Untitled
a guest
Jun 16th, 2020
ANSI color bit for Windows is not set. If you are execcuting this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
Creating Dynamic lists, this could take a while, please wait...
- Checking if domain...
- Getting Win32_UserAccount info...
- Creating current user groups list...
- Creating active users list...
- Creating disabled users list...
- Admin users list...

*((,.,/((((((((((((((((((((/, */
,/*,..*((((((((((((((((((((((((((((((((((,
,*/((((((((((((((((((/, .*//((//**, .*(((((((*
((((((((((((((((**********/########## .(* ,(((((((
(((((((((((/********************/####### .(. (((((((
((((((..******************/@@@@@/***/###### ./(((((((
,,....********************@@@@@@@@@@(***,#### .//((((((
, ,..********************/@@@@@%@@@@/********##((/ /((((
..((###########*********/%@@@@@@@@@/************,,..((((
.(##################(/******/@@@@@/***************.. /((
.(#########################(/**********************..*((
.(##############################(/*****************.,(((
.(###################################(/************..(((
.(#######################################(*********..(((
.(#######(,.***.,(###################(..***.*******..(((
.(#######*(#####((##################((######/(*****..(((
.(###################(/***********(##############(...(((
.((#####################/*******(################.((((((
.(((############################################(..((((
..(((##########################################(..(((((
....((########################################( .(((((
......((####################################( .((((((
(((((((((#################################(../((((((
(((((((((/##########################(/..((((((
(((((((((/,. ,*//////*,. ./(((((((((((((((.
(((((((((((((((((((((((((((((/

ADVISORY: winpeas should be used for authorized penetration testing and/or educational purposes only.Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.

WinPEAS vBETA VERSION, Please if you find any issue let me know in https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/issues by carlospolop

[+] Leyend:
Red Indicates a special privilege over an object or something is misconfigured
Green Indicates that some protection is enabled or something is well configured
Cyan Indicates active users
Blue Indicates disabled users
LightYellow Indicates links

[?] You can find a Windows local PE Checklist here: https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation


==========================================(System Information)==========================================

[+] Basic System Information(T1082&T1124&T1012&T1497&T1212)
[?] Check if the Windows versions is vulnerable to some known exploit https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#kernel-exploits
Hostname: RetroWeb
ProductName: Windows Server 2016 Standard
EditionID: ServerStandard
ReleaseId: 1607
BuildBranch: rs1_release
CurrentMajorVersionNumber: 10
CurrentVersion: 6.3
Architecture: AMD64
ProcessorCount: 1
SystemLang: en-US
KeyboardLang: English (United States)
TimeZone: (UTC-08:00) Pacific Time (US & Canada)
IsVirtualMachine: False
Current Time: 6/16/2020 2:36:44 AM
HighIntegrity: False
PartOfDomain: False
Hotfixes: KB3192137, 

[?] Windows vulns search powered by Watson(https://github.com/rasta-mouse/Watson)
OS Build Number: 14393
[!] CVE-2019-0836 : VULNERABLE
[>] https://exploit-db.com/exploits/46718
[>] https://decoder.cloud/2019/04/29/combinig-luafv-postluafvpostreadwrite-race-condition-pe-with-diaghub-collector-exploit-from-standard-user-to-system/

[!] CVE-2019-0841 : VULNERABLE
[>] https://github.com/rogue-kdc/CVE-2019-0841
[>] https://rastamouse.me/tags/cve-2019-0841/

[!] CVE-2019-1064 : VULNERABLE
[>] https://www.rythmstick.net/posts/cve-2019-1064/

[!] CVE-2019-1130 : VULNERABLE
[>] https://github.com/S3cur3Th1sSh1t/SharpByeBear

[!] CVE-2019-1253 : VULNERABLE
[>] https://github.com/padovah4ck/CVE-2019-1253

[!] CVE-2019-1315 : VULNERABLE
[>] https://offsec.almond.consulting/windows-error-reporting-arbitrary-file-move-eop.html

[!] CVE-2019-1385 : VULNERABLE
[>] https://www.youtube.com/watch?v=K6gHnr-VkAg

[!] CVE-2019-1388 : VULNERABLE
[>] https://github.com/jas502n/CVE-2019-1388

[!] CVE-2019-1405 : VULNERABLE
[>] https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/

Finished. Found 9 potential vulnerabilities.

