Guest User

winpeasCodeby

a guest
May 29th, 2021
129
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. WinPEAS v2.0-beta by @carlospolopm, makikvues(makikvues2[at]gmail[dot]com)
  2.  
  3. /---------------------------------------------------------------------------\
  4. | Do you like PEASS? |
  5. |---------------------------------------------------------------------------|
  6. | Become a Patreon : https://www.patreon.com/peass |
  7. | Follow on Twitter : @carlospolopm |
  8. |---------------------------------------------------------------------------|
  9. | Thank you! |
  10. \---------------------------------------------------------------------------/
  11.  
  12. [+] Legend:
  13. Red Indicates a special privilege over an object or something is misconfigured
  14. Green Indicates that some protection is enabled or something is well configured
  15. Cyan Indicates active users
  16. Blue Indicates disabled users
  17. LightYellow Indicates links
  18.  
  19. [?] You can find a Windows local PE Checklist here: https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation
  20. Creating Dynamic lists, this could take a while, please wait...
  21. - Checking if domain...
  22. - Getting Win32_UserAccount info...
  23. - Creating current user groups list...
  24. - Creating active users list (local only)...
  25. - Creating disabled users list...
  26. - Admin users list...
  27. - Creating AppLocker bypass list...
  28. - Creating files/directories list for search...
  29.  
  30.  
  31. ==========================================(System Information)==========================================
  32.  
  33. [+] Basic System Information
  34. [?] Check if the Windows versions is vulnerable to some known exploit https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#kernel-exploits
  35. Hostname: ATOM
  36. ProductName: Windows 10 Pro
  37. EditionID: Professional
  38. ReleaseId: 2009
  39. BuildBranch: vb_release
  40. CurrentMajorVersionNumber: 10
  41. CurrentVersion: 6.3
  42. Architecture: AMD64
  43. ProcessorCount: 2
  44. SystemLang: en-US
  45. KeyboardLang: English (United States)
  46. TimeZone: (UTC-08:00) Pacific Time (US & Canada)
  47. IsVirtualMachine: True
  48. Current Time: 5/29/2021 11:25:50 AM
  49. HighIntegrity: False
  50. PartOfDomain: False
  51. Hotfixes: KB4601554, KB4562830, KB4570334, KB4577586, KB4580325, KB4586864, KB4589212, KB5000842, KB5000981,
  52.  
  53. [?] Windows vulns search powered by Watson(https://github.com/rasta-mouse/Watson)
  54. [*] OS Version: 20H2 (19042)
  55. [*] Enumerating installed KBs...
  56. [*] Finished. Found 0 vulnerabilities.
  57.  
  58.  
  59. [+] Showing All Microsoft Updates
  60. HotFix ID : KB4601554
  61. Installed At (UTC) : 4/5/2021 11:33:15 AM
  62. Title : 2021-02 Cumulative Update Preview for .NET Framework 3.5 and 4.8 for Windows 10, version 20H2 for x64 (KB4601554)
  63. Client Application ID : MoUpdateOrchestrator
  64. Description : Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.
  65.  
  66. =================================================================================================
  67.  
  68. HotFix ID : KB4589212
  69. Installed At (UTC) : 4/5/2021 11:31:44 AM
  70. Title : 2021-01 Update for Windows 10 Version 20H2 for x64-based Systems (KB4589212)
  71. Client Application ID : MoUpdateOrchestrator
  72. Description : Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.
  73.  
  74. =================================================================================================
  75.  
  76. HotFix ID : KB4577586
  77. Installed At (UTC) : 4/5/2021 11:31:35 AM
  78. Title : Update for Removal of Adobe Flash Player for Windows 10 Version 20H2 for x64-based systems (KB4577586)
  79. Client Application ID : MoUpdateOrchestrator
  80. Description : This update will remove Adobe Flash Player from your Windows machine. After you install this item, you may have to restart your computer.
  81.  
  82. =================================================================================================
  83.  
  84. HotFix ID : KB5000842
  85. Installed At (UTC) : 4/5/2021 10:52:37 AM
  86. Title : 2021-03 Cumulative Update Preview for Windows 10 Version 20H2 for x64-based Systems (KB5000842)
  87. Client Application ID : MoUpdateOrchestrator
  88. Description : Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.
  89.  
  90. =================================================================================================
  91.  
  92. HotFix ID : KB5000802
  93. Installed At (UTC) : 4/3/2021 9:52:24 AM
  94. Title : 2021-03 Cumulative Update for Windows 10 Version 20H2 for x64-based Systems (KB5000802)
  95. Client Application ID : MoUpdateOrchestrator
  96. Description : Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.
  97.  
  98. =================================================================================================
  99.  
  100. HotFix ID : KB4023057
  101. Installed At (UTC) : 4/3/2021 9:38:34 AM
  102. Title : 2021-01 Update for Windows 10 Version 20H2 for x64-based Systems (KB4023057)
  103. Client Application ID : MoUpdateOrchestrator
  104. Description : A security issue has been identified in a Microsoft software product that could affect your system. You can help protect your system by installing this update from Microsoft. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article. After you install this update, you may have to restart your system.
  105.  
  106. =================================================================================================
  107.  
  108. HotFix ID : KB4601050
  109. Installed At (UTC) : 4/3/2021 9:38:33 AM
  110. Title : 2021-02 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 10, version 20H2 for x64 (KB4601050)
  111. Client Application ID : MoUpdateOrchestrator
  112. Description : A security issue has been identified in a Microsoft software product that could affect your system. You can help protect your system by installing this update from Microsoft. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article. After you install this update, you may have to restart your system.
  113.  
  114. =================================================================================================
  115.  
  116. HotFix ID : KB2267602
  117. Installed At (UTC) : 4/1/2021 8:18:26 PM
  118. Title : Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.333.1767.0)
  119. Client Application ID : MoUpdateOrchestrator
  120. Description : Install this update to revise the files that are used to detect viruses, spyware, and other potentially unwanted software. Once you have installed this item, it cannot be removed.
  121.  
  122. =================================================================================================
  123.  
  124. HotFix ID : KB4052623
  125. Installed At (UTC) : 4/1/2021 8:17:33 PM
  126. Title : Update for Microsoft Defender Antivirus antimalware platform - KB4052623 (Version 4.18.2102.4)
  127. Client Application ID : MoUpdateOrchestrator
  128. Description : This package will update Microsoft Defender Antivirus antimalware platform's components on the user machine.
  129.  
  130. =================================================================================================
  131.  
  132. HotFix ID : KB2267602
  133. Installed At (UTC) : 4/1/2021 6:12:43 PM
  134. Title : Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.333.1761.0)
  135. Client Application ID : Microsoft Defender Antivirus (77BDAF73-B396-481F-9042-AD358843EC24)
  136. Description : Install this update to revise the files that are used to detect viruses, spyware, and other potentially unwanted software. Once you have installed this item, it cannot be removed.
  137.  
  138. =================================================================================================
  139.  
  140.  
  141. [+] System Last Shutdown Date/time (from Registry)
  142.  
  143. Last Shutdown Date/time : 4/14/2021 5:45:59 AM
  144.  
  145. [+] User Environment Variables
  146. [?] Check for some passwords or keys in the env variables
  147. COMPUTERNAME: ATOM
  148. USERPROFILE: C:\Users\jason
  149. HOMEPATH: \Users\jason
  150. LOCALAPPDATA: C:\Users\jason\AppData\Local
  151. PSModulePath: C:\Users\jason\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\
  152. PROCESSOR_ARCHITECTURE: AMD64
  153. Path: C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Program Files\nodejs\;C:\WINDOWS\System32\OpenSSH\;C:\Users\jason\AppData\Roaming\npm;%USERPROFILE%\AppData\Local\Microsoft\WindowsApps
  154. CommonProgramFiles(x86): C:\Program Files (x86)\Common Files
  155. ProgramFiles(x86): C:\Program Files (x86)
  156. PROCESSOR_LEVEL: 23
  157. LOGONSERVER: \\ATOM
  158. PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL
  159. HOMEDRIVE: C:
  160. SystemRoot: C:\WINDOWS
  161. ALLUSERSPROFILE: C:\ProgramData
  162. DriverData: C:\Windows\System32\Drivers\DriverData
  163. APPDATA: C:\Users\jason\AppData\Roaming
  164. PROCESSOR_REVISION: 0102
  165. USERNAME: jason
  166. CommonProgramW6432: C:\Program Files\Common Files
  167. OneDrive: C:\Users\jason\OneDrive
  168. CommonProgramFiles: C:\Program Files\Common Files
  169. OS: Windows_NT
  170. USERDOMAIN_ROAMINGPROFILE: ATOM
  171. PROCESSOR_IDENTIFIER: AMD64 Family 23 Model 1 Stepping 2, AuthenticAMD
  172. ComSpec: C:\WINDOWS\system32\cmd.exe
  173. PROMPT: $P$G
  174. SystemDrive: C:
  175. TEMP: C:\Users\jason\AppData\Local\Temp
  176. ProgramFiles: C:\Program Files
  177. NUMBER_OF_PROCESSORS: 2
  178. TMP: C:\Users\jason\AppData\Local\Temp
  179. ProgramData: C:\ProgramData
  180. ProgramW6432: C:\Program Files
  181. windir: C:\WINDOWS
  182. USERDOMAIN: ATOM
  183. PUBLIC: C:\Users\Public
  184.  
  185. [+] System Environment Variables
  186. [?] Check for some passwords or keys in the env variables
  187. ComSpec: C:\WINDOWS\system32\cmd.exe
  188. DriverData: C:\Windows\System32\Drivers\DriverData
  189. OS: Windows_NT
  190. PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
  191. PROCESSOR_ARCHITECTURE: AMD64
  192. TEMP: C:\WINDOWS\TEMP
  193. TMP: C:\WINDOWS\TEMP
  194. USERNAME: SYSTEM
  195. windir: C:\WINDOWS
  196. NUMBER_OF_PROCESSORS: 2
  197. PROCESSOR_LEVEL: 23
  198. PROCESSOR_IDENTIFIER: AMD64 Family 23 Model 1 Stepping 2, AuthenticAMD
  199. PROCESSOR_REVISION: 0102
  200. Path: C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Program Files\nodejs\;C:\WINDOWS\System32\OpenSSH\
  201. PSModulePath: C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\
  202.  
  203. [+] Audit Settings
  204. [?] Check what is being logged
  205. Not Found
  206.  
  207. [+] Audit Policy Settings - Classic & Advanced
  208.  
  209. [+] WEF Settings
  210. [?] Windows Event Forwarding, is interesting to know were are sent the logs
  211. Not Found
  212.  
  213. [+] LAPS Settings
  214. [?] If installed, local administrator password is changed frequently and is restricted by ACL
  215. LAPS Enabled: LAPS not installed
  216.  
  217. [+] Wdigest
  218. [?] If enabled, plain-text crds could be stored in LSASS https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#wdigest
  219. Wdigest is not enabled
  220.  
  221. [+] LSA Protection
  222. [?] If enabled, a driver is needed to read LSASS memory (If Secure Boot or UEFI, RunAsPPL cannot be disabled by deleting the registry key) https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#lsa-protection
  223. LSA Protection is not enabled
  224.  
  225. [+] Credentials Guard
  226. [?] If enabled, a driver is needed to read LSASS memory https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#credential-guard
  227. CredentialGuard is not enabled
  228. Virtualization Based Security Status: Not enabled
  229. Configured: False
  230. Running: False
  231.  
  232. [+] Cached Creds
  233. [?] If > 0, credentials will be cached in the registry and accessible by SYSTEM user https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#cached-credentials
  234. cachedlogonscount is 10
  235.  
  236. [+] AV Information
  237. Some AV was detected, search for bypasses
  238. Name: Windows Defender
  239. ProductEXE: windowsdefender://
  240. pathToSignedReportingExe: %ProgramFiles%\Windows Defender\MsMpeng.exe
  241.  
  242. [+] Windows Defender configuration
  243. Local Settings
  244. Group Policy Settings
  245.  
  246. [+] UAC Status
  247. [?] If you are in the Administrators group check how to bypass the UAC https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
  248. ConsentPromptBehaviorAdmin: 5 - PromptForNonWindowsBinaries
  249. EnableLUA: 1
  250. LocalAccountTokenFilterPolicy: 1
  251. FilterAdministratorToken: 1
  252. [*] LocalAccountTokenFilterPolicy set to 1.
  253. [+] Any local account can be used for lateral movement.
  254.  
