winpeasCode
by a guest, May 29th, 2021
WinPEAS v2.0-beta by @carlospolopm, makikvues(makikvues2[at]gmail[dot]com)

/---------------------------------------------------------------------------\
| Do you like PEASS? |
|---------------------------------------------------------------------------|
| Become a Patreon : https://www.patreon.com/peass |
| Follow on Twitter : @carlospolopm |
|---------------------------------------------------------------------------|
| Thank you! |
\---------------------------------------------------------------------------/

[+] Legend:
Red Indicates a special privilege over an object or something is misconfigured
Green Indicates that some protection is enabled or something is well configured
Cyan Indicates active users
Blue Indicates disabled users
LightYellow Indicates links

[?] You can find a Windows local PE Checklist here: https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation
Creating Dynamic lists, this could take a while, please wait...
- Checking if domain...
- Getting Win32_UserAccount info...
- Creating current user groups list...
- Creating active users list (local only)...
- Creating disabled users list...
- Admin users list...
- Creating AppLocker bypass list...
- Creating files/directories list for search...


==========================================(System Information)==========================================

[+] Basic System Information
[?] Check if the Windows versions is vulnerable to some known exploit https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#kernel-exploits
Hostname: ATOM
ProductName: Windows 10 Pro
EditionID: Professional
ReleaseId: 2009
BuildBranch: vb_release
CurrentMajorVersionNumber: 10
CurrentVersion: 6.3
Architecture: AMD64
ProcessorCount: 2
SystemLang: en-US
KeyboardLang: English (United States)
TimeZone: (UTC-08:00) Pacific Time (US & Canada)
IsVirtualMachine: True
Current Time: 5/29/2021 11:25:50 AM
HighIntegrity: False
PartOfDomain: False
Hotfixes: KB4601554, KB4562830, KB4570334, KB4577586, KB4580325, KB4586864, KB4589212, KB5000842, KB5000981,

[?] Windows vulns search powered by Watson(https://github.com/rasta-mouse/Watson)
[*] OS Version: 20H2 (19042)
[*] Enumerating installed KBs...
[*] Finished. Found 0 vulnerabilities.


[+] Showing All Microsoft Updates
HotFix ID : KB4601554
Installed At (UTC) : 4/5/2021 11:33:15 AM
Title : 2021-02 Cumulative Update Preview for .NET Framework 3.5 and 4.8 for Windows 10, version 20H2 for x64 (KB4601554)
Client Application ID : MoUpdateOrchestrator
Description : Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.

=================================================================================================

HotFix ID : KB4589212
Installed At (UTC) : 4/5/2021 11:31:44 AM
Title : 2021-01 Update for Windows 10 Version 20H2 for x64-based Systems (KB4589212)
Client Application ID : MoUpdateOrchestrator
Description : Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.

=================================================================================================

HotFix ID : KB4577586
Installed At (UTC) : 4/5/2021 11:31:35 AM
Title : Update for Removal of Adobe Flash Player for Windows 10 Version 20H2 for x64-based systems (KB4577586)
Client Application ID : MoUpdateOrchestrator
Description : This update will remove Adobe Flash Player from your Windows machine. After you install this item, you may have to restart your computer.

=================================================================================================

HotFix ID : KB5000842
Installed At (UTC) : 4/5/2021 10:52:37 AM
Title : 2021-03 Cumulative Update Preview for Windows 10 Version 20H2 for x64-based Systems (KB5000842)
Client Application ID : MoUpdateOrchestrator
Description : Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.

=================================================================================================

HotFix ID : KB5000802
Installed At (UTC) : 4/3/2021 9:52:24 AM
Title : 2021-03 Cumulative Update for Windows 10 Version 20H2 for x64-based Systems (KB5000802)
Client Application ID : MoUpdateOrchestrator
Description : Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.

=================================================================================================

HotFix ID : KB4023057
Installed At (UTC) : 4/3/2021 9:38:34 AM
Title : 2021-01 Update for Windows 10 Version 20H2 for x64-based Systems (KB4023057)
Client Application ID : MoUpdateOrchestrator
Description : A security issue has been identified in a Microsoft software product that could affect your system. You can help protect your system by installing this update from Microsoft. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article. After you install this update, you may have to restart your system.

=================================================================================================

HotFix ID : KB4601050
Installed At (UTC) : 4/3/2021 9:38:33 AM
Title : 2021-02 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 10, version 20H2 for x64 (KB4601050)
Client Application ID : MoUpdateOrchestrator
Description : A security issue has been identified in a Microsoft software product that could affect your system. You can help protect your system by installing this update from Microsoft. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article. After you install this update, you may have to restart your system.

=================================================================================================

HotFix ID : KB2267602
Installed At (UTC) : 4/1/2021 8:18:26 PM
Title : Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.333.1767.0)
Client Application ID : MoUpdateOrchestrator
Description : Install this update to revise the files that are used to detect viruses, spyware, and other potentially unwanted software. Once you have installed this item, it cannot be removed.

=================================================================================================

HotFix ID : KB4052623
Installed At (UTC) : 4/1/2021 8:17:33 PM
Title : Update for Microsoft Defender Antivirus antimalware platform - KB4052623 (Version 4.18.2102.4)
Client Application ID : MoUpdateOrchestrator
Description : This package will update Microsoft Defender Antivirus antimalware platform's components on the user machine.

=================================================================================================

HotFix ID : KB2267602
Installed At (UTC) : 4/1/2021 6:12:43 PM
Title : Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.333.1761.0)
Client Application ID : Microsoft Defender Antivirus (77BDAF73-B396-481F-9042-AD358843EC24)
Description : Install this update to revise the files that are used to detect viruses, spyware, and other potentially unwanted software. Once you have installed this item, it cannot be removed.

=================================================================================================

[+] System Last Shutdown Date/time (from Registry)

Last Shutdown Date/time : 4/14/2021 5:45:59 AM

[+] User Environment Variables
[?] Check for some passwords or keys in the env variables
COMPUTERNAME: ATOM
USERPROFILE: C:\Users\jason
HOMEPATH: \Users\jason
LOCALAPPDATA: C:\Users\jason\AppData\Local
PSModulePath: C:\Users\jason\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\
PROCESSOR_ARCHITECTURE: AMD64
Path: C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Program Files\nodejs\;C:\WINDOWS\System32\OpenSSH\;C:\Users\jason\AppData\Roaming\npm;%USERPROFILE%\AppData\Local\Microsoft\WindowsApps
CommonProgramFiles(x86): C:\Program Files (x86)\Common Files
ProgramFiles(x86): C:\Program Files (x86)
PROCESSOR_LEVEL: 23
LOGONSERVER: \\ATOM
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL
HOMEDRIVE: C:
SystemRoot: C:\WINDOWS
ALLUSERSPROFILE: C:\ProgramData
DriverData: C:\Windows\System32\Drivers\DriverData
APPDATA: C:\Users\jason\AppData\Roaming
PROCESSOR_REVISION: 0102
USERNAME: jason
CommonProgramW6432: C:\Program Files\Common Files
OneDrive: C:\Users\jason\OneDrive
CommonProgramFiles: C:\Program Files\Common Files
OS: Windows_NT
USERDOMAIN_ROAMINGPROFILE: ATOM
PROCESSOR_IDENTIFIER: AMD64 Family 23 Model 1 Stepping 2, AuthenticAMD
ComSpec: C:\WINDOWS\system32\cmd.exe
PROMPT: $P$G
SystemDrive: C:
TEMP: C:\Users\jason\AppData\Local\Temp
ProgramFiles: C:\Program Files
NUMBER_OF_PROCESSORS: 2
TMP: C:\Users\jason\AppData\Local\Temp
ProgramData: C:\ProgramData
ProgramW6432: C:\Program Files
windir: C:\WINDOWS
USERDOMAIN: ATOM
PUBLIC: C:\Users\Public

[+] System Environment Variables
[?] Check for some passwords or keys in the env variables
ComSpec: C:\WINDOWS\system32\cmd.exe
DriverData: C:\Windows\System32\Drivers\DriverData
OS: Windows_NT
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE: AMD64
TEMP: C:\WINDOWS\TEMP
TMP: C:\WINDOWS\TEMP
USERNAME: SYSTEM
windir: C:\WINDOWS
NUMBER_OF_PROCESSORS: 2
PROCESSOR_LEVEL: 23
PROCESSOR_IDENTIFIER: AMD64 Family 23 Model 1 Stepping 2, AuthenticAMD
PROCESSOR_REVISION: 0102
Path: C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Program Files\nodejs\;C:\WINDOWS\System32\OpenSSH\
PSModulePath: C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\

[+] Audit Settings
[?] Check what is being logged
Not Found

[+] Audit Policy Settings - Classic & Advanced

[+] WEF Settings
[?] Windows Event Forwarding, is interesting to know were are sent the logs
Not Found

[+] LAPS Settings
[?] If installed, local administrator password is changed frequently and is restricted by ACL
LAPS Enabled: LAPS not installed

[+] Wdigest
[?] If enabled, plain-text crds could be stored in LSASS https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#wdigest
Wdigest is not enabled

[+] LSA Protection
[?] If enabled, a driver is needed to read LSASS memory (If Secure Boot or UEFI, RunAsPPL cannot be disabled by deleting the registry key) https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#lsa-protection
LSA Protection is not enabled

[+] Credentials Guard
[?] If enabled, a driver is needed to read LSASS memory https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#credential-guard
CredentialGuard is not enabled
Virtualization Based Security Status: Not enabled
Configured: False
Running: False

[+] Cached Creds
[?] If > 0, credentials will be cached in the registry and accessible by SYSTEM user https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#cached-credentials
cachedlogonscount is 10

[+] AV Information
Some AV was detected, search for bypasses
Name: Windows Defender
ProductEXE: windowsdefender://
pathToSignedReportingExe: %ProgramFiles%\Windows Defender\MsMpeng.exe

[+] Windows Defender configuration
Local Settings
Group Policy Settings

[+] UAC Status
[?] If you are in the Administrators group check how to bypass the UAC https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
ConsentPromptBehaviorAdmin: 5 - PromptForNonWindowsBinaries
EnableLUA: 1
LocalAccountTokenFilterPolicy: 1
FilterAdministratorToken: 1
[*] LocalAccountTokenFilterPolicy set to 1.
[+] Any local account can be used for lateral movement.

