ANSI color bit for Windows is not set. If you are executing this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
Creating Dynamic lists, this could take a while, please wait...
  - Checking if domain...
  - Getting Win32_UserAccount info...
  - Creating current user groups list...
  - Creating active users list...
  - Creating disabled users list...
  - Admin users list...
[winPEAS ASCII-art banner]
ADVISORY: winpeas should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it on your own networks and/or with the network owner's permission.
WinPEAS vBETA VERSION by carlospolop. If you find any issue, please report it at https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/issues
[+] Legend:
    Red          Indicates a special privilege over an object or something is misconfigured
    Green        Indicates that some protection is enabled or something is well configured
    Cyan         Indicates active users
    Blue         Indicates disabled users
    LightYellow  Indicates links
[?] You can find a Windows local PE Checklist here: https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation
==========================================(System Information)==========================================
[+] Basic System Information (T1082&T1124&T1012&T1497&T1212)
[?] Check if the Windows version is vulnerable to some known exploit https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#kernel-exploits
    Hostname: RetroWeb
    ProductName: Windows Server 2016 Standard
    EditionID: ServerStandard
    ReleaseId: 1607
    BuildBranch: rs1_release
    CurrentMajorVersionNumber: 10
    CurrentVersion: 6.3
    Architecture: AMD64
    ProcessorCount: 1
    SystemLang: en-US
    KeyboardLang: English (United States)
    TimeZone: (UTC-08:00) Pacific Time (US & Canada)
    IsVirtualMachine: False
    Current Time: 6/16/2020 2:36:44 AM
    HighIntegrity: False
    PartOfDomain: False
    Hotfixes: KB3192137,
[?] Windows vulns search powered by Watson (https://github.com/rasta-mouse/Watson)
    OS Build Number: 14393
    [!] CVE-2019-0836 : VULNERABLE
        [>] https://exploit-db.com/exploits/46718
        [>] https://decoder.cloud/2019/04/29/combinig-luafv-postluafvpostreadwrite-race-condition-pe-with-diaghub-collector-exploit-from-standard-user-to-system/
    [!] CVE-2019-0841 : VULNERABLE
        [>] https://github.com/rogue-kdc/CVE-2019-0841
        [>] https://rastamouse.me/tags/cve-2019-0841/
    [!] CVE-2019-1064 : VULNERABLE
        [>] https://www.rythmstick.net/posts/cve-2019-1064/
    [!] CVE-2019-1130 : VULNERABLE
        [>] https://github.com/S3cur3Th1sSh1t/SharpByeBear
    [!] CVE-2019-1253 : VULNERABLE
        [>] https://github.com/padovah4ck/CVE-2019-1253
    [!] CVE-2019-1315 : VULNERABLE
        [>] https://offsec.almond.consulting/windows-error-reporting-arbitrary-file-move-eop.html
    [!] CVE-2019-1385 : VULNERABLE
        [>] https://www.youtube.com/watch?v=K6gHnr-VkAg
    [!] CVE-2019-1388 : VULNERABLE
        [>] https://github.com/jas502n/CVE-2019-1388
    [!] CVE-2019-1405 : VULNERABLE
        [>] https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/
    Finished. Found 9 potential vulnerabilities.
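Watson derives the nine verdicts above from the major build number (14393) and the list of installed KBs, and the hotfix list winPEAS shows holds a single 2016 package. Before spending time on any of those exploits, confirm the real patch level: the UBR (Update Build Revision) value in the registry is bumped by every cumulative update and is more reliable than Win32_QuickFixEngineering, which omits packages not installed through CBS. The following is an added example written for this page, not winPEAS or Watson code; it assumes nothing beyond a normal PowerShell session on the target (the key is world-readable).

```powershell
# Added example (not winPEAS/Watson code): reconcile Watson's build number with the
# UBR patch level and the hotfix install dates. Runs as any user, no admin required.

function Get-PatchLevel {
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # UBR is the fourth build component (e.g. 14393.xxxx). CurrentBuild stays 14393
    # for the life of Server 2016, so UBR is what tells you how far behind the host is.
    $ubr = if ($null -ne $cv.UBR) { [int]$cv.UBR } else { 0 }
    # Win32_QuickFixEngineering (Get-HotFix) lists only CBS-serviced packages; a short
    # list is a hint, not proof. Wrapped in @() so a single result still behaves as an array.
    $hotfixes = @(Get-HotFix | Sort-Object InstalledOn)
    $last = ($hotfixes | Where-Object { $_.InstalledOn } | Select-Object -Last 1).InstalledOn
    [pscustomobject]@{
        ProductName    = $cv.ProductName
        ReleaseId      = $cv.ReleaseId
        FullBuild      = '{0}.{1}' -f $cv.CurrentBuild, $ubr
        HotfixIDs      = ($hotfixes.HotFixID -join ', ')
        LastHotfixDate = $last
        DaysSincePatch = if ($last) { [int]((Get-Date) - $last).TotalDays } else { $null }
    }
}

Get-PatchLevel | Format-List
```

Read FullBuild against Microsoft's release history for build 14393: all of the CVE-2019-* fixes listed above shipped as 14393 cumulative updates during 2019, so a UBR from a later month means the corresponding "VULNERABLE" line is a false positive regardless of what the KB list says. Conversely, a UBR from 2016 together with the lone KB3192137 is consistent with an unpatched host.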
[+] PowerShell Settings
    PowerShell v2 Version: 2.0
    PowerShell v5 Version: 5.1.14393.0
    Transcription Settings:
    Module Logging Settings:
    Scriptblock Logging Settings:
[+] Audit Settings (T1012)
[?] Check what is being logged
    Not Found
[+] WEF Settings (T1012)
[?] Windows Event Forwarding: it is interesting to know where the logs are sent
    Not Found
[+] LAPS Settings (T1012)
[?] If installed, the local administrator password is changed frequently and access to it is restricted by ACL
    LAPS Enabled: LAPS not installed
[+] Wdigest
[?] If enabled, plain-text creds could be stored in LSASS https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#wdigest
    Wdigest is not enabled
[+] LSA Protection
[?] If enabled, a driver is needed to read LSASS memory (If Secure Boot or UEFI, RunAsPPL cannot be disabled by deleting the registry key) https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#lsa-protection
    LSA Protection is not enabled
[+] Credentials Guard
[?] If enabled, domain credentials are isolated by virtualization-based security (LSAIso) and cannot be recovered from LSASS memory even with a kernel driver https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#credential-guard
    CredentialGuard is not enabled
[+] Cached Creds
[?] If > 0, domain credentials will be cached in the registry and accessible by the SYSTEM user https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#cached-credentials
    cachedlogonscount is 10
[+] User Environment Variables
[?] Check for some passwords or keys in the env variables
    COMPUTERNAME: RETROWEB
    USERPROFILE: C:\Users\Wade
    HOMEPATH: \Users\Wade
    LOCALAPPDATA: C:\Users\Wade\AppData\Local
    PSModulePath: C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
    PROCESSOR_ARCHITECTURE: AMD64
    Path: C:\Program Files (x86)\PHP\v7.1;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft\Web Platform Installer\;C:\Users\Administrator\AppData\Local\Microsoft\WindowsApps;;C:\Program Files\MySQL\MySQL Server 5.1\bin;C:\Users\Wade\AppData\Local\Microsoft\WindowsApps;
    CommonProgramFiles(x86): C:\Program Files (x86)\Common Files
    ProgramFiles(x86): C:\Program Files (x86)
    PROCESSOR_LEVEL: 6
    LOGONSERVER: \\RETROWEB
    PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
    HOMEDRIVE: C:
    SystemRoot: C:\Windows
    SESSIONNAME: RDP-Tcp#21
    ALLUSERSPROFILE: C:\ProgramData
    PUBLIC: C:\Users\Public
    APPDATA: C:\Users\Wade\AppData\Roaming
    PROCESSOR_REVISION: 3f02
    USERNAME: Wade
    CommonProgramW6432: C:\Program Files\Common Files
    CommonProgramFiles: C:\Program Files\Common Files
    CLIENTNAME: illusive
    OS: Windows_NT
    USERDOMAIN_ROAMINGPROFILE: RETROWEB
    PROCESSOR_IDENTIFIER: Intel64 Family 6 Model 63 Stepping 2, GenuineIntel
    ComSpec: C:\Windows\system32\cmd.exe
    PROMPT: $P$G
    SystemDrive: C:
    TEMP: C:\Users\Wade\AppData\Local\Temp\2
    ProgramFiles: C:\Program Files
    NUMBER_OF_PROCESSORS: 1
    TMP: C:\Users\Wade\AppData\Local\Temp\2
    ProgramData: C:\ProgramData
    ProgramW6432: C:\Program Files
    windir: C:\Windows
    USERDOMAIN: RETROWEB
[+] System Environment Variables
[?] Check for some passwords or keys in the env variables
    ComSpec: C:\Windows\system32\cmd.exe
    OS: Windows_NT
    Path: C:\Program Files (x86)\PHP\v7.1;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft\Web Platform Installer\;C:\Users\Administrator\AppData\Local\Microsoft\WindowsApps;;C:\Program Files\MySQL\MySQL Server 5.1\bin
    PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
    PROCESSOR_ARCHITECTURE: AMD64
    PSModulePath: C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
    TEMP: C:\Windows\TEMP
    TMP: C:\Windows\TEMP
    USERNAME: SYSTEM
    windir: C:\Windows
    NUMBER_OF_PROCESSORS: 1
    PROCESSOR_LEVEL: 6
    PROCESSOR_IDENTIFIER: Intel64 Family 6 Model 63 Stepping 2, GenuineIntel
    PROCESSOR_REVISION: 3f02
[+] HKCU Internet Settings (T1012)
    DisableCachingOfSSLPages: 0
    IE5_UA_Backup_Flag: 5.0
    PrivacyAdvanced: 1
    SecureProtocols: 2688
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    CertificateRevocation: 1
    ZonesSecurityUpgrade: System.Byte[]
    WarnonZoneCrossing: 0
    EnableNegotiate: 1
    MigrateProxy: 1
    ProxyEnable: 0
    SyncMode5: 0
[+] HKLM Internet Settings (T1012)
    ActiveXCache: C:\Windows\Downloaded Program Files
    CodeBaseSearchPath: CODEBASE
    EnablePunycode: 1
    MinorVersion: 0
    WarnOnIntranet: 1
[+] Drives Information (T1120)
[?] Remember that you should search for more info inside the other drives
    C:\ (Type: Fixed)(Filesystem: NTFS)(Available space: 29 GB)(Permissions: Users [AppendData/CreateDirectories])
[+] AV Information (T1063)
    [X] Exception: Invalid class
    No AV was detected!!
    Not Found
[+] UAC Status (T1012)
[?] If you are in the Administrators group check how to bypass the UAC https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
    ConsentPromptBehaviorAdmin: 5 - PromptForNonWindowsBinaries
    EnableLUA: 1
    LocalAccountTokenFilterPolicy:
    FilterAdministratorToken: 0
    [*] LocalAccountTokenFilterPolicy set to 0 and FilterAdministratorToken != 1.
    [-] Only the RID-500 local admin account can be used for lateral movement.
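The two-line verdict above compresses three registry values into one statement about remote token filtering: with UAC on, a local Administrators member who authenticates over SMB, WMI or WinRM receives a filtered (medium-integrity) token unless LocalAccountTokenFilterPolicy is 1, and the built-in RID-500 Administrator is the exception unless FilterAdministratorToken is 1. The example below is added for this page (not winPEAS code) and reproduces that reasoning, including the Windows defaults winPEAS applies when a value is absent, as it is for LocalAccountTokenFilterPolicy here. It assumes only a PowerShell session on the target; the policy key is readable by any user.

```powershell
# Added example (not winPEAS code): decode the UAC / remote token-filtering posture.
# Missing values fall back to the Windows defaults (EnableLUA=1, Consent=5, LATFP=0, FAT=0).

function Get-UacPosture {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    $enableLua = if ($null -ne $p.EnableLUA) { [int]$p.EnableLUA } else { 1 }
    $consent   = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $latfp     = if ($null -ne $p.LocalAccountTokenFilterPolicy) { [int]$p.LocalAccountTokenFilterPolicy } else { 0 }
    $fat       = if ($null -ne $p.FilterAdministratorToken) { [int]$p.FilterAdministratorToken } else { 0 }

    $consentText = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries'
    }[$consent]

    # Which local admin accounts get a full (unfiltered) token over the network?
    $remoteFullToken =
        if ($enableLua -eq 0) { 'All local Administrators members (UAC disabled, no token filtering)' }
        elseif ($latfp -eq 1)  { 'All local Administrators members (LocalAccountTokenFilterPolicy=1)' }
        elseif ($fat -eq 1)    { 'None: RID-500 is filtered too (FilterAdministratorToken=1)' }
        else                   { 'Only the built-in RID-500 Administrator (Windows default)' }

    [pscustomobject]@{
        EnableLUA                     = $enableLua
        ConsentPromptBehaviorAdmin    = "$consent ($consentText)"
        LocalAccountTokenFilterPolicy = $latfp
        FilterAdministratorToken      = $fat
        RemoteFullAdminToken          = $remoteFullToken
        # A UAC bypass only matters for an interactive admin whose token is being filtered.
        UacBypassRelevant             = ($enableLua -eq 1 -and $consent -ne 0)
    }
}

Get-UacPosture | Format-List
```

On this host the function would report the default posture: SMB (445) and WinRM (5985) are both listening, so if the RID-500 Administrator password were recovered it could be used remotely with a full token, whereas any other local admin would land in a filtered session.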
===========================================(Users Information)===========================================
[+] Users (T1087&T1069&T1033)
[?] Check if you have some admin equivalent privileges https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#users-and-groups
    Current user: Wade
    Current groups: Domain Users, Everyone, Builtin\Remote Desktop Users, Users, Remote Interactive Logon, Interactive, Authenticated Users, This Organization, Local account, Local, NTLM Authentication
    =================================================================================================
    RETROWEB\Administrator: Built-in account for administering the computer/domain
        |->Groups: Administrators
        |->Password: CanChange-Expi-Req
    RETROWEB\DefaultAccount(Disabled): A user account managed by the system.
        |->Groups: System Managed Accounts Group
        |->Password: CanChange-NotExpi-NotReq
    RETROWEB\Guest(Disabled): Built-in account for guest access to the computer/domain
        |->Groups: Guests
        |->Password: NotChange-NotExpi-NotReq
    RETROWEB\Wade
        |->Groups: Remote Desktop Users,Users
        |->Password: CanChange-NotExpi-Req
[+] Current Token privileges (T1134)
[?] Check if you can escalate privilege using some enabled token https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#token-manipulation
    SeChangeNotifyPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
    SeIncreaseWorkingSetPrivilege: DISABLED
[+] Clipboard text (T1134)
    (empty)
[+] Logged users (T1087&T1033)
    RETROWEB\Wade
[+] RDP Sessions (T1087&T1033)
    SessID  pSessionName  pUserName  pDomainName  State   SourceIP
    2       RDP-Tcp#25    Wade       RETROWEB     Active  10.8.10.136
[+] Ever logged users (T1087&T1033)
    RETROWEB\Administrator
    RETROWEB\Wade
[+] Looking for AutoLogon credentials (T1012)
    Not Found
[+] Home folders found (T1087&T1083&T1033)
    C:\Users\Administrator
    C:\Users\All Users
    C:\Users\Default : Users [AppendData/CreateDirectories WriteData/CreateFiles]
    C:\Users\Default User
    C:\Users\Public : Interactive [WriteData/CreateFiles]
    C:\Users\Wade
[+] Password Policies (T1201)
[?] Check for a possible brute-force
    Domain: Builtin
    SID: S-1-5-32
    MaxPasswordAge: 42.22:47:31.7437440
    MinPasswordAge: 00:00:00
    MinPasswordLength: 0
    PasswordHistoryLength: 0
    PasswordProperties: 0
    =================================================================================================
    Domain: RETROWEB
    SID: S-1-5-21-3990336274-2859881772-14168232
    MaxPasswordAge: 42.00:00:00
    MinPasswordAge: 00:00:00
    MinPasswordLength: 0
    PasswordHistoryLength: 0
    PasswordProperties: 0
    =================================================================================================
=======================================(Processes Information)=======================================
[+] Interesting Processes -non Microsoft- (T1010&T1057&T1007)
[?] Check for any interesting processes to memory-dump, or whether you could overwrite a running binary https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#running-processes
    taskhostw(2472)[C:\Windows\system32\taskhostw.exe] -- POwn: Wade
        Command Line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    =================================================================================================
    rdpclip(1420)[C:\Windows\System32\rdpclip.exe] -- POwn: Wade
        Command Line: rdpclip
    =================================================================================================
    dllhost(1992)[C:\Windows\system32\DllHost.exe] -- POwn: Wade
        Command Line: C:\Windows\system32\DllHost.exe /Processid:{49F6E667-6658-4BD1-9DE9-6AF87F9FAF85}
    =================================================================================================
    RuntimeBroker(868)[C:\Windows\System32\RuntimeBroker.exe] -- POwn: Wade
        Command Line: C:\Windows\System32\RuntimeBroker.exe -Embedding
    =================================================================================================
    notepad(2748)[C:\Windows\system32\NOTEPAD.EXE] -- POwn: Wade
        Command Line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Wade\Desktop\user.txt.txt
    =================================================================================================
    conhost(2252)[C:\Windows\system32\conhost.exe] -- POwn: Wade
        Command Line: \??\C:\Windows\system32\conhost.exe 0x4
    =================================================================================================
    SearchUI(4212)[C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe] -- POwn: Wade
        Command Line: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
    =================================================================================================
    ShellExperienceHost(1740)[C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe] -- POwn: Wade
        Command Line: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
    =================================================================================================
    winPEAS(1648)[C:\Users\Wade\winPEAS.exe] -- POwn: Wade -- isDotNet
        Command Line: winPEAS.exe
    =================================================================================================
    svchost(2228)[C:\Windows\system32\svchost.exe] -- POwn: Wade
        Command Line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup
    =================================================================================================
    sihost(2328)[C:\Windows\system32\sihost.exe] -- POwn: Wade
        Command Line: sihost.exe
    =================================================================================================
    explorer(680)[C:\Windows\Explorer.EXE] -- POwn: Wade
        Command Line: C:\Windows\Explorer.EXE
    =================================================================================================
    cmd(2768)[C:\Windows\system32\cmd.exe] -- POwn: Wade
        Command Line: "C:\Windows\system32\cmd.exe"
    =================================================================================================
========================================(Services Information)========================================
[+] Interesting Services -non Microsoft- (T1007)
[?] Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
    AmazonSSMAgent(Amazon SSM Agent)["C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"] - Auto - Running
        Amazon SSM Agent
    =================================================================================================
    AWSLiteAgent(Amazon Inc. - AWS Lite Guest Agent)[C:\Program Files\Amazon\XenTools\LiteAgent.exe] - Auto - Running - No quotes and Space detected
        AWS Lite Guest Agent
    =================================================================================================
    MySQL(MySQL)["C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld" --defaults-file="C:\Program Files\MySQL\MySQL Server 5.1\my.ini" MySQL] - Auto - Running
    =================================================================================================
    PsShutdownSvc(Systems Internals - PsShutdown)[C:\Windows\PSSDNSVC.EXE] - Manual - Stopped
    =================================================================================================
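"No quotes and Space detected" on AWSLiteAgent is only the first half of an unquoted-service-path finding. CreateProcess resolves an unquoted command line by trying each space-delimited prefix with .exe appended, so for C:\Program Files\Amazon\XenTools\LiteAgent.exe the single candidate is C:\Program.exe, and the finding is exploitable only if the current user can create a file in C:\ (the drive ACL earlier in this output grants Users AppendData/CreateDirectories, which allows folders but not files). The example below is added for this page, not winPEAS code; it enumerates every unquoted service path, derives the candidate paths and tests writability by actually creating and deleting a probe file rather than reading ACLs. It assumes only a PowerShell session as the low-privileged user on the target.

```powershell
# Added example (not winPEAS code): unquoted service paths -> hijack candidates -> writable?
# Run as the low-privileged user; no admin rights are needed to read Win32_Service.

function Test-DirectoryWritable([string]$Path) {
    # Create and remove a probe file: this catches inherited and deny ACEs that a cursory
    # ACL read can miss, and distinguishes CreateFiles from CreateDirectories.
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path $Path ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::Create($probe).Dispose()
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch { return $false }
}

function Get-UnquotedServicePathCandidates {
    foreach ($svc in Get-CimInstance Win32_Service) {
        $path = $svc.PathName
        if (-not $path -or $path.StartsWith('"')) { continue }          # quoted paths are safe
        # Strip arguments: keep everything up to and including the first ".exe".
        $exe = if ($path -match '^(.*?\.exe)') { $Matches[1] } else { $path }
        if ($exe -notmatch ' ') { continue }                             # no space, nothing to hijack
        $parts = $exe -split ' '
        # CreateProcess tries each prefix in turn: C:\Program.exe, C:\Program Files\X.exe, ...
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
            [pscustomobject]@{
                Service     = $svc.Name
                RunsAs      = $svc.StartName
                StartMode   = $svc.StartMode
                RealPath    = $exe
                Candidate   = $candidate
                DirWritable = Test-DirectoryWritable (Split-Path -Path $candidate -Parent)
            }
        }
    }
}

Get-UnquotedServicePathCandidates | Format-Table -AutoSize
```

A candidate is only useful when DirWritable is True and the service either restarts on boot (StartMode Auto, as here) or can be restarted by the current user; RunsAs tells you what you would gain. On this host the expected result for C:\Program.exe is DirWritable False, which is why the "Modifiable Services" checks that follow matter more than the unquoted-path flag.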
[+] Modifiable Services (T1007)
[?] Check if you can modify any service https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
    You cannot modify any service
[+] Looking if you can modify any service registry
[?] Check if you can modify the registry of a service https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services-registry-permissions
    [-] Looks like you cannot change the registry of any service...
[+] Checking write permissions in PATH folders (DLL Hijacking)
[?] Check for DLL Hijacking in PATH folders https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dll-hijacking
    C:\Program Files (x86)\PHP\v7.1
    C:\Windows\system32
    C:\Windows
    C:\Windows\System32\Wbem
    C:\Windows\System32\WindowsPowerShell\v1.0\
    C:\Program Files\Microsoft\Web Platform Installer\
    C:\Users\Administrator\AppData\Local\Microsoft\WindowsApps
    (empty PATH entry)
    C:\Program Files\MySQL\MySQL Server 5.1\bin
====================================(Applications Information)====================================
[+] Current Active Window Application (T1010&T1518)
    Command Prompt - winPEAS.exe
[+] Installed Applications --Via Program Files/Uninstall registry-- (T1083&T1012&T1010&T1518)
[?] Check if you can modify installed software https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#software
    C:\Program Files\Amazon
    C:\Program Files\Common Files
    C:\Program Files\desktop.ini
    C:\Program Files\IIS
    C:\Program Files\Internet Explorer
    C:\Program Files\Microsoft
    C:\Program Files\MySQL
    C:\Program Files\Reference Assemblies
    C:\Program Files\runphp
    C:\Program Files\Uninstall Information
    C:\Program Files\Windows Defender
    C:\Program Files\Windows Mail
    C:\Program Files\Windows Media Player
    C:\Program Files\Windows Multimedia Platform
    C:\Program Files\Windows NT
    C:\Program Files\Windows Photo Viewer
    C:\Program Files\Windows Portable Devices
    C:\Program Files\Windows Sidebar
    C:\Program Files\WindowsApps
    C:\Program Files\WindowsPowerShell
[+] Autorun Applications (T1010)
[?] Check if you can modify other users' AutoRun binaries https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#run-at-startup
    System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.
       at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
       at winPEAS.Program.<PrintInfoApplications>g__PrintAutoRuns|44_2()
[+] Scheduled Applications --Non Microsoft-- (T1010)
[?] Check if you can modify other users' scheduled binaries https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#run-at-startup
    System.IO.FileNotFoundException: Could not load file or assembly 'Microsoft.Win32.TaskScheduler, Version=2.8.16.0, Culture=neutral, PublicKeyToken=c416bc1b32d97233' or one of its dependencies. The system cannot find the file specified.
    File name: 'Microsoft.Win32.TaskScheduler, Version=2.8.16.0, Culture=neutral, PublicKeyToken=c416bc1b32d97233'
       at winPEAS.ApplicationInfo.GetScheduledAppsNoMicrosoft()
       at winPEAS.Program.<PrintInfoApplications>g__PrintScheduled|44_3()
    WRN: Assembly binding logging is turned OFF.
    To enable assembly bind failure logging, set the registry value [HKLM\Software\Microsoft\Fusion!EnableLog] (DWORD) to 1.
    Note: There is some performance penalty associated with assembly bind failure logging.
    To turn this feature off, remove the registry value [HKLM\Software\Microsoft\Fusion!EnableLog].
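Both the AutoRun and the scheduled-task checks crashed above (a dictionary lookup bug, and a missing Microsoft.Win32.TaskScheduler dependency that this beta build did not embed), so those two attack surfaces were never enumerated on this host. The example below is added for this page, not winPEAS code; it walks the Run/RunOnce keys and Startup folders, lists non-Microsoft scheduled tasks with the account they run as, and flags every binary the current user can open for writing. It assumes Windows 8/2012 or later (for the ScheduledTasks module) and a session as the low-privileged user; a non-admin only sees the tasks it has read access to, which is exactly the set that matters to it.

```powershell
# Added example (not winPEAS code): autoruns and scheduled tasks with writable target binaries.

function Test-FileWritable([string]$Path) {
    # Open for write without truncating; a failure means the binary cannot be replaced.
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Write', 'ReadWrite')
        $fs.Dispose()
        return $true
    } catch { return $false }
}

function Get-ExecutableFromCommand([string]$Command) {
    # Expand %SystemRoot%-style variables and strip arguments; handles quoted and unquoted paths.
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    if ($c -match '^(.+?\.(exe|bat|cmd|vbs|ps1|dll))(\s|$)') { return $Matches[1] }
    return ($c -split '\s+')[0]
}

function Get-AutorunEntries {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($k in $runKeys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notin $meta })) {
            $exe = Get-ExecutableFromCommand $p.Value
            [pscustomobject]@{ Source = $k; Name = $p.Name; Executable = $exe; Writable = Test-FileWritable $exe }
        }
    }
    # Startup folders: anything dropped here runs at the next logon of that user (or every user).
    $startup = @("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                 "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp")
    foreach ($d in $startup) {
        Get-ChildItem -LiteralPath $d -File -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Source = $d; Name = $_.Name; Executable = $_.FullName; Writable = Test-FileWritable $_.FullName }
        }
    }
}

function Get-NonMicrosoftTasks {
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        $task = $_
        # Only exec actions have an Execute property; COM-handler actions are skipped.
        foreach ($a in ($task.Actions | Where-Object { $_.Execute })) {
            $exe = Get-ExecutableFromCommand $a.Execute
            [pscustomobject]@{
                Task       = "$($task.TaskPath)$($task.TaskName)"
                RunsAs     = $task.Principal.UserId
                State      = $task.State
                Executable = $exe
                Writable   = Test-FileWritable $exe
            }
        }
    }
}

Get-AutorunEntries   | Format-Table -AutoSize
Get-NonMicrosoftTasks | Format-Table -AutoSize
```

A Writable entry under HKCU or the per-user Startup folder is persistence, not escalation; the ones worth acting on are HKLM autoruns and tasks whose RunsAs is SYSTEM or an administrator, which execute the replaced binary at the next boot, logon or trigger.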
=========================================(Network Information)=========================================
[+] Network Shares (T1135)
    ADMIN$ (Path: C:\Windows)
    C$ (Path: C:\)
    IPC$ (Path: )
[+] Host File (T1016)
[+] Network Ifaces and known hosts (T1016)
[?] The masks are only for the IPv4 addresses
    [X] Exception: The requested protocol has not been configured into the system, or no implementation for it exists
    Ethernet[02:E5:9E:80:97:E0]: 10.10.72.132, fe80::590b:7238:4f20:749a%6 / 255.255.0.0
        Gateways: 10.10.0.1
        DNSs: 10.0.0.2
    Loopback Pseudo-Interface 1[]: 127.0.0.1, ::1 / 255.0.0.0
        DNSs: fec0:0:0:ffff::1%1, fec0:0:0:ffff::2%1, fec0:0:0:ffff::3%1
[+] Current Listening Ports (T1049)
[?] Check for services restricted from the outside
    Proto  Local Address                          Foreign Address  State
    TCP    0.0.0.0:80                                              Listening
    TCP    0.0.0.0:135                                             Listening
    TCP    0.0.0.0:445                                             Listening
    TCP    0.0.0.0:3306                                            Listening
    TCP    0.0.0.0:3389                                            Listening
    TCP    0.0.0.0:5985                                            Listening
    TCP    0.0.0.0:47001                                           Listening
    TCP    0.0.0.0:49664                                           Listening
    TCP    0.0.0.0:49665                                           Listening
    TCP    0.0.0.0:49666                                           Listening
    TCP    0.0.0.0:49668                                           Listening
    TCP    0.0.0.0:49669                                           Listening
    TCP    0.0.0.0:49670                                           Listening
    TCP    10.10.72.132:139                                        Listening
    TCP    [::]:80                                                 Listening
    TCP    [::]:135                                                Listening
    TCP    [::]:445                                                Listening
    TCP    [::]:3389                                               Listening
    TCP    [::]:5985                                               Listening
    TCP    [::]:47001                                              Listening
    TCP    [::]:49664                                              Listening
    TCP    [::]:49665                                              Listening
    TCP    [::]:49666                                              Listening
    TCP    [::]:49668                                              Listening
    TCP    [::]:49669                                              Listening
    TCP    [::]:49670                                              Listening
    UDP    0.0.0.0:123                                             Listening
    UDP    0.0.0.0:500                                             Listening
    UDP    0.0.0.0:3389                                            Listening
    UDP    0.0.0.0:4500                                            Listening
    UDP    0.0.0.0:5050                                            Listening
    UDP    0.0.0.0:5353                                            Listening
    UDP    0.0.0.0:5355                                            Listening
    UDP    10.10.72.132:137                                        Listening
    UDP    10.10.72.132:138                                        Listening
    UDP    10.10.72.132:1900                                       Listening
    UDP    10.10.72.132:54146                                      Listening
    UDP    127.0.0.1:1900                                          Listening
    UDP    127.0.0.1:54147                                         Listening
    UDP    [::]:123                                                Listening
    UDP    [::]:500                                                Listening
    UDP    [::1]:1900                                              Listening
    UDP    [::1]:54145                                             Listening
    UDP    [fe80::590b:7238:4f20:749a%6]:1900                      Listening
    UDP    [fe80::590b:7238:4f20:749a%6]:54144                     Listening
[+] Firewall Rules (T1016)
[?] Showing only DENY rules (there are always too many ALLOW rules)
    Current Profiles: PUBLIC
    FirewallEnabled (Domain): True
    FirewallEnabled (Private): True
    FirewallEnabled (Public): True
    DENY rules:
[+] DNS cached --limit 70-- (T1016)
    Entry                              Name                                 Data
    ctldl.windowsupdate.com            ctldl.windowsupdate.com              ...download.windowsupdate.nsatc.net
    ctldl.windowsupdate.com            ...download.windowsupdate.nsatc.net  ...load.windowsupdate.com.hwcdn.net
    ctldl.windowsupdate.com            ...load.windowsupdate.com.hwcdn.net  cds.d2s7q6s2.hwcdn.net
    ctldl.windowsupdate.com            cds.d2s7q6s2.hwcdn.net               205.185.216.42
    ctldl.windowsupdate.com            cds.d2s7q6s2.hwcdn.net               205.185.216.10
    isatap.eu-west-1.compute.internal
    wpad
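The listener table shows HTTP (80), MySQL (3306), RDP (3389), WinRM (5985) and SMB (445) bound to all interfaces, and the firewall section says only that there are no DENY rules on a host sitting in the Public profile. What a practitioner actually needs is the join: which process owns each socket, and which enabled inbound ALLOW rule (if any) exposes it, so that 3306 listening on 0.0.0.0 can be told apart from 3306 reachable from the network. The example below is added for this page, not winPEAS code; it assumes Windows 8/2012 or later (NetTCPIP and NetSecurity modules) and needs no admin rights to read rules. Fetching the port filter for every rule takes some seconds on a host with a few hundred rules.

```powershell
# Added example (not winPEAS code): non-loopback TCP listeners joined to owning process and
# to the enabled inbound ALLOW rules whose port filter covers them.

function Test-PortInFilter([int]$Port, $FilterPorts) {
    # A port filter's LocalPort is 'Any', a number, a range 'a-b', or a keyword such as
    # 'RPC'/'RPC-EPMap' that Windows resolves dynamically; keywords are not matched numerically.
    foreach ($p in @($FilterPorts)) {
        if ("$p" -eq 'Any') { return $true }
        if ("$p" -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ("$p" -match '^\d+$' -and [int]$p -eq $Port) { return $true }
    }
    return $false
}

function Get-ExposedListeners {
    # Collect enabled inbound allow rules once, with protocol and port filter, and remember
    # the profile so rules that do not apply to the active profile can be discounted.
    $allow = foreach ($r in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
        $f = $r | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule      = $r.DisplayName
            Profile   = "$($r.Profile)"
            Protocol  = "$($f.Protocol)"
            LocalPort = $f.LocalPort
        }
    }

    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' } |
        Sort-Object LocalPort -Unique |
        ForEach-Object {
            $port = $_.LocalPort
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $rules = $allow | Where-Object { $_.Protocol -in 'TCP', 'Any' -and (Test-PortInFilter $port $_.LocalPort) }
            [pscustomobject]@{
                Port       = $port
                Process    = if ($proc) { $proc.ProcessName } else { "pid $($_.OwningProcess)" }
                AllowRules = (($rules | ForEach-Object { "$($_.Rule) [$($_.Profile)]" } | Select-Object -Unique) -join '; ')
            }
        }
}

Get-ExposedListeners | Format-Table -Wrap -AutoSize
```

With the host on the Public profile, only rules tagged Public or Any in the AllowRules column are effective; a listener with an empty AllowRules column is blocked by the default inbound deny even though it binds 0.0.0.0, and a listener matched only by an 'Any'-port application rule is exposed through that program rather than a port-specific rule.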
=========================================(Windows Credentials)=========================================
[+] Checking Windows Vault
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-manager-windows-vault
    Not Found
[+] Checking Credential manager
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-manager-windows-vault
    This function is not yet implemented.
    [i] If you want to list credentials inside Credential Manager use 'cmdkey /list'
[+] Saved RDP connections
    Not Found
[+] Recently run commands
    Not Found
[+] PS default transcripts history
    [i] Read the PS history inside these files (if any)
[+] Checking for DPAPI Master Keys
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi
    MasterKey: C:\Users\Wade\AppData\Roaming\Microsoft\Protect\S-1-5-21-3990336274-2859881772-14168232-1000\2f832476-be18-4d7a-b68c-ee13c54ce5d4
    Accessed: 12/8/2019 4:33:49 PM
    Modified: 12/8/2019 4:33:49 PM
    =================================================================================================
    MasterKey: C:\Users\Wade\AppData\Roaming\Microsoft\Protect\S-1-5-21-3990336274-2859881772-14168232-1000\575fc23d-2de5-4181-a94e-d3661656aa5c
    Accessed: 4/23/2020 10:25:20 AM
    Modified: 4/23/2020 10:25:20 AM
    =================================================================================================
[+] Checking for Credential Files
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi
    CredFile: C:\Users\Wade\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D
    Description: Local Credential Data