  255. [+] PowerShell Settings
  256. PowerShell v2 Version: 2.0
  257. PowerShell v5 Version: 5.1.19041.1
  258. PowerShell Core Version:
  259. Transcription Settings:
  260. Module Logging Settings:
  261. Scriptblock Logging Settings:
  262. PS history file:
  263. PS history size:
  264.  
  265. [+] Enumerating PowerShell Session Settings using the registry
  266. You must be an administrator to run this check
  267.  
  268. [+] PS default transcripts history
  269. [i] Read the PS history inside these files (if any)
  270.  
  271. [+] HKCU Internet Settings
  272. CertificateRevocation: 1
  273. DisableCachingOfSSLPages: 0
  274. IE5_UA_Backup_Flag: 5.0
  275. PrivacyAdvanced: 1
  276. SecureProtocols: 2688
  277. User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
  278. ZonesSecurityUpgrade: System.Byte[]
  279. WarnonZoneCrossing: 0
  280. EnableNegotiate: 1
  281. MigrateProxy: 1
  282. ProxyEnable: 0
  283.  
  284. [+] HKLM Internet Settings
  285. ActiveXCache: C:\Windows\Downloaded Program Files
  286. CodeBaseSearchPath: CODEBASE
  287. EnablePunycode: 1
  288. MinorVersion: 0
  289. WarnOnIntranet: 1
  290.  
  291. [+] Drives Information
  292. [?] Remember that you should search more info inside the other drives
  293. C:\ (Type: Fixed)(Filesystem: NTFS)(Available space: 4 GB)(Permissions: Authenticated Users [AppendData/CreateDirectories])
  294.  
  295. [+] Checking WSUS
  296. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#wsus
  297. Not Found
  298.  
  299. [+] Checking AlwaysInstallElevated
  300. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated
  301. AlwaysInstallElevated isn't available
  302.  
  303. [+] Enumerate LSA settings - auth packages included
  304.  
  305. auditbasedirectories : 0
  306. auditbaseobjects : 0
  307. Bounds : 00-30-00-00-00-20-00-00
  308. crashonauditfail : 0
  309. LimitBlankPasswordUse : 1
  310. NoLmHash : 1
  311. Security Packages : ""
  312. Notification Packages : scecli
  313. Authentication Packages : msv1_0
  314. LsaCfgFlagsDefault : 0
  315. SecureBoot : 1
  316. disabledomaincreds : 0
  317. everyoneincludesanonymous : 0
  318. forceguest : 0
  319. restrictanonymous : 0
  320. restrictanonymoussam : 1
  321. fullprivilegeauditing : 80
  322. LsaCfgFlags : 0
  323. LsaPid : 688
  324. ProductType : 6
  325.  
  326. [+] Enumerating NTLM Settings
  327. LanmanCompatibilityLevel : (Send NTLMv2 response only - Win7+ default)
  328.  
  329.  
  330. NTLM Signing Settings
  331. ClientRequireSigning : False
  332. ClientNegotiateSigning : True
  333. ServerRequireSigning : False
  334. ServerNegotiateSigning : False
  335. LdapSigning : Negotiate signing (Negotiate signing)
  336.  
  337. Session Security
  338. NTLMMinClientSec : 536870912 (Require 128-bit encryption)
  339. NTLMMinServerSec : 536870912 (Require 128-bit encryption)
  340.  
  341.  
  342. NTLM Auditing and Restrictions
  343. InboundRestrictions : (Not defined)
  344. OutboundRestrictions : (Not defined)
  345. InboundAuditing : (Not defined)
  346. OutboundExceptions :
  347.  
  348. [+] Display Local Group Policy settings - local users/machine
  349. Type : user
  350. Display Name : Local Group Policy
  351. Name : Local Group Policy
  352. Extensions : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}]
  353. File Sys Path : C:\WINDOWS\System32\GroupPolicy\User
  354. Link : Local
  355. GPO Link : Local Machine
  356. Options : All Sections Enabled
  357.  
  358. =================================================================================================
  359.  
  360.  
  361. [+] Checking AppLocker effective policy
  362. AppLockerPolicy version: 1
  363. listing rules:
  364.  
  365.  
  366. [X] Exception: Object reference not set to an instance of an object.
  367.  
  368. [+] Enumerating Printers (WMI)
  369. Name: Microsoft XPS Document Writer
  370. Status: Unknown
  371. Sddl: O:SYD:(A;;SWRC;;;S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422)(A;OIIO;RPWPSDRCWDWO;;;S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422)(A;;LCSWSDRCWDWO;;;S-1-5-21-1199094703-3580107816-3092147818-1001)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-1199094703-3580107816-3092147818-1001)(A;OIIO;GA;;;CO)(A;OIIO;GA;;;AC)(A;;SWRC;;;WD)(A;CIIO;GX;;;WD)(A;;SWRC;;;AC)(A;CIIO;GX;;;AC)(A;;LCSWDTSDRCWDWO;;;BA)(A;OICIIO;GA;;;BA)
  372. Is default: False
  373. Is network printer: False
  374.  
  375. =================================================================================================
  376.  
  377. Name: Microsoft Print to PDF
  378. Status: Unknown
  379. Sddl: O:SYD:(A;;SWRC;;;S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422)(A;OIIO;RPWPSDRCWDWO;;;S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422)(A;;LCSWSDRCWDWO;;;S-1-5-21-1199094703-3580107816-3092147818-1001)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-1199094703-3580107816-3092147818-1001)(A;OIIO;GA;;;CO)(A;OIIO;GA;;;AC)(A;;SWRC;;;WD)(A;CIIO;GX;;;WD)(A;;SWRC;;;AC)(A;CIIO;GX;;;AC)(A;;LCSWDTSDRCWDWO;;;BA)(A;OICIIO;GA;;;BA)
  380. Is default: True
  381. Is network printer: False
  382.  
  383. =================================================================================================
  384.  
  385. Name: Fax
  386. Status: Unknown
  387. Sddl: O:SYD:(A;;SWRC;;;S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422)(A;OIIO;RPWPSDRCWDWO;;;S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422)(A;;LCSWSDRCWDWO;;;S-1-5-21-1199094703-3580107816-3092147818-1001)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-1199094703-3580107816-3092147818-1001)(A;OIIO;GA;;;CO)(A;OIIO;GA;;;AC)(A;;SWRC;;;WD)(A;CIIO;GX;;;WD)(A;;SWRC;;;AC)(A;CIIO;GX;;;AC)(A;;LCSWDTSDRCWDWO;;;BA)(A;OICIIO;GA;;;BA)
  388. Is default: False
  389. Is network printer: False
  390.  
  391. =================================================================================================
  392.  
  393.  
  394. [+] Enumerating Named Pipes
  395. Name Sddl
  396.  
  397. eventlog O:LSG:LSD:P(A;;0x12019b;;;WD)(A;;CC;;;OW)(A;;0x12008f;;;S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122)
  398.  
  399. ROUTER O:SYG:SYD:P(A;;0x12019b;;;WD)(A;;0x12019b;;;AN)(A;;FA;;;SY)
  400.  
  401. SearchTextHarvester O:SYG:SYD:P(D;;FA;;;NU)(D;;FA;;;BG)(A;;FR;;;IU)(A;;FA;;;SY)(A;;FA;;;BA)
  402.  
  403. vgauth-service O:BAG:SYD:P(A;;0x12019f;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)
  404.  
  405.  
  406. [+] Enumerating AMSI registered providers
  407. Provider: {2781761E-28E0-4109-99FE-B9D127C57AFE}
  408. Path: "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2102.4-0\MpOav.dll"
  409.  
  410. =================================================================================================
  411.  
  412.  
  413. [+] Enumerating Sysmon configuration
  414. You must be an administrator to run this check
  415.  
  416. [+] Enumerating Sysmon process creation logs (1)
  417. You must be an administrator to run this check
  418.  
  419. [+] Installed .NET versions
  420.  
  421. CLR Versions
  422. 4.0.30319
  423.  
  424. .NET Versions
  425. 4.8.04084
  426.  
  427. .NET & AMSI (Anti-Malware Scan Interface) support
  428. .NET version supports AMSI : True
  429. OS supports AMSI : True
  430. [!] The highest .NET version is enrolled in AMSI!
  431.  
  432.  
  433. ==============================(Interesting Events information)==============================
  434.  
  435. [+] Printing Explicit Credential Events (4648) for last 30 days - A process logged on using plaintext credentials
  436.  
  437. You must be an administrator to run this check
  438.  
  439. [+] Printing Account Logon Events (4624) for the last 10 days.
  440.  
  441. You must be an administrator to run this check
  442.  
  443. [+] Process creation events - searching logs (EID 4688) for sensitive data.
  444.  
  445. You must be an administrator to run this check
  446.  
  447. [+] PowerShell events - script block logs (EID 4104) - searching for sensitive data.
  448.  
  449.  
  450. [+] Displaying Power off/on events for last 5 days
  451.  
  452. 5/29/2021 8:39:28 AM : Startup
  453.  
  454.  
  455. ===========================================(Users Information)===========================================
  456.  
  457. [+] Users
  458. [?] Check if you have some admin equivalent privileges https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#users-and-groups
  459. Current user: jason
  460. Current groups: Domain Users, Everyone, Users, Interactive, Console Logon, Authenticated Users, This Organization, Local account, Local, NTLM Authentication
  461. =================================================================================================
  462.  
  463. ATOM\Administrator: Built-in account for administering the computer/domain
  464. |->Groups: Administrators
  465. |->Password: CanChange-NotExpi-Req
  466.  
  467. ATOM\DefaultAccount(Disabled): A user account managed by the system.
  468. |->Groups: System Managed Accounts Group
  469. |->Password: CanChange-NotExpi-NotReq
  470.  
  471. ATOM\Guest: Built-in account for guest access to the computer/domain
  472. |->Groups: Guests
  473. |->Password: NotChange-NotExpi-NotReq
  474.  
  475. ATOM\jason
  476. |->Groups: Users
  477. |->Password: CanChange-NotExpi-Req
  478.  
  479. ATOM\WDAGUtilityAccount(Disabled): A user account managed and used by the system for Windows Defender Application Guard scenarios.
  480. |->Password: CanChange-Expi-Req
  481.  
  482.  
  483. [+] Current User Idle Time
  484. Current User : ATOM\jason
  485. Idle Time : 02h:46m:08s:672ms
  486.  
  487. [+] Display Tenant information (DsRegCmd.exe /status)
  488. Tenant is NOT Azure AD Joined.
  489.  
  490. [+] Current Token privileges
  491. [?] Check if you can escalate privilege using some enabled token https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#token-manipulation
  492. SeShutdownPrivilege: DISABLED
  493. SeChangeNotifyPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
  494. SeUndockPrivilege: DISABLED
  495. SeIncreaseWorkingSetPrivilege: DISABLED
  496. SeTimeZonePrivilege: DISABLED
  497.  
  498. [+] Clipboard text
  499.  
  500. [+] Logged users
  501. ATOM\Administrator
  502. ATOM\jason
  503.  
  504. [+] Display information about local users
  505. Computer Name : ATOM
  506. User Name : Administrator
  507. User Id : 500
  508. Is Enabled : True
  509. User Type : Administrator
  510. Comment : Built-in account for administering the computer/domain
  511. Last Logon : 5/29/2021 8:40:45 AM
  512. Logons Count : 126
  513. Password Last Set : 3/31/2021 3:03:21 AM
  514.  
  515. =================================================================================================
  516.  
  517. Computer Name : ATOM
  518. User Name : DefaultAccount
  519. User Id : 503
  520. Is Enabled : False
  521. User Type : Guest
  522. Comment : A user account managed by the system.
  523. Last Logon : 1/1/1970 12:00:00 AM
  524. Logons Count : 0
  525. Password Last Set : 1/1/1970 12:00:00 AM
  526.  
  527. =================================================================================================
  528.  
  529. Computer Name : ATOM
  530. User Name : Guest
  531. User Id : 501
  532. Is Enabled : True
  533. User Type : Guest
  534. Comment : Built-in account for guest access to the computer/domain
  535. Last Logon : 5/29/2021 11:21:50 AM
  536. Logons Count : 0
  537. Password Last Set : 1/1/1970 12:00:00 AM
  538.  
  539. =================================================================================================
  540.  
  541. Computer Name : ATOM
  542. User Name : jason
  543. User Id : 1002
  544. Is Enabled : True
  545. User Type : User
  546. Comment :
  547. Last Logon : 5/29/2021 8:40:04 AM
  548. Logons Count : 65
  549. Password Last Set : 3/30/2021 1:14:57 PM
  550.  
