller Driver - 8.0.9200.8110 [VIA Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vstxraid.sys
- Promiser SuperTrak EX Series - 5.1.0000.10 [Promise Technology, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\stexstor.sys
- Chelsio Communications iSCSI Controller - 10.0.10011.16384 [Chelsio Communications]: \\.\GLOBALROOT\SystemRoot\System32\drivers\cht4sx64.sys
- Intel(R) Rapid Storage Technology driver (inbox) - 15.44.0.1015 [Intel Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\iaStorAVC.sys
- PMC-Sierra HBA Controller - 1.3.0.10769 [PMC-Sierra]: \\.\GLOBALROOT\SystemRoot\System32\drivers\ADP80XX.SYS
- Smart Array SAS/SATA Controller Media Driver - 8.0.4.0 Build 1 Media Driver (x86-64) [Hewlett-Packard Company]: \\.\GLOBALROOT\SystemRoot\System32\drivers\HpSAMD.sys
- SmartRAID, SmartHBA PQI Storport Driver - 1.50.1.0 [Microsemi Corportation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\SmartSAMD.sys
- VMware Pointing USB Device Driver - 12.5.10.0 build-14169150 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vmusbmouse.sys
- VMware Pointing PS/2 Device Driver - 12.5.10.0 build-14169150 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vmmouse.sys
- VMware SVGA 3D - 8.16.07.0008 - build-16233244 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vm3dmp_loader.sys
- VMware SVGA 3D - 8.16.07.0008 - build-16233244 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vm3dmp.sys
- VMware PCIe Ethernet Adapter NDIS 6.30 (64-bit) - 1.8.17.0 build-17274505 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vmxnet3.sys
- VMware server memory controller - 7.5.5.0 build-14903665 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vmmemctl.sys
- =========================================(Network Information)=========================================
- [+] Network Shares
- ADMIN$ (Path: C:\WINDOWS)
- C$ (Path: C:\)
- IPC$ (Path: )
- Software_Updates (Path: C:\Software_Updates) -- Permissions: AllAccess
- [+] Enumerate Network Mapped Drives (WMI)
- [+] Host File
- [+] Network Ifaces and known hosts
- [?] The masks are only for the IPv4 addresses
- Ethernet0[00:50:56:B9:57:45]: 10.10.10.237, fe80::d8d6:9e76:e070:89e3%6, dead:beef::25ba:42d2:1e11:4c29, dead:beef::d8d6:9e76:e070:89e3 / 255.255.255.0
- Gateways: 10.10.10.2, fe80::250:56ff:feb9:188e%6
- DNSs: 1.1.1.1
- Known hosts:
- 10.10.10.2 00-50-56-B9-18-8E Dynamic
- 10.10.10.255 FF-FF-FF-FF-FF-FF Static
- 224.0.0.22 01-00-5E-00-00-16 Static
- 224.0.0.251 01-00-5E-00-00-FB Static
- 224.0.0.252 01-00-5E-00-00-FC Static
- 239.255.255.250 01-00-5E-7F-FF-FA Static
- Loopback Pseudo-Interface 1[]: 127.0.0.1, ::1 / 255.0.0.0
- DNSs: fec0:0:0:ffff::1%1, fec0:0:0:ffff::2%1, fec0:0:0:ffff::3%1
- Known hosts:
- 224.0.0.22 00-00-00-00-00-00 Static
- 239.255.255.250 00-00-00-00-00-00 Static
- [+] Current TCP Listening Ports
- [?] Check for services restricted from the outside
- Enumerating IPv4 connections
- Protocol Local Address Local Port Remote Address Remote Port State Process ID Process Name
- TCP 0.0.0.0 80 0.0.0.0 0 Listening 2668 httpd
- TCP 0.0.0.0 135 0.0.0.0 0 Listening 916 svchost
- TCP 0.0.0.0 443 0.0.0.0 0 Listening 2668 httpd
- TCP 0.0.0.0 445 0.0.0.0 0 Listening 4 System
- TCP 0.0.0.0 5040 0.0.0.0 0 Listening 5668 svchost
- TCP 0.0.0.0 5985 0.0.0.0 0 Listening 4 System