[+] PowerShell Settings()
PowerShell v2 Version: 2.0
PowerShell v5 Version: 5.1.14393.0
Transcription Settings: 
Module Logging Settings: 
Scriptblock Logging Settings: 

[+] Audit Settings(T1012)
[?] Check what is being logged 
Not Found

[+] WEF Settings(T1012)
[?] Windows Event Forwarding, is interesting to know were are sent the logs 
Not Found

[+] LAPS Settings(T1012)
[?] If installed, local administrator password is changed frequently and is restricted by ACL 
LAPS Enabled: LAPS not installed

[+] Wdigest()
[?] If enabled, plain-text crds could be stored in LSASS https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#wdigest
Wdigest is not enabled

[+] LSA Protection()
[?] If enabled, a driver is needed to read LSASS memory (If Secure Boot or UEFI, RunAsPPL cannot be disabled by deleting the registry key) https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#lsa-protection
LSA Protection is not enabled

[+] Credentials Guard()
[?] If enabled, a driver is needed to read LSASS memory https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#credential-guard
CredentialGuard is not enabled

[+] Cached Creds()
[?] If > 0, credentials will be cached in the registry and accessible by SYSTEM user https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#cached-credentials
cachedlogonscount is 10

[+] User Environment Variables()
[?] Check for some passwords or keys in the env variables 
COMPUTERNAME: RETROWEB
USERPROFILE: C:\Users\Wade
HOMEPATH: \Users\Wade
LOCALAPPDATA: C:\Users\Wade\AppData\Local
PSModulePath: C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
PROCESSOR_ARCHITECTURE: AMD64
Path: C:\Program Files (x86)\PHP\v7.1;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft\Web Platform Installer\;C:\Users\Administrator\AppData\Local\Microsoft\WindowsApps;;C:\Program Files\MySQL\MySQL Server 5.1\bin;C:\Users\Wade\AppData\Local\Microsoft\WindowsApps;
CommonProgramFiles(x86): C:\Program Files (x86)\Common Files
ProgramFiles(x86): C:\Program Files (x86)
PROCESSOR_LEVEL: 6
LOGONSERVER: \\RETROWEB
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
HOMEDRIVE: C:
SystemRoot: C:\Windows
SESSIONNAME: RDP-Tcp#21
ALLUSERSPROFILE: C:\ProgramData
PUBLIC: C:\Users\Public
APPDATA: C:\Users\Wade\AppData\Roaming
PROCESSOR_REVISION: 3f02
USERNAME: Wade
CommonProgramW6432: C:\Program Files\Common Files
CommonProgramFiles: C:\Program Files\Common Files
CLIENTNAME: illusive
OS: Windows_NT
USERDOMAIN_ROAMINGPROFILE: RETROWEB
PROCESSOR_IDENTIFIER: Intel64 Family 6 Model 63 Stepping 2, GenuineIntel
ComSpec: C:\Windows\system32\cmd.exe
PROMPT: $P$G
SystemDrive: C:
TEMP: C:\Users\Wade\AppData\Local\Temp\2
ProgramFiles: C:\Program Files
NUMBER_OF_PROCESSORS: 1
TMP: C:\Users\Wade\AppData\Local\Temp\2
ProgramData: C:\ProgramData
ProgramW6432: C:\Program Files
windir: C:\Windows
USERDOMAIN: RETROWEB