[+] PowerShell Settings
PowerShell v2 Version: 2.0
PowerShell v5 Version: 5.1.19041.1
PowerShell Core Version:
Transcription Settings:
Module Logging Settings:
Scriptblock Logging Settings:
PS history file:
PS history size:

[+] Enumerating PowerShell Session Settings using the registry
You must be an administrator to run this check

[+] PS default transcripts history
[i] Read the PS history inside these files (if any)

[+] HKCU Internet Settings
CertificateRevocation: 1
DisableCachingOfSSLPages: 0
IE5_UA_Backup_Flag: 5.0
PrivacyAdvanced: 1
SecureProtocols: 2688
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
ZonesSecurityUpgrade: System.Byte[]
WarnonZoneCrossing: 0
EnableNegotiate: 1
MigrateProxy: 1
ProxyEnable: 0

[+] HKLM Internet Settings
ActiveXCache: C:\Windows\Downloaded Program Files
CodeBaseSearchPath: CODEBASE
EnablePunycode: 1
MinorVersion: 0
WarnOnIntranet: 1

[+] Drives Information
[?] Remember that you should search more info inside the other drives
C:\ (Type: Fixed)(Filesystem: NTFS)(Available space: 4 GB)(Permissions: Authenticated Users [AppendData/CreateDirectories])

[+] Checking WSUS
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#wsus
Not Found

[+] Checking AlwaysInstallElevated
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated
AlwaysInstallElevated isn't available

[+] Enumerate LSA settings - auth packages included

auditbasedirectories : 0
auditbaseobjects : 0
Bounds : 00-30-00-00-00-20-00-00
crashonauditfail : 0
LimitBlankPasswordUse : 1
NoLmHash : 1
Security Packages : ""
Notification Packages : scecli
Authentication Packages : msv1_0
LsaCfgFlagsDefault : 0
SecureBoot : 1
disabledomaincreds : 0
everyoneincludesanonymous : 0
forceguest : 0
restrictanonymous : 0
restrictanonymoussam : 1
fullprivilegeauditing : 80
LsaCfgFlags : 0
LsaPid : 688
ProductType : 6

[+] Enumerating NTLM Settings
LanmanCompatibilityLevel : (Send NTLMv2 response only - Win7+ default)


NTLM Signing Settings
ClientRequireSigning : False
ClientNegotiateSigning : True
ServerRequireSigning : False
ServerNegotiateSigning : False
LdapSigning : Negotiate signing (Negotiate signing)

Session Security
NTLMMinClientSec : 536870912 (Require 128-bit encryption)
NTLMMinServerSec : 536870912 (Require 128-bit encryption)


NTLM Auditing and Restrictions
InboundRestrictions : (Not defined)
OutboundRestrictions : (Not defined)
InboundAuditing : (Not defined)
OutboundExceptions :

[+] Display Local Group Policy settings - local users/machine
Type : user
Display Name : Local Group Policy
Name : Local Group Policy
Extensions : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}]
File Sys Path : C:\WINDOWS\System32\GroupPolicy\User
Link : Local
GPO Link : Local Machine
Options : All Sections Enabled

=================================================================================================


[+] Checking AppLocker effective policy
AppLockerPolicy version: 1
listing rules:


[X] Exception: Object reference not set to an instance of an object.

[+] Enumerating Printers (WMI)
Name: Microsoft XPS Document Writer
Status: Unknown
Sddl: O:SYD:(A;;SWRC;;;S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422)(A;OIIO;RPWPSDRCWDWO;;;S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422)(A;;LCSWSDRCWDWO;;;S-1-5-21-1199094703-3580107816-3092147818-1001)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-1199094703-3580107816-3092147818-1001)(A;OIIO;GA;;;CO)(A;OIIO;GA;;;AC)(A;;SWRC;;;WD)(A;CIIO;GX;;;WD)(A;;SWRC;;;AC)(A;CIIO;GX;;;AC)(A;;LCSWDTSDRCWDWO;;;BA)(A;OICIIO;GA;;;BA)
Is default: False
Is network printer: False

=================================================================================================

Name: Microsoft Print to PDF
Status: Unknown
Sddl: O:SYD:(A;;SWRC;;;S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422)(A;OIIO;RPWPSDRCWDWO;;;S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422)(A;;LCSWSDRCWDWO;;;S-1-5-21-1199094703-3580107816-3092147818-1001)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-1199094703-3580107816-3092147818-1001)(A;OIIO;GA;;;CO)(A;OIIO;GA;;;AC)(A;;SWRC;;;WD)(A;CIIO;GX;;;WD)(A;;SWRC;;;AC)(A;CIIO;GX;;;AC)(A;;LCSWDTSDRCWDWO;;;BA)(A;OICIIO;GA;;;BA)
Is default: True
Is network printer: False

=================================================================================================

Name: Fax
Status: Unknown
Sddl: O:SYD:(A;;SWRC;;;S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422)(A;OIIO;RPWPSDRCWDWO;;;S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422)(A;;LCSWSDRCWDWO;;;S-1-5-21-1199094703-3580107816-3092147818-1001)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-1199094703-3580107816-3092147818-1001)(A;OIIO;GA;;;CO)(A;OIIO;GA;;;AC)(A;;SWRC;;;WD)(A;CIIO;GX;;;WD)(A;;SWRC;;;AC)(A;CIIO;GX;;;AC)(A;;LCSWDTSDRCWDWO;;;BA)(A;OICIIO;GA;;;BA)
Is default: False
Is network printer: False

=================================================================================================


[+] Enumerating Named Pipes
Name Sddl

eventlog O:LSG:LSD:P(A;;0x12019b;;;WD)(A;;CC;;;OW)(A;;0x12008f;;;S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122)

ROUTER O:SYG:SYD:P(A;;0x12019b;;;WD)(A;;0x12019b;;;AN)(A;;FA;;;SY)

SearchTextHarvester O:SYG:SYD:P(D;;FA;;;NU)(D;;FA;;;BG)(A;;FR;;;IU)(A;;FA;;;SY)(A;;FA;;;BA)

vgauth-service O:BAG:SYD:P(A;;0x12019f;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)


[+] Enumerating AMSI registered providers
Provider: {2781761E-28E0-4109-99FE-B9D127C57AFE}
Path: "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2102.4-0\MpOav.dll"

=================================================================================================


[+] Enumerating Sysmon configuration
You must be an administrator to run this check

[+] Enumerating Sysmon process creation logs (1)
You must be an administrator to run this check

[+] Installed .NET versions

CLR Versions
4.0.30319

.NET Versions
4.8.04084

.NET & AMSI (Anti-Malware Scan Interface) support
.NET version supports AMSI : True
OS supports AMSI : True
[!] The highest .NET version is enrolled in AMSI!


==============================(Interesting Events information)==============================

[+] Printing Explicit Credential Events (4648) for last 30 days - A process logged on using plaintext credentials

You must be an administrator to run this check

[+] Printing Account Logon Events (4624) for the last 10 days.

You must be an administrator to run this check

[+] Process creation events - searching logs (EID 4688) for sensitive data.

You must be an administrator to run this check

[+] PowerShell events - script block logs (EID 4104) - searching for sensitive data.


[+] Displaying Power off/on events for last 5 days

5/29/2021 8:39:28 AM : Startup


===========================================(Users Information)===========================================

[+] Users
[?] Check if you have some admin equivalent privileges https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#users-and-groups
Current user: jason
Current groups: Domain Users, Everyone, Users, Interactive, Console Logon, Authenticated Users, This Organization, Local account, Local, NTLM Authentication
=================================================================================================

ATOM\Administrator: Built-in account for administering the computer/domain
|->Groups: Administrators
|->Password: CanChange-NotExpi-Req

ATOM\DefaultAccount(Disabled): A user account managed by the system.
|->Groups: System Managed Accounts Group
|->Password: CanChange-NotExpi-NotReq

ATOM\Guest: Built-in account for guest access to the computer/domain
|->Groups: Guests
|->Password: NotChange-NotExpi-NotReq

ATOM\jason
|->Groups: Users
|->Password: CanChange-NotExpi-Req

ATOM\WDAGUtilityAccount(Disabled): A user account managed and used by the system for Windows Defender Application Guard scenarios.
|->Password: CanChange-Expi-Req


[+] Current User Idle Time
Current User : ATOM\jason
Idle Time : 02h:46m:08s:672ms

[+] Display Tenant information (DsRegCmd.exe /status)
Tenant is NOT Azure AD Joined.

[+] Current Token privileges
[?] Check if you can escalate privilege using some enabled token https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#token-manipulation
SeShutdownPrivilege: DISABLED
SeChangeNotifyPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
SeUndockPrivilege: DISABLED
SeIncreaseWorkingSetPrivilege: DISABLED
SeTimeZonePrivilege: DISABLED

[+] Clipboard text

[+] Logged users
ATOM\Administrator
ATOM\jason

[+] Display information about local users
Computer Name : ATOM
User Name : Administrator
User Id : 500
Is Enabled : True
User Type : Administrator
Comment : Built-in account for administering the computer/domain
Last Logon : 5/29/2021 8:40:45 AM
Logons Count : 126
Password Last Set : 3/31/2021 3:03:21 AM

=================================================================================================

Computer Name : ATOM
User Name : DefaultAccount
User Id : 503
Is Enabled : False
User Type : Guest
Comment : A user account managed by the system.
Last Logon : 1/1/1970 12:00:00 AM
Logons Count : 0
Password Last Set : 1/1/1970 12:00:00 AM

=================================================================================================

Computer Name : ATOM
User Name : Guest
User Id : 501
Is Enabled : True
User Type : Guest
Comment : Built-in account for guest access to the computer/domain
Last Logon : 5/29/2021 11:21:50 AM
Logons Count : 0
Password Last Set : 1/1/1970 12:00:00 AM

=================================================================================================

Computer Name : ATOM
User Name : jason
User Id : 1002
Is Enabled : True
User Type : User
Comment :
Last Logon : 5/29/2021 8:40:04 AM
Logons Count : 65
Password Last Set : 3/30/2021 1:14:57 PM

=================================================================================================

Computer Name : ATOM
User Name : WDAGUtilityAccount
User Id : 504
Is Enabled : False
User Type : Guest
Comment : A user account managed and used by the system for Windows Defender Application Guard scenarios.
Last Logon : 1/1/1970 12:00:00 AM
Logons Count : 0
Password Last Set : 4/1/2021 3:51:54 AM

=================================================================================================


[+] RDP Sessions
SessID pSessionName pUserName pDomainName State SourceIP
1 Console jason ATOM Active

[+] Ever logged users
ATOM\Administrator
ATOM\jason

[+] Home folders found
C:\Users\Administrator
C:\Users\All Users
C:\Users\Default
C:\Users\Default User
C:\Users\jason : jason [AllAccess]
C:\Users\Public : Interactive [WriteData/CreateFiles]

[+] Looking for AutoLogon credentials
Some AutoLogon credentials were found
DefaultDomainName : ATOM
DefaultUserName : jason

[+] Password Policies
[?] Check for a possible brute-force
Domain: Builtin
SID: S-1-5-32
MaxPasswordAge: 42.22:47:31.7437440
MinPasswordAge: 00:00:00
MinPasswordLength: 0
PasswordHistoryLength: 0
PasswordProperties: 0
=================================================================================================