- TCP 0.0.0.0 6379 0.0.0.0 0 Listening 7792 redis-server
- TCP 0.0.0.0 8081 0.0.0.0 0 Listening 2752 C:\Program Files\nodejs\node.exe
- TCP 0.0.0.0 8082 0.0.0.0 0 Listening 2928 C:\Program Files\nodejs\node.exe
- TCP 0.0.0.0 8083 0.0.0.0 0 Listening 2896 C:\Program Files\nodejs\node.exe
- TCP 0.0.0.0 47001 0.0.0.0 0 Listening 4 System
- TCP 0.0.0.0 49664 0.0.0.0 0 Listening 688 lsass
- TCP 0.0.0.0 49665 0.0.0.0 0 Listening 532 wininit
- TCP 0.0.0.0 49666 0.0.0.0 0 Listening 1100 svchost
- TCP 0.0.0.0 49667 0.0.0.0 0 Listening 1500 svchost
- TCP 0.0.0.0 49668 0.0.0.0 0 Listening 2216 spoolsv
- TCP 0.0.0.0 49669 0.0.0.0 0 Listening 672 services
- TCP 10.10.10.237 139 0.0.0.0 0 Listening 4 System
- TCP 10.10.10.237 445 10.10.16.210 57882 Established 4 System
- TCP 10.10.10.237 63651 10.10.16.210 1234 Established 6672 C:\Users\jason\AppData\Roaming\heedv1\__update__\v'ulnerable-app-setup-1.2.3.exe
- TCP 127.0.0.1 8081 127.0.0.1 53213 FIN Wait 2 2752 C:\Program Files\nodejs\node.exe
- TCP 127.0.0.1 8082 127.0.0.1 53211 FIN Wait 2 2928 C:\Program Files\nodejs\node.exe
- TCP 127.0.0.1 8083 127.0.0.1 53212 FIN Wait 2 2896 C:\Program Files\nodejs\node.exe
- TCP 127.0.0.1 53211 127.0.0.1 8082 Close Wait 7284 C:\Users\jason\appdata\Local\programs\heedv2\heedv2.exe
- TCP 127.0.0.1 53212 127.0.0.1 8083 Close Wait 7400 C:\Users\jason\appdata\Local\programs\heedv3\heedv3.exe
- TCP 127.0.0.1 53213 127.0.0.1 8081 Close Wait 7428 C:\Users\jason\appdata\Local\programs\heedv1\heedv1.exe
- Enumerating IPv6 connections
- Protocol Local Address Local Port Remote Address Remote Port State Process ID Process Name
- TCP [::] 80 [::] 0 Listening 2668 httpd
- TCP [::] 135 [::] 0 Listening 916 svchost
- TCP [::] 443 [::] 0 Listening 2668 httpd
- TCP [::] 445 [::] 0 Listening 4 System
- TCP [::] 5985 [::] 0 Listening 4 System
- TCP [::] 6379 [::] 0 Listening 7792 redis-server
- TCP [::] 47001 [::] 0 Listening 4 System
- TCP [::] 49664 [::] 0 Listening 688 lsass
- TCP [::] 49665 [::] 0 Listening 532 wininit
- TCP [::] 49666 [::] 0 Listening 1100 svchost
- TCP [::] 49667 [::] 0 Listening 1500 svchost
- TCP [::] 49668 [::] 0 Listening 2216 spoolsv
- TCP [::] 49669 [::] 0 Listening 672 services
- [+] Current UDP Listening Ports
- [?] Check for services restricted from the outside
- Enumerating IPv4 connections
- Protocol Local Address Local Port Remote Address:Remote Port Process ID Process Name
- UDP 0.0.0.0 5050 *:* 5668 svchost
- UDP 0.0.0.0 5353 *:* 1076 svchost
- UDP 0.0.0.0 5355 *:* 1076 svchost
- UDP 10.10.10.237 137 *:* 4 System
- UDP 10.10.10.237 138 *:* 4 System
- UDP 10.10.10.237 1900 *:* 6072 svchost
- UDP 10.10.10.237 62079 *:* 6072 svchost
- UDP 127.0.0.1 1900 *:* 6072 svchost
- UDP 127.0.0.1 62080 *:* 6072 svchost
- UDP 127.0.0.1 64928 *:* 2920 svchost
- Enumerating IPv6 connections
- Protocol Local Address Local Port Remote Address:Remote Port Process ID Process Name
- UDP [::] 5353 *:* 1076 svchost
- UDP [::] 5355 *:* 1076 svchost
- UDP [::1] 1900 *:* 6072 svchost
- UDP [::1] 62078 *:* 6072 svchost
- UDP [fe80::d8d6:9e76:e070:89e3%6] 1900 *:* 6072 svchost
- UDP [fe80::d8d6:9e76:e070:89e3%6] 62077 *:* 6072 svchost
- [+] Firewall Rules
- [?] Showing only DENY rules (too many ALLOW rules always)
- Current Profiles: PUBLIC
- FirewallEnabled (Domain): True
- FirewallEnabled (Private): True
