╔══════════╣ Checking AlwaysInstallElevated
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevated
    AlwaysInstallElevated isn't available

╔══════════╣ Enumerate LSA settings - auth packages included
    auditbasedirectories : 0
    auditbaseobjects : 0
    Bounds : 00-30-00-00-00-20-00-00
    crashonauditfail : 0
    fullprivilegeauditing : 00
    LimitBlankPasswordUse : 1
    NoLmHash : 1
    Security Packages : ""
    Notification Packages : rassfm,scecli
    Authentication Packages : msv1_0
    LsaPid : 628
    LsaCfgFlagsDefault : 0
    SecureBoot : 1
    ProductType : 7
    disabledomaincreds : 0
    everyoneincludesanonymous : 0
    forceguest : 0
    restrictanonymous : 0
    restrictanonymoussam : 1

╔══════════╣ Enumerating NTLM Settings
    LanmanCompatibilityLevel    : (Send NTLMv2 response only - Win7+ default)

    NTLM Signing Settings
        ClientRequireSigning    : False
        ClientNegotiateSigning  : True
        ServerRequireSigning    : True
        ServerNegotiateSigning  : True
        LdapSigning             : Negotiate signing (Negotiate signing)

    Session Security
        NTLMMinClientSec        : 536870912 (Require 128-bit encryption)
        NTLMMinServerSec        : 536870912 (Require 128-bit encryption)

    NTLM Auditing and Restrictions
        InboundRestrictions     : (Not defined)
        OutboundRestrictions    : (Not defined)
        InboundAuditing         : (Not defined)
        OutboundExceptions      :

╔══════════╣ Display Local Group Policy settings - local users/machine

╔══════════╣ Checking AppLocker effective policy
   AppLockerPolicy version: 1
   listing rules:

╔══════════╣ Enumerating Printers (WMI)

╔══════════╣ Enumerating Named Pipes
  Name            CurrentUserPerms                  Sddl
  eventlog        Everyone [WriteData/CreateFiles]  O:LSG:LSD:P(A;;0x12019b;;;WD)(A;;CC;;;OW)(A;;0x12008f;;;S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122)
  ROUTER          Everyone [WriteData/CreateFiles]  O:SYG:SYD:P(A;;0x12019b;;;WD)(A;;0x12019b;;;AN)(A;;FA;;;SY)
  RpcProxy\49673  Everyone [WriteData/CreateFiles]  O:BAG:SYD:(A;;0x12019b;;;WD)(A;;0x12019b;;;AN)(A;;FA;;;BA)
  RpcProxy\593    Everyone [WriteData/CreateFiles]  O:NSG:NSD:(A;;0x12019b;;;WD)(A;;RC;;;OW)(A;;0x12019b;;;AN)(A;;FA;;;S-1-5-80-521322694-906040134-3864710659-1525148216-3451224162)(A;;FA;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)
  vgauth-service  Everyone [WriteData/CreateFiles]  O:BAG:SYD:P(A;;0x12019f;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)

╔══════════╣ Enumerating AMSI registered providers
    Provider: {2781761E-28E0-4109-99FE-B9D127C57AFE}
    Path: "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1911.3-0\MpOav.dll"
   =================================================================================================

╔══════════╣ Enumerating Sysmon configuration
    You must be an administrator to run this check

╔══════════╣ Enumerating Sysmon process creation logs (1)
    You must be an administrator to run this check

╔══════════╣ Installed .NET versions

═══════════════════════════════════╣ Interesting Events information ╠════════════════════════════════════

╔══════════╣ Printing Explicit Credential Events (4648) for last 30 days - A process logged on using plaintext credentials
    You must be an administrator to run this check

╔══════════╣ Printing Account Logon Events (4624) for the last 10 days.
    You must be an administrator to run this check

╔══════════╣ Process creation events - searching logs (EID 4688) for sensitive data.
    You must be an administrator to run this check

╔══════════╣ PowerShell events - script block logs (EID 4104) - searching for sensitive data.
  [X] Exception: Attempted to perform an unauthorized operation.

╔══════════╣ Displaying Power off/on events for last 5 days
System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtQuery(EventLogHandle session, String path, String query, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogReader..ctor(EventLogQuery eventQuery, EventBookmark bookmark)
   at winPEAS.Helpers.MyUtils.GetEventLogReader(String path, String query, String computerName)
   at winPEAS.Info.EventsInfo.Power.Power.d__0.MoveNext()
   at winPEAS.Checks.EventsInfo.PowerOnEvents()

═══════════════════════════════════╣ Users Information ╠════════════════════════════════════

╔══════════╣ Users
╚ Check if you have some admin equivalent privileges https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#users-and-groups
  [X] Exception: Object reference not set to an instance of an object.
  Current user: FSmith
  Current groups: Domain Users, Everyone, Builtin\Remote Management Users, Users, Builtin\Pre-Windows 2000 Compatible Access, Network, Authenticated Users, This Organization, NTLM Authentication
   =================================================================================================
    Not Found

╔══════════╣ Current User Idle Time
   Current User   : EGOTISTICALBANK\FSmith
   Idle Time      : 02h:26m:09s:296ms

╔══════════╣ Display Tenant information (DsRegCmd.exe /status)
   Tenant is NOT Azure AD Joined.