  551. =================================================================================================
  552.  
  553. Computer Name : ATOM
  554. User Name : WDAGUtilityAccount
  555. User Id : 504
  556. Is Enabled : False
  557. User Type : Guest
  558. Comment : A user account managed and used by the system for Windows Defender Application Guard scenarios.
  559. Last Logon : 1/1/1970 12:00:00 AM
  560. Logons Count : 0
  561. Password Last Set : 4/1/2021 3:51:54 AM
  562.  
  563. =================================================================================================
  564.  
  565.  
  566. [+] RDP Sessions
  567. SessID pSessionName pUserName pDomainName State SourceIP
  568. 1 Console jason ATOM Active
  569.  
  570. [+] Ever logged users
  571. ATOM\Administrator
  572. ATOM\jason
  573.  
  574. [+] Home folders found
  575. C:\Users\Administrator
  576. C:\Users\All Users
  577. C:\Users\Default
  578. C:\Users\Default User
  579. C:\Users\jason : jason [AllAccess]
  580. C:\Users\Public : Interactive [WriteData/CreateFiles]
  581.  
  582. [+] Looking for AutoLogon credentials
  583. Some AutoLogon credentials were found
  584. DefaultDomainName : ATOM
  585. DefaultUserName : jason
  586.  
  587. [+] Password Policies
  588. [?] Check for a possible brute-force
  589. Domain: Builtin
  590. SID: S-1-5-32
  591. MaxPasswordAge: 42.22:47:31.7437440
  592. MinPasswordAge: 00:00:00
  593. MinPasswordLength: 0
  594. PasswordHistoryLength: 0
  595. PasswordProperties: 0
  596. =================================================================================================
  597.  
  598. Domain: ATOM
  599. SID: S-1-5-21-1199094703-3580107816-3092147818
  600. MaxPasswordAge: 42.00:00:00
  601. MinPasswordAge: 00:00:00
  602. MinPasswordLength: 0
  603. PasswordHistoryLength: 0
  604. PasswordProperties: 0
  605. =================================================================================================
  606.  
  607.  
  608. [+] Print Logon Sessions
  609. Method: WMI
  610. Logon Server:
  611. Logon Server Dns Domain:
  612. Logon Id: 327750
  613. Logon Time:
  614. Logon Type: Interactive
  615. Start Time: 5/29/2021 8:40:04 AM
  616. Domain: ATOM
  617. Authentication Package: NTLM
  618. Start Time: 5/29/2021 8:40:04 AM
  619. User Name: jason
  620. User Principal Name:
  621. User SID:
  622.  
  623. =================================================================================================
  624.  
  625.  
  626.  
  627. =======================================(Processes Information)=======================================
  628.  
  629. [+] Interesting Processes -non Microsoft-
  630. [?] Check if any interesting processes for memory dump or if you could overwrite some binary running https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#running-processes
  631. heedv2(4728)[C:\Users\jason\appdata\Local\programs\heedv2\heedv2.exe] -- POwn: jason
  632. Permissions: jason [AllAccess]
  633. Possible DLL Hijacking folder: C:\Users\jason\appdata\Local\programs\heedv2 (jason [AllAccess])
  634. Command Line: "C:\Users\jason\appdata\Local\programs\heedv2\heedv2.exe" --type=renderer --disable-features=SpareRendererForSitePerProcess --service-pipe-token=11115843981059573204 --lang=en-US --app-path="C:\Users\jason\appdata\Local\programs\heedv2\resources\app.asar" --node-integration --no-sandbox --no-zygote --background-color=#fff --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=11115843981059573204 --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2108 /prefetch:1
  635. =================================================================================================
  636.  
  637. svchost(416)[C:\WINDOWS\system32\svchost.exe] -- POwn: jason
  638. Command Line: C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  639. =================================================================================================
  640.  
  641. sihost(2564)[C:\WINDOWS\system32\sihost.exe] -- POwn: jason
  642. Command Line: sihost.exe
  643. =================================================================================================
  644.  
  645. heedv1(6868)[C:\Users\jason\appdata\Local\programs\heedv1\heedv1.exe] -- POwn: jason
  646. Permissions: jason [AllAccess]
  647. Possible DLL Hijacking folder: C:\Users\jason\appdata\Local\programs\heedv1 (jason [AllAccess])
  648. Command Line: "C:\Users\jason\appdata\Local\programs\heedv1\heedv1.exe" --type=renderer --disable-features=SpareRendererForSitePerProcess --service-pipe-token=1232073659841223713 --lang=en-US --app-path="C:\Users\jason\appdata\Local\programs\heedv1\resources\app.asar" --node-integration --no-sandbox --no-zygote --background-color=#fff --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=1232073659841223713 --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2124 /prefetch:1
  649. =================================================================================================
  650.  
  651. svchost(5140)[C:\WINDOWS\system32\svchost.exe] -- POwn: jason
  652. Command Line: C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup -s WpnUserService
  653. =================================================================================================
  654.  
  655. heedv3(3908)[C:\Users\jason\appdata\Local\programs\heedv3\heedv3.exe] -- POwn: jason
  656. Permissions: jason [AllAccess]
  657. Possible DLL Hijacking folder: C:\Users\jason\appdata\Local\programs\heedv3 (jason [AllAccess])
  658. Command Line: "C:\Users\jason\appdata\Local\programs\heedv3\heedv3.exe" --type=renderer --disable-features=SpareRendererForSitePerProcess --service-pipe-token=17375926803871715330 --lang=en-US --app-path="C:\Users\jason\appdata\Local\programs\heedv3\resources\app.asar" --node-integration --no-sandbox --no-zygote --background-color=#fff --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=17375926803871715330 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2152 /prefetch:1
  659. =================================================================================================
  660.  
  661. conhost(5996)[C:\WINDOWS\system32\conhost.exe] -- POwn: jason
  662. Command Line: \??\C:\WINDOWS\system32\conhost.exe 0x4
  663. =================================================================================================
  664.  
  665. heedv2(7284)[C:\Users\jason\appdata\Local\programs\heedv2\heedv2.exe] -- POwn: jason
  666. Permissions: jason [AllAccess]
  667. Possible DLL Hijacking folder: C:\Users\jason\appdata\Local\programs\heedv2 (jason [AllAccess])
  668. Command Line: C:\Users\jason\appdata\Local\programs\heedv2\heedv2.exe
  669. =================================================================================================
  670.  
  671. PING(6848)[C:\WINDOWS\system32\PING.EXE] -- POwn: jason
  672. Command Line: ping -n 30 127.0.0.1
  673. =================================================================================================
  674.  
  675. RuntimeBroker(6832)[C:\Windows\System32\RuntimeBroker.exe] -- POwn: jason
  676. Command Line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  677. =================================================================================================
  678.  
  679. vm3dservice(7908)[C:\Windows\System32\vm3dservice.exe] -- POwn: jason
  680. Command Line: "C:\Windows\System32\vm3dservice.exe" -u
  681. =================================================================================================
  682.  
  683. node(2928)[C:\Program Files\nodejs\node.exe] -- POwn: jason
  684. Command Line: "node" "c:\Users\jason\Downloads\node_modules\.bin\\..\http-server\bin\http-server" c:\software_updates\client2 -p 8082
  685. =================================================================================================
  686.  
  687. RuntimeBroker(2908)[C:\Windows\System32\RuntimeBroker.exe] -- POwn: jason
  688. Command Line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  689. =================================================================================================
  690.  
  691. powershell(3328)[C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe] -- POwn: jason
  692. Command Line: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe"
  693. =================================================================================================
  694.  
  695. node(2896)[C:\Program Files\nodejs\node.exe] -- POwn: jason
  696. Command Line: "node" "c:\Users\jason\Downloads\node_modules\.bin\\..\http-server\bin\http-server" c:\software_updates\client3 -p 8083
  697. =================================================================================================
  698.  
  699. heedv1(4848)[C:\Users\jason\appdata\Local\programs\heedv1\heedv1.exe] -- POwn: jason
  700. Permissions: jason [AllAccess]
  701. Possible DLL Hijacking folder: C:\Users\jason\appdata\Local\programs\heedv1 (jason [AllAccess])
  702. Command Line: "C:\Users\jason\appdata\Local\programs\heedv1\heedv1.exe" --type=gpu-process --disable-features=SpareRendererForSitePerProcess --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=14515363457901305326 --mojo-platform-channel-handle=1296 --ignored=" --type=renderer " /prefetch:2
  703. =================================================================================================
  704.  
  705. StartMenuExperienceHost(6756)[C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe] -- POwn: jason
  706. Command Line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  707. =================================================================================================
  708.  
  709. cmd(7604)[C:\WINDOWS\system32\cmd.exe] -- POwn: jason
  710. Command Line: C:\WINDOWS\system32\cmd.exe /K c:\users\jason\downloads\node_modules\.bin\http-server c:\software_updates\client3 -p 8083
  711. =================================================================================================
  712.  
  713. explorer(1048)[C:\WINDOWS\Explorer.EXE] -- POwn: jason
  714. Command Line: C:\WINDOWS\Explorer.EXE
  715. =================================================================================================
  716.  
  717. powershell(3692)[C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe] -- POwn: jason
  718. Command Line: powershell
  719. =================================================================================================
  720.  
  721. ShellExperienceHost(8000)[C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe] -- POwn: jason
  722. Command Line: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
  723. =================================================================================================
  724.  
  725. heedv3(7988)[C:\Users\jason\appdata\Local\programs\heedv3\heedv3.exe] -- POwn: jason
  726. Permissions: jason [AllAccess]
  727. Possible DLL Hijacking folder: C:\Users\jason\appdata\Local\programs\heedv3 (jason [AllAccess])
  728. Command Line: "C:\Users\jason\appdata\Local\programs\heedv3\heedv3.exe" --type=gpu-process --disable-features=SpareRendererForSitePerProcess --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=16483162655012643694 --mojo-platform-channel-handle=1320 --ignored=" --type=renderer " /prefetch:2
  729. =================================================================================================
  730.  
  731. RuntimeBroker(7112)[C:\Windows\System32\RuntimeBroker.exe] -- POwn: jason
  732. Command Line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  733. =================================================================================================
  734.  
  735. RuntimeBroker(4956)[C:\Windows\System32\RuntimeBroker.exe] -- POwn: jason
  736. Command Line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  737. =================================================================================================
  738.  
  739. conhost(5812)[C:\WINDOWS\system32\conhost.exe] -- POwn: jason
  740. Command Line: \??\C:\WINDOWS\system32\conhost.exe 0x4
  741. =================================================================================================
  742.  
  743. winpeas(8828)[C:\Software_Updates\winpeas.exe] -- POwn: jason -- isDotNet
  744. Permissions: jason [AllAccess], Everyone [AllAccess]
  745. Possible DLL Hijacking folder: C:\Software_Updates (Everyone [AllAccess], jason [AllAccess])
  746. Command Line: "C:\Software_Updates\winpeas.exe"
  747. =================================================================================================
  748.  
  749. v'ulnerable-app-setup-1.2.3(6672)[C:\Users\jason\AppData\Roaming\heedv1\__update__\v'ulnerable-app-setup-1.2.3.exe] -- POwn: jason
  750. Possible DLL Hijacking folder: C:\Users\jason\AppData\Roaming\heedv1\__update__ (jason [AllAccess])
  751. Command Line: C:\Users\jason\AppData\Roaming\heedv1\__update__\v'ulnerable-app-setup-1.2.3.exe --updated --force-run
  752. =================================================================================================
  753.  
  754. cmd(7532)[C:\WINDOWS\system32\cmd.exe] -- POwn: jason
  755. Command Line: C:\WINDOWS\system32\cmd.exe /K c:\users\jason\downloads\node_modules\.bin\http-server c:\software_updates\client1 -p 8081
  756. =================================================================================================
  757.  
  758. svchost(6232)[C:\WINDOWS\system32\svchost.exe] -- POwn: jason
  759. Command Line: C:\WINDOWS\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  760. =================================================================================================
  761.  
  762. svchost(8816)[C:\WINDOWS\system32\svchost.exe] -- POwn: jason
  763. Command Line: C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
  764. =================================================================================================
  765.  
  766. node(2752)[C:\Program Files\nodejs\node.exe] -- POwn: jason
  767. Command Line: "node" "c:\Users\jason\Downloads\node_modules\.bin\\..\http-server\bin\http-server" c:\software_updates\client1 -p 8081
  768. =================================================================================================
  769.  