Domain: ATOM
SID: S-1-5-21-1199094703-3580107816-3092147818
MaxPasswordAge: 42.00:00:00
MinPasswordAge: 00:00:00
MinPasswordLength: 0
PasswordHistoryLength: 0
PasswordProperties: 0
=================================================================================================


[+] Print Logon Sessions
Method: WMI
Logon Server:
Logon Server Dns Domain:
Logon Id: 327750
Logon Time:
Logon Type: Interactive
Start Time: 5/29/2021 8:40:04 AM
Domain: ATOM
Authentication Package: NTLM
Start Time: 5/29/2021 8:40:04 AM
User Name: jason
User Principal Name:
User SID:

=================================================================================================



=======================================(Processes Information)=======================================

[+] Interesting Processes -non Microsoft-
[?] Check if any interesting processes for memory dump or if you could overwrite some binary running https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#running-processes
heedv2(4728)[C:\Users\jason\appdata\Local\programs\heedv2\heedv2.exe] -- POwn: jason
Permissions: jason [AllAccess]
Possible DLL Hijacking folder: C:\Users\jason\appdata\Local\programs\heedv2 (jason [AllAccess])
Command Line: "C:\Users\jason\appdata\Local\programs\heedv2\heedv2.exe" --type=renderer --disable-features=SpareRendererForSitePerProcess --service-pipe-token=11115843981059573204 --lang=en-US --app-path="C:\Users\jason\appdata\Local\programs\heedv2\resources\app.asar" --node-integration --no-sandbox --no-zygote --background-color=#fff --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=11115843981059573204 --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2108 /prefetch:1
=================================================================================================

svchost(416)[C:\WINDOWS\system32\svchost.exe] -- POwn: jason
Command Line: C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
=================================================================================================

sihost(2564)[C:\WINDOWS\system32\sihost.exe] -- POwn: jason
Command Line: sihost.exe
=================================================================================================

heedv1(6868)[C:\Users\jason\appdata\Local\programs\heedv1\heedv1.exe] -- POwn: jason
Permissions: jason [AllAccess]
Possible DLL Hijacking folder: C:\Users\jason\appdata\Local\programs\heedv1 (jason [AllAccess])
Command Line: "C:\Users\jason\appdata\Local\programs\heedv1\heedv1.exe" --type=renderer --disable-features=SpareRendererForSitePerProcess --service-pipe-token=1232073659841223713 --lang=en-US --app-path="C:\Users\jason\appdata\Local\programs\heedv1\resources\app.asar" --node-integration --no-sandbox --no-zygote --background-color=#fff --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=1232073659841223713 --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2124 /prefetch:1
=================================================================================================

svchost(5140)[C:\WINDOWS\system32\svchost.exe] -- POwn: jason
Command Line: C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup -s WpnUserService
=================================================================================================

heedv3(3908)[C:\Users\jason\appdata\Local\programs\heedv3\heedv3.exe] -- POwn: jason
Permissions: jason [AllAccess]
Possible DLL Hijacking folder: C:\Users\jason\appdata\Local\programs\heedv3 (jason [AllAccess])
Command Line: "C:\Users\jason\appdata\Local\programs\heedv3\heedv3.exe" --type=renderer --disable-features=SpareRendererForSitePerProcess --service-pipe-token=17375926803871715330 --lang=en-US --app-path="C:\Users\jason\appdata\Local\programs\heedv3\resources\app.asar" --node-integration --no-sandbox --no-zygote --background-color=#fff --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=17375926803871715330 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2152 /prefetch:1
=================================================================================================

conhost(5996)[C:\WINDOWS\system32\conhost.exe] -- POwn: jason
Command Line: \??\C:\WINDOWS\system32\conhost.exe 0x4
=================================================================================================

heedv2(7284)[C:\Users\jason\appdata\Local\programs\heedv2\heedv2.exe] -- POwn: jason
Permissions: jason [AllAccess]
Possible DLL Hijacking folder: C:\Users\jason\appdata\Local\programs\heedv2 (jason [AllAccess])
Command Line: C:\Users\jason\appdata\Local\programs\heedv2\heedv2.exe
=================================================================================================

PING(6848)[C:\WINDOWS\system32\PING.EXE] -- POwn: jason
Command Line: ping -n 30 127.0.0.1
=================================================================================================

RuntimeBroker(6832)[C:\Windows\System32\RuntimeBroker.exe] -- POwn: jason
Command Line: C:\Windows\System32\RuntimeBroker.exe -Embedding
=================================================================================================