╔══════════╣ Current Token privileges
╚ Check if you can escalate privilege using some enabled token https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#token-manipulation
    SeMachineAccountPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
    SeChangeNotifyPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
    SeIncreaseWorkingSetPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED

╔══════════╣ Clipboard text

╔══════════╣ Logged users
  [X] Exception: Access denied
    Not Found

╔══════════╣ Display information about local users
   Computer Name       : SAUNA
   User Name           : Administrator
   User Id             : 500
   Is Enabled          : True
   User Type           : Administrator
   Comment             : Built-in account for administering the computer/domain
   Last Logon          : 7/10/2024 2:16:13 AM
   Logons Count        : 94
   Password Last Set   : 7/26/2021 9:16:16 AM
   =================================================================================================
   Computer Name       : SAUNA
   User Name           : Guest
   User Id             : 501
   Is Enabled          : False
   User Type           : Guest
   Comment             : Built-in account for guest access to the computer/domain
   Last Logon          : 1/1/1970 12:00:00 AM
   Logons Count        : 0
   Password Last Set   : 1/1/1970 12:00:00 AM
   =================================================================================================
   Computer Name       : SAUNA
   User Name           : krbtgt
   User Id             : 502
   Is Enabled          : False
   User Type           : User
   Comment             : Key Distribution Center Service Account
   Last Logon          : 1/1/1970 12:00:00 AM
   Logons Count        : 0
   Password Last Set   : 1/22/2020 10:45:30 PM
   =================================================================================================
   Computer Name       : SAUNA
   User Name           : HSmith
   User Id             : 1103
   Is Enabled          : True
   User Type           : User
   Comment             :
   Last Logon          : 1/1/1970 12:00:00 AM
   Logons Count        : 0
   Password Last Set   : 1/22/2020 10:54:34 PM
   =================================================================================================
   Computer Name       : SAUNA
   User Name           : FSmith
   User Id             : 1105
   Is Enabled          : True
   User Type           : User
   Comment             :
   Last Logon          : 7/10/2024 3:14:57 AM
   Logons Count        : 13
   Password Last Set   : 1/23/2020 9:45:19 AM
   =================================================================================================
   Computer Name       : SAUNA
   User Name           : svc_loanmgr
   User Id             : 1108
   Is Enabled          : True
   User Type           : User
   Comment             :
   Last Logon          : 1/1/1970 12:00:00 AM
   Logons Count        : 0
   Password Last Set   : 1/24/2020 4:48:31 PM
   =================================================================================================

╔══════════╣ RDP Sessions
    Not Found

╔══════════╣ Ever logged users
  [X] Exception: Access denied
    Not Found

╔══════════╣ Home folders found
    C:\Users\Administrator
    C:\Users\All Users
    C:\Users\Default
    C:\Users\Default User
    C:\Users\FSmith : FSmith [AllAccess]
    C:\Users\Public
    C:\Users\svc_loanmgr

╔══════════╣ Looking for AutoLogon credentials
    Some AutoLogon credentials were found
    DefaultDomainName             :  EGOTISTICALBANK
    DefaultUserName               :  EGOTISTICALBANK\svc_loanmanager
    DefaultPassword               :  Moneymakestheworldgoround!

╔══════════╣ Password Policies
╚ Check for a possible brute-force
    Domain: Builtin
    SID: S-1-5-32
    MaxPasswordAge: 42.22:47:31.7437440
    MinPasswordAge: 00:00:00
    MinPasswordLength: 0
    PasswordHistoryLength: 0
    PasswordProperties: 0
   =================================================================================================
    Domain: EGOTISTICALBANK
    SID: S-1-5-21-2966785786-3096785034-1186376766
    MaxPasswordAge: 42.00:00:00
    MinPasswordAge: 1.00:00:00
    MinPasswordLength: 7
    PasswordHistoryLength: 24
    PasswordProperties: DOMAIN_PASSWORD_COMPLEX
   =================================================================================================

╔══════════╣ Print Logon Sessions

═══════════════════════════════════╣ Processes Information ╠════════════════════════════════════

╔══════════╣ Interesting Processes -non Microsoft-
╚ Check if any interesting processes for memory dump or if you could overwrite some binary running https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#running-processes
  [X] Exception: Access denied

╔══════════╣ Vulnerable Leaked Handlers
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/leaked-handle-exploitation
╚ Getting Leaked Handlers, it might take some time...

═══════════════════════════════════╣ Services Information ╠════════════════════════════════════
  [X] Exception: Cannot open Service Control Manager on computer '.'. This operation might require other privileges.

╔══════════╣ Interesting Services -non Microsoft-
╚ Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
  [X] Exception: Access denied
╔══════════╣ Modifiable Services
╚ Check if you can modify any service https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
    You cannot modify any service

╔══════════╣ Looking if you can modify any service registry
╚ Check if you can modify the registry of a service https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services-registry-permissions
    [-] Looks like you cannot change the registry of any service...

╔══════════╣ Checking write permissions in PATH folders (DLL Hijacking)
╚ Check for DLL Hijacking in PATH folders https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dll-hijacking
    C:\Windows\system32
    C:\Windows
    C:\Windows\System32\Wbem
    C:\Windows\System32\WindowsPowerShell\v1.0\
    C:\Windows\System32\OpenSSH\

═══════════════════════════════════╣ Applications Information ╠════════════════════════════════════

╔══════════╣ Current Active Window Application
  [X] Exception: Object reference not set to an instance of an object.

╔══════════╣ Installed Applications --Via Program Files/Uninstall registry--
╚ Check if you can modify installed software https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#software
    C:\Program Files\Common Files
    C:\Program Files\desktop.ini
    C:\Program Files\internet explorer
    C:\Program Files\Uninstall Information
    C:\Program Files\VMware
    C:\Program Files\Windows Defender
    C:\Program Files\Windows Defender Advanced Threat Protection
    C:\Program Files\Windows Mail
    C:\Program Files\Windows Media Player
    C:\Program Files\Windows Multimedia Platform
    C:\Program Files\windows nt
    C:\Program Files\Windows Photo Viewer
    C:\Program Files\Windows Portable Devices
    C:\Program Files\Windows Security
    C:\Program Files\Windows Sidebar
    C:\Program Files\WindowsApps
    C:\Program Files\WindowsPowerShell