  770. heedv2(5764)[C:\Users\jason\appdata\Local\programs\heedv2\heedv2.exe] -- POwn: jason
  771. Permissions: jason [AllAccess]
  772. Possible DLL Hijacking folder: C:\Users\jason\appdata\Local\programs\heedv2 (jason [AllAccess])
  773. Command Line: "C:\Users\jason\appdata\Local\programs\heedv2\heedv2.exe" --type=gpu-process --disable-features=SpareRendererForSitePerProcess --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=4554134489477886038 --mojo-platform-channel-handle=1308 --ignored=" --type=renderer " /prefetch:2
  774. =================================================================================================
  775.  
  776. ApplicationFrameHost(9200)[C:\WINDOWS\system32\ApplicationFrameHost.exe] -- POwn: jason
  777. Command Line: C:\WINDOWS\system32\ApplicationFrameHost.exe -Embedding
  778. =================================================================================================
  779.  
  780. vmtoolsd(7944)[C:\Program Files\VMware\VMware Tools\vmtoolsd.exe] -- POwn: jason
  781. Command Line: "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
  782. =================================================================================================
  783.  
  784. UserOOBEBroker(1400)[C:\Windows\System32\oobe\UserOOBEBroker.exe] -- POwn: jason
  785. Command Line: C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
  786. =================================================================================================
  787.  
  788. heedv1(7428)[C:\Users\jason\appdata\Local\programs\heedv1\heedv1.exe] -- POwn: jason
  789. Permissions: jason [AllAccess]
  790. Possible DLL Hijacking folder: C:\Users\jason\appdata\Local\programs\heedv1 (jason [AllAccess])
  791. Command Line: C:\Users\jason\appdata\Local\programs\heedv1\heedv1.exe
  792. =================================================================================================
  793.  
  794. cmd(5256)[C:\WINDOWS\SYSTEM32\cmd.exe] -- POwn: jason
  795. Command Line: C:\WINDOWS\SYSTEM32\cmd.exe /c "C:\Users\jason\appdata\roaming\cache\run.bat"
  796. =================================================================================================
  797.  
  798. heedv3(7400)[C:\Users\jason\appdata\Local\programs\heedv3\heedv3.exe] -- POwn: jason
  799. Permissions: jason [AllAccess]
  800. Possible DLL Hijacking folder: C:\Users\jason\appdata\Local\programs\heedv3 (jason [AllAccess])
  801. Command Line: C:\Users\jason\appdata\Local\programs\heedv3\heedv3.exe
  802. =================================================================================================
  803.  
  804. PING(4804)[C:\WINDOWS\system32\PING.EXE] -- POwn: jason
  805. Command Line: ping -n 300 127.0.0.1
  806. =================================================================================================
  807.  
  808. taskhostw(5216)[C:\WINDOWS\system32\taskhostw.exe] -- POwn: jason
  809. Command Line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  810. =================================================================================================
  811.  
  812. conhost(5980)[C:\WINDOWS\system32\conhost.exe] -- POwn: jason
  813. Command Line: \??\C:\WINDOWS\system32\conhost.exe 0x4
  814. =================================================================================================
  815.  
  816. WinStore.App(6064)[C:\Program Files\WindowsApps\Microsoft.WindowsStore_12101.1001.14.0_x64__8wekyb3d8bbwe\WinStore.App.exe] -- POwn: jason
  817. Command Line: "C:\Program Files\WindowsApps\Microsoft.WindowsStore_12101.1001.14.0_x64__8wekyb3d8bbwe\WinStore.App.exe" -ServerName:App.AppXc75wvwned5vhz4xyxxecvgdjhdkgsdza.mca
  818. =================================================================================================
  819.  
  820. YourPhone(7356)[C:\Program Files\WindowsApps\Microsoft.YourPhone_1.21022.160.0_x64__8wekyb3d8bbwe\YourPhone.exe] -- POwn: jason
  821. Command Line: "C:\Program Files\WindowsApps\Microsoft.YourPhone_1.21022.160.0_x64__8wekyb3d8bbwe\YourPhone.exe" -ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca
  822. =================================================================================================
  823.  
  824. SearchApp(7352)[C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe] -- POwn: jason
  825. Command Line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  826. =================================================================================================
  827.  
  828. cmd(1740)[C:\WINDOWS\system32\cmd.exe] -- POwn: jason
  829. Command Line: C:\WINDOWS\system32\cmd.exe /K c:\users\jason\downloads\node_modules\.bin\http-server c:\software_updates\client2 -p 8082
  830. =================================================================================================
  831.  
  832. RuntimeBroker(3460)[C:\Windows\System32\RuntimeBroker.exe] -- POwn: jason
  833. Command Line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  834. =================================================================================================
  835.  
  836. cmd(5180)[C:\WINDOWS\SYSTEM32\cmd.exe] -- POwn: jason
  837. Command Line: C:\WINDOWS\SYSTEM32\cmd.exe /c "C:\Users\jason\appdata\roaming\cache\clean.bat"
  838. =================================================================================================
  839.  
  840. conhost(6472)[C:\WINDOWS\system32\conhost.exe] -- POwn: jason
  841. Command Line: \??\C:\WINDOWS\system32\conhost.exe 0x4
  842. =================================================================================================
  843.  
  844. cmd(4312)[C:\WINDOWS\system32\cmd.exe] -- POwn: jason
  845. Command Line: cmd
  846. =================================================================================================
  847.  
  848.  
  849.  
  850. ========================================(Services Information)========================================
  851.  
  852. [+] Interesting Services -non Microsoft-
  853. [?] Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
  854. Apache2.4(Apache2.4)["C:\xampp\apache\bin\httpd.exe" -k runservice] - Auto - Running
  855. Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
  856. =================================================================================================
  857.  
  858. Redis(Redis)["C:\Program Files\Redis\redis-server.exe" --service-run "C:\Program Files\Redis\redis.windows-service.conf"] - Auto - Running
  859. This service runs the Redis server
  860. =================================================================================================
  861.  
  862. ssh-agent(OpenSSH Authentication Agent)[C:\WINDOWS\System32\OpenSSH\ssh-agent.exe] - Disabled - Stopped
  863. Agent to hold private keys used for public key authentication.
  864. =================================================================================================
  865.  
  866. VGAuthService(VMware, Inc. - VMware Alias Manager and Ticket Service)["C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"] - Auto - Running
  867. Alias Manager and Ticket Service
  868. =================================================================================================
  869.  
  870. vm3dservice(VMware, Inc. - VMware SVGA Helper Service)[C:\WINDOWS\system32\vm3dservice.exe] - Auto - Running
  871. Helps VMware SVGA driver by collecting and conveying user mode information
  872. =================================================================================================
  873.  
  874. VMTools(VMware, Inc. - VMware Tools)["C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"] - Auto - Running
  875. Provides support for synchronizing objects between the host and guest operating systems.
  876. =================================================================================================
  877.  
  878.  
  879. [+] Modifiable Services
  880. [?] Check if you can modify any service https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
  881. You cannot modify any service
  882.  
  883. [+] Looking if you can modify any service registry
  884. [?] Check if you can modify the registry of a service https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services-registry-permissions
  885. [-] Looks like you cannot change the registry of any service...
  886.  
  887. [+] Checking write permissions in PATH folders (DLL Hijacking)
  888. [?] Check for DLL Hijacking in PATH folders https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dll-hijacking
  889. C:\WINDOWS\system32
  890. C:\WINDOWS
  891. C:\WINDOWS\System32\Wbem
  892. C:\WINDOWS\System32\WindowsPowerShell\v1.0\
  893. C:\Program Files\nodejs\
  894. C:\WINDOWS\System32\OpenSSH\
  895.  
  896.  
  897. ====================================(Applications Information)====================================
  898.  
  899. [+] Current Active Window Application
  900. Heed
  901.  
  902. [+] Installed Applications --Via Program Files/Uninstall registry--
  903. [?] Check if you can modify installed software https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#software
  904. C:\Program Files\Common Files
  905. C:\Program Files\CUAssistant
  906. C:\Program Files\desktop.ini
  907. C:\Program Files\Internet Explorer
  908. C:\Program Files\Microsoft Update Health Tools
  909. C:\Program Files\ModifiableWindowsApps
  910. C:\Program Files\nodejs
  911. C:\Program Files\Redis
  912. C:\Program Files\rempl
  913. C:\Program Files\Uninstall Information
  914. C:\Program Files\VMware
  915. C:\Program Files\Windows Defender
  916. C:\Program Files\Windows Defender Advanced Threat Protection
  917. C:\Program Files\Windows Mail
  918. C:\Program Files\Windows Media Player
  919. C:\Program Files\Windows Multimedia Platform
  920. C:\Program Files\Windows NT
  921. C:\Program Files\Windows Photo Viewer
  922. C:\Program Files\Windows Portable Devices
  923. C:\Program Files\Windows Security
  924. C:\Program Files\Windows Sidebar
  925. C:\Program Files\WindowsApps
  926. C:\Program Files\WindowsPowerShell
  927. C:\xampp
  928.  
  929.  
  930. [+] Autorun Applications
  931. [?] Check if you can modify other users AutoRuns binaries (Note that is normal that you can modify HKCU registry and binaries indicated there) https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries
  932.  
  933. RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  934. Key: SecurityHealth
  935. Folder: C:\WINDOWS\system32
  936. File: C:\WINDOWS\system32\SecurityHealthSystray.exe
  937. =================================================================================================
  938.  
  939.  
  940. RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  941. Key: WindowsDefender
  942. Folder: C:\Program Files\Windows Defender
  943. File: C:\Program Files\Windows Defender\MSASCuiL.exe (Unquoted and Space detected)
  944. =================================================================================================
  945.  
  946.  
  947. RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  948. Key: VMware VM3DService Process
  949. Folder: C:\WINDOWS\system32
  950. File: C:\WINDOWS\system32\vm3dservice.exe -u
  951. =================================================================================================
  952.  
  953.  
  954. RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  955. Key: VMware User Process
  956. Folder: C:\Program Files\VMware\VMware Tools
  957. File: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe -n vmusr (Unquoted and Space detected)
  958. =================================================================================================
  959.  
  960.  
  961. RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  962. Key: Common Startup
  963. Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup (Unquoted and Space detected)
  964. =================================================================================================
  965.  
  966.  
  967. RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  968. Key: Common Startup
  969. Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup (Unquoted and Space detected)
  970. =================================================================================================
  971.  
  972.  
  973. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  974. Key: Userinit
  975. Folder: C:\Windows\system32
  976. File: C:\Windows\system32\userinit.exe,
  977. =================================================================================================
  978.  
  979.  
  980. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  981. Key: Shell
  982. Folder: None (PATH Injection)
  983. File: explorer.exe
  984. =================================================================================================
  985.  
  986.  
  987. RegPath: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
  988. Key: AlternateShell
  989. Folder: None (PATH Injection)
  990. File: cmd.exe
  991. =================================================================================================
  992.  
  993.  
  994. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Font Drivers
  995. Key: Adobe Type Manager
  996. Folder: None (PATH Injection)
  997. File: atmfd.dll
  998. =================================================================================================
  999.  
  1000.  
  1001. RegPath: HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers
  1002. Key: Adobe Type Manager
  1003. Folder: None (PATH Injection)
  1004. File: atmfd.dll
  1005. =================================================================================================
  1006.  
  1007.  
  1008. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  1009. Key: aux
  1010. Folder: None (PATH Injection)
  1011. File: wdmaud.drv
  1012. =================================================================================================
  1013.  
  1014.  
  1015. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  1016. Key: midi
  1017. Folder: None (PATH Injection)
  1018. File: wdmaud.drv
  1019. =================================================================================================
  1020.  
  1021.  
  1022. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  1023. Key: midimapper
  1024. Folder: None (PATH Injection)
  1025. File: midimap.dll
  1026. =================================================================================================
  1027.  
  1028.  
  1029. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  1030. Key: mixer
  1031. Folder: None (PATH Injection)
  1032. File: wdmaud.drv
  1033. =================================================================================================
  1034.  
  1035.  
  1036. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  1037. Key: msacm.imaadpcm
  1038. Folder: None (PATH Injection)
  1039. File: imaadp32.acm
  1040. =================================================================================================
  1041.  
  1042.  
  1043. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  1044. Key: msacm.msadpcm
  1045. Folder: None (PATH Injection)
  1046. File: msadp32.acm
  1047. =================================================================================================
  1048.  
  1049.  
  1050. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  1051. Key: msacm.msg711
  1052. Folder: None (PATH Injection)
  1053. File: msg711.acm
  1054. =================================================================================================
  1055.  