- FirewallEnabled (Public): True
- DENY rules:
- (4)Node.js: Server-side JavaScript[C:\program files\nodejs\node.exe]: DENY UDP IN from *:* --> *:*
- Node.js: Server-side JavaScript
- (4)Node.js: Server-side JavaScript[C:\program files\nodejs\node.exe]: DENY TCP IN from *:* --> *:*
- Node.js: Server-side JavaScript
- (2)redis-server[C:\redis\redis-server.exe]: DENY UDP IN from *:* --> *:*
- redis-server
- (2)redis-server[C:\redis\redis-server.exe]: DENY TCP IN from *:* --> *:*
- redis-server
- (2)Node.js: Server-side JavaScript[C:\program files\nodejs\node.exe]: DENY TCP IN from *:* --> *:*
- Node.js: Server-side JavaScript
- (2)Node.js: Server-side JavaScript[C:\program files\nodejs\node.exe]: DENY UDP IN from *:* --> *:*
- Node.js: Server-side JavaScript
- [+] DNS cached --limit 70--
- Entry Name Data
- [+] Enumerating Internet settings, zone and proxy configuration
- General Settings
- Hive Key Value
- HKCU CertificateRevocation 1
- HKCU DisableCachingOfSSLPages 0
- HKCU IE5_UA_Backup_Flag 5.0
- HKCU PrivacyAdvanced 1
- HKCU SecureProtocols 2688
- HKCU User Agent Mozilla/4.0 (compatible; MSIE 8.0; Win32)
- HKCU ZonesSecurityUpgrade System.Byte[]
- HKCU WarnonZoneCrossing 0
- HKCU EnableNegotiate 1
- HKCU MigrateProxy 1
- HKCU ProxyEnable 0
- HKLM ActiveXCache C:\Windows\Downloaded Program Files
- HKLM CodeBaseSearchPath CODEBASE
- HKLM EnablePunycode 1
- HKLM MinorVersion 0
- HKLM WarnOnIntranet 1
- Zone Maps
- No URLs configured
- Zone Auth Settings
- No Zone Auth Settings
- =========================================(Windows Credentials)=========================================
- [+] Checking Windows Vault
- [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-manager-windows-vault
- Not Found
- [+] Checking Credential manager
- [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-manager-windows-vault
- [!] Warning: if password contains non-printable characters, it will be printed as unicode base64 encoded string
- Username: ATOM\jason
- Password: kidvscat_electron_@123
- Target: ATOM\jason
- PersistenceType: Enterprise
- LastWriteTime: 3/31/2021 2:53:49 AM
- =================================================================================================
- [+] Saved RDP connections
- Not Found
- [+] Remote Desktop Server/Client Settings
- RDP Server Settings
- Network Level Authentication :
- Block Clipboard Redirection :
- Block COM Port Redirection :
- Block Drive Redirection :
- Block LPT Port Redirection :
- Block PnP Device Redirection :
- Block Printer Redirection :
- Allow Smart Card Redirection :
- RDP Client Settings
- Disable Password Saving : True
- Restricted Remote Administration : False
- [+] Recently run commands
- a: cmd\1
- MRUList: acdb
- b: compmgmt.msc\1
- c: appwiz.cpl\1
- d: control panel\1
- [+] Checking for DPAPI Master Keys
- [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi
- MasterKey: C:\Users\jason\AppData\Roaming\Microsoft\Protect\S-1-5-21-1199094703-3580107816-3092147818-1002\a96996a9-5aec-4f82-a145-68ee2de5ea3f
- Accessed: 5/29/2021 8:40:50 AM
- Modified: 3/30/2021 1:17:16 PM
- =================================================================================================
- [+] Checking for DPAPI Credential Files
- [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi
- CredFile: C:\Users\jason\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D
- Description: Local Credential Data
- MasterKey: a96996a9-5aec-4f82-a145-68ee2de5ea3f
- Accessed: 5/29/2021 11:00:35 AM
- Modified: 4/6/2021 7:25:24 PM
- Size: 11184
- =================================================================================================
- CredFile: C:\Users\jason\AppData\Roaming\Microsoft\Credentials\9F6E8E76E5D3AE66EB8D50DDC3B0A7EC
- Description: Enterprise Credential Data
- MasterKey: a96996a9-5aec-4f82-a145-68ee2de5ea3f
- Accessed: 5/29/2021 11:00:35 AM
- Modified: 3/31/2021 2:53:49 AM
- Size: 490
- =================================================================================================
- [i] Follow the provided link for further instructions in how to decrypt the creds file
- [+] Checking for RDCMan Settings Files
- [?] Dump credentials from Remote Desktop Connection Manager https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#remote-desktop-credential-manager
- Not Found
- [+] Looking for Kerberos tickets
- [?] https://book.hacktricks.xyz/pentesting/pentesting-kerberos-88
- Not Found
- [+] Looking for saved Wifi credentials
- [X] Exception: The service has not been started
- [+] Looking AppCmd.exe
- [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#appcmd-exe
- Not Found
- You must be an administrator to run this check
- [+] Looking SSClient.exe
- [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#scclient-sccm
- Not Found
- [+] Enumerating SSCM - System Center Configuration Manager settings
- [+] Enumerating Security Packages Credentials
- Version: NetNTLMv2
- Hash: jason::ATOM:1122334455667788:a4855cc92d76c6dcaff4bd6554268141:01010000000000001e4fb40fb854d701001901727b5b4d4c00000000080030003000000000000000000000000020000015718f51208716144f38c738968a3b193a582aba1e9cd3687494144057e021bc0a00100000000000000000000000000000000000090000000000000000000000
- =================================================================================================
- ========================================(Browsers Information)========================================
- [+] Showing saved credentials for Firefox
- Info: if no credentials were listed, you might need to close the browser and try again.
- [+] Looking for Firefox DBs
- [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history
- Not Found
- [+] Looking for GET credentials in Firefox history
- [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history
- Not Found
- [+] Showing saved credentials for Chrome
- Info: if no credentials were listed, you might need to close the browser and try again.
- [+] Looking for Chrome DBs
- [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history
- Not Found
- [+] Looking for GET credentials in Chrome history
- [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history
- Not Found
- [+] Chrome bookmarks
- Not Found
- [+] Showing saved credentials for Opera
- Info: if no credentials were listed, you might need to close the browser and try again.
- [+] Showing saved credentials for Brave Browser
- Info: if no credentials were listed, you might need to close the browser and try again.
- [+] Showing saved credentials for Internet Explorer (unsupported)
- Info: if no credentials were listed, you might need to close the browser and try again.