╔══════════╣ Autorun Applications
╚ Check if you can modify other users AutoRuns binaries (Note that is normal that you can modify HKCU registry and binaries indicated there) https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries
Error getting autoruns from WMIC: System.Management.ManagementException: Access denied
   at System.Management.ThreadDispatch.Start()
   at System.Management.ManagementScope.Initialize()
   at System.Management.ManagementObjectSearcher.Initialize()
   at System.Management.ManagementObjectSearcher.Get()
   at winPEAS.Info.ApplicationInfo.AutoRuns.GetAutoRunsWMIC()
    RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Key: SecurityHealth
    Folder: C:\Windows\system32
    File: C:\Windows\system32\SecurityHealthSystray.exe
   =================================================================================================
    RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Key: VMware VM3DService Process
    Folder: C:\Windows\system32
    File: C:\Windows\system32\vm3dservice.exe -u
   =================================================================================================
    RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Key: VMware User Process
    Folder: C:\Program Files\VMware\VMware Tools
    File: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe -n vmusr (Unquoted and Space detected)
   =================================================================================================
    RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    Key: Common Startup
    Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup (Unquoted and Space detected)
   =================================================================================================
    RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
    Key: Common Startup
    Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup (Unquoted and Space detected)
   =================================================================================================
    RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Key: Userinit
    Folder: C:\Windows\system32
    File: C:\Windows\system32\userinit.exe,
   =================================================================================================
    RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Key: Shell
    Folder: None (PATH Injection)
    File: explorer.exe
   =================================================================================================
    RegPath: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
    Key: AlternateShell
    Folder: None (PATH Injection)
    File: cmd.exe
   =================================================================================================
HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: MSCTF Folder: None (PATH Injection) File: MSCTF.dll ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: MSVCRT Folder: None (PATH Injection) File: MSVCRT.dll ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: NORMALIZ Folder: None (PATH Injection) File: NORMALIZ.dll ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: NSI Folder: None (PATH Injection) File: NSI.dll ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: ole32 Folder: None (PATH Injection) File: ole32.dll ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: OLEAUT32 Folder: None (PATH Injection) File: OLEAUT32.dll ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: PSAPI Folder: None (PATH Injection) File: PSAPI.DLL ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: rpcrt4 Folder: None (PATH Injection) File: rpcrt4.dll ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: sechost Folder: None (PATH Injection) File: sechost.dll 
================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: Setupapi Folder: None (PATH Injection) File: Setupapi.dll ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: SHCORE Folder: None (PATH Injection) File: SHCORE.dll ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: SHELL32 Folder: None (PATH Injection) File: SHELL32.dll ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: SHLWAPI Folder: None (PATH Injection) File: SHLWAPI.dll ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: user32 Folder: None (PATH Injection) File: user32.dll ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: WLDAP32 Folder: None (PATH Injection) File: WLDAP32.dll ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: wow64 Folder: None (PATH Injection) File: wow64.dll ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: wow64win Folder: None (PATH Injection) File: wow64win.dll ================================================================================================= RegPath: 
HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: WS2_32 Folder: None (PATH Injection) File: WS2_32.dll ================================================================================================= RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED} Key: StubPath Folder: \ FolderPerms: Users [AppendData/CreateDirectories] File: /UserInstall ================================================================================================= RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} Key: StubPath Folder: C:\Windows\system32 File: C:\Windows\system32\unregmp2.exe /FirstLogon ================================================================================================= RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340} Key: StubPath Folder: None (PATH Injection) File: U ================================================================================================= RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} Key: StubPath Folder: C:\Windows\System32 File: C:\Windows\System32\ie4uinit.exe -UserConfig ================================================================================================= RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820} Key: StubPath Folder: C:\Windows\System32 File: C:\Windows\System32\Rundll32.exe C:\Windows\System32\mscories.dll,Install ================================================================================================= RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073} Key: StubPath Folder: C:\Windows\System32 File: C:\Windows\System32\rundll32.exe C:\Windows\System32\iesetup.dll,IEHardenAdmin 
================================================================================================= RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073} Key: StubPath Folder: C:\Windows\System32 File: C:\Windows\System32\rundll32.exe C:\Windows\System32\iesetup.dll,IEHardenUser ================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} Key: StubPath Folder: C:\Windows\system32 File: C:\Windows\system32\unregmp2.exe /FirstLogon ================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820} Key: StubPath Folder: C:\Windows\SysWOW64 File: C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\mscories.dll,Install ================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073} Key: StubPath Folder: C:\Windows\SysWOW64 File: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\iesetup.dll,IEHardenAdmin ================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073} Key: StubPath Folder: C:\Windows\SysWOW64 File: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\iesetup.dll,IEHardenUser ================================================================================================= Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (Unquoted and Space detected) 