  1056.  
  1057. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  1058. Key: msacm.msgsm610
  1059. Folder: None (PATH Injection)
  1060. File: msgsm32.acm
  1061. =================================================================================================
  1062.  
  1063.  
  1064. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  1065. Key: vidc.i420
  1066. Folder: None (PATH Injection)
  1067. File: iyuv_32.dll
  1068. =================================================================================================
  1069.  
  1070.  
  1071. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  1072. Key: vidc.iyuv
  1073. Folder: None (PATH Injection)
  1074. File: iyuv_32.dll
  1075. =================================================================================================
  1076.  
  1077.  
  1078. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  1079. Key: vidc.mrle
  1080. Folder: None (PATH Injection)
  1081. File: msrle32.dll
  1082. =================================================================================================
  1083.  
  1084.  
  1085. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  1086. Key: vidc.msvc
  1087. Folder: None (PATH Injection)
  1088. File: msvidc32.dll
  1089. =================================================================================================
  1090.  
  1091.  
  1092. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  1093. Key: vidc.uyvy
  1094. Folder: None (PATH Injection)
  1095. File: msyuv.dll
  1096. =================================================================================================
  1097.  
  1098.  
  1099. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  1100. Key: vidc.yuy2
  1101. Folder: None (PATH Injection)
  1102. File: msyuv.dll
  1103. =================================================================================================
  1104.  
  1105.  
  1106. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  1107. Key: vidc.yvu9
  1108. Folder: None (PATH Injection)
  1109. File: tsbyuv.dll
  1110. =================================================================================================
  1111.  
  1112.  
  1113. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  1114. Key: vidc.yvyu
  1115. Folder: None (PATH Injection)
  1116. File: msyuv.dll
  1117. =================================================================================================
  1118.  
  1119.  
  1120. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  1121. Key: wave
  1122. Folder: None (PATH Injection)
  1123. File: wdmaud.drv
  1124. =================================================================================================
  1125.  
  1126.  
  1127. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  1128. Key: wavemapper
  1129. Folder: None (PATH Injection)
  1130. File: msacm32.drv
  1131. =================================================================================================
  1132.  
  1133.  
  1134. RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  1135. Key: msacm.l3acm
  1136. Folder: C:\Windows\System32
  1137. File: C:\Windows\System32\l3codeca.acm
  1138. =================================================================================================
  1139.  
  1140.  
  1141. RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
  1142. Key: aux
  1143. Folder: None (PATH Injection)
  1144. File: wdmaud.drv
  1145. =================================================================================================
  1146.  
  1147.  
  1148. RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
  1149. Key: midi
  1150. Folder: None (PATH Injection)
  1151. File: wdmaud.drv
  1152. =================================================================================================
  1153.  
  1154.  
  1155. RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
  1156. Key: midimapper
  1157. Folder: None (PATH Injection)
  1158. File: midimap.dll
  1159. =================================================================================================
  1160.  
  1161.  
  1162. RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
  1163. Key: mixer
  1164. Folder: None (PATH Injection)
  1165. File: wdmaud.drv
  1166. =================================================================================================
  1167.  
  1168.  
  1169. RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
  1170. Key: msacm.imaadpcm
  1171. Folder: None (PATH Injection)
  1172. File: imaadp32.acm
  1173. =================================================================================================
  1174.  
  1175.  
  1176. RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
  1177. Key: msacm.msadpcm
  1178. Folder: None (PATH Injection)
  1179. File: msadp32.acm
  1180. =================================================================================================
  1181.  
  1182.  
  1183. RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
  1184. Key: msacm.msg711
  1185. Folder: None (PATH Injection)
  1186. File: msg711.acm
  1187. =================================================================================================
  1188.  
  1189.  
  1190. RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
  1191. Key: msacm.msgsm610
  1192. Folder: None (PATH Injection)
  1193. File: msgsm32.acm
  1194. =================================================================================================
  1195.  
  1196.  
  1197. RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
  1198. Key: vidc.cvid
  1199. Folder: None (PATH Injection)
  1200. File: iccvid.dll
  1201. =================================================================================================
  1202.  
  1203.  
  1204. RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
  1205. Key: vidc.i420
  1206. Folder: None (PATH Injection)
  1207. File: iyuv_32.dll
  1208. =================================================================================================
  1209.  
  1210.  
  1211. RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
  1212. Key: vidc.iyuv
  1213. Folder: None (PATH Injection)
  1214. File: iyuv_32.dll
  1215. =================================================================================================
  1216.  
  1217.  
  1218. RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
  1219. Key: vidc.mrle
  1220. Folder: None (PATH Injection)
  1221. File: msrle32.dll
  1222. =================================================================================================
  1223.  
  1224.  
  1225. RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
  1226. Key: vidc.msvc
  1227. Folder: None (PATH Injection)
  1228. File: msvidc32.dll
  1229. =================================================================================================
  1230.  
  1231.  
  1232. RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
  1233. Key: vidc.uyvy
  1234. Folder: None (PATH Injection)
  1235. File: msyuv.dll
  1236. =================================================================================================
  1237.  
  1238.  
  1239. RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
  1240. Key: vidc.yuy2
  1241. Folder: None (PATH Injection)
  1242. File: msyuv.dll
  1243. =================================================================================================
  1244.  
  1245.  
  1246. RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
  1247. Key: vidc.yvu9
  1248. Folder: None (PATH Injection)
  1249. File: tsbyuv.dll
  1250. =================================================================================================
  1251.  
  1252.  
  1253. RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
  1254. Key: vidc.yvyu
  1255. Folder: None (PATH Injection)
  1256. File: msyuv.dll
  1257. =================================================================================================
  1258.  
  1259.  
  1260. RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
  1261. Key: wave
  1262. Folder: None (PATH Injection)
  1263. File: wdmaud.drv
  1264. =================================================================================================
  1265.  
  1266.  
  1267. RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
  1268. Key: wavemapper
  1269. Folder: None (PATH Injection)
  1270. File: msacm32.drv
  1271. =================================================================================================
  1272.  
  1273.  
  1274. RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
  1275. Key: msacm.l3acm
  1276. Folder: C:\Windows\SysWOW64
  1277. File: C:\Windows\SysWOW64\l3codeca.acm
  1278. =================================================================================================
  1279.  
  1280.  
  1281. RegPath: HKLM\Software\Classes\htmlfile\shell\open\command
  1282. Folder: C:\Program Files\Internet Explorer
  1283. File: C:\Program Files\Internet Explorer\IEXPLORE.EXE %1 (Unquoted and Space detected)
  1284. =================================================================================================
  1285.  
  1286.  
  1287. RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
  1288. Key: _wowarmhw
  1289. Folder: None (PATH Injection)
  1290. File: wowarmhw.dll
  1291. =================================================================================================
  1292.  
  1293.  
  1294. RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
  1295. Key: _xtajit
  1296. Folder: None (PATH Injection)
  1297. File: xtajit.dll
  1298. =================================================================================================
  1299.  
  1300.  
  1301. RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
  1302. Key: advapi32
  1303. Folder: None (PATH Injection)
  1304. File: advapi32.dll
  1305. =================================================================================================
  1306.  
  1307.  
  1308. RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
  1309. Key: clbcatq
  1310. Folder: None (PATH Injection)
  1311. File: clbcatq.dll
  1312. =================================================================================================
  1313.  
  1314.  
  1315. RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
  1316. Key: combase
  1317. Folder: None (PATH Injection)
  1318. File: combase.dll
  1319. =================================================================================================
  1320.  
  1321.  
  1322. RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
  1323. Key: COMDLG32
  1324. Folder: None (PATH Injection)
  1325. File: COMDLG32.dll
  1326. =================================================================================================
  1327.  
  1328.  
  1329. RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
  1330. Key: coml2
  1331. Folder: None (PATH Injection)
  1332. File: coml2.dll
  1333. =================================================================================================
  1334.  
  1335.  
  1336. RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
  1337. Key: DifxApi
  1338. Folder: None (PATH Injection)
  1339. File: difxapi.dll
  1340. =================================================================================================
  1341.  
  1342.  
  1343. RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
  1344. Key: gdi32
  1345. Folder: None (PATH Injection)
  1346. File: gdi32.dll
  1347. =================================================================================================
  1348.  
  1349.  
  1350. RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
  1351. Key: gdiplus
  1352. Folder: None (PATH Injection)
  1353. File: gdiplus.dll
  1354. =================================================================================================
  1355.  
  1356.  
  1357. RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
  1358. Key: IMAGEHLP
  1359. Folder: None (PATH Injection)
  1360. File: IMAGEHLP.dll
  1361. =================================================================================================
  1362.  
  1363.  
  1364. RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
  1365. Key: IMM32
  1366. Folder: None (PATH Injection)
  1367. File: IMM32.dll
  1368. =================================================================================================
  1369.  
  1370.  
  1371. RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
  1372. Key: kernel32
  1373. Folder: None (PATH Injection)
  1374. File: kernel32.dll
  1375. =================================================================================================
  1376.  
  1377.  
  1378. RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
  1379. Key: MSCTF
  1380. Folder: None (PATH Injection)
  1381. File: MSCTF.dll
  1382. =================================================================================================
  1383.  
  1384.  
  1385. RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
  1386. Key: MSVCRT
  1387. Folder: None (PATH Injection)
  1388. File: MSVCRT.dll
  1389. =================================================================================================
  1390.  
  1391.  
  1392. RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
  1393. Key: NORMALIZ
  1394. Folder: None (PATH Injection)
  1395. File: NORMALIZ.dll
  1396. =================================================================================================
  1397.  
  1398.  
  1399. RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
  1400. Key: NSI
  1401. Folder: None (PATH Injection)
  1402. File: NSI.dll
  1403. =================================================================================================
  1404.  
  1405.  
  1406. RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
  1407. Key: ole32
  1408. Folder: None (PATH Injection)
  1409. File: ole32.dll
  1410. =================================================================================================
  1411.  
  1412.  
  1413. RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
  1414. Key: OLEAUT32
  1415. Folder: None (PATH Injection)
  1416. File: OLEAUT32.dll
  1417. =================================================================================================
  1418.  
  1419.  
  1420. RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
  1421. Key: PSAPI
  1422. Folder: None (PATH Injection)
  1423. File: PSAPI.DLL
  1424. =================================================================================================
  1425.  
  1426.  
  1427. RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
  1428. Key: rpcrt4
  1429. Folder: None (PATH Injection)
  1430. File: rpcrt4.dll
  1431. =================================================================================================
  1432.  
  1433.  
  1434. RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
  1435. Key: sechost
  1436. Folder: None (PATH Injection)
  1437. File: sechost.dll
  1438. =================================================================================================
  1439.  
  1440.  
  1441. RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
  1442. Key: Setupapi
  1443. Folder: None (PATH Injection)
  1444. File: Setupapi.dll
  1445. =================================================================================================
  1446.  
  1447.  
  1448. RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
  1449. Key: SHCORE
  1450. Folder: None (PATH Injection)
  1451. File: SHCORE.dll
  1452. =================================================================================================
  1453.  
  1454.  
  1455. RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
  1456. Key: SHELL32
  1457. Folder: None (PATH Injection)
  1458. File: SHELL32.dll
  1459. =================================================================================================
  1460.  
  1461.  
  1462. RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
  1463. Key: SHLWAPI
  1464. Folder: None (PATH Injection)
  1465. File: SHLWAPI.dll
  1466. =================================================================================================
  1467.  
  1468.  
  1469. RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
  1470. Key: user32
  1471. Folder: None (PATH Injection)
  1472. File: user32.dll
  1473. =================================================================================================
  1474.  
  1475.  
  1476. RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
  1477. Key: WLDAP32
  1478. Folder: None (PATH Injection)
  1479. File: WLDAP32.dll
  1480. =================================================================================================
  1481.  
  1482.  
  1483. RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
  1484. Key: wow64
  1485. Folder: None (PATH Injection)
  1486. File: wow64.dll
  1487. =================================================================================================
  1488.  
  1489.  
  1490. RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
  1491. Key: wow64win
  1492. Folder: None (PATH Injection)
  1493. File: wow64win.dll
  1494. =================================================================================================
  1495.  
  1496.  
  1497. RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
  1498. Key: WS2_32
  1499. Folder: None (PATH Injection)
  1500. File: WS2_32.dll
  1501. =================================================================================================
  1502.  
  1503.  
  1504. RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
  1505. Key: _Wow64
  1506. Folder: None (PATH Injection)
  1507. File: Wow64.dll
  1508. =================================================================================================
  1509.  