[+] System Environment Variables()
[?] Check for some passwords or keys in the env variables 
ComSpec: C:\Windows\system32\cmd.exe
OS: Windows_NT
Path: C:\Program Files (x86)\PHP\v7.1;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft\Web Platform Installer\;C:\Users\Administrator\AppData\Local\Microsoft\WindowsApps;;C:\Program Files\MySQL\MySQL Server 5.1\bin
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE: AMD64
PSModulePath: C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
TEMP: C:\Windows\TEMP
TMP: C:\Windows\TEMP
USERNAME: SYSTEM
windir: C:\Windows
NUMBER_OF_PROCESSORS: 1
PROCESSOR_LEVEL: 6
PROCESSOR_IDENTIFIER: Intel64 Family 6 Model 63 Stepping 2, GenuineIntel
PROCESSOR_REVISION: 3f02

[+] HKCU Internet Settings(T1012)
DisableCachingOfSSLPages: 0
IE5_UA_Backup_Flag: 5.0
PrivacyAdvanced: 1
SecureProtocols: 2688
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
CertificateRevocation: 1
ZonesSecurityUpgrade: System.Byte[]
WarnonZoneCrossing: 0
EnableNegotiate: 1
MigrateProxy: 1
ProxyEnable: 0
SyncMode5: 0

[+] HKLM Internet Settings(T1012)
ActiveXCache: C:\Windows\Downloaded Program Files
CodeBaseSearchPath: CODEBASE
EnablePunycode: 1
MinorVersion: 0
WarnOnIntranet: 1

[+] Drives Information(T1120)
[?] Remember that you should search more info inside the other drives 
C:\ (Type: Fixed)(Filesystem: NTFS)(Available space: 29 GB)(Permissions: Users [AppendData/CreateDirectories])

[+] AV Information(T1063)
[X] Exception: Invalid class 
No AV was detected!!
Not Found

[+] UAC Status(T1012)
[?] If you are in the Administrators group check how to bypass the UAC https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
ConsentPromptBehaviorAdmin: 5 - PromptForNonWindowsBinaries
EnableLUA: 1
LocalAccountTokenFilterPolicy: 
FilterAdministratorToken: 0
[*] LocalAccountTokenFilterPolicy set to 0 and FilterAdministratorToken != 1.
[-] Only the RID-500 local admin account can be used for lateral movement.


===========================================(Users Information)===========================================

[+] Users(T1087&T1069&T1033)
[?] Check if you have some admin equivalent privileges https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#users-and-groups
Current user: Wade
Current groups: Domain Users, Everyone, Builtin\Remote Desktop Users, Users, Remote Interactive Logon, Interactive, Authenticated Users, This Organization, Local account, Local, NTLM Authentication
=================================================================================================

RETROWEB\Administrator: Built-in account for administering the computer/domain
|->Groups: Administrators
|->Password: CanChange-Expi-Req

RETROWEB\DefaultAccount(Disabled): A user account managed by the system.
|->Groups: System Managed Accounts Group
|->Password: CanChange-NotExpi-NotReq

RETROWEB\Guest(Disabled): Built-in account for guest access to the computer/domain
|->Groups: Guests
|->Password: NotChange-NotExpi-NotReq

RETROWEB\Wade
|->Groups: Remote Desktop Users,Users
|->Password: CanChange-NotExpi-Req


[+] Current Token privileges(T1134)
[?] Check if you can escalate privilege using some enabled token https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#token-manipulation
SeChangeNotifyPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
SeIncreaseWorkingSetPrivilege: DISABLED

[+] Clipboard text(T1134)


[+] Logged users(T1087&T1033)
RETROWEB\Wade

[+] RDP Sessions(T1087&T1033)
SessID pSessionName pUserName pDomainName State SourceIP
2 RDP-Tcp#25 Wade RETROWEB Active 10.8.10.136

[+] Ever logged users(T1087&T1033)
RETROWEB\Administrator
RETROWEB\Wade

[+] Looking for AutoLogon credentials(T1012)
Not Found

[+] Home folders found(T1087&T1083&T1033)
C:\Users\Administrator
C:\Users\All Users
C:\Users\Default : Users [AppendData/CreateDirectories WriteData/CreateFiles]10.10.212.180
C:\Users\Default User
C:\Users\Public : Interactive [WriteData/CreateFiles]
C:\Users\Wade