================================================================================================= Folder: C:\windows\tasks FolderPerms: Authenticated Users [WriteData/CreateFiles] ================================================================================================= Folder: C:\windows\system32\tasks FolderPerms: Authenticated Users [WriteData/CreateFiles] ================================================================================================= Folder: C:\windows File: C:\windows\system.ini ================================================================================================= Folder: C:\windows File: C:\windows\win.ini ================================================================================================= ÉÍÍÍÍÍÍÍÍÍ͹ Scheduled Applications --Non Microsoft-- È Check if you can modify other users scheduled binaries https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries ÉÍÍÍÍÍÍÍÍÍ͹ Device Drivers --Non Microsoft-- È Check 3rd party drivers for known vulnerabilities/rootkits. 
  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#vulnerable-drivers
    QLogic Gigabit Ethernet - 7.12.31.105 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bxvbda.sys
    QLogic 10 GigE - 7.13.65.105 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\evbda.sys
    QLogic FastLinQ Ethernet - 8.33.20.103 [Cavium, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\qevbda.sys
    NVIDIA nForce(TM) RAID Driver - 10.6.0.23 [NVIDIA Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\nvraid.sys
    VMware vSockets Service - 9.8.16.0 build-14168184 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vsock.sys
    VMware PCI VMCI Bus Device - 9.8.16.0 build-14168184 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vmci.sys
    Intel Matrix Storage Manager driver - 8.6.2.1019 [Intel Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\iaStorV.sys
    Promiser SuperTrak EX Series - 5.1.0000.10 [Promise Technology, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\stexstor.sys
    LSI 3ware RAID Controller - WindowsBlue [LSI]: \\.\GLOBALROOT\SystemRoot\System32\drivers\3ware.sys
    AHCI 1.3 Device Driver - 1.1.3.277 [Advanced Micro Devices]: \\.\GLOBALROOT\SystemRoot\System32\drivers\amdsata.sys
    Storage Filter Driver - 1.1.3.277 [Advanced Micro Devices]: \\.\GLOBALROOT\SystemRoot\System32\drivers\amdxata.sys
    AMD Technology AHCI Compatible Controller - 3.7.1540.43 [AMD Technologies Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\amdsbs.sys
    Adaptec RAID Controller - 7.5.0.32048 [PMC-Sierra, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\arcsas.sys
    Windows (R) Win 7 DDK driver - 10.0.10011.16384 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\ItSas35i.sys
    LSI Fusion-MPT SAS Driver (StorPort) - 1.34.03.83 [LSI Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sas.sys
    Windows (R) Win 7 DDK driver - 10.0.10011.16384 [LSI Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sas2i.sys
    Windows (R) Win 7 DDK driver - 10.0.10011.16384 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sas3i.sys
    LSI SSS PCIe/Flash Driver (StorPort) - 2.10.61.81 [LSI Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sss.sys
    MEGASAS RAID Controller Driver for Windows - 6.706.06.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\megasas.sys
    MEGASAS RAID Controller Driver for Windows - 6.714.05.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\MegaSas2i.sys
    MEGASAS RAID Controller Driver for Windows - 7.705.08.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\megasas35i.sys
    MegaRAID Software RAID - 15.02.2013.0129 [LSI Corporation, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\megasr.sys
    Marvell Flash Controller - 1.0.5.1016 [Marvell Semiconductor, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\mvumis.sys
    NVIDIA nForce(TM) SATA Driver - 10.6.0.23 [NVIDIA Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\nvstor.sys
    MEGASAS RAID Controller Driver for Windows - 6.805.03.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\percsas2i.sys
    MEGASAS RAID Controller Driver for Windows - 6.604.06.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\percsas3i.sys
    Microsoftr Windowsr Operating System - 2.60.01 [Silicon Integrated Systems Corp.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\SiSRaid2.sys
    Microsoftr Windowsr Operating System - 6.1.6918.0 [Silicon Integrated Systems]: \\.\GLOBALROOT\SystemRoot\System32\drivers\sisraid4.sys
    VIA RAID driver - 7.0.9600,6352 [VIA Technologies Inc.,Ltd]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vsmraid.sys
    VIA StorX RAID Controller Driver - 8.0.9200.8110 [VIA Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vstxraid.sys
    Chelsio Communications iSCSI Controller - 10.0.10011.16384 [Chelsio Communications]: \\.\GLOBALROOT\SystemRoot\System32\drivers\cht4sx64.sys
    Intel(R) Rapid Storage Technology driver (inbox) - 15.44.0.1010 [Intel Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\iaStorAVC.sys
    QLogic BR-series FC/FCoE HBA Stor Miniport Driver - 3.2.26.1 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bfadfcoei.sys
    Emulex WS2K12 Storport Miniport Driver x64 - 11.0.247.8000 01/26/2016 WS2K12 64 bit x64 [Emulex]: \\.\GLOBALROOT\SystemRoot\System32\drivers\elxfcoe.sys
    Emulex WS2K12 Storport Miniport Driver x64 - 11.4.225.8009 11/15/2017 WS2K12 64 bit x64 [Broadcom]: \\.\GLOBALROOT\SystemRoot\System32\drivers\elxstor.sys
    QLogic iSCSI offload driver - 8.33.5.2 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\qeois.sys
    QLogic Fibre Channel Stor Miniport Driver - 9.1.15.1 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\ql2300i.sys
    QLA40XX iSCSI Host Bus Adapter - 2.1.5.0 (STOREx wx64) [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\ql40xx2i.sys
    QLogic FCoE Stor Miniport Inbox Driver - 9.1.11.3 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\qlfcoei.sys
    PMC-Sierra HBA Controller - 1.3.0.10769 [PMC-Sierra]: \\.\GLOBALROOT\SystemRoot\System32\drivers\ADP80XX.SYS
    QLogic BR-series FC/FCoE HBA Stor Miniport Driver - 3.2.26.1 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bfadi.sys
    Smart Array SAS/SATA Controller Media Driver - 8.0.4.0 Build 1 Media Driver (x86-64) [Hewlett-Packard Company]: \\.\GLOBALROOT\SystemRoot\System32\drivers\HpSAMD.sys
    SmartRAID, SmartHBA PQI Storport Driver - 1.50.0.0 [Microsemi Corportation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\SmartSAMD.sys
    QLogic FCoE offload driver - 8.33.4.2 [Cavium, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\qefcoe.sys
    QLogic iSCSI offload driver - 7.14.7.2 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bxois.sys
    QLogic FCoE Offload driver - 7.14.15.2 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bxfcoe.sys
    VMware Pointing PS/2 Device Driver - 12.5.10.0 build-14169150 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vmmouse.sys
    VMware SVGA 3D - 8.16.07.0008 - build-16233244 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vm3dmp_loader.sys
    VMware SVGA 3D - 8.16.07.0008 - build-16233244 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vm3dmp.sys
    VMware PCIe Ethernet Adapter NDIS 6.30 (64-bit) - 1.8.16.0 build-14217867 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vmxnet3.sys
    VMware server memory controller - 7.5.5.0 build-14903665 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vmmemctl.sys


