refabr1k's Pentest Notebook
Basic checks / powershell

Default powershell path

Powershell default path. IMPORTANT: on a 64-bit machine, a 32-bit process (such as a 32-bit shell) that calls powershell.exe by name or via C:\Windows\System32 is redirected by WOW64 to the 32-bit PowerShell. The SysNative alias bypasses that redirection and launches the 64-bit PowerShell, so use the absolute path below; otherwise the 32-bit PowerShell is used, which causes problems when you later try to run privesc exploits in PowerShell on a 64-bit machine.

C:\Windows\SysNative\WindowsPowershell\v1.0\powershell.exe

Basic

| Syntax | Description |
| --- | --- |
| `systeminfo` | System info, OS, architecture |
| `hostname` | Hostname/computer name |
| `echo %username%` / `net user <username>` | Current user and account details |
| `whoami /priv` | User privileges |
| `net localgroup` | Groups |
| `net localgroup administrators` | Admin group users |
| `set` / `Get-ChildItem Env: | ft Key,Value` | Env variables |
| `Get-Process <process name> -FileVersionInfo` | Process |
| `Get-ChildItem -Path "C:\Users\Folder" -Recurse -File | Select-String "Password"` | Recursive search string |
| `powershell.exe -exec bypass -Command "& {command1; command2}"` | Powershell execute from cmd |
| `cmd /c "ftp -v -n -s:ftp.txt"` | FTP |

Network

| Syntax | Description |
| --- | --- |
| `ipconfig /all` | IP address |
| `route print` | Route |
| `arp -a` | ARP cache (other hosts this machine has recently communicated with) |
| `netstat -ano` | Open ports |
| `netsh firewall show state` / `netsh firewall show config` | Check Firewall |

Juicy Info

Reg query passwords in registry

# Passwords in registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password

Dir search password files

# Files without the read-only attribute (attribute filter only, not an ACL check)
dir /a-r-d /s /b

# Password files
dir /b /s unattend.xml
dir /b /s web.config
dir /b /s sysprep.inf
dir /b /s sysprep.xml
dir /b /s *pass*
dir /b /s vnc.ini
dir /s *pass* == *cred* == *vnc* == *.config*

Using 'findstr' to find files

# findstr syntax
findstr /si password *.xml *.ini *.txt

Juicy files to look for

Plaintext or base64 encoded passwords / config files

C:\sysprep.inf
C:\sysprep\sysprep.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\repair\SAM
%WINDIR%\win.ini
%SYSTEMDRIVE%\boot.ini
%WINDIR%\Panther\sysprep.inf
%WINDIR%\system32\config\AppEvent.Evt

Group Policy Preferences file with an encrypted but recoverable password. PowerSploit's Get-GPPPassword module decrypts it.

Groups.xml
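As a defender-side counterpart to the file and registry list above (an added example, not code from the original notebook): a PowerShell audit that checks the listed locations and reports where credential material still exists, without ever printing the values, so the owning team can remove it. The path list is taken from this page; the `Action` text is a constructed remediation hint.

```powershell
# Added example, not from the original notebook. Audits the leftover
# deployment files and autologon key listed on this page and reports WHERE
# credential material remains (never the values) so it can be cleaned up.

$Candidates = @(
    'C:\sysprep.inf',
    'C:\sysprep\sysprep.xml',
    '%WINDIR%\Panther\Unattend\Unattended.xml',
    '%WINDIR%\Panther\Unattended.xml',
    '%WINDIR%\Panther\sysprep.inf',
    '%SYSTEMROOT%\repair\SAM',
    '%SYSTEMROOT%\repair\system'
)

function Test-LeftoverCredentialFile {
    param([Parameter(Mandatory)][string]$PathTemplate)
    $path = [Environment]::ExpandEnvironmentVariables($PathTemplate)
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { return }

    $finding = [pscustomobject]@{
        Path = $path; CredentialElements = 0; PlainText = $false
        Action = 'Remove the file or re-run deployment cleanup'   # constructed hint
    }
    if ($path -match '\.xml$') {
        try {
            [xml]$doc = Get-Content -LiteralPath $path -Raw
            # Count password-bearing elements by name only; values are never read.
            $nodes = $doc.SelectNodes("//*[local-name()='Password' or local-name()='AdministratorPassword']")
            $finding.CredentialElements = $nodes.Count
            # Unattend answer files mark unencoded passwords with <PlainText>true</PlainText>.
            $finding.PlainText = $null -ne $doc.SelectSingleNode("//*[local-name()='PlainText' and .='true']")
        } catch { $finding.CredentialElements = -1 }   # unparsable XML: still worth review
    } elseif ($path -match '\.inf$') {
        # INI-style answer file: count lines whose key looks like a password setting.
        $finding.CredentialElements = @(Select-String -LiteralPath $path -Pattern '^\s*\w*Pass\w*\s*=').Count
    }
    # Binary backups (repair\SAM, repair\system) are reported on existence alone.
    $finding
}

$Candidates | ForEach-Object { Test-LeftoverCredentialFile -PathTemplate $_ } | Format-Table -AutoSize

# Autologon: report that DefaultPassword exists, not what it holds.
$winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
if ($winlogon -and $winlogon.PSObject.Properties['DefaultPassword']) {
    Write-Warning 'Winlogon\DefaultPassword is set: remove it or use a managed autologon mechanism.'
}
```

Run it from an elevated prompt, since several of these locations are not readable by standard users.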