- [+] Current IE tabs
- [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history
- Not Found
- [+] Looking for GET credentials in IE history
- [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history
- [+] IE favorites
- http://go.microsoft.com/fwlink/p/?LinkId=255142
- ==============================(Interesting files and registry)==============================
- [+] Putty Sessions
- Not Found
- [+] Putty SSH Host keys
- Not Found
- [+] SSH keys in registry
- [?] If you find anything here, follow the link to learn how to decrypt the SSH keys https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#ssh-keys-in-registry
- Not Found
- [+] SuperPutty configuration files
- [+] Enumerating Office 365 endpoints synced by OneDrive.
- SID: S-1-5-19
- =================================================================================================
- SID: S-1-5-20
- =================================================================================================
- SID: S-1-5-21-1199094703-3580107816-3092147818-1002
- =================================================================================================
- SID: S-1-5-21-1199094703-3580107816-3092147818-500
- =================================================================================================
- SID: S-1-5-18
- =================================================================================================
- [+] Cloud Credentials
- [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
- Not Found
- [+] Unattend Files
- [+] Looking for common SAM & SYSTEM backups
- [+] Looking for McAfee Sitelist.xml Files
- [+] Cached GPP Passwords
- [+] Looking for possible regs with creds
- [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#inside-the-registry
- Not Found
- Not Found
- Not Found
- Not Found
- [+] Looking for possible password files in users homes
- [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
- C:\Users\All Users\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml
- [+] Searching for Oracle SQL Developer config files
- [+] Slack files & directories
- note: check manually if something is found
- [+] Looking for LOL Binaries and Scripts (can be slow)
- [?] https://lolbas-project.github.io/
- [!] Check skipped, if you want to run it, please specify '-lolbas' argument
- [+] Enumerating Outlook download files
- [+] Enumerating machine and user certificate files
- [+] Searching known files that can contain creds in home
- [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
- C:\Users\jason\AppData\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\LocalState\dtlskey.der
- C:\Users\jason\AppData\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\LocalState\dtlscert.der
- C:\Users\jason\NTUSER.DAT
- [+] Looking for documents --limit 100--
- C:\Users\jason\Downloads\PortableKanban\User Guide.pdf
- C:\Users\jason\Documents\UAT_Testing_Procedures.pdf
- [+] Office Most Recent Files -- limit 50
- Last Access Date User Application Document
- [+] Recent files --limit 70--
- Not Found
- [+] Looking inside the Recycle Bin for creds files
- [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
- Not Found
- [+] Searching hidden files or folders in C:\Users home (can be slow)
- C:\Users\All Users\ntuser.pol
- C:\Users\jason\AppData\Local\Temp\BITE0BD.tmp
- C:\Users\jason\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore\ActivationStore.dat.LOG2
- C:\Users\jason\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore\ActivationStore.dat.LOG1
- C:\Users\jason\AppData\Local\Packages\Windows.ContactSupport_cw5n1h2txyewy\Windows.ContactSupport_10.0.10240.16384_neutral_neutral_cw5n1h2txyewy\ActivationStore\ActivationStore.dat.LOG2
- C:\Users\jason\AppData\Local\Packages\Windows.ContactSupport_cw5n1h2txyewy\Windows.ContactSupport_10.0.10240.16384_neutral_neutral_cw5n1h2txyewy\ActivationStore\ActivationStore.dat.LOG1
- [+] Searching interesting files in other users home directories (can be slow)
- Checking folder: c:\users\administrator