════════════════════════════════════╣ Network Information ╠════════════════════════════════════

╔══════════╣ Network Shares
  [X] Exception: Access denied

╔══════════╣ Enumerate Network Mapped Drives (WMI)

╔══════════╣ Host File

╔══════════╣ Network Ifaces and known hosts
╚ The masks are only for the IPv4 addresses
    Ethernet0 2[00:50:56:B9:A0:1A]: 10.10.10.175, fe80::412c:b3bf:22f7:c83c%7, dead:beef::412c:b3bf:22f7:c83c, dead:beef::1b9 / 255.255.255.0
        Gateways: 10.10.10.2, fe80::250:56ff:feb9:6def%7
        DNSs: 8.8.8.8
        Known hosts:
          10.10.10.2            00-50-56-B9-6D-EF     Dynamic
          10.10.10.255          FF-FF-FF-FF-FF-FF     Static
          224.0.0.22            01-00-5E-00-00-16     Static
          224.0.0.251           01-00-5E-00-00-FB     Static
          224.0.0.252           01-00-5E-00-00-FC     Static

    Loopback Pseudo-Interface 1[]: 127.0.0.1, ::1 / 255.0.0.0
        DNSs: fec0:0:0:ffff::1%1, fec0:0:0:ffff::2%1, fec0:0:0:ffff::3%1
        Known hosts:
          224.0.0.22            00-00-00-00-00-00     Static

╔══════════╣ Current TCP Listening Ports
╚ Check for services restricted from the outside
  Enumerating IPv4 connections

  Protocol  Local Address                     Local Port  Remote Address                    Remote Port  State        Process ID  Process Name
  TCP       0.0.0.0                           80          0.0.0.0                           0            Listening    4           System
  TCP       0.0.0.0                           88          0.0.0.0                           0            Listening    628         lsass
  TCP       0.0.0.0                           135         0.0.0.0                           0            Listening    880         svchost
  TCP       0.0.0.0                           389         0.0.0.0                           0            Listening    628         lsass
  TCP       0.0.0.0                           445         0.0.0.0                           0            Listening    4           System
  TCP       0.0.0.0                           464         0.0.0.0                           0            Listening    628         lsass
  TCP       0.0.0.0                           593         0.0.0.0                           0            Listening    880         svchost
  TCP       0.0.0.0                           636         0.0.0.0                           0            Listening    628         lsass
  TCP       0.0.0.0                           3268        0.0.0.0                           0            Listening    628         lsass
  TCP       0.0.0.0                           3269        0.0.0.0                           0            Listening    628         lsass
  TCP       0.0.0.0                           5985        0.0.0.0                           0            Listening    4           System
  TCP       0.0.0.0                           9389        0.0.0.0                           0            Listening    2692        Microsoft.ActiveDirectory.WebServices
  TCP       0.0.0.0                           47001       0.0.0.0                           0            Listening    4           System
  TCP       0.0.0.0                           49664       0.0.0.0                           0            Listening    476         wininit
  TCP       0.0.0.0                           49665       0.0.0.0                           0            Listening    1068        svchost
  TCP       0.0.0.0                           49666       0.0.0.0                           0            Listening    1464        svchost
  TCP       0.0.0.0                           49667       0.0.0.0                           0            Listening    628         lsass
  TCP       0.0.0.0                           49673       0.0.0.0                           0            Listening    628         lsass
  TCP       0.0.0.0                           49674       0.0.0.0                           0            Listening    628         lsass
  TCP       0.0.0.0                           49675       0.0.0.0                           0            Listening    2608        spoolsv
  TCP       0.0.0.0                           49680       0.0.0.0                           0            Listening    612         services
  TCP       0.0.0.0                           49724       0.0.0.0                           0            Listening    2832        dns
  TCP       0.0.0.0                           49747       0.0.0.0                           0            Listening    2796        dfsrs
  TCP       10.10.10.175                      53          0.0.0.0                           0            Listening    2832        dns
  TCP       10.10.10.175                      139         0.0.0.0                           0            Listening    4           System
  TCP       10.10.10.175                      5985        10.10.14.43                       50404        Established  4           System
  TCP       127.0.0.1                         53          0.0.0.0                           0            Listening    2832        dns

  Enumerating IPv6 connections

  Protocol  Local Address                     Local Port  Remote Address                    Remote Port  State        Process ID  Process Name
  TCP       [::]                              80          [::]                              0            Listening    4           System
  TCP       [::]                              88          [::]                              0            Listening    628         lsass
  TCP       [::]                              135         [::]                              0            Listening    880         svchost
  TCP       [::]                              389         [::]                              0            Listening    628         lsass
  TCP       [::]                              445         [::]                              0            Listening    4           System
  TCP       [::]                              464         [::]                              0            Listening    628         lsass
  TCP       [::]                              593         [::]                              0            Listening    880         svchost
  TCP       [::]                              636         [::]                              0            Listening    628         lsass
  TCP       [::]                              3268        [::]                              0            Listening    628         lsass
  TCP       [::]                              3269        [::]                              0            Listening    628         lsass
  TCP       [::]                              5985        [::]                              0            Listening    4           System
  TCP       [::]                              9389        [::]                              0            Listening    2692        Microsoft.ActiveDirectory.WebServices
  TCP       [::]                              47001       [::]                              0            Listening    4           System
  TCP       [::]                              49664       [::]                              0            Listening    476         wininit
  TCP       [::]                              49665       [::]                              0            Listening    1068        svchost
  TCP       [::]                              49666       [::]                              0            Listening    1464        svchost
  TCP       [::]                              49667       [::]                              0            Listening    628         lsass
  TCP       [::]                              49673       [::]                              0            Listening    628         lsass
  TCP       [::]                              49674       [::]                              0            Listening    628         lsass
  TCP       [::]                              49675       [::]                              0            Listening    2608        spoolsv
  TCP       [::]                              49680       [::]                              0            Listening    612         services
  TCP       [::]                              49724       [::]                              0            Listening    2832        dns
  TCP       [::]                              49747       [::]                              0            Listening    2796        dfsrs
  TCP       [::1]                             53          [::]                              0            Listening    2832        dns
  TCP       [::1]                             389         [::1]                             49716        Established  628         lsass
  TCP       [::1]                             49716       [::1]                             389          Established  2832        dns
  TCP       [dead:beef::1b9]                  53          [::]                              0            Listening    2832        dns
  TCP       [dead:beef::412c:b3bf:22f7:c83c]  53          [::]                              0            Listening    2832        dns
  TCP       [fe80::412c:b3bf:22f7:c83c%7]     53          [::]                              0            Listening    2832        dns
  TCP       [fe80::412c:b3bf:22f7:c83c%7]     389         [fe80::412c:b3bf:22f7:c83c%7]     49723        Established  628         lsass
  TCP       [fe80::412c:b3bf:22f7:c83c%7]     389         [fe80::412c:b3bf:22f7:c83c%7]     49742        Established  628         lsass
  TCP       [fe80::412c:b3bf:22f7:c83c%7]     389         [fe80::412c:b3bf:22f7:c83c%7]     49745        Established  628         lsass
  TCP       [fe80::412c:b3bf:22f7:c83c%7]     49667       [fe80::412c:b3bf:22f7:c83c%7]     49753        Established  628         lsass
  TCP       [fe80::412c:b3bf:22f7:c83c%7]     49667       [fe80::412c:b3bf:22f7:c83c%7]     49777        Established  628         lsass
  TCP       [fe80::412c:b3bf:22f7:c83c%7]     49723       [fe80::412c:b3bf:22f7:c83c%7]     389          Established  2832        dns
  TCP       [fe80::412c:b3bf:22f7:c83c%7]     49742       [fe80::412c:b3bf:22f7:c83c%7]     389          Established  2796        dfsrs
  TCP       [fe80::412c:b3bf:22f7:c83c%7]     49745       [fe80::412c:b3bf:22f7:c83c%7]     389          Established  2796        dfsrs
  TCP       [fe80::412c:b3bf:22f7:c83c%7]     49753       [fe80::412c:b3bf:22f7:c83c%7]     49667        Established  2796        dfsrs
  TCP       [fe80::412c:b3bf:22f7:c83c%7]     49777       [fe80::412c:b3bf:22f7:c83c%7]     49667        Established  628         lsass