[+] Password Policies(T1201)
[?] Check for a possible brute-force 
Domain: Builtin
SID: S-1-5-32
MaxPasswordAge: 42.22:47:31.7437440
MinPasswordAge: 00:00:00
MinPasswordLength: 0
PasswordHistoryLength: 0
PasswordProperties: 0
=================================================================================================

Domain: RETROWEB
SID: S-1-5-21-3990336274-2859881772-14168232
MaxPasswordAge: 42.00:00:00
MinPasswordAge: 00:00:00
MinPasswordLength: 0
PasswordHistoryLength: 0
PasswordProperties: 0
=================================================================================================



=======================================(Processes Information)=======================================

[+] Interesting Processes -non Microsoft-(T1010&T1057&T1007)
[?] Check if any interesting proccesses for memmory dump or if you could overwrite some binary running https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#running-processes
taskhostw(2472)[C:\Windows\system32\taskhostw.exe] -- POwn: Wade
Command Line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
=================================================================================================

rdpclip(1420)[C:\Windows\System32\rdpclip.exe] -- POwn: Wade
Command Line: rdpclip
=================================================================================================

dllhost(1992)[C:\Windows\system32\DllHost.exe] -- POwn: Wade
Command Line: C:\Windows\system32\DllHost.exe /Processid:{49F6E667-6658-4BD1-9DE9-6AF87F9FAF85}
=================================================================================================

RuntimeBroker(868)[C:\Windows\System32\RuntimeBroker.exe] -- POwn: Wade
Command Line: C:\Windows\System32\RuntimeBroker.exe -Embedding
=================================================================================================

notepad(2748)[C:\Windows\system32\NOTEPAD.EXE] -- POwn: Wade
Command Line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Wade\Desktop\user.txt.txt
=================================================================================================

conhost(2252)[C:\Windows\system32\conhost.exe] -- POwn: Wade
Command Line: \??\C:\Windows\system32\conhost.exe 0x4
=================================================================================================

SearchUI(4212)[C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe] -- POwn: Wade
Command Line: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
=================================================================================================

ShellExperienceHost(1740)[C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe] -- POwn: Wade
Command Line: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
=================================================================================================

winPEAS(1648)[C:\Users\Wade\winPEAS.exe] -- POwn: Wade -- isDotNet
Command Line: winPEAS.exe
=================================================================================================

svchost(2228)[C:\Windows\system32\svchost.exe] -- POwn: Wade
Command Line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup
=================================================================================================

sihost(2328)[C:\Windows\system32\sihost.exe] -- POwn: Wade
Command Line: sihost.exe
=================================================================================================

explorer(680)[C:\Windows\Explorer.EXE] -- POwn: Wade
Command Line: C:\Windows\Explorer.EXE
=================================================================================================

cmd(2768)[C:\Windows\system32\cmd.exe] -- POwn: Wade
Command Line: "C:\Windows\system32\cmd.exe"
=================================================================================================



========================================(Services Information)========================================

[+] Interesting Services -non Microsoft-(T1007)
[?] Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
AmazonSSMAgent(Amazon SSM Agent)["C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"] - Auto - Running
Amazon SSM Agent
=================================================================================================

AWSLiteAgent(Amazon Inc. - AWS Lite Guest Agent)[C:\Program Files\Amazon\XenTools\LiteAgent.exe] - Auto - Running - No quotes and Space detected
AWS Lite Guest Agent
=================================================================================================

MySQL(MySQL)["C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld" --defaults-file="C:\Program Files\MySQL\MySQL Server 5.1\my.ini" MySQL] - Auto - Running
=================================================================================================

PsShutdownSvc(Systems Internals - PsShutdown)[C:\Windows\PSSDNSVC.EXE] - Manual - Stopped
=================================================================================================


[+] Modifiable Services(T1007)
[?] Check if you can modify any service https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
You cannot modify any service

[+] Looking if you can modify any service registry()
[?] Check if you can modify the registry of a service https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services-registry-permissions
[-] Looks like you cannot change the registry of any service...