vm3dservice(7908)[C:\Windows\System32\vm3dservice.exe] -- POwn: jason
  680. Command Line: "C:\Windows\System32\vm3dservice.exe" -u
  681. =================================================================================================
  682.  
  683. node(2928)[C:\Program Files\nodejs\node.exe] -- POwn: jason
  684. Command Line: "node" "c:\Users\jason\Downloads\node_modules\.bin\\..\http-server\bin\http-server" c:\software_updates\client2 -p 8082
  685. =================================================================================================
  686.  
  687. RuntimeBroker(2908)[C:\Windows\System32\RuntimeBroker.exe] -- POwn: jason
  688. Command Line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  689. =================================================================================================
  690.  
  691. powershell(3328)[C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe] -- POwn: jason
  692. Command Line: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe"
  693. =================================================================================================
  694.  
  695. node(2896)[C:\Program Files\nodejs\node.exe] -- POwn: jason
  696. Command Line: "node" "c:\Users\jason\Downloads\node_modules\.bin\\..\http-server\bin\http-server" c:\software_updates\client3 -p 8083
  697. =================================================================================================
  698.  
  699. heedv1(4848)[C:\Users\jason\appdata\Local\programs\heedv1\heedv1.exe] -- POwn: jason
  700. Permissions: jason [AllAccess]
  701. Possible DLL Hijacking folder: C:\Users\jason\appdata\Local\programs\heedv1 (jason [AllAccess])
  702. Command Line: "C:\Users\jason\appdata\Local\programs\heedv1\heedv1.exe" --type=gpu-process --disable-features=SpareRendererForSitePerProcess --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=14515363457901305326 --mojo-platform-channel-handle=1296 --ignored=" --type=renderer " /prefetch:2
  703. =================================================================================================
  704.  
  705. StartMenuExperienceHost(6756)[C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe] -- POwn: jason
  706. Command Line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  707. =================================================================================================
  708.  
  709. cmd(7604)[C:\WINDOWS\system32\cmd.exe] -- POwn: jason
  710. Command Line: C:\WINDOWS\system32\cmd.exe /K c:\users\jason\downloads\node_modules\.bin\http-server c:\software_updates\client3 -p 8083
  711. =================================================================================================
  712.  
  713. explorer(1048)[C:\WINDOWS\Explorer.EXE] -- POwn: jason
  714. Command Line: C:\WINDOWS\Explorer.EXE
  715. =================================================================================================
  716.  
  717. powershell(3692)[C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe] -- POwn: jason
  718. Command Line: powershell
  719. =================================================================================================
  720.  
  721. ShellExperienceHost(8000)[C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe] -- POwn: jason
  722. Command Line: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
  723. =================================================================================================
  724.  
  725. heedv3(7988)[C:\Users\jason\appdata\Local\programs\heedv3\heedv3.exe] -- POwn: jason
  726. Permissions: jason [AllAccess]
  727. Possible DLL Hijacking folder: C:\Users\jason\appdata\Local\programs\heedv3 (jason [AllAccess])
  728. Command Line: "C:\Users\jason\appdata\Local\programs\heedv3\heedv3.exe" --type=gpu-process --disable-features=SpareRendererForSitePerProcess --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=16483162655012643694 --mojo-platform-channel-handle=1320 --ignored=" --type=renderer " /prefetch:2
  729. =================================================================================================
  730.  
  731. RuntimeBroker(7112)[C:\Windows\System32\RuntimeBroker.exe] -- POwn: jason
  732. Command Line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  733. =================================================================================================
  734.  
  735. RuntimeBroker(4956)[C:\Windows\System32\RuntimeBroker.exe] -- POwn: jason
  736. Command Line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  737. =================================================================================================
  738.  
  739. conhost(5812)[C:\WINDOWS\system32\conhost.exe] -- POwn: jason
  740. Command Line: \??\C:\WINDOWS\system32\conhost.exe 0x4
  741. =================================================================================================
  742.  
  743. winpeas(8828)[C:\Software_Updates\winpeas.exe] -- POwn: jason -- isDotNet
  744. Permissions: jason [AllAccess], Everyone [AllAccess]
  745. Possible DLL Hijacking folder: C:\Software_Updates (Everyone [AllAccess], jason [AllAccess])
  746. Command Line: "C:\Software_Updates\winpeas.exe"
  747. =================================================================================================
  748.  
  749. v'ulnerable-app-setup-1.2.3(6672)[C:\Users\jason\AppData\Roaming\heedv1\__update__\v'ulnerable-app-setup-1.2.3.exe] -- POwn: jason
  750. Possible DLL Hijacking folder: C:\Users\jason\AppData\Roaming\heedv1\__update__ (jason [AllAccess])
  751. Command Line: C:\Users\jason\AppData\Roaming\heedv1\__update__\v'ulnerable-app-setup-1.2.3.exe --updated --force-run
  752. =================================================================================================
  753.  
  754. cmd(7532)[C:\WINDOWS\system32\cmd.exe] -- POwn: jason
  755. Command Line: C:\WINDOWS\system32\cmd.exe /K c:\users\jason\downloads\node_modules\.bin\http-server c:\software_updates\client1 -p 8081
  756. =================================================================================================
  757.  
  758. svchost(6232)[C:\WINDOWS\system32\svchost.exe] -- POwn: jason
  759. Command Line: C:\WINDOWS\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  760. =================================================================================================
  761.  
  762. svchost(8816)[C:\WINDOWS\system32\svchost.exe] -- POwn: jason
  763. Command Line: C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
  764. =================================================================================================
  765.  
  766. node(2752)[C:\Program Files\nodejs\node.exe] -- POwn: jason
  767. Command Line: "node" "c:\Users\jason\Downloads\node_modules\.bin\\..\http-server\bin\http-server" c:\software_updates\client1 -p 8081
  768. =================================================================================================
  769.  
  770. heedv2(5764)[C:\Users\jason\appdata\Local\programs\heedv2\heedv2.exe] -- POwn: jason
  771. Permissions: jason [AllAccess]
  772. Possible DLL Hijacking folder: C:\Users\jason\appdata\Local\programs\heedv2 (jason [AllAccess])
  773. Command Line: "C:\Users\jason\appdata\Local\programs\heedv2\heedv2.exe" --type=gpu-process --disable-features=SpareRendererForSitePerProcess --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=4554134489477886038 --mojo-platform-channel-handle=1308 --ignored=" --type=renderer " /prefetch:2
  774. =================================================================================================
  775.  
  776. ApplicationFrameHost(9200)[C:\WINDOWS\system32\ApplicationFrameHost.exe] -- POwn: jason
  777. Command Line: C:\WINDOWS\system32\ApplicationFrameHost.exe -Embedding
  778. =================================================================================================
  779.  
  780. vmtoolsd(7944)[C:\Program Files\VMware\VMware Tools\vmtoolsd.exe] -- POwn: jason
  781. Command Line: "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
  782. =================================================================================================
  783.  
  784. UserOOBEBroker(1400)[C:\Windows\System32\oobe\UserOOBEBroker.exe] -- POwn: jason
  785. Command Line: C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
  786. =================================================================================================
  787.  
  788. heedv1(7428)[C:\Users\jason\appdata\Local\programs\heedv1\heedv1.exe] -- POwn: jason
  789. Permissions: jason [AllAccess]
  790. Possible DLL Hijacking folder: C:\Users\jason\appdata\Local\programs\heedv1 (jason [AllAccess])
  791. Command Line: C:\Users\jason\appdata\Local\programs\heedv1\heedv1.exe
  792. =================================================================================================
  793.  
  794. cmd(5256)[C:\WINDOWS\SYSTEM32\cmd.exe] -- POwn: jason
  795. Command Line: C:\WINDOWS\SYSTEM32\cmd.exe /c "C:\Users\jason\appdata\roaming\cache\run.bat"
  796. =================================================================================================
  797.  
  798. heedv3(7400)[C:\Users\jason\appdata\Local\programs\heedv3\heedv3.exe] -- POwn: jason
  799. Permissions: jason [AllAccess]
  800. Possible DLL Hijacking folder: C:\Users\jason\appdata\Local\programs\heedv3 (jason [AllAccess])
  801. Command Line: C:\Users\jason\appdata\Local\programs\heedv3\heedv3.exe
  802. =================================================================================================
  803.  
  804. PING(4804)[C:\WINDOWS\system32\PING.EXE] -- POwn: jason
  805. Command Line: ping -n 300 127.0.0.1
  806. =================================================================================================
  807.  
  808. taskhostw(5216)[C:\WINDOWS\system32\taskhostw.exe] -- POwn: jason
  809. Command Line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  810. =================================================================================================
  811.  
  812. conhost(5980)[C:\WINDOWS\system32\conhost.exe] -- POwn: jason
  813. Command Line: \??\C:\WINDOWS\system32\conhost.exe 0x4
  814. =================================================================================================
  815.  
  816. WinStore.App(6064)[C:\Program Files\WindowsApps\Microsoft.WindowsStore_12101.1001.14.0_x64__8wekyb3d8bbwe\WinStore.App.exe] -- POwn: jason
  817. Command Line: "C:\Program Files\WindowsApps\Microsoft.WindowsStore_12101.1001.14.0_x64__8wekyb3d8bbwe\WinStore.App.exe" -ServerName:App.AppXc75wvwned5vhz4xyxxecvgdjhdkgsdza.mca
  818. =================================================================================================
  819.  
  820. YourPhone(7356)[C:\Program Files\WindowsApps\Microsoft.YourPhone_1.21022.160.0_x64__8wekyb3d8bbwe\YourPhone.exe] -- POwn: jason
  821. Command Line: "C:\Program Files\WindowsApps\Microsoft.YourPhone_1.21022.160.0_x64__8wekyb3d8bbwe\YourPhone.exe" -ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca
  822. =================================================================================================
  823.  
  824. SearchApp(7352)[C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe] -- POwn: jason
  825. Command Line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  826. =================================================================================================
  827.  
  828. cmd(1740)[C:\WINDOWS\system32\cmd.exe] -- POwn: jason
  829. Command Line: C:\WINDOWS\system32\cmd.exe /K c:\users\jason\downloads\node_modules\.bin\http-server c:\software_updates\client2 -p 8082
  830. =================================================================================================
  831.  
  832. RuntimeBroker(3460)[C:\Windows\System32\RuntimeBroker.exe] -- POwn: jason
  833. Command Line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  834. =================================================================================================
  835.  
  836. cmd(5180)[C:\WINDOWS\SYSTEM32\cmd.exe] -- POwn: jason
  837. Command Line: C:\WINDOWS\SYSTEM32\cmd.exe /c "C:\Users\jason\appdata\roaming\cache\clean.bat"
  838. =================================================================================================
  839.  
  840. conhost(6472)[C:\WINDOWS\system32\conhost.exe] -- POwn: jason
  841. Command Line: \??\C:\WINDOWS\system32\conhost.exe 0x4
  842. =================================================================================================
  843.  
  844. cmd(4312)[C:\WINDOWS\system32\cmd.exe] -- POwn: jason
  845. Command Line: cmd
  846. =================================================================================================
  847.  
  848.  
  849.  
  850. ========================================(Services Information)========================================
  851.  
  852. [+] Interesting Services -non Microsoft-
  853. [?] Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
  854. Apache2.4(Apache2.4)["C:\xampp\apache\bin\httpd.exe" -k runservice] - Auto - Running
  855. Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
  856. =================================================================================================
  857.  
  858. Redis(Redis)["C:\Program Files\Redis\redis-server.exe" --service-run "C:\Program Files\Redis\redis.windows-service.conf"] - Auto - Running
  859. This service runs the Redis server
  860. =================================================================================================
  861.  
  862. ssh-agent(OpenSSH Authentication Agent)[C:\WINDOWS\System32\OpenSSH\ssh-agent.exe] - Disabled - Stopped
  863. Agent to hold private keys used for public key authentication.
  864. =================================================================================================
  865.  
  866. VGAuthService(VMware, Inc. - VMware Alias Manager and Ticket Service)["C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"] - Auto - Running
  867. Alias Manager and Ticket Service
  868. =================================================================================================
  869.  
  870. vm3dservice(VMware, Inc. - VMware SVGA Helper Service)[C:\WINDOWS\system32\vm3dservice.exe] - Auto - Running
  871. Helps VMware SVGA driver by collecting and conveying user mode information
  872. =================================================================================================
  873.  
  874. VMTools(VMware, Inc. - VMware Tools)["C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"] - Auto - Running
  875. Provides support for synchronizing objects between the host and guest operating systems.
  876. =================================================================================================
  877.  
  878.  
  879. [+] Modifiable Services
  880. [?] Check if you can modify any service https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
  881. You cannot modify any service
  882.  
  883. [+] Looking if you can modify any service registry
  884. [?] Check if you can modify the registry of a service https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services-registry-permissions
  885. [-] Looks like you cannot change the registry of any service...
  886.  
  887. [+] Checking write permissions in PATH folders (DLL Hijacking)
  888. [?] Check for DLL Hijacking in PATH folders https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dll-hijacking
  889. C:\WINDOWS\system32
  890. C:\WINDOWS
  891. C:\WINDOWS\System32\Wbem
  892. C:\WINDOWS\System32\WindowsPowerShell\v1.0\
  893. C:\Program Files\nodejs\
  894. C:\WINDOWS\System32\OpenSSH\
  895.  
  896.  
  897. ====================================(Applications Information)====================================
  898.  
  899. [+] Current Active Window Application
  900. Heed
  901.  
  902. [+] Installed Applications --Via Program Files/Uninstall registry--
  903. [?] Check if you can modify installed software https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#software
  904. C:\Program Files\Common Files
  905. C:\Program Files\CUAssistant
  906. C:\Program Files\desktop.ini
  907. C:\Program Files\Internet Explorer
  908. C:\Program Files\Microsoft Update Health Tools
  909. C:\Program Files\ModifiableWindowsApps
  910. C:\Program Files\nodejs
  911. C:\Program Files\Redis
  912. C:\Program Files\rempl
  913. C:\Program Files\Uninstall Information
  914. C:\Program Files\VMware
  915. C:\Program Files\Windows Defender
  916. C:\Program Files\Windows Defender Advanced Threat Protection
  917. C:\Program Files\Windows Mail
  918. C:\Program Files\Windows Media Player
  919. C:\Program Files\Windows Multimedia Platform
  920. C:\Program Files\Windows NT
  921. C:\Program Files\Windows Photo Viewer
  922. C:\Program Files\Windows Portable Devices
  923. C:\Program Files\Windows Security
  924. C:\Program Files\Windows Sidebar
  925. C:\Program Files\WindowsApps
  926. C:\Program Files\WindowsPowerShell
  927. C:\xampp
  928.  
  929.  
  930. [+] Autorun Applications
  931. [?] Check if you can modify other users AutoRuns binaries (Note that is normal that you can modify HKCU registry and binaries indicated there) https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries
  932.  
  933. RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  934. Key: SecurityHealth
  935. Folder: C:\WINDOWS\system32
  936. File: C:\WINDOWS\system32\SecurityHealthSystray.exe
  937. =================================================================================================
  938.  
  939.  
  940. RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  941. Key: WindowsDefender
  942. Folder: C:\Program Files\Windows Defender
  943. File: C:\Program Files\Windows Defender\MSASCuiL.exe (Unquoted and Space detected)
  944. =================================================================================================
  945.  
  946.  
  947. RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  948. Key: VMware VM3DService Process
  949. Folder: C:\WINDOWS\system32
  950. File: C:\WINDOWS\system32\vm3dservice.exe -u
  951. =================================================================================================
  952.  
  953.  
  954. RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  955. Key: VMware User Process
  956. Folder: C:\Program Files\VMware\VMware Tools
  957. File: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe -n vmusr (Unquoted and Space detected)
  958. =================================================================================================
  959.  
  960.  
  961. RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  962. Key: Common Startup
  963. Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup (Unquoted and Space detected)
  964. =================================================================================================
  965.  
  966.  
  967. RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  968. Key: Common Startup
  969. Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup (Unquoted and Space detected)
  970. =================================================================================================
  971.  
  972.  
  973. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  974. Key: Userinit
  975. Folder: C:\Windows\system32
  976. File: C:\Windows\system32\userinit.exe,
  977. =================================================================================================
  978.  
  979.  
  980. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  981. Key: Shell
  982. Folder: None (PATH Injection)
  983. File: explorer.exe
  984. =================================================================================================
  985.  
  986.  
  987. RegPath: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
  988. Key: AlternateShell
  989. Folder: None (PATH Injection)
  990. File: cmd.exe
  991. =================================================================================================
  992.  
  993.  
  994. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Font Drivers
  995. Key: Adobe Type Manager
  996. Folder: None (PATH Injection)
  997. File: atmfd.dll
  998. =================================================================================================
  999.  
  1000.  
  1001. RegPath: HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers
  1002. Key: Adobe Type Manager
  1003. Folder: None (PATH Injection)
  1004. File: atmfd.dll
  1005. =================================================================================================
  1006.  
  1007.  
  1008. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  1009. Key: aux
  1010. Folder: None (PATH Injection)
  1011. File: wdmaud.drv
  1012. =================================================================================================
  1013.  
  1014.  
  1015. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  1016. Key: midi
  1017. Folder: None (PATH Injection)
  1018. File: wdmaud.drv
  1019. =================================================================================================
  1020.  
  1021.  
  1022. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  1023. Key: midimapper
  1024. Folder: None (PATH Injection)
  1025. File: midimap.dll
  1026. =================================================================================================
  1027.  
  1028.  
  1029. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  1030. Key: mixer
  1031. Folder: None (PATH Injection)
  1032. File: wdmaud.drv
  1033. =================================================================================================
  1034.  
  1035.  
  1036. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  1037. Key: msacm.imaadpcm
  1038. Folder: None (PATH Injection)
  1039. File: imaadp32.acm
  1040. =================================================================================================
  1041.  
  1042.  
  1043. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  1044. Key: msacm.msadpcm
  1045. Folder: None (PATH Injection)
  1046. File: msadp32.acm
  1047. =================================================================================================
  1048.  
  1049.  
  1050. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  1051. Key: msacm.msg711
  1052. Folder: None (PATH Injection)
  1053. File: msg711.acm
  1054. =================================================================================================
  1055.  
  1056.  
  1057. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  1058. Key: msacm.msgsm610
  1059. Folder: None (PATH Injection)
  1060. File: msgsm32.acm
  1061. =================================================================================================
  1062.  
  1063.  
  1064. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  1065. Key: vidc.i420
  1066. Folder: None (PATH Injection)
  1067. File: iyuv_32.dll
  1068. =================================================================================================
  1069.  
  1070.  
  1071. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  1072. Key: vidc.iyuv
  1073. Folder: None (PATH Injection)
  1074. File: iyuv_32.dll
  1075. =================================================================================================
  1076.  
  1077.  
  1078. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  1079. Key: vidc.mrle
  1080. Folder: None (PATH Injection)
  1081. File: msrle32.dll
  1082. =================================================================================================
  1083.  
  1084.  
  1085. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  1086. Key: vidc.msvc
  1087. Folder: None (PATH Injection)
  1088. File: msvidc32.dll
  1089. =================================================================================================
  1090.  
  1091.  
  1092. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  1093. Key: vidc.uyvy
  1094. Folder: None (PATH Injection)
  1095. File: msyuv.dll
  1096. =================================================================================================
  1097.  
  1098.  
  1099. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  1100. Key: vidc.yuy2
  1101. Folder: None (PATH Injection)
  1102. File: msyuv.dll
  1103. =================================================================================================
  1104.  
  1105.  
  1106. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  1107. Key: vidc.yvu9
  1108. Folder: None (PATH Injection)
  1109. File: tsbyuv.dll
  1110. =================================================================================================
  1111.  
  1112.  
  1113. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  1114. Key: vidc.yvyu
  1115. Folder: None (PATH Injection)
  1116. File: msyuv.dll
  1117. =================================================================================================
  1118.  
  1119.  
  1120. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  1121. Key: wave
  1122. Folder: None (PATH Injection)
  1123. File: wdmaud.drv
  1124. =================================================================================================
  1125.  
  1126.  
  1127. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  1128. Key: wavemapper
  1129. Folder: None (PATH Injection)
  1130. File: msacm32.drv
  1131. =================================================================================================
  1132.  
  1133.  
  1134. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  1135. Key: msacm.l3acm
  1136. Folder: C:\Windows\System32
  1137. File: C:\Windows\System32\l3codeca.acm
  1138. =================================================================================================
  1139.  
  1140.  
  1141. RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
  1142. Key: aux
  1143. Folder: None (PATH Injection)
  1144. File: wdmaud.drv
  1145. =================================================================================================
  1146.  
  1147.  
  1148. RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
  1149. Key: midi
  1150. Folder: None (PATH Injection)
  1151. File: wdmaud.drv
=================================================================================================


RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: midimapper
Folder: None (PATH Injection)
File: midimap.dll
=================================================================================================


RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: mixer
Folder: None (PATH Injection)
File: wdmaud.drv
=================================================================================================


RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: msacm.imaadpcm
Folder: None (PATH Injection)
File: imaadp32.acm
=================================================================================================


RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: msacm.msadpcm
Folder: None (PATH Injection)
File: msadp32.acm
=================================================================================================


RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: msacm.msg711
Folder: None (PATH Injection)
File: msg711.acm
=================================================================================================


RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: msacm.msgsm610
Folder: None (PATH Injection)
File: msgsm32.acm
=================================================================================================


RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.cvid
Folder: None (PATH Injection)
File: iccvid.dll
=================================================================================================


RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.i420
Folder: None (PATH Injection)
File: iyuv_32.dll
=================================================================================================


RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.iyuv
Folder: None (PATH Injection)
File: iyuv_32.dll
=================================================================================================


RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.mrle
Folder: None (PATH Injection)
File: msrle32.dll
=================================================================================================


RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.msvc
Folder: None (PATH Injection)
File: msvidc32.dll
=================================================================================================


RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.uyvy
Folder: None (PATH Injection)
File: msyuv.dll
=================================================================================================


RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.yuy2
Folder: None (PATH Injection)
File: msyuv.dll
=================================================================================================


RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.yvu9
Folder: None (PATH Injection)
File: tsbyuv.dll
=================================================================================================


RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.yvyu
Folder: None (PATH Injection)
File: msyuv.dll
=================================================================================================


RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: wave
Folder: None (PATH Injection)
File: wdmaud.drv
=================================================================================================


RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: wavemapper
Folder: None (PATH Injection)
File: msacm32.drv
=================================================================================================


RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: msacm.l3acm
Folder: C:\Windows\SysWOW64
File: C:\Windows\SysWOW64\l3codeca.acm
=================================================================================================


RegPath: HKLM\Software\Classes\htmlfile\shell\open\command
Folder: C:\Program Files\Internet Explorer
File: C:\Program Files\Internet Explorer\IEXPLORE.EXE %1 (Unquoted and Space detected)
=================================================================================================


RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: _wowarmhw
Folder: None (PATH Injection)
File: wowarmhw.dll
=================================================================================================


RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: _xtajit
Folder: None (PATH Injection)
File: xtajit.dll
=================================================================================================


RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: advapi32
Folder: None (PATH Injection)
File: advapi32.dll
=================================================================================================


RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: clbcatq
Folder: None (PATH Injection)
File: clbcatq.dll
=================================================================================================


RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: combase
Folder: None (PATH Injection)
File: combase.dll
=================================================================================================


RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: COMDLG32
Folder: None (PATH Injection)
File: COMDLG32.dll
=================================================================================================


RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: coml2
Folder: None (PATH Injection)
File: coml2.dll
=================================================================================================


RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: DifxApi
Folder: None (PATH Injection)
File: difxapi.dll
=================================================================================================


RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: gdi32
Folder: None (PATH Injection)
File: gdi32.dll
=================================================================================================


RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: gdiplus
Folder: None (PATH Injection)
File: gdiplus.dll
=================================================================================================


RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: IMAGEHLP
Folder: None (PATH Injection)
File: IMAGEHLP.dll
=================================================================================================


RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: IMM32
Folder: None (PATH Injection)
File: IMM32.dll
=================================================================================================


RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: kernel32
Folder: None (PATH Injection)
File: kernel32.dll
=================================================================================================


RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: MSCTF
Folder: None (PATH Injection)
File: MSCTF.dll
=================================================================================================


RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: MSVCRT
Folder: None (PATH Injection)
File: MSVCRT.dll
=================================================================================================


RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: NORMALIZ
Folder: None (PATH Injection)
File: NORMALIZ.dll
=================================================================================================


RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: NSI
Folder: None (PATH Injection)
File: NSI.dll
=================================================================================================


RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: ole32
Folder: None (PATH Injection)
File: ole32.dll
=================================================================================================


RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: OLEAUT32
Folder: None (PATH Injection)
File: OLEAUT32.dll
=================================================================================================


RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: PSAPI
Folder: None (PATH Injection)
File: PSAPI.DLL
=================================================================================================


RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: rpcrt4
Folder: None (PATH Injection)
File: rpcrt4.dll
=================================================================================================


RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: sechost
Folder: None (PATH Injection)
File: sechost.dll
=================================================================================================


RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: Setupapi
Folder: None (PATH Injection)
File: Setupapi.dll
=================================================================================================


RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: SHCORE
Folder: None (PATH Injection)
File: SHCORE.dll
=================================================================================================


RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: SHELL32
Folder: None (PATH Injection)
File: SHELL32.dll
=================================================================================================


RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: SHLWAPI
Folder: None (PATH Injection)
File: SHLWAPI.dll
=================================================================================================


RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: user32
Folder: None (PATH Injection)
File: user32.dll
=================================================================================================


RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: WLDAP32
Folder: None (PATH Injection)
File: WLDAP32.dll
=================================================================================================


RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: wow64
Folder: None (PATH Injection)
File: wow64.dll
=================================================================================================


RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: wow64win
Folder: None (PATH Injection)
File: wow64win.dll
=================================================================================================


RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: WS2_32
Folder: None (PATH Injection)
File: WS2_32.dll
=================================================================================================


RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: _Wow64
Folder: None (PATH Injection)
File: Wow64.dll
=================================================================================================


RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: _Wow64cpu
Folder: None (PATH Injection)
File: Wow64cpu.dll
=================================================================================================


RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: _Wow64win
Folder: None (PATH Injection)
File: Wow64win.dll
=================================================================================================


RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: LPK
Folder: None (PATH Injection)
File: LPK.dll
=================================================================================================


RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
Key: StubPath
Folder: \
FolderPerms: Authenticated Users [AppendData/CreateDirectories]
File: /UserInstall
=================================================================================================


RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}
Key: StubPath
Folder: C:\WINDOWS\system32
File: C:\WINDOWS\system32\unregmp2.exe /FirstLogon
=================================================================================================


RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}
Key: StubPath
Folder: None (PATH Injection)
File: U
=================================================================================================


RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}
Key: StubPath
Folder: C:\Windows\System32
File: C:\Windows\System32\ie4uinit.exe -UserConfig
=================================================================================================


RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}
Key: StubPath
Folder: C:\Windows\System32
File: C:\Windows\System32\Rundll32.exe C:\Windows\System32\mscories.dll,Install
=================================================================================================


RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}
Key: StubPath
Folder: C:\Program Files (x86)\Microsoft\Edge\Application\89.0.774.75\Installer
File: C:\Program Files (x86)\Microsoft\Edge\Application\89.0.774.75\Installer\setup.exe --configure-user-settings --verbose-logging --system-level --msedge (Unquoted and Space detected)
=================================================================================================


RegPath: HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}
Key: StubPath
Folder: C:\WINDOWS\system32
File: C:\WINDOWS\system32\unregmp2.exe /FirstLogon
=================================================================================================


RegPath: HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}
Key: StubPath
Folder: C:\Windows\SysWOW64
File: C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\mscories.dll,Install
=================================================================================================


RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}
Folder: C:\Program Files (x86)\Microsoft\Edge\Application\89.0.774.75\BHO
File: C:\Program Files (x86)\Microsoft\Edge\Application\89.0.774.75\BHO\ie_to_edge_bho_64.dll (Unquoted and Space detected)
=================================================================================================


RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}
Folder: C:\Program Files (x86)\Microsoft\Edge\Application\89.0.774.75\BHO
File: C:\Program Files (x86)\Microsoft\Edge\Application\89.0.774.75\BHO\ie_to_edge_bho_64.dll (Unquoted and Space detected)
=================================================================================================


Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (Unquoted and Space detected)
=================================================================================================


Folder: C:\Users\jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
FolderPerms: jason [AllAccess]
File: C:\Users\jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (Unquoted and Space detected)
FilePerms: jason [AllAccess]
=================================================================================================


Folder: C:\windows\tasks
FolderPerms: Authenticated Users [WriteData/CreateFiles]
=================================================================================================


Folder: C:\windows\system32\tasks
FolderPerms: Authenticated Users [WriteData/CreateFiles]
=================================================================================================


Folder: C:\windows
File: C:\windows\system.ini
=================================================================================================


Folder: C:\windows
File: C:\windows\win.ini
=================================================================================================


Key: From WMIC
Folder: C:\WINDOWS\system32
File: C:\WINDOWS\system32\SecurityHealthSystray.exe
=================================================================================================


Key: From WMIC
Folder: C:\Program Files\Windows Defender
File: C:\Program Files\Windows Defender\MSASCuiL.exe
=================================================================================================


Key: From WMIC
Folder: C:\WINDOWS\system32
File: C:\WINDOWS\system32\vm3dservice.exe -u
=================================================================================================


Key: From WMIC
Folder: C:\Program Files\VMware\VMware Tools
File: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe -n vmusr
=================================================================================================


[+] Scheduled Applications --Non Microsoft--
[?] Check if you can modify other users scheduled binaries https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries
(ATOM\Administrator) SoftwareUpdates: C:\Users\jason\appdata\roaming\cache\run.bat
Permissions file: jason [WriteData/CreateFiles AllAccess]
Permissions folder(DLL Hijacking): jason [WriteData/CreateFiles AllAccess]
Trigger: At log on of ATOM\jason

=================================================================================================

(ATOM\Administrator) UpdateServer: C:\Users\jason\appdata\roaming\cache\http-server.bat
Permissions file: jason [WriteData/CreateFiles AllAccess]
Permissions folder(DLL Hijacking): jason [WriteData/CreateFiles AllAccess]
Trigger: At log on of ATOM\jason

=================================================================================================


[+] Device Drivers --Non Microsoft--
[?] Check 3rd party drivers for known vulnerabilities/rootkits. https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#vulnerable-drivers
QLogic 10 GigE - 7.13.65.105 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\evbda.sys
QLogic Gigabit Ethernet - 7.12.31.105 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bxvbda.sys
VMware vSockets Service - 9.8.16.0 build-14168184 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vsock.sys
NVIDIA nForce(TM) RAID Driver - 10.6.0.23 [NVIDIA Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\nvraid.sys
VMware PCI VMCI Bus Device - 9.8.16.0 build-14168184 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vmci.sys
Intel Matrix Storage Manager driver - 8.6.2.1019 [Intel Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\iaStorV.sys
VIA RAID driver - 7.0.9600,6352 [VIA Technologies Inc.,Ltd]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vsmraid.sys
LSI 3ware RAID Controller - WindowsBlue [LSI]: \\.\GLOBALROOT\SystemRoot\System32\drivers\3ware.sys
AHCI 1.3 Device Driver - 1.1.3.277 [Advanced Micro Devices]: \\.\GLOBALROOT\SystemRoot\System32\drivers\amdsata.sys
Storage Filter Driver - 1.1.3.277 [Advanced Micro Devices]: \\.\GLOBALROOT\SystemRoot\System32\drivers\amdxata.sys
AMD Technology AHCI Compatible Controller - 3.7.1540.43 [AMD Technologies Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\amdsbs.sys
Adaptec RAID Controller - 7.5.0.32048 [PMC-Sierra, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\arcsas.sys
Windows (R) Win 7 DDK driver - 10.0.10011.16384 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\ItSas35i.sys
LSI Fusion-MPT SAS Driver (StorPort) - 1.34.03.83 [LSI Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sas.sys
Windows (R) Win 7 DDK driver - 10.0.10011.16384 [LSI Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sas2i.sys
Windows (R) Win 7 DDK driver - 10.0.10011.16384 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sas3i.sys
LSI SSS PCIe/Flash Driver (StorPort) - 2.10.61.81 [LSI Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sss.sys
MEGASAS RAID Controller Driver for Windows - 6.706.06.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\megasas.sys
MEGASAS RAID Controller Driver for Windows - 6.714.20.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\MegaSas2i.sys
MEGASAS RAID Controller Driver for Windows - 7.710.10.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\megasas35i.sys
MegaRAID Software RAID - 15.02.2013.0129 [LSI Corporation, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\megasr.sys
Marvell Flash Controller - 1.0.5.1016 [Marvell Semiconductor, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\mvumis.sys
NVIDIA nForce(TM) SATA Driver - 10.6.0.23 [NVIDIA Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\nvstor.sys
MEGASAS RAID Controller Driver for Windows - 6.805.03.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\percsas2i.sys
MEGASAS RAID Controller Driver for Windows - 6.604.06.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\percsas3i.sys
Microsoftr Windowsr Operating System - 2.60.01 [Silicon Integrated Systems Corp.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\SiSRaid2.sys
Microsoftr Windowsr Operating System - 6.1.6918.0 [Silicon Integrated Systems]: \\.\GLOBALROOT\SystemRoot\System32\drivers\sisraid4.sys
VIA StorX RAID Controller Driver - 8.0.9200.8110 [VIA Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vstxraid.sys
Promiser SuperTrak EX Series - 5.1.0000.10 [Promise Technology, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\stexstor.sys
Chelsio Communications iSCSI Controller - 10.0.10011.16384 [Chelsio Communications]: \\.\GLOBALROOT\SystemRoot\System32\drivers\cht4sx64.sys
Intel(R) Rapid Storage Technology driver (inbox) - 15.44.0.1015 [Intel Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\iaStorAVC.sys
PMC-Sierra HBA Controller - 1.3.0.10769 [PMC-Sierra]: \\.\GLOBALROOT\SystemRoot\System32\drivers\ADP80XX.SYS
Smart Array SAS/SATA Controller Media Driver - 8.0.4.0 Build 1 Media Driver (x86-64) [Hewlett-Packard Company]: \\.\GLOBALROOT\SystemRoot\System32\drivers\HpSAMD.sys
SmartRAID, SmartHBA PQI Storport Driver - 1.50.1.0 [Microsemi Corportation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\SmartSAMD.sys
VMware Pointing USB Device Driver - 12.5.10.0 build-14169150 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vmusbmouse.sys
VMware Pointing PS/2 Device Driver - 12.5.10.0 build-14169150 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vmmouse.sys
VMware SVGA 3D - 8.16.07.0008 - build-16233244 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vm3dmp_loader.sys
VMware SVGA 3D - 8.16.07.0008 - build-16233244 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vm3dmp.sys
VMware PCIe Ethernet Adapter NDIS 6.30 (64-bit) - 1.8.17.0 build-17274505 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vmxnet3.sys
VMware server memory controller - 7.5.5.0 build-14903665 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vmmemctl.sys


=========================================(Network Information)=========================================

[+] Network Shares
ADMIN$ (Path: C:\WINDOWS)
C$ (Path: C:\)
IPC$ (Path: )
Software_Updates (Path: C:\Software_Updates) -- Permissions: AllAccess

[+] Enumerate Network Mapped Drives (WMI)

[+] Host File

[+] Network Ifaces and known hosts
[?] The masks are only for the IPv4 addresses
Ethernet0[00:50:56:B9:57:45]: 10.10.10.237, fe80::d8d6:9e76:e070:89e3%6, dead:beef::25ba:42d2:1e11:4c29, dead:beef::d8d6:9e76:e070:89e3 / 255.255.255.0
Gateways: 10.10.10.2, fe80::250:56ff:feb9:188e%6
DNSs: 1.1.1.1
Known hosts:
10.10.10.2 00-50-56-B9-18-8E Dynamic
10.10.10.255 FF-FF-FF-FF-FF-FF Static
224.0.0.22 01-00-5E-00-00-16 Static
224.0.0.251 01-00-5E-00-00-FB Static
224.0.0.252 01-00-5E-00-00-FC Static
239.255.255.250 01-00-5E-7F-FF-FA Static

Loopback Pseudo-Interface 1[]: 127.0.0.1, ::1 / 255.0.0.0
DNSs: fec0:0:0:ffff::1%1, fec0:0:0:ffff::2%1, fec0:0:0:ffff::3%1
Known hosts:
224.0.0.22 00-00-00-00-00-00 Static
239.255.255.250 00-00-00-00-00-00 Static


[+] Current TCP Listening Ports
[?] Check for services restricted from the outside
Enumerating IPv4 connections

Protocol Local Address Local Port Remote Address Remote Port State Process ID Process Name

TCP 0.0.0.0 80 0.0.0.0 0 Listening 2668 httpd
TCP 0.0.0.0 135 0.0.0.0 0 Listening 916 svchost
TCP 0.0.0.0 443 0.0.0.0 0 Listening 2668 httpd
TCP 0.0.0.0 445 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 5040 0.0.0.0 0 Listening 5668 svchost
TCP 0.0.0.0 5985 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 6379 0.0.0.0 0 Listening 7792 redis-server
TCP 0.0.0.0 8081 0.0.0.0 0 Listening 2752 C:\Program Files\nodejs\node.exe
TCP 0.0.0.0 8082 0.0.0.0 0 Listening 2928 C:\Program Files\nodejs\node.exe
TCP 0.0.0.0 8083 0.0.0.0 0 Listening 2896 C:\Program Files\nodejs\node.exe
TCP 0.0.0.0 47001 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 49664 0.0.0.0 0 Listening 688 lsass
TCP 0.0.0.0 49665 0.0.0.0 0 Listening 532 wininit
TCP 0.0.0.0 49666 0.0.0.0 0 Listening 1100 svchost
TCP 0.0.0.0 49667 0.0.0.0 0 Listening 1500 svchost
TCP 0.0.0.0 49668 0.0.0.0 0 Listening 2216 spoolsv
TCP 0.0.0.0 49669 0.0.0.0 0 Listening 672 services
TCP 10.10.10.237 139 0.0.0.0 0 Listening 4 System
TCP 10.10.10.237 445 10.10.16.210 57882 Established 4 System
TCP 10.10.10.237 63651 10.10.16.210 1234 Established 6672 C:\Users\jason\AppData\Roaming\heedv1\__update__\v'ulnerable-app-setup-1.2.3.exe
TCP 127.0.0.1 8081 127.0.0.1 53213 FIN Wait 2 2752 C:\Program Files\nodejs\node.exe
TCP 127.0.0.1 8082 127.0.0.1 53211 FIN Wait 2 2928 C:\Program Files\nodejs\node.exe
TCP 127.0.0.1 8083 127.0.0.1 53212 FIN Wait 2 2896 C:\Program Files\nodejs\node.exe
TCP 127.0.0.1 53211 127.0.0.1 8082 Close Wait 7284 C:\Users\jason\appdata\Local\programs\heedv2\heedv2.exe
TCP 127.0.0.1 53212 127.0.0.1 8083 Close Wait 7400 C:\Users\jason\appdata\Local\programs\heedv3\heedv3.exe
TCP 127.0.0.1 53213 127.0.0.1 8081 Close Wait 7428 C:\Users\jason\appdata\Local\programs\heedv1\heedv1.exe