╔══════════╣ Current UDP Listening Ports
╚ Check for services restricted from the outside
  Enumerating IPv4 connections

  Protocol  Local Address                     Local Port  Remote Address:Remote Port  Process ID  Process Name
  UDP       0.0.0.0                           123         *:*                         704         svchost
  UDP       0.0.0.0                           389         *:*                         628         lsass
  UDP       0.0.0.0                           5353        *:*                         1132        svchost
  UDP       0.0.0.0                           5355        *:*                         1132        svchost
  UDP       10.10.10.175                      88          *:*                         628         lsass
  UDP       10.10.10.175                      137         *:*                         4           System
  UDP       10.10.10.175                      138         *:*                         4           System
  UDP       10.10.10.175                      464         *:*                         628         lsass
  UDP       127.0.0.1                         49664       *:*                         2020        svchost
  UDP       127.0.0.1                         49669       *:*                         2692        Microsoft.ActiveDirectory.WebServices
  UDP       127.0.0.1                         49670       *:*                         2796        dfsrs
  UDP       127.0.0.1                         49672       *:*                         1260        svchost
  UDP       127.0.0.1                         56632       *:*                         3644        WmiPrvSE
  UDP       127.0.0.1                         60971       *:*                         628         lsass
  UDP       127.0.0.1                         61858       *:*                         1344        svchost

  Enumerating IPv6 connections

  Protocol  Local Address                     Local Port  Remote Address:Remote Port  Process ID  Process Name
  UDP       [::]                              123         *:*                         704         svchost
  UDP       [::]                              389         *:*                         628         lsass
  UDP       [::]                              5353        *:*                         1132        svchost
  UDP       [::]                              5355        *:*                         1132        svchost
  UDP       [dead:beef::1b9]                  88          *:*                         628         lsass
  UDP       [dead:beef::1b9]                  464         *:*                         628         lsass
  UDP       [dead:beef::412c:b3bf:22f7:c83c]  88          *:*                         628         lsass
  UDP       [dead:beef::412c:b3bf:22f7:c83c]  464         *:*                         628         lsass
  UDP       [fe80::412c:b3bf:22f7:c83c%7]     88          *:*                         628         lsass
  UDP       [fe80::412c:b3bf:22f7:c83c%7]     464         *:*                         628         lsass

╔══════════╣ Firewall Rules
╚ Showing only DENY rules (too many ALLOW rules always)
    Current Profiles: DOMAIN
    FirewallEnabled (Domain):    True
    FirewallEnabled (Private):   True
    FirewallEnabled (Public):    True
    DENY rules:

╔══════════╣ DNS cached --limit 70--
    Entry                                 Name                                  Data
  [X] Exception: Access denied

╔══════════╣ Enumerating Internet settings, zone and proxy configuration
  General Settings
  Hive   Key                         Value
  HKCU   DisableCachingOfSSLPages    0
  HKCU   IE5_UA_Backup_Flag          5.0
  HKCU   PrivacyAdvanced             1
  HKCU   SecureProtocols             2688
  HKCU   User Agent                  Mozilla/4.0 (compatible; MSIE 8.0; Win32)
  HKCU   CertificateRevocation       1
  HKCU   ZonesSecurityUpgrade        System.Byte[]
  HKLM   ActiveXCache                C:\Windows\Downloaded Program Files
  HKLM   CodeBaseSearchPath          CODEBASE
  HKLM   EnablePunycode              1
  HKLM   MinorVersion                0
  HKLM   WarnOnIntranet              1

  Zone Maps
  No URLs configured

  Zone Auth Settings
  No Zone Auth Settings


════════════════════════════════════╣ Windows Credentials ╠════════════════════════════════════

╔══════════╣ Checking Windows Vault
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-manager-windows-vault
  [ERROR] Unable to enumerate vaults. Error (0x1061) Not Found

╔══════════╣ Checking Credential manager
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-manager-windows-vault
  [!] Warning: if password contains non-printable characters, it will be printed as unicode base64 encoded string
  [!] Unable to enumerate credentials automatically, error: 'Win32Exception: System.ComponentModel.Win32Exception (0x80004005): A specified logon session does not exist. It may already have been terminated'
  Please run: cmdkey /list