[+] Checking write permissions in PATH folders (DLL Hijacking)()
[?] Check for DLL Hijacking in PATH folders https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dll-hijacking
C:\Program Files (x86)\PHP\v7.1
C:\Windows\system32
C:\Windows
C:\Windows\System32\Wbem
C:\Windows\System32\WindowsPowerShell\v1.0\
C:\Program Files\Microsoft\Web Platform Installer\
C:\Users\Administrator\AppData\Local\Microsoft\WindowsApps

C:\Program Files\MySQL\MySQL Server 5.1\bin


====================================(Applications Information)====================================

[+] Current Active Window Application(T1010&T1518)
Command Prompt - winPEAS.exe 

[+] Installed Applications --Via Program Files/Uninstall registry--(T1083&T1012&T1010&T1518)
[?] Check if you can modify installed software https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#software
C:\Program Files\Amazon
C:\Program Files\Common Files
C:\Program Files\desktop.ini
C:\Program Files\IIS
C:\Program Files\Internet Explorer
C:\Program Files\Microsoft
C:\Program Files\MySQL
C:\Program Files\Reference Assemblies
C:\Program Files\runphp
C:\Program Files\Uninstall Information
C:\Program Files\Windows Defender
C:\Program Files\Windows Mail
C:\Program Files\Windows Media Player
C:\Program Files\Windows Multimedia Platform
C:\Program Files\Windows NT
C:\Program Files\Windows Photo Viewer
C:\Program Files\Windows Portable Devices
C:\Program Files\Windows Sidebar
C:\Program Files\WindowsApps
C:\Program Files\WindowsPowerShell


[+] Autorun Applications(T1010)
[?] Check if you can modify other users AutoRuns binaries https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#run-at-startup
System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.
at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
at winPEAS.Program.<PrintInfoApplications>g__PrintAutoRuns|44_2()

[+] Scheduled Applications --Non Microsoft--(T1010)
[?] Check if you can modify other users scheduled binaries https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#run-at-startup
System.IO.FileNotFoundException: Could not load file or assembly 'Microsoft.Win32.TaskScheduler, Version=2.8.16.0, Culture=neutral, PublicKeyToken=c416bc1b32d97233' or one of its dependencies. The system cannot find the file specified.
File name: 'Microsoft.Win32.TaskScheduler, Version=2.8.16.0, Culture=neutral, PublicKeyToken=c416bc1b32d97233'
at winPEAS.ApplicationInfo.GetScheduledAppsNoMicrosoft()
at winPEAS.Program.<PrintInfoApplications>g__PrintScheduled|44_3()

WRN: Assembly binding logging is turned OFF.
To enable assembly bind failure logging, set the registry value [HKLM\Software\Microsoft\Fusion!EnableLog] (DWORD) to 1.
Note: There is some performance penalty associated with assembly bind failure logging.
To turn this feature off, remove the registry value [HKLM\Software\Microsoft\Fusion!EnableLog].



=========================================(Network Information)=========================================

[+] Network Shares(T1135)
ADMIN$ (Path: C:\Windows)
C$ (Path: C:\)
IPC$ (Path: )

[+] Host File(T1016)

[+] Network Ifaces and known hosts(T1016)
[?] The masks are only for the IPv4 addresses 
[X] Exception: The requested protocol has not been configured into the system, or no implementation for it exists
Ethernet[02:E5:9E:80:97:E0]: 10.10.72.132, fe80::590b:7238:4f20:749a%6 / 255.255.0.0
Gateways: 10.10.0.1
DNSs: 10.0.0.2
Loopback Pseudo-Interface 1[]: 127.0.0.1, ::1 / 255.0.0.0
DNSs: fec0:0:0:ffff::1%1, fec0:0:0:ffff::2%1, fec0:0:0:ffff::3%1