Enumerating IPv6 connections

Protocol Local Address Local Port Remote Address Remote Port State Process ID Process Name

TCP [::] 80 [::] 0 Listening 2668 httpd
TCP [::] 135 [::] 0 Listening 916 svchost
TCP [::] 443 [::] 0 Listening 2668 httpd
TCP [::] 445 [::] 0 Listening 4 System
TCP [::] 5985 [::] 0 Listening 4 System
TCP [::] 6379 [::] 0 Listening 7792 redis-server
TCP [::] 47001 [::] 0 Listening 4 System
TCP [::] 49664 [::] 0 Listening 688 lsass
TCP [::] 49665 [::] 0 Listening 532 wininit
TCP [::] 49666 [::] 0 Listening 1100 svchost
TCP [::] 49667 [::] 0 Listening 1500 svchost
TCP [::] 49668 [::] 0 Listening 2216 spoolsv
TCP [::] 49669 [::] 0 Listening 672 services

[+] Current UDP Listening Ports
[?] Check for services restricted from the outside
Enumerating IPv4 connections

Protocol Local Address Local Port Remote Address:Remote Port Process ID Process Name

UDP 0.0.0.0 5050 *:* 5668 svchost
UDP 0.0.0.0 5353 *:* 1076 svchost
UDP 0.0.0.0 5355 *:* 1076 svchost
UDP 10.10.10.237 137 *:* 4 System
UDP 10.10.10.237 138 *:* 4 System
UDP 10.10.10.237 1900 *:* 6072 svchost
UDP 10.10.10.237 62079 *:* 6072 svchost
UDP 127.0.0.1 1900 *:* 6072 svchost
UDP 127.0.0.1 62080 *:* 6072 svchost
UDP 127.0.0.1 64928 *:* 2920 svchost

Enumerating IPv6 connections

Protocol Local Address Local Port Remote Address:Remote Port Process ID Process Name

UDP [::] 5353 *:* 1076 svchost
UDP [::] 5355 *:* 1076 svchost
UDP [::1] 1900 *:* 6072 svchost
UDP [::1] 62078 *:* 6072 svchost
UDP [fe80::d8d6:9e76:e070:89e3%6] 1900 *:* 6072 svchost
UDP [fe80::d8d6:9e76:e070:89e3%6] 62077 *:* 6072 svchost

[+] Firewall Rules
[?] Showing only DENY rules (too many ALLOW rules always)
Current Profiles: PUBLIC
FirewallEnabled (Domain): True
FirewallEnabled (Private): True
FirewallEnabled (Public): True
DENY rules:
(4)Node.js: Server-side JavaScript[C:\program files\nodejs\node.exe]: DENY UDP IN from *:* --> *:*
Node.js: Server-side JavaScript
(4)Node.js: Server-side JavaScript[C:\program files\nodejs\node.exe]: DENY TCP IN from *:* --> *:*
Node.js: Server-side JavaScript
(2)redis-server[C:\redis\redis-server.exe]: DENY UDP IN from *:* --> *:*
redis-server
(2)redis-server[C:\redis\redis-server.exe]: DENY TCP IN from *:* --> *:*
redis-server
(2)Node.js: Server-side JavaScript[C:\program files\nodejs\node.exe]: DENY TCP IN from *:* --> *:*
Node.js: Server-side JavaScript
(2)Node.js: Server-side JavaScript[C:\program files\nodejs\node.exe]: DENY UDP IN from *:* --> *:*
Node.js: Server-side JavaScript