╔══════════╣ Saved RDP connections
  Not Found

╔══════════╣ Remote Desktop Server/Client Settings
  RDP Server Settings
    Network Level Authentication            :
    Block Clipboard Redirection             :
    Block COM Port Redirection              :
    Block Drive Redirection                 :
    Block LPT Port Redirection              :
    Block PnP Device Redirection            :
    Block Printer Redirection               :
    Allow Smart Card Redirection            :

  RDP Client Settings
    Disable Password Saving                 : True
    Restricted Remote Administration        : False

╔══════════╣ Recently run commands
  Not Found

╔══════════╣ Checking for DPAPI Master Keys
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi
    MasterKey: C:\Users\FSmith\AppData\Roaming\Microsoft\Protect\S-1-5-21-2966785786-3096785034-1186376766-1105\ca6bc5b5-57d3-4f19-9f5a-3016d1e57c8f
    Accessed: 1/24/2020 6:30:19 AM
    Modified: 1/24/2020 6:30:19 AM
   =================================================================================================

╔══════════╣ Checking for DPAPI Credential Files
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi
  Not Found

╔══════════╣ Checking for RDCMan Settings Files
╚ Dump credentials from Remote Desktop Connection Manager https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#remote-desktop-credential-manager
  Not Found

╔══════════╣ Looking for Kerberos tickets
╚ https://book.hacktricks.xyz/pentesting/pentesting-kerberos-88
  [X] Exception: Object reference not set to an instance of an object.
  Not Found

╔══════════╣ Looking for saved Wifi credentials
  [X] Exception: Unable to load DLL 'wlanapi.dll': The specified module could not be found. (Exception from HRESULT: 0x8007007E)
  Enumerating WLAN using wlanapi.dll failed, trying to enumerate using 'netsh'
  No saved Wifi credentials found

╔══════════╣ Looking AppCmd.exe
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd.exe
  AppCmd.exe was found in C:\Windows\system32\inetsrv\appcmd.exe
  You must be an administrator to run this check

╔══════════╣ Looking SSClient.exe
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#scclient-sccm
  Not Found

╔══════════╣ Enumerating SSCM - System Center Configuration Manager settings

╔══════════╣ Enumerating Security Packages Credentials
  [X] Exception: Couldn't parse nt_resp. Len: 0 Message bytes: 4e544c4d535350000300000001000100620000000000000063000000000000005800000000000000580000000a000a00580000000000000063000000058a80a20a0063450000000f9a33ac956ddf84bef114ca0e1a943f2c5300410055004e00410000


════════════════════════════════════╣ Browsers Information ╠════════════════════════════════════

╔══════════╣ Showing saved credentials for Firefox
  Info: if no credentials were listed, you might need to close the browser and try again.

╔══════════╣ Looking for Firefox DBs
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history
  Not Found

╔══════════╣ Looking for GET credentials in Firefox history
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history
  Not Found

╔══════════╣ Showing saved credentials for Chrome
  Info: if no credentials were listed, you might need to close the browser and try again.
╔══════════╣ Looking for Chrome DBs
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history
  Not Found

╔══════════╣ Looking for GET credentials in Chrome history
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history
  Not Found

╔══════════╣ Chrome bookmarks
  Not Found

╔══════════╣ Showing saved credentials for Opera
  Info: if no credentials were listed, you might need to close the browser and try again.

╔══════════╣ Showing saved credentials for Brave Browser
  Info: if no credentials were listed, you might need to close the browser and try again.

╔══════════╣ Showing saved credentials for Internet Explorer (unsupported)
  Info: if no credentials were listed, you might need to close the browser and try again.

╔══════════╣ Current IE tabs
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history
  [X] Exception: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Runtime.InteropServices.COMException: The server process could not be started because the configured identity is incorrect. Check the username and password. (Exception from HRESULT: 0x8000401A)
     --- End of inner exception stack trace ---
     at System.RuntimeType.InvokeDispMethod(String name, BindingFlags invokeAttr, Object target, Object[] args, Boolean[] byrefModifiers, Int32 culture, String[] namedParameters)
     at System.RuntimeType.InvokeMember(String name, BindingFlags bindingFlags, Binder binder, Object target, Object[] providedArgs, ParameterModifier[] modifiers, CultureInfo culture, String[] namedParams)
     at winPEAS.KnownFileCreds.Browsers.InternetExplorer.GetCurrentIETabs()
  Not Found

╔══════════╣ Looking for GET credentials in IE history
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history

╔══════════╣ IE history -- limit 50
  http://go.microsoft.com/fwlink/p/?LinkId=255141

╔══════════╣ IE favorites
  Not Found


════════════════════════════════════╣ Interesting files and registry ╠════════════════════════════════════

╔══════════╣ Putty Sessions
  Not Found

╔══════════╣ Putty SSH Host keys
  Not Found

╔══════════╣ SSH keys in registry
╚ If you find anything here, follow the link to learn how to decrypt the SSH keys https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#ssh-keys-in-registry
  Not Found

╔══════════╣ SuperPutty configuration files

╔══════════╣ Enumerating Office 365 endpoints synced by OneDrive.
    SID: S-1-5-19
   =================================================================================================
    SID: S-1-5-20
   =================================================================================================
    SID: S-1-5-21-2966785786-3096785034-1186376766-1105
   =================================================================================================
    SID: S-1-5-18
   =================================================================================================

╔══════════╣ Cloud Credentials
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files
  Not Found

╔══════════╣ Unattend Files

╔══════════╣ Looking for common SAM & SYSTEM backups

╔══════════╣ Looking for McAfee Sitelist.xml Files

╔══════════╣ Cached GPP Passwords

╔══════════╣ Looking for possible regs with creds
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry
  Not Found
  Not Found
  Not Found
  Not Found

╔══════════╣ Looking for possible password files in users homes
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files
  C:\Users\All Users\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml

╔══════════╣ Searching for Oracle SQL Developer config files

╔══════════╣ Slack files & directories
  note: check manually if something is found