  1510.  
  1511. RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
  1512. Key: _Wow64cpu
  1513. Folder: None (PATH Injection)
  1514. File: Wow64cpu.dll
  1515. =================================================================================================
  1516.  
  1517.  
  1518. RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
  1519. Key: _Wow64win
  1520. Folder: None (PATH Injection)
  1521. File: Wow64win.dll
  1522. =================================================================================================
  1523.  
  1524.  
  1525. RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
  1526. Key: LPK
  1527. Folder: None (PATH Injection)
  1528. File: LPK.dll
  1529. =================================================================================================
  1530.  
  1531.  
  1532. RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
  1533. Key: StubPath
  1534. Folder: \
  1535. FolderPerms: Authenticated Users [AppendData/CreateDirectories]
  1536. File: /UserInstall
  1537. =================================================================================================
  1538.  
  1539.  
  1540. RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}
  1541. Key: StubPath
  1542. Folder: C:\WINDOWS\system32
  1543. File: C:\WINDOWS\system32\unregmp2.exe /FirstLogon
  1544. =================================================================================================
  1545.  
  1546.  
  1547. RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}
  1548. Key: StubPath
  1549. Folder: None (PATH Injection)
  1550. File: U
  1551. =================================================================================================
  1552.  
  1553.  
  1554. RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}
  1555. Key: StubPath
  1556. Folder: C:\Windows\System32
  1557. File: C:\Windows\System32\ie4uinit.exe -UserConfig
  1558. =================================================================================================
  1559.  
  1560.  
  1561. RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}
  1562. Key: StubPath
  1563. Folder: C:\Windows\System32
  1564. File: C:\Windows\System32\Rundll32.exe C:\Windows\System32\mscories.dll,Install
  1565. =================================================================================================
  1566.  
  1567.  
  1568. RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}
  1569. Key: StubPath
  1570. Folder: C:\Program Files (x86)\Microsoft\Edge\Application\89.0.774.75\Installer
  1571. File: C:\Program Files (x86)\Microsoft\Edge\Application\89.0.774.75\Installer\setup.exe --configure-user-settings --verbose-logging --system-level --msedge (Unquoted and Space detected)
  1572. =================================================================================================
  1573.  
  1574.  
  1575. RegPath: HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}
  1576. Key: StubPath
  1577. Folder: C:\WINDOWS\system32
  1578. File: C:\WINDOWS\system32\unregmp2.exe /FirstLogon
  1579. =================================================================================================
  1580.  
  1581.  
  1582. RegPath: HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}
  1583. Key: StubPath
  1584. Folder: C:\Windows\SysWOW64
  1585. File: C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\mscories.dll,Install
  1586. =================================================================================================
  1587.  
  1588.  
  1589. RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}
  1590. Folder: C:\Program Files (x86)\Microsoft\Edge\Application\89.0.774.75\BHO
  1591. File: C:\Program Files (x86)\Microsoft\Edge\Application\89.0.774.75\BHO\ie_to_edge_bho_64.dll (Unquoted and Space detected)
  1592. =================================================================================================
  1593.  
  1594.  
  1595. RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}
  1596. Folder: C:\Program Files (x86)\Microsoft\Edge\Application\89.0.774.75\BHO
  1597. File: C:\Program Files (x86)\Microsoft\Edge\Application\89.0.774.75\BHO\ie_to_edge_bho_64.dll (Unquoted and Space detected)
  1598. =================================================================================================
  1599.  
  1600.  
  1601. Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
  1602. File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (Unquoted and Space detected)
  1603. =================================================================================================
  1604.  
  1605.  
  1606. Folder: C:\Users\jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
  1607. FolderPerms: jason [AllAccess]
  1608. File: C:\Users\jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (Unquoted and Space detected)
  1609. FilePerms: jason [AllAccess]
  1610. =================================================================================================
  1611.  
  1612.  
  1613. Folder: C:\windows\tasks
  1614. FolderPerms: Authenticated Users [WriteData/CreateFiles]
  1615. =================================================================================================
  1616.  
  1617.  
  1618. Folder: C:\windows\system32\tasks
  1619. FolderPerms: Authenticated Users [WriteData/CreateFiles]
  1620. =================================================================================================
  1621.  
  1622.  
  1623. Folder: C:\windows
  1624. File: C:\windows\system.ini
  1625. =================================================================================================
  1626.  
  1627.  
  1628. Folder: C:\windows
  1629. File: C:\windows\win.ini
  1630. =================================================================================================
  1631.  
  1632.  
  1633. Key: From WMIC
  1634. Folder: C:\WINDOWS\system32
  1635. File: C:\WINDOWS\system32\SecurityHealthSystray.exe
  1636. =================================================================================================
  1637.  
  1638.  
  1639. Key: From WMIC
  1640. Folder: C:\Program Files\Windows Defender
  1641. File: C:\Program Files\Windows Defender\MSASCuiL.exe
  1642. =================================================================================================
  1643.  
  1644.  
  1645. Key: From WMIC
  1646. Folder: C:\WINDOWS\system32
  1647. File: C:\WINDOWS\system32\vm3dservice.exe -u
  1648. =================================================================================================
  1649.  
  1650.  
  1651. Key: From WMIC
  1652. Folder: C:\Program Files\VMware\VMware Tools
  1653. File: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe -n vmusr
  1654. =================================================================================================
  1655.  
  1656.  
  1657. [+] Scheduled Applications --Non Microsoft--
  1658. [?] Check if you can modify other users scheduled binaries https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries
  1659. (ATOM\Administrator) SoftwareUpdates: C:\Users\jason\appdata\roaming\cache\run.bat
  1660. Permissions file: jason [WriteData/CreateFiles AllAccess]
  1661. Permissions folder(DLL Hijacking): jason [WriteData/CreateFiles AllAccess]
  1662. Trigger: At log on of ATOM\jason
  1663.  
  1664. =================================================================================================
  1665.  
  1666. (ATOM\Administrator) UpdateServer: C:\Users\jason\appdata\roaming\cache\http-server.bat
  1667. Permissions file: jason [WriteData/CreateFiles AllAccess]
  1668. Permissions folder(DLL Hijacking): jason [WriteData/CreateFiles AllAccess]
  1669. Trigger: At log on of ATOM\jason
  1670.  
  1671. =================================================================================================
  1672.  
  1673.  
  1674. [+] Device Drivers --Non Microsoft--
  1675. [?] Check 3rd party drivers for known vulnerabilities/rootkits. https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#vulnerable-drivers
  1676. QLogic 10 GigE - 7.13.65.105 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\evbda.sys
  1677. QLogic Gigabit Ethernet - 7.12.31.105 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bxvbda.sys
  1678. VMware vSockets Service - 9.8.16.0 build-14168184 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vsock.sys
  1679. NVIDIA nForce(TM) RAID Driver - 10.6.0.23 [NVIDIA Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\nvraid.sys
  1680. VMware PCI VMCI Bus Device - 9.8.16.0 build-14168184 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vmci.sys
  1681. Intel Matrix Storage Manager driver - 8.6.2.1019 [Intel Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\iaStorV.sys
  1682. VIA RAID driver - 7.0.9600,6352 [VIA Technologies Inc.,Ltd]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vsmraid.sys
  1683. LSI 3ware RAID Controller - WindowsBlue [LSI]: \\.\GLOBALROOT\SystemRoot\System32\drivers\3ware.sys
  1684. AHCI 1.3 Device Driver - 1.1.3.277 [Advanced Micro Devices]: \\.\GLOBALROOT\SystemRoot\System32\drivers\amdsata.sys
  1685. Storage Filter Driver - 1.1.3.277 [Advanced Micro Devices]: \\.\GLOBALROOT\SystemRoot\System32\drivers\amdxata.sys
  1686. AMD Technology AHCI Compatible Controller - 3.7.1540.43 [AMD Technologies Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\amdsbs.sys
  1687. Adaptec RAID Controller - 7.5.0.32048 [PMC-Sierra, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\arcsas.sys
  1688. Windows (R) Win 7 DDK driver - 10.0.10011.16384 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\ItSas35i.sys
  1689. LSI Fusion-MPT SAS Driver (StorPort) - 1.34.03.83 [LSI Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sas.sys
  1690. Windows (R) Win 7 DDK driver - 10.0.10011.16384 [LSI Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sas2i.sys
  1691. Windows (R) Win 7 DDK driver - 10.0.10011.16384 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sas3i.sys
  1692. LSI SSS PCIe/Flash Driver (StorPort) - 2.10.61.81 [LSI Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sss.sys
  1693. MEGASAS RAID Controller Driver for Windows - 6.706.06.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\megasas.sys
  1694. MEGASAS RAID Controller Driver for Windows - 6.714.20.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\MegaSas2i.sys
  1695. MEGASAS RAID Controller Driver for Windows - 7.710.10.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\megasas35i.sys
  1696. MegaRAID Software RAID - 15.02.2013.0129 [LSI Corporation, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\megasr.sys
  1697. Marvell Flash Controller - 1.0.5.1016 [Marvell Semiconductor, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\mvumis.sys
  1698. NVIDIA nForce(TM) SATA Driver - 10.6.0.23 [NVIDIA Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\nvstor.sys
  1699. MEGASAS RAID Controller Driver for Windows - 6.805.03.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\percsas2i.sys
  1700. MEGASAS RAID Controller Driver for Windows - 6.604.06.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\percsas3i.sys
  1701. Microsoftr Windowsr Operating System - 2.60.01 [Silicon Integrated Systems Corp.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\SiSRaid2.sys
  1702. Microsoftr Windowsr Operating System - 6.1.6918.0 [Silicon Integrated Systems]: \\.\GLOBALROOT\SystemRoot\System32\drivers\sisraid4.sys
  1703. VIA StorX RAID Controller Driver - 8.0.9200.8110 [VIA Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vstxraid.sys
  1704. Promiser SuperTrak EX Series - 5.1.0000.10 [Promise Technology, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\stexstor.sys
  1705. Chelsio Communications iSCSI Controller - 10.0.10011.16384 [Chelsio Communications]: \\.\GLOBALROOT\SystemRoot\System32\drivers\cht4sx64.sys
  1706. Intel(R) Rapid Storage Technology driver (inbox) - 15.44.0.1015 [Intel Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\iaStorAVC.sys
  1707. PMC-Sierra HBA Controller - 1.3.0.10769 [PMC-Sierra]: \\.\GLOBALROOT\SystemRoot\System32\drivers\ADP80XX.SYS
  1708. Smart Array SAS/SATA Controller Media Driver - 8.0.4.0 Build 1 Media Driver (x86-64) [Hewlett-Packard Company]: \\.\GLOBALROOT\SystemRoot\System32\drivers\HpSAMD.sys
  1709. SmartRAID, SmartHBA PQI Storport Driver - 1.50.1.0 [Microsemi Corportation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\SmartSAMD.sys
  1710. VMware Pointing USB Device Driver - 12.5.10.0 build-14169150 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vmusbmouse.sys
  1711. VMware Pointing PS/2 Device Driver - 12.5.10.0 build-14169150 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vmmouse.sys
  1712. VMware SVGA 3D - 8.16.07.0008 - build-16233244 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vm3dmp_loader.sys
  1713. VMware SVGA 3D - 8.16.07.0008 - build-16233244 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vm3dmp.sys
  1714. VMware PCIe Ethernet Adapter NDIS 6.30 (64-bit) - 1.8.17.0 build-17274505 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vmxnet3.sys
  1715. VMware server memory controller - 7.5.5.0 build-14903665 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vmmemctl.sys
  1716.  
  1717.  
  1718. =========================================(Network Information)=========================================
  1719.  
  1720. [+] Network Shares
  1721. ADMIN$ (Path: C:\WINDOWS)
  1722. C$ (Path: C:\)
  1723. IPC$ (Path: )
  1724. Software_Updates (Path: C:\Software_Updates) -- Permissions: AllAccess
  1725.  
  1726. [+] Enumerate Network Mapped Drives (WMI)
  1727.  
  1728. [+] Host File
  1729.  
  1730. [+] Network Ifaces and known hosts
  1731. [?] The masks are only for the IPv4 addresses
  1732. Ethernet0[00:50:56:B9:57:45]: 10.10.10.237, fe80::d8d6:9e76:e070:89e3%6, dead:beef::25ba:42d2:1e11:4c29, dead:beef::d8d6:9e76:e070:89e3 / 255.255.255.0
  1733. Gateways: 10.10.10.2, fe80::250:56ff:feb9:188e%6
  1734. DNSs: 1.1.1.1
  1735. Known hosts:
  1736. 10.10.10.2 00-50-56-B9-18-8E Dynamic
  1737. 10.10.10.255 FF-FF-FF-FF-FF-FF Static
  1738. 224.0.0.22 01-00-5E-00-00-16 Static
  1739. 224.0.0.251 01-00-5E-00-00-FB Static
  1740. 224.0.0.252 01-00-5E-00-00-FC Static
  1741. 239.255.255.250 01-00-5E-7F-FF-FA Static
  1742.  