[+] Current Listening Ports(T1049&T1049)
[?] Check for services restricted from the outside 
Proto Local Address Foreing Address State
TCP 0.0.0.0:80 Listening
TCP 0.0.0.0:135 Listening
TCP 0.0.0.0:445 Listening
TCP 0.0.0.0:3306 Listening
TCP 0.0.0.0:3389 Listening
TCP 0.0.0.0:5985 Listening
TCP 0.0.0.0:47001 Listening
TCP 0.0.0.0:49664 Listening
TCP 0.0.0.0:49665 Listening
TCP 0.0.0.0:49666 Listening
TCP 0.0.0.0:49668 Listening
TCP 0.0.0.0:49669 Listening
TCP 0.0.0.0:49670 Listening
TCP 10.10.72.132:139 Listening
TCP [::]:80 Listening
TCP [::]:135 Listening
TCP [::]:445 Listening
TCP [::]:3389 Listening
TCP [::]:5985 Listening
TCP [::]:47001 Listening
TCP [::]:49664 Listening
TCP [::]:49665 Listening
TCP [::]:49666 Listening
TCP [::]:49668 Listening
TCP [::]:49669 Listening
TCP [::]:49670 Listening
UDP 0.0.0.0:123 Listening
UDP 0.0.0.0:500 Listening
UDP 0.0.0.0:3389 Listening
UDP 0.0.0.0:4500 Listening
UDP 0.0.0.0:5050 Listening
UDP 0.0.0.0:5353 Listening
UDP 0.0.0.0:5355 Listening
UDP 10.10.72.132:137 Listening
UDP 10.10.72.132:138 Listening
UDP 10.10.72.132:1900 Listening
UDP 10.10.72.132:54146 Listening
UDP 127.0.0.1:1900 Listening
UDP 127.0.0.1:54147 Listening
UDP [::]:123 Listening
UDP [::]:500 Listening
UDP [::1]:1900 Listening
UDP [::1]:54145 Listening
UDP [fe80::590b:7238:4f20:749a%6]:1900 Listening
UDP [fe80::590b:7238:4f20:749a%6]:54144 Listening

[+] Firewall Rules(T1016)
[?] Showing only DENY rules (too many ALLOW rules always) 
Current Profiles: PUBLIC
FirewallEnabled (Domain): True
FirewallEnabled (Private): True
FirewallEnabled (Public): True
DENY rules:

[+] DNS cached --limit 70--(T1016)
Entry Name Data
ctldl.windowsupdate.com ctldl.windowsupdate.com ...download.windowsupdate.nsatc.net
ctldl.windowsupdate.com ...download.windowsupdate.nsatc.net ...load.windowsupdate.com.hwcdn.net
ctldl.windowsupdate.com ...load.windowsupdate.com.hwcdn.net cds.d2s7q6s2.hwcdn.net
ctldl.windowsupdate.com cds.d2s7q6s2.hwcdn.net 205.185.216.42
ctldl.windowsupdate.com cds.d2s7q6s2.hwcdn.net 205.185.216.10
isatap.eu-west-1.compute.internal
wpad


=========================================(Windows Credentials)=========================================

[+] Checking Windows Vault()
[?]  https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-manager-windows-vault
Not Found

[+] Checking Credential manager()
[?]  https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-manager-windows-vault
This function is not yet implemented.
[i] If you want to list credentials inside Credential Manager use 'cmdkey /list'

[+] Saved RDP connections()
Not Found

[+] Recently run commands()
Not Found

[+] PS default transcripts history()
[i] Read the PS histpry inside these files (if any)

[+] Checking for DPAPI Master Keys()
[?]  https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi
MasterKey: C:\Users\Wade\AppData\Roaming\Microsoft\Protect\S-1-5-21-3990336274-2859881772-14168232-1000\2f832476-be18-4d7a-b68c-ee13c54ce5d4
Accessed: 12/8/2019 4:33:49 PM
Modified: 12/8/2019 4:33:49 PM
=================================================================================================

MasterKey: C:\Users\Wade\AppData\Roaming\Microsoft\Protect\S-1-5-21-3990336274-2859881772-14168232-1000\575fc23d-2de5-4181-a94e-d3661656aa5c
Accessed: 4/23/2020 10:25:20 AM
Modified: 4/23/2020 10:25:20 AM
=================================================================================================


[+] Checking for Credential Files()
[?]  https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi
CredFile: C:\Users\Wade\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D
Description: Local Credential Data