- =================================================================================================
- [+] Searching executable files in non-default folders with write (equivalent) permissions (can be slow)
- File Permissions "C:\Software_Updates\winpeas.exe": jason [AllAccess],Everyone [AllAccess]
- File Permissions "C:\Users\jason\Downloads\PortableKanban\PortableKanban.exe": jason [AllAccess]
- File Permissions "C:\Users\jason\Downloads\node_modules\.bin\opener.ps1": jason [AllAccess]
- File Permissions "C:\Users\jason\Downloads\node_modules\.bin\mkdirp.ps1": jason [AllAccess]
- File Permissions "C:\Users\jason\Downloads\node_modules\.bin\mime.ps1": jason [AllAccess]
- File Permissions "C:\Users\jason\Downloads\node_modules\.bin\http-server.ps1": jason [AllAccess]
- File Permissions "C:\Users\jason\Downloads\node_modules\.bin\hs.ps1": jason [AllAccess]
- File Permissions "C:\Users\jason\Downloads\node_modules\.bin\he.ps1": jason [AllAccess]
- File Permissions "C:\Users\jason\Downloads\node_modules\.bin\ecstatic.ps1": jason [AllAccess]
- File Permissions "C:\Users\jason\Desktop\windowstempwinPEAS.bat": jason [AllAccess]
- File Permissions "C:\Users\jason\AppData\Roaming\heedv3\__installer.exe": jason [AllAccess]
- File Permissions "C:\Users\jason\AppData\Roaming\heedv2\__installer.exe": jason [AllAccess]
- File Permissions "C:\Users\jason\AppData\Roaming\heedv1\__installer.exe": jason [AllAccess]
- File Permissions "C:\Users\jason\AppData\Roaming\cache\run.bat": jason [WriteData/CreateFiles AllAccess]
- File Permissions "C:\Users\jason\AppData\Roaming\cache\http-server.bat": jason [WriteData/CreateFiles AllAccess]
- File Permissions "C:\Users\jason\AppData\Roaming\cache\clean.bat": jason [WriteData/CreateFiles AllAccess]
- File Permissions "C:\Users\jason\AppData\Local\Programs\heedv3\Uninstall heedv3.exe": jason [AllAccess]
- File Permissions "C:\Users\jason\AppData\Local\Programs\heedv3\heedv3.exe": jason [AllAccess]
- File Permissions "C:\Users\jason\AppData\Local\Programs\heedv3\resources\elevate.exe": jason [AllAccess]
- File Permissions "C:\Users\jason\AppData\Local\Programs\heedv2\Uninstall heedv2.exe": jason [AllAccess]
- File Permissions "C:\Users\jason\AppData\Local\Programs\heedv2\heedv2.exe": jason [AllAccess]
- File Permissions "C:\Users\jason\AppData\Local\Programs\heedv2\resources\elevate.exe": jason [AllAccess]
- File Permissions "C:\Users\jason\AppData\Local\Programs\heedv1\Uninstall heedv1.exe": jason [AllAccess]
- File Permissions "C:\Users\jason\AppData\Local\Programs\heedv1\heedv1.exe": jason [AllAccess]
- File Permissions "C:\Users\jason\AppData\Local\Programs\heedv1\resources\elevate.exe": jason [AllAccess]
- File Permissions "C:\Users\jason\AppData\Local\Microsoft\WindowsApps\Skype.exe": jason [AllAccess]
- File Permissions "C:\Users\jason\AppData\Local\Microsoft\WindowsApps\python3.exe": jason [AllAccess]
- File Permissions "C:\Users\jason\AppData\Local\Microsoft\WindowsApps\python.exe": jason [AllAccess]
- File Permissions "C:\Users\jason\AppData\Local\Microsoft\WindowsApps\MicrosoftEdge.exe": jason [AllAccess]
- File Permissions "C:\Users\jason\AppData\Local\Microsoft\WindowsApps\GameBarElevatedFT_Alias.exe": jason [AllAccess]
- File Permissions "C:\Users\jason\AppData\Local\Microsoft\WindowsApps\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\GameBarElevatedFT_Alias.exe": jason [AllAccess]
- File Permissions "C:\Users\jason\AppData\Local\Microsoft\WindowsApps\Microsoft.SkypeApp_kzf8qxf38zg5c\Skype.exe": jason [AllAccess]
- File Permissions "C:\Users\jason\AppData\Local\Microsoft\WindowsApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe": jason [AllAccess]
- File Permissions "C:\Users\jason\AppData\Local\Microsoft\WindowsApps\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\python3.exe": jason [AllAccess]
- File Permissions "C:\Users\jason\AppData\Local\Microsoft\WindowsApps\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\python.exe": jason [AllAccess]
- [+] Looking for Linux shells/distributions - wsl.exe, bash.exe