  1743. Loopback Pseudo-Interface 1[]: 127.0.0.1, ::1 / 255.0.0.0
  1744. DNSs: fec0:0:0:ffff::1%1, fec0:0:0:ffff::2%1, fec0:0:0:ffff::3%1
  1745. Known hosts:
  1746. 224.0.0.22 00-00-00-00-00-00 Static
  1747. 239.255.255.250 00-00-00-00-00-00 Static
  1748.  
  1749.  
  1750. [+] Current TCP Listening Ports
  1751. [?] Check for services restricted from the outside
  1752. Enumerating IPv4 connections
  1753.  
  1754. Protocol Local Address Local Port Remote Address Remote Port State Process ID Process Name
  1755.  
  1756. TCP 0.0.0.0 80 0.0.0.0 0 Listening 2668 httpd
  1757. TCP 0.0.0.0 135 0.0.0.0 0 Listening 916 svchost
  1758. TCP 0.0.0.0 443 0.0.0.0 0 Listening 2668 httpd
  1759. TCP 0.0.0.0 445 0.0.0.0 0 Listening 4 System
  1760. TCP 0.0.0.0 5040 0.0.0.0 0 Listening 5668 svchost
  1761. TCP 0.0.0.0 5985 0.0.0.0 0 Listening 4 System
  1762. TCP 0.0.0.0 6379 0.0.0.0 0 Listening 7792 redis-server
  1763. TCP 0.0.0.0 8081 0.0.0.0 0 Listening 2752 C:\Program Files\nodejs\node.exe
  1764. TCP 0.0.0.0 8082 0.0.0.0 0 Listening 2928 C:\Program Files\nodejs\node.exe
  1765. TCP 0.0.0.0 8083 0.0.0.0 0 Listening 2896 C:\Program Files\nodejs\node.exe
  1766. TCP 0.0.0.0 47001 0.0.0.0 0 Listening 4 System
  1767. TCP 0.0.0.0 49664 0.0.0.0 0 Listening 688 lsass
  1768. TCP 0.0.0.0 49665 0.0.0.0 0 Listening 532 wininit
  1769. TCP 0.0.0.0 49666 0.0.0.0 0 Listening 1100 svchost
  1770. TCP 0.0.0.0 49667 0.0.0.0 0 Listening 1500 svchost
  1771. TCP 0.0.0.0 49668 0.0.0.0 0 Listening 2216 spoolsv
  1772. TCP 0.0.0.0 49669 0.0.0.0 0 Listening 672 services
  1773. TCP 10.10.10.237 139 0.0.0.0 0 Listening 4 System
  1774. TCP 10.10.10.237 445 10.10.16.210 57882 Established 4 System
  1775. TCP 10.10.10.237 63651 10.10.16.210 1234 Established 6672 C:\Users\jason\AppData\Roaming\heedv1\__update__\v'ulnerable-app-setup-1.2.3.exe
  1776. TCP 127.0.0.1 8081 127.0.0.1 53213 FIN Wait 2 2752 C:\Program Files\nodejs\node.exe
  1777. TCP 127.0.0.1 8082 127.0.0.1 53211 FIN Wait 2 2928 C:\Program Files\nodejs\node.exe
  1778. TCP 127.0.0.1 8083 127.0.0.1 53212 FIN Wait 2 2896 C:\Program Files\nodejs\node.exe
  1779. TCP 127.0.0.1 53211 127.0.0.1 8082 Close Wait 7284 C:\Users\jason\appdata\Local\programs\heedv2\heedv2.exe
  1780. TCP 127.0.0.1 53212 127.0.0.1 8083 Close Wait 7400 C:\Users\jason\appdata\Local\programs\heedv3\heedv3.exe
  1781. TCP 127.0.0.1 53213 127.0.0.1 8081 Close Wait 7428 C:\Users\jason\appdata\Local\programs\heedv1\heedv1.exe
  1782.  
  1783. Enumerating IPv6 connections
  1784.  
  1785. Protocol Local Address Local Port Remote Address Remote Port State Process ID Process Name
  1786.  
  1787. TCP [::] 80 [::] 0 Listening 2668 httpd
  1788. TCP [::] 135 [::] 0 Listening 916 svchost
  1789. TCP [::] 443 [::] 0 Listening 2668 httpd
  1790. TCP [::] 445 [::] 0 Listening 4 System
  1791. TCP [::] 5985 [::] 0 Listening 4 System
  1792. TCP [::] 6379 [::] 0 Listening 7792 redis-server
  1793. TCP [::] 47001 [::] 0 Listening 4 System
  1794. TCP [::] 49664 [::] 0 Listening 688 lsass
  1795. TCP [::] 49665 [::] 0 Listening 532 wininit
  1796. TCP [::] 49666 [::] 0 Listening 1100 svchost
  1797. TCP [::] 49667 [::] 0 Listening 1500 svchost
  1798. TCP [::] 49668 [::] 0 Listening 2216 spoolsv
  1799. TCP [::] 49669 [::] 0 Listening 672 services
  1800.  
  1801. [+] Current UDP Listening Ports
  1802. [?] Check for services restricted from the outside
  1803. Enumerating IPv4 connections
  1804.  
  1805. Protocol Local Address Local Port Remote Address:Remote Port Process ID Process Name
  1806.  
  1807. UDP 0.0.0.0 5050 *:* 5668 svchost
  1808. UDP 0.0.0.0 5353 *:* 1076 svchost
  1809. UDP 0.0.0.0 5355 *:* 1076 svchost
  1810. UDP 10.10.10.237 137 *:* 4 System
  1811. UDP 10.10.10.237 138 *:* 4 System
  1812. UDP 10.10.10.237 1900 *:* 6072 svchost
  1813. UDP 10.10.10.237 62079 *:* 6072 svchost
  1814. UDP 127.0.0.1 1900 *:* 6072 svchost
  1815. UDP 127.0.0.1 62080 *:* 6072 svchost
  1816. UDP 127.0.0.1 64928 *:* 2920 svchost
  1817.  
  1818. Enumerating IPv6 connections
  1819.  
  1820. Protocol Local Address Local Port Remote Address:Remote Port Process ID Process Name
  1821.  
  1822. UDP [::] 5353 *:* 1076 svchost
  1823. UDP [::] 5355 *:* 1076 svchost
  1824. UDP [::1] 1900 *:* 6072 svchost
  1825. UDP [::1] 62078 *:* 6072 svchost
  1826. UDP [fe80::d8d6:9e76:e070:89e3%6] 1900 *:* 6072 svchost
  1827. UDP [fe80::d8d6:9e76:e070:89e3%6] 62077 *:* 6072 svchost
  1828.  
  1829. [+] Firewall Rules
  1830. [?] Showing only DENY rules (too many ALLOW rules always)
  1831. Current Profiles: PUBLIC
  1832. FirewallEnabled (Domain): True
  1833. FirewallEnabled (Private): True
  1834. FirewallEnabled (Public): True
  1835. DENY rules:
  1836. (4)Node.js: Server-side JavaScript[C:\program files\nodejs\node.exe]: DENY UDP IN from *:* --> *:*
  1837. Node.js: Server-side JavaScript
  1838. (4)Node.js: Server-side JavaScript[C:\program files\nodejs\node.exe]: DENY TCP IN from *:* --> *:*
  1839. Node.js: Server-side JavaScript
  1840. (2)redis-server[C:\redis\redis-server.exe]: DENY UDP IN from *:* --> *:*
  1841. redis-server
  1842. (2)redis-server[C:\redis\redis-server.exe]: DENY TCP IN from *:* --> *:*
  1843. redis-server
  1844. (2)Node.js: Server-side JavaScript[C:\program files\nodejs\node.exe]: DENY TCP IN from *:* --> *:*
  1845. Node.js: Server-side JavaScript
  1846. (2)Node.js: Server-side JavaScript[C:\program files\nodejs\node.exe]: DENY UDP IN from *:* --> *:*
  1847. Node.js: Server-side JavaScript
  1848.  
  1849. [+] DNS cached --limit 70--
  1850. Entry Name Data
  1851.  
  1852. [+] Enumerating Internet settings, zone and proxy configuration
  1853. General Settings
  1854. Hive Key Value
  1855. HKCU CertificateRevocation 1
  1856. HKCU DisableCachingOfSSLPages 0
  1857. HKCU IE5_UA_Backup_Flag 5.0
  1858. HKCU PrivacyAdvanced 1
  1859. HKCU SecureProtocols 2688
  1860. HKCU User Agent Mozilla/4.0 (compatible; MSIE 8.0; Win32)
  1861. HKCU ZonesSecurityUpgrade System.Byte[]
  1862. HKCU WarnonZoneCrossing 0
  1863. HKCU EnableNegotiate 1
  1864. HKCU MigrateProxy 1
  1865. HKCU ProxyEnable 0
  1866. HKLM ActiveXCache C:\Windows\Downloaded Program Files
  1867. HKLM CodeBaseSearchPath CODEBASE
  1868. HKLM EnablePunycode 1
  1869. HKLM MinorVersion 0
  1870. HKLM WarnOnIntranet 1
  1871.  
  1872. Zone Maps
  1873. No URLs configured
  1874.  
  1875. Zone Auth Settings
  1876. No Zone Auth Settings
  1877.  
  1878.  
  1879. =========================================(Windows Credentials)=========================================
  1880.  
  1881. [+] Checking Windows Vault
  1882. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-manager-windows-vault
  1883. Not Found
  1884.  
  1885. [+] Checking Credential manager
  1886. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-manager-windows-vault
  1887. [!] Warning: if password contains non-printable characters, it will be printed as unicode base64 encoded string
  1888.  
  1889.  
  1890. Username: ATOM\jason
  1891. Password: kidvscat_electron_@123
  1892. Target: ATOM\jason
  1893. PersistenceType: Enterprise
  1894. LastWriteTime: 3/31/2021 2:53:49 AM
  1895.  
  1896. =================================================================================================
  1897.  
  1898.  
  1899. [+] Saved RDP connections
  1900. Not Found
  1901.  
  1902. [+] Remote Desktop Server/Client Settings
  1903. RDP Server Settings
  1904. Network Level Authentication :
  1905. Block Clipboard Redirection :
  1906. Block COM Port Redirection :
  1907. Block Drive Redirection :
  1908. Block LPT Port Redirection :
  1909. Block PnP Device Redirection :
  1910. Block Printer Redirection :
  1911. Allow Smart Card Redirection :
  1912.  
  1913. RDP Client Settings
  1914. Disable Password Saving : True
  1915. Restricted Remote Administration : False
  1916.  
  1917. [+] Recently run commands
  1918. a: cmd\1
  1919. MRUList: acdb
  1920. b: compmgmt.msc\1
  1921. c: appwiz.cpl\1
  1922. d: control panel\1
  1923.  
  1924. [+] Checking for DPAPI Master Keys
  1925. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi
  1926. MasterKey: C:\Users\jason\AppData\Roaming\Microsoft\Protect\S-1-5-21-1199094703-3580107816-3092147818-1002\a96996a9-5aec-4f82-a145-68ee2de5ea3f
  1927. Accessed: 5/29/2021 8:40:50 AM
  1928. Modified: 3/30/2021 1:17:16 PM
  1929. =================================================================================================
  1930.  
  1931.  
  1932. [+] Checking for DPAPI Credential Files
  1933. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi
  1934. CredFile: C:\Users\jason\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D
  1935. Description: Local Credential Data
  1936.  
  1937. MasterKey: a96996a9-5aec-4f82-a145-68ee2de5ea3f
  1938. Accessed: 5/29/2021 11:00:35 AM
  1939. Modified: 4/6/2021 7:25:24 PM
  1940. Size: 11184
  1941. =================================================================================================
  1942.  
  1943. CredFile: C:\Users\jason\AppData\Roaming\Microsoft\Credentials\9F6E8E76E5D3AE66EB8D50DDC3B0A7EC
  1944. Description: Enterprise Credential Data
  1945.  