[+] DNS cached --limit 70--
Entry Name Data

[+] Enumerating Internet settings, zone and proxy configuration
  1843. redis-server
  1844. (2)Node.js: Server-side JavaScript[C:\program files\nodejs\node.exe]: DENY TCP IN from *:* --> *:*
  1845. Node.js: Server-side JavaScript
  1846. (2)Node.js: Server-side JavaScript[C:\program files\nodejs\node.exe]: DENY UDP IN from *:* --> *:*
  1847. Node.js: Server-side JavaScript
  1848.  
  1849. [+] DNS cached --limit 70--
  1850. Entry Name Data
  1851.  
  1852. [+] Enumerating Internet settings, zone and proxy configuration
  1853. General Settings
  1854. Hive Key Value
  1855. HKCU CertificateRevocation 1
  1856. HKCU DisableCachingOfSSLPages 0
  1857. HKCU IE5_UA_Backup_Flag 5.0
  1858. HKCU PrivacyAdvanced 1
  1859. HKCU SecureProtocols 2688
  1860. HKCU User Agent Mozilla/4.0 (compatible; MSIE 8.0; Win32)
  1861. HKCU ZonesSecurityUpgrade System.Byte[]
  1862. HKCU WarnonZoneCrossing 0
  1863. HKCU EnableNegotiate 1
  1864. HKCU MigrateProxy 1
  1865. HKCU ProxyEnable 0
  1866. HKLM ActiveXCache C:\Windows\Downloaded Program Files
  1867. HKLM CodeBaseSearchPath CODEBASE
  1868. HKLM EnablePunycode 1
  1869. HKLM MinorVersion 0
  1870. HKLM WarnOnIntranet 1
  1871.  
  1872. Zone Maps
  1873. No URLs configured
  1874.  
  1875. Zone Auth Settings
  1876. No Zone Auth Settings
  1877.  
  1878.  
  1879. =========================================(Windows Credentials)=========================================
  1880.  
  1881. [+] Checking Windows Vault
  1882. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-manager-windows-vault
  1883. Not Found
  1884.  
  1885. [+] Checking Credential manager
  1886. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-manager-windows-vault
  1887. [!] Warning: if password contains non-printable characters, it will be printed as unicode base64 encoded string
  1888.  
  1889.  
  1890. Username: ATOM\jason
  1891. Password: kidvscat_electron_@123
  1892. Target: ATOM\jason
  1893. PersistenceType: Enterprise
  1894. LastWriteTime: 3/31/2021 2:53:49 AM
  1895.  
  1896. =================================================================================================
  1897.  
  1898.  
  1899. [+] Saved RDP connections
  1900. Not Found
  1901.  
  1902. [+] Remote Desktop Server/Client Settings
  1903. RDP Server Settings
  1904. Network Level Authentication :
  1905. Block Clipboard Redirection :
  1906. Block COM Port Redirection :
  1907. Block Drive Redirection :
  1908. Block LPT Port Redirection :
  1909. Block PnP Device Redirection :
  1910. Block Printer Redirection :
  1911. Allow Smart Card Redirection :
  1912.  
  1913. RDP Client Settings
  1914. Disable Password Saving : True
  1915. Restricted Remote Administration : False
  1916.  
  1917. [+] Recently run commands
  1918. a: cmd\1
  1919. MRUList: acdb
  1920. b: compmgmt.msc\1
  1921. c: appwiz.cpl\1
  1922. d: control panel\1
  1923.  
  1924. [+] Checking for DPAPI Master Keys
  1925. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi
  1926. MasterKey: C:\Users\jason\AppData\Roaming\Microsoft\Protect\S-1-5-21-1199094703-3580107816-3092147818-1002\a96996a9-5aec-4f82-a145-68ee2de5ea3f
  1927. Accessed: 5/29/2021 8:40:50 AM
  1928. Modified: 3/30/2021 1:17:16 PM
  1929. =================================================================================================
  1930.  
  1931.  
  1932. [+] Checking for DPAPI Credential Files
  1933. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi
  1934. CredFile: C:\Users\jason\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D
  1935. Description: Local Credential Data
  1936.  
  1937. MasterKey: a96996a9-5aec-4f82-a145-68ee2de5ea3f
  1938. Accessed: 5/29/2021 11:00:35 AM
  1939. Modified: 4/6/2021 7:25:24 PM
  1940. Size: 11184
  1941. =================================================================================================
  1942.  
  1943. CredFile: C:\Users\jason\AppData\Roaming\Microsoft\Credentials\9F6E8E76E5D3AE66EB8D50DDC3B0A7EC
  1944. Description: Enterprise Credential Data
  1945.  
  1946. MasterKey: a96996a9-5aec-4f82-a145-68ee2de5ea3f
  1947. Accessed: 5/29/2021 11:00:35 AM
  1948. Modified: 3/31/2021 2:53:49 AM
  1949. Size: 490
  1950. =================================================================================================
  1951.  
  1952. [i] Follow the provided link for further instructions in how to decrypt the creds file
  1953.  
  1954. [+] Checking for RDCMan Settings Files
  1955. [?] Dump credentials from Remote Desktop Connection Manager https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#remote-desktop-credential-manager
  1956. Not Found
  1957.  
  1958. [+] Looking for Kerberos tickets
  1959. [?] https://book.hacktricks.xyz/pentesting/pentesting-kerberos-88
  1960. Not Found
  1961.  
  1962. [+] Looking for saved Wifi credentials
  1963. [X] Exception: The service has not been started
  1964.  
  1965. [+] Looking AppCmd.exe
  1966. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#appcmd-exe
  1967. Not Found
  1968. You must be an administrator to run this check
  1969.  
  1970. [+] Looking SSClient.exe
  1971. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#scclient-sccm
  1972. Not Found
  1973.  
  1974. [+] Enumerating SSCM - System Center Configuration Manager settings
  1975.  
  1976. [+] Enumerating Security Packages Credentials
  1977. Version: NetNTLMv2
  1978. Hash: jason::ATOM:1122334455667788:a4855cc92d76c6dcaff4bd6554268141:01010000000000001e4fb40fb854d701001901727b5b4d4c00000000080030003000000000000000000000000020000015718f51208716144f38c738968a3b193a582aba1e9cd3687494144057e021bc0a00100000000000000000000000000000000000090000000000000000000000
  1979.  
  1980. =================================================================================================
  1981.  
  1982.  
  1983.  
  1984. ========================================(Browsers Information)========================================
  1985.  
  1986. [+] Showing saved credentials for Firefox
  1987. Info: if no credentials were listed, you might need to close the browser and try again.
  1988.  
  1989. [+] Looking for Firefox DBs
  1990. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history
  1991. Not Found
  1992.  
  1993. [+] Looking for GET credentials in Firefox history
  1994. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history
  1995. Not Found
  1996.  
  1997. [+] Showing saved credentials for Chrome
  1998. Info: if no credentials were listed, you might need to close the browser and try again.
  1999.  
  2000. [+] Looking for Chrome DBs
  2001. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history
  2002. Not Found
  2003.  
  2004. [+] Looking for GET credentials in Chrome history
  2005. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history
  2006. Not Found
  2007.  
  2008. [+] Chrome bookmarks
  2009. Not Found
  2010.  
  2011. [+] Showing saved credentials for Opera
  2012. Info: if no credentials were listed, you might need to close the browser and try again.
  2013.  
  2014. [+] Showing saved credentials for Brave Browser
  2015. Info: if no credentials were listed, you might need to close the browser and try again.
  2016.  
  2017. [+] Showing saved credentials for Internet Explorer (unsupported)
  2018. Info: if no credentials were listed, you might need to close the browser and try again.
  2019.  
  2020. [+] Current IE tabs
  2021. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history
  2022. Not Found
  2023.  
  2024. [+] Looking for GET credentials in IE history
  2025. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history
  2026.  
  2027. [+] IE favorites
  2028. http://go.microsoft.com/fwlink/p/?LinkId=255142
  2029.  
  2030.  
  2031. ==============================(Interesting files and registry)==============================
  2032.  
  2033. [+] Putty Sessions
  2034. Not Found
  2035.  
  2036. [+] Putty SSH Host keys
  2037. Not Found
  2038.  
  2039. [+] SSH keys in registry
  2040. [?] If you find anything here, follow the link to learn how to decrypt the SSH keys https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#ssh-keys-in-registry
  2041. Not Found
  2042.  
  2043. [+] SuperPutty configuration files
  2044.  
  2045. [+] Enumerating Office 365 endpoints synced by OneDrive.
  2046.  
  2047. SID: S-1-5-19
  2048. =================================================================================================
  2049.  
  2050. SID: S-1-5-20
  2051. =================================================================================================
  2052.  
  2053. SID: S-1-5-21-1199094703-3580107816-3092147818-1002
  2054. =================================================================================================
  2055.  
  2056. SID: S-1-5-21-1199094703-3580107816-3092147818-500
  2057. =================================================================================================
  2058.  
  2059. SID: S-1-5-18
  2060. =================================================================================================
  2061.  
  2062.  
  2063. [+] Cloud Credentials
  2064. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
  2065. Not Found
  2066.  
  2067. [+] Unattend Files
  2068.  
  2069. [+] Looking for common SAM & SYSTEM backups
  2070.  
  2071. [+] Looking for McAfee Sitelist.xml Files
  2072.  
  2073. [+] Cached GPP Passwords
  2074.  
  2075. [+] Looking for possible regs with creds
  2076. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#inside-the-registry
  2077. Not Found
  2078. Not Found
  2079. Not Found
  2080. Not Found
  2081.  
  2082. [+] Looking for possible password files in users homes
  2083. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
  2084. C:\Users\All Users\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml
  2085.  
  2086. [+] Searching for Oracle SQL Developer config files
  2087.  
  2088.  
  2089. [+] Slack files & directories
  2090. note: check manually if something is found
  2091.  
  2092. [+] Looking for LOL Binaries and Scripts (can be slow)
  2093. [?] https://lolbas-project.github.io/
  2094. [!] Check skipped, if you want to run it, please specify '-lolbas' argument
  2095.  
  2096. [+] Enumerating Outlook download files
  2097.  
  2098.  
  2099. [+] Enumerating machine and user certificate files
  2100.  
  2101.  
  2102. [+] Searching known files that can contain creds in home
  2103. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
  2104. C:\Users\jason\AppData\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\LocalState\dtlskey.der
  2105. C:\Users\jason\AppData\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\LocalState\dtlscert.der
  2106. C:\Users\jason\NTUSER.DAT
  2107.  
  2108. [+] Looking for documents --limit 100--
  2109. C:\Users\jason\Downloads\PortableKanban\User Guide.pdf
  2110. C:\Users\jason\Documents\UAT_Testing_Procedures.pdf
  2111.  
  2112. [+] Office Most Recent Files -- limit 50
  2113.  
  2114. Last Access Date User Application Document
  2115.  
  2116. [+] Recent files --limit 70--
  2117. Not Found
  2118.  
  2119. [+] Looking inside the Recycle Bin for creds files
  2120. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
  2121. Not Found
  2122.  
  2123. [+] Searching hidden files or folders in C:\Users home (can be slow)
  2124.  
  2125. C:\Users\All Users\ntuser.pol
  2126. C:\Users\jason\AppData\Local\Temp\BITE0BD.tmp
  2127. C:\Users\jason\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore\ActivationStore.dat.LOG2
  2128. C:\Users\jason\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore\ActivationStore.dat.LOG1
  2129. C:\Users\jason\AppData\Local\Packages\Windows.ContactSupport_cw5n1h2txyewy\Windows.ContactSupport_10.0.10240.16384_neutral_neutral_cw5n1h2txyewy\ActivationStore\ActivationStore.dat.LOG2
  2130. C:\Users\jason\AppData\Local\Packages\Windows.ContactSupport_cw5n1h2txyewy\Windows.ContactSupport_10.0.10240.16384_neutral_neutral_cw5n1h2txyewy\ActivationStore\ActivationStore.dat.LOG1
  2131.  
  2132. [+] Searching interesting files in other users home directories (can be slow)
  2133.  
  2134. Checking folder: c:\users\administrator
  2135.  
  2136. =================================================================================================
  2137.  
  2138.  
  2139. [+] Searching executable files in non-default folders with write (equivalent) permissions (can be slow)
  2140. File Permissions "C:\Software_Updates\winpeas.exe": jason [AllAccess],Everyone [AllAccess]
  2141. File Permissions "C:\Users\jason\Downloads\PortableKanban\PortableKanban.exe": jason [AllAccess]
  2142. File Permissions "C:\Users\jason\Downloads\node_modules\.bin\opener.ps1": jason [AllAccess]
  2143. File Permissions "C:\Users\jason\Downloads\node_modules\.bin\mkdirp.ps1": jason [AllAccess]
  2144. File Permissions "C:\Users\jason\Downloads\node_modules\.bin\mime.ps1": jason [AllAccess]
  2145. File Permissions "C:\Users\jason\Downloads\node_modules\.bin\http-server.ps1": jason [AllAccess]
  2146. File Permissions "C:\Users\jason\Downloads\node_modules\.bin\hs.ps1": jason [AllAccess]
  2147. File Permissions "C:\Users\jason\Downloads\node_modules\.bin\he.ps1": jason [AllAccess]
  2148. File Permissions "C:\Users\jason\Downloads\node_modules\.bin\ecstatic.ps1": jason [AllAccess]
  2149. File Permissions "C:\Users\jason\Desktop\windowstempwinPEAS.bat": jason [AllAccess]
  2150. File Permissions "C:\Users\jason\AppData\Roaming\heedv3\__installer.exe": jason [AllAccess]
  2151. File Permissions "C:\Users\jason\AppData\Roaming\heedv2\__installer.exe": jason [AllAccess]
  2152. File Permissions "C:\Users\jason\AppData\Roaming\heedv1\__installer.exe": jason [AllAccess]
  2153. File Permissions "C:\Users\jason\AppData\Roaming\cache\run.bat": jason [WriteData/CreateFiles AllAccess]
  2154. File Permissions "C:\Users\jason\AppData\Roaming\cache\http-server.bat": jason [WriteData/CreateFiles AllAccess]
  2155. File Permissions "C:\Users\jason\AppData\Roaming\cache\clean.bat": jason [WriteData/CreateFiles AllAccess]
  2156. File Permissions "C:\Users\jason\AppData\Local\Programs\heedv3\Uninstall heedv3.exe": jason [AllAccess]
  2157. File Permissions "C:\Users\jason\AppData\Local\Programs\heedv3\heedv3.exe": jason [AllAccess]
  2158. File Permissions "C:\Users\jason\AppData\Local\Programs\heedv3\resources\elevate.exe": jason [AllAccess]
  2159. File Permissions "C:\Users\jason\AppData\Local\Programs\heedv2\Uninstall heedv2.exe": jason [AllAccess]
  2160. File Permissions "C:\Users\jason\AppData\Local\Programs\heedv2\heedv2.exe": jason [AllAccess]
  2161. File Permissions "C:\Users\jason\AppData\Local\Programs\heedv2\resources\elevate.exe": jason [AllAccess]
  2162. File Permissions "C:\Users\jason\AppData\Local\Programs\heedv1\Uninstall heedv1.exe": jason [AllAccess]
  2163. File Permissions "C:\Users\jason\AppData\Local\Programs\heedv1\heedv1.exe": jason [AllAccess]
  2164. File Permissions "C:\Users\jason\AppData\Local\Programs\heedv1\resources\elevate.exe": jason [AllAccess]
  2165. File Permissions "C:\Users\jason\AppData\Local\Microsoft\WindowsApps\Skype.exe": jason [AllAccess]
  2166. File Permissions "C:\Users\jason\AppData\Local\Microsoft\WindowsApps\python3.exe": jason [AllAccess]
  2167. File Permissions "C:\Users\jason\AppData\Local\Microsoft\WindowsApps\python.exe": jason [AllAccess]
  2168. File Permissions "C:\Users\jason\AppData\Local\Microsoft\WindowsApps\MicrosoftEdge.exe": jason [AllAccess]
  2169. File Permissions "C:\Users\jason\AppData\Local\Microsoft\WindowsApps\GameBarElevatedFT_Alias.exe": jason [AllAccess]
  2170. File Permissions "C:\Users\jason\AppData\Local\Microsoft\WindowsApps\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\GameBarElevatedFT_Alias.exe": jason [AllAccess]
  2171. File Permissions "C:\Users\jason\AppData\Local\Microsoft\WindowsApps\Microsoft.SkypeApp_kzf8qxf38zg5c\Skype.exe": jason [AllAccess]
  2172. File Permissions "C:\Users\jason\AppData\Local\Microsoft\WindowsApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe": jason [AllAccess]
  2173. File Permissions "C:\Users\jason\AppData\Local\Microsoft\WindowsApps\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\python3.exe": jason [AllAccess]
  2174. File Permissions "C:\Users\jason\AppData\Local\Microsoft\WindowsApps\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\python.exe": jason [AllAccess]
  2175.  
  2176. [+] Looking for Linux shells/distributions - wsl.exe, bash.exe
  2177.  