  1946. MasterKey: a96996a9-5aec-4f82-a145-68ee2de5ea3f
  1947. Accessed: 5/29/2021 11:00:35 AM
  1948. Modified: 3/31/2021 2:53:49 AM
  1949. Size: 490
  1950. =================================================================================================
  1951.  
  1952. [i] Follow the provided link for further instructions in how to decrypt the creds file
  1953.  
  1954. [+] Checking for RDCMan Settings Files
  1955. [?] Dump credentials from Remote Desktop Connection Manager https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#remote-desktop-credential-manager
  1956. Not Found
  1957.  
  1958. [+] Looking for Kerberos tickets
  1959. [?] https://book.hacktricks.xyz/pentesting/pentesting-kerberos-88
  1960. Not Found
  1961.  
  1962. [+] Looking for saved Wifi credentials
  1963. [X] Exception: The service has not been started
  1964.  
  1965. [+] Looking AppCmd.exe
  1966. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#appcmd-exe
  1967. Not Found
  1968. You must be an administrator to run this check
  1969.  
  1970. [+] Looking SSClient.exe
  1971. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#scclient-sccm
  1972. Not Found
  1973.  
  1974. [+] Enumerating SSCM - System Center Configuration Manager settings
  1975.  
  1976. [+] Enumerating Security Packages Credentials
  1977. Version: NetNTLMv2
  1978. Hash: jason::ATOM:1122334455667788:a4855cc92d76c6dcaff4bd6554268141:01010000000000001e4fb40fb854d701001901727b5b4d4c00000000080030003000000000000000000000000020000015718f51208716144f38c738968a3b193a582aba1e9cd3687494144057e021bc0a00100000000000000000000000000000000000090000000000000000000000
  1979.  
  1980. =================================================================================================
  1981.  
  1982.  
  1983.  
  1984. ========================================(Browsers Information)========================================
  1985.  
  1986. [+] Showing saved credentials for Firefox
  1987. Info: if no credentials were listed, you might need to close the browser and try again.
  1988.  
  1989. [+] Looking for Firefox DBs
  1990. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history
  1991. Not Found
  1992.  
  1993. [+] Looking for GET credentials in Firefox history
  1994. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history
  1995. Not Found
  1996.  
  1997. [+] Showing saved credentials for Chrome
  1998. Info: if no credentials were listed, you might need to close the browser and try again.
  1999.  
  2000. [+] Looking for Chrome DBs
  2001. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history
  2002. Not Found
  2003.  
  2004. [+] Looking for GET credentials in Chrome history
  2005. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history
  2006. Not Found
  2007.  
  2008. [+] Chrome bookmarks
  2009. Not Found
  2010.  
  2011. [+] Showing saved credentials for Opera
  2012. Info: if no credentials were listed, you might need to close the browser and try again.
  2013.  
  2014. [+] Showing saved credentials for Brave Browser
  2015. Info: if no credentials were listed, you might need to close the browser and try again.
  2016.  
  2017. [+] Showing saved credentials for Internet Explorer (unsupported)
  2018. Info: if no credentials were listed, you might need to close the browser and try again.
  2019.  
  2020. [+] Current IE tabs
  2021. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history
  2022. Not Found
  2023.  
  2024. [+] Looking for GET credentials in IE history
  2025. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history
  2026.  
  2027. [+] IE favorites
  2028. http://go.microsoft.com/fwlink/p/?LinkId=255142
  2029.  
  2030.  
  2031. ==============================(Interesting files and registry)==============================
  2032.  
  2033. [+] Putty Sessions
  2034. Not Found
  2035.  
  2036. [+] Putty SSH Host keys
  2037. Not Found
  2038.  
  2039. [+] SSH keys in registry
  2040. [?] If you find anything here, follow the link to learn how to decrypt the SSH keys https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#ssh-keys-in-registry
  2041. Not Found
  2042.  
  2043. [+] SuperPutty configuration files
  2044.  
  2045. [+] Enumerating Office 365 endpoints synced by OneDrive.
  2046.  
  2047. SID: S-1-5-19
  2048. =================================================================================================
  2049.  
  2050. SID: S-1-5-20
  2051. =================================================================================================
  2052.  
  2053. SID: S-1-5-21-1199094703-3580107816-3092147818-1002
  2054. =================================================================================================
  2055.  
  2056. SID: S-1-5-21-1199094703-3580107816-3092147818-500
  2057. =================================================================================================
  2058.  
  2059. SID: S-1-5-18
  2060. =================================================================================================
  2061.  
  2062.  
  2063. [+] Cloud Credentials
  2064. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
  2065. Not Found
  2066.  
  2067. [+] Unattend Files
  2068.  
  2069. [+] Looking for common SAM & SYSTEM backups
  2070.  
  2071. [+] Looking for McAfee Sitelist.xml Files
  2072.  
  2073. [+] Cached GPP Passwords
  2074.  
  2075. [+] Looking for possible regs with creds
  2076. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#inside-the-registry
  2077. Not Found
  2078. Not Found
  2079. Not Found
  2080. Not Found
  2081.  
  2082. [+] Looking for possible password files in users homes
  2083. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
  2084. C:\Users\All Users\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml
  2085.  
  2086. [+] Searching for Oracle SQL Developer config files
  2087.  
  2088.  
  2089. [+] Slack files & directories
  2090. note: check manually if something is found
  2091.  
  2092. [+] Looking for LOL Binaries and Scripts (can be slow)
  2093. [?] https://lolbas-project.github.io/
  2094. [!] Check skipped, if you want to run it, please specify '-lolbas' argument
  2095.  
  2096. [+] Enumerating Outlook download files
  2097.  
  2098.  
  2099. [+] Enumerating machine and user certificate files
  2100.  
  2101.  
  2102. [+] Searching known files that can contain creds in home
  2103. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
  2104. C:\Users\jason\AppData\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\LocalState\dtlskey.der
  2105. C:\Users\jason\AppData\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\LocalState\dtlscert.der
  2106. C:\Users\jason\NTUSER.DAT
  2107.  
  2108. [+] Looking for documents --limit 100--
  2109. C:\Users\jason\Downloads\PortableKanban\User Guide.pdf
  2110. C:\Users\jason\Documents\UAT_Testing_Procedures.pdf
  2111.  
  2112. [+] Office Most Recent Files -- limit 50
  2113.  
  2114. Last Access Date User Application Document
  2115.  
  2116. [+] Recent files --limit 70--
  2117. Not Found
  2118.  
  2119. [+] Looking inside the Recycle Bin for creds files
  2120. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
  2121. Not Found
  2122.  
  2123. [+] Searching hidden files or folders in C:\Users home (can be slow)
  2124.  
  2125. C:\Users\All Users\ntuser.pol
  2126. C:\Users\jason\AppData\Local\Temp\BITE0BD.tmp
  2127. C:\Users\jason\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore\ActivationStore.dat.LOG2
  2128. C:\Users\jason\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore\ActivationStore.dat.LOG1
  2129. C:\Users\jason\AppData\Local\Packages\Windows.ContactSupport_cw5n1h2txyewy\Windows.ContactSupport_10.0.10240.16384_neutral_neutral_cw5n1h2txyewy\ActivationStore\ActivationStore.dat.LOG2
  2130. C:\Users\jason\AppData\Local\Packages\Windows.ContactSupport_cw5n1h2txyewy\Windows.ContactSupport_10.0.10240.16384_neutral_neutral_cw5n1h2txyewy\ActivationStore\ActivationStore.dat.LOG1
  2131.  
  2132. [+] Searching interesting files in other users home directories (can be slow)
  2133.  
  2134. Checking folder: c:\users\administrator
  2135.  
  2136. =================================================================================================
  2137.  
  2138.  
  2139. [+] Searching executable files in non-default folders with write (equivalent) permissions (can be slow)
  2140. File Permissions "C:\Software_Updates\winpeas.exe": jason [AllAccess],Everyone [AllAccess]
  2141. File Permissions "C:\Users\jason\Downloads\PortableKanban\PortableKanban.exe": jason [AllAccess]
  2142. File Permissions "C:\Users\jason\Downloads\node_modules\.bin\opener.ps1": jason [AllAccess]
  2143. File Permissions "C:\Users\jason\Downloads\node_modules\.bin\mkdirp.ps1": jason [AllAccess]
  2144. File Permissions "C:\Users\jason\Downloads\node_modules\.bin\mime.ps1": jason [AllAccess]
  2145. File Permissions "C:\Users\jason\Downloads\node_modules\.bin\http-server.ps1": jason [AllAccess]
  2146. File Permissions "C:\Users\jason\Downloads\node_modules\.bin\hs.ps1": jason [AllAccess]
  2147. File Permissions "C:\Users\jason\Downloads\node_modules\.bin\he.ps1": jason [AllAccess]
  2148. File Permissions "C:\Users\jason\Downloads\node_modules\.bin\ecstatic.ps1": jason [AllAccess]
  2149. File Permissions "C:\Users\jason\Desktop\windowstempwinPEAS.bat": jason [AllAccess]
  2150. File Permissions "C:\Users\jason\AppData\Roaming\heedv3\__installer.exe": jason [AllAccess]
  2151. File Permissions "C:\Users\jason\AppData\Roaming\heedv2\__installer.exe": jason [AllAccess]
  2152. File Permissions "C:\Users\jason\AppData\Roaming\heedv1\__installer.exe": jason [AllAccess]
  2153. File Permissions "C:\Users\jason\AppData\Roaming\cache\run.bat": jason [WriteData/CreateFiles AllAccess]
  2154. File Permissions "C:\Users\jason\AppData\Roaming\cache\http-server.bat": jason [WriteData/CreateFiles AllAccess]
  2155. File Permissions "C:\Users\jason\AppData\Roaming\cache\clean.bat": jason [WriteData/CreateFiles AllAccess]
  2156. File Permissions "C:\Users\jason\AppData\Local\Programs\heedv3\Uninstall heedv3.exe": jason [AllAccess]
  2157. File Permissions "C:\Users\jason\AppData\Local\Programs\heedv3\heedv3.exe": jason [AllAccess]
  2158. File Permissions "C:\Users\jason\AppData\Local\Programs\heedv3\resources\elevate.exe": jason [AllAccess]
  2159. File Permissions "C:\Users\jason\AppData\Local\Programs\heedv2\Uninstall heedv2.exe": jason [AllAccess]
  2160. File Permissions "C:\Users\jason\AppData\Local\Programs\heedv2\heedv2.exe": jason [AllAccess]
  2161. File Permissions "C:\Users\jason\AppData\Local\Programs\heedv2\resources\elevate.exe": jason [AllAccess]
  2162. File Permissions "C:\Users\jason\AppData\Local\Programs\heedv1\Uninstall heedv1.exe": jason [AllAccess]
  2163. File Permissions "C:\Users\jason\AppData\Local\Programs\heedv1\heedv1.exe": jason [AllAccess]
  2164. File Permissions "C:\Users\jason\AppData\Local\Programs\heedv1\resources\elevate.exe": jason [AllAccess]
  2165. File Permissions "C:\Users\jason\AppData\Local\Microsoft\WindowsApps\Skype.exe": jason [AllAccess]
  2166. File Permissions "C:\Users\jason\AppData\Local\Microsoft\WindowsApps\python3.exe": jason [AllAccess]
  2167. File Permissions "C:\Users\jason\AppData\Local\Microsoft\WindowsApps\python.exe": jason [AllAccess]
  2168. File Permissions "C:\Users\jason\AppData\Local\Microsoft\WindowsApps\MicrosoftEdge.exe": jason [AllAccess]
  2169. File Permissions "C:\Users\jason\AppData\Local\Microsoft\WindowsApps\GameBarElevatedFT_Alias.exe": jason [AllAccess]
  2170. File Permissions "C:\Users\jason\AppData\Local\Microsoft\WindowsApps\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\GameBarElevatedFT_Alias.exe": jason [AllAccess]
  2171. File Permissions "C:\Users\jason\AppData\Local\Microsoft\WindowsApps\Microsoft.SkypeApp_kzf8qxf38zg5c\Skype.exe": jason [AllAccess]
  2172. File Permissions "C:\Users\jason\AppData\Local\Microsoft\WindowsApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe": jason [AllAccess]
  2173. File Permissions "C:\Users\jason\AppData\Local\Microsoft\WindowsApps\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\python3.exe": jason [AllAccess]
  2174. File Permissions "C:\Users\jason\AppData\Local\Microsoft\WindowsApps\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\python.exe": jason [AllAccess]
  2175.  
  2176. [+] Looking for Linux shells/distributions - wsl.exe, bash.exe
  2177.  
RAW Paste Data