╔══════════╣ Looking for LOL Binaries and Scripts (can be slow)
╚ https://lolbas-project.github.io/
  [!] Check skipped, if you want to run it, please specify '-lolbas' argument

╔══════════╣ Enumerating Outlook download files

╔══════════╣ Enumerating machine and user certificate files

╔══════════╣ Searching known files that can contain creds in home
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files

╔══════════╣ Looking for documents --limit 100--
  Not Found

╔══════════╣ Office Most Recent Files -- limit 50
  Last Access Date    User    Application    Document

╔══════════╣ Recent files --limit 70--
  Not Found

╔══════════╣ Looking inside the Recycle Bin for creds files
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files
  Not Found

╔══════════╣ Searching hidden files or folders in C:\Users home (can be slow)
  C:\Users\Default
  C:\Users\All Users
  C:\Users\All Users\ntuser.pol
  C:\Users\All Users\RICOH_DRV\RICOH Aficio SP 8300DN PCL 6\utne7z\FileCache_DrvDeviceCapabilites
  C:\Users\All Users\RICOH_DRV\RICOH Aficio SP 8300DN PCL 6\_common
  C:\Users\All Users\RICOH_DRV\RICOH Aficio SP 8300DN PCL 6
  C:\Users\All Users\RICOH_DRV\RICOH Aficio SP 8300DN PCL 6\do_not_delete_folders
  C:\Users\Default User
  C:\Users\Default
  C:\Users\All Users

╔══════════╣ Searching interesting files in other users home directories (can be slow)
  [X] Exception: Object reference not set to an instance of an object.
ÉÍÍÍÍÍÍÍÍÍ͹ Searching executable files in non-default folders with write (equivalent) permissions (can be slow) ÉÍÍÍÍÍÍÍÍÍ͹ Looking for Linux shells/distributions - wsl.exe, bash.exe ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͹ File Analysis ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ ÉÍÍÍÍÍÍÍÍÍ͹ Found Windows Files File: C:\Users\All Users\USOShared\Logs\System File: C:\Program Files\Common Files\system File: C:\Program Files (x86)\Common Files\system File: C:\Users\All Users\RICOH_DRV\RICOH Aficio SP 8300DN PCL 6\_common\wording\Aficio SP 8300DN\index.dat File: C:\Users\Default\NTUSER.DAT File: C:\Users\FSmith\NTUSER.DAT ÉÍÍÍÍÍÍÍÍÍ͹ Found Other Windows Files File: C:\Users\All Users\USOShared\Logs\System File: C:\Program Files\Common Files\system File: C:\Program Files (x86)\Common Files\system ÉÍÍÍÍÍÍÍÍÍ͹ Found Database Files File: C:\Users\All Users\Microsoft\Windows\Caches\cversions.2.db File: C:\Users\All Users\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db File: C:\Users\All Users\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-SumoLogic Access ID Regexes C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin64.xml: ynchronization C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin64.xml: ynchronization ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Confluent Access Token & Secret Key Regexes C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml: incomingdelegate C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml: incomingresponse C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml: incomingteamcall ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Etsy Access Token Regexes C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml: incomingresponsegroupcal ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Mattermost Access Token Regexes C:\Users\All Users\Microsoft\UEV\InboxTemplates\EaseOfAccessSettings2013.xml: 
oegankelijkheidsinstelling ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Plaid Client ID Regexes C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml: incomingresponsegroupcal ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Plaid Secret key Regexes C:\Users\FSmith\Desktop\user.txt: 2ade61d19d77597409e8944ab552d7 ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Travis CI Access Token Regexes C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml: incomingresponsegroupc ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Authorization Basic Regexes C:\inetpub\wwwroot\w3layouts-license.txt: basic Mobiles C:\inetpub\wwwroot\w3layouts-license.txt: basic mobile C:\inetpub\wwwroot\w3layouts-license.txt: basic mobile ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Adafruit API Key Regexes C:\Users\All Users\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml: 59031a47-3f72-44a7-89c5-5595fe6b C:\Users\All Users\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml: 59031a47-3f72-44a7-89c5-5595fe6b ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Base32 Regexes C:\Users\All Users\Microsoft\Windows Defender\Platform\4.18.1911.3-0\ThirdPartyNotices.txt: SOFTWARE C:\Users\All Users\Microsoft\Windows Defender\Platform\4.18.1911.3-0\ThirdPartyNotices.txt: PROVIDED C:\Users\All Users\Microsoft\Windows Defender\Platform\4.18.1911.3-0\ThirdPartyNotices.txt: INCLUDIN C:\Users\All Users\Microsoft\Windows Defender\Platform\4.18.1911.3-0\ThirdPartyNotices.txt: LIABILIT C:\Users\All Users\Microsoft\Windows Defender\Platform\4.18.1911.3-0\ThirdPartyNotices.txt: SOFTWARE ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Nytimes Access Token Regexes C:\Users\All Users\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml: 59031a47-3f72-44a7-89c5-5595fe6b C:\Users\All Users\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml: 59031a47-3f72-44a7-89c5-5595fe6b ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Kucoin Secret Key Regexes C:\Users\All Users\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml: 59031a47-3f72-44a7-89c5-5595fe6b30ee C:\Users\All Users\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml: 59031a47-3f72-44a7-89c5-5595fe6b30ee ÉÍÍÍÍÍÍÍÍÍ͹ 
Found APIs-MojoAuth API Key Regexes C:\Users\All Users\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml: 59031a47-3f72-44a7-89c5-5595fe6b30ee C:\Users\All Users\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml: 59031a47-3f72-44a7-89c5-5595fe6b30ee ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Sendbird Access ID Regexes C:\Users\All Users\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml: 59031a47-3f72-44a7-89c5-5595fe6b30ee C:\Users\All Users\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml: 59031a47-3f72-44a7-89c5-5595fe6b30ee ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Gitter Access Token Regexes C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 8819830985793363486227052682718078462527 C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 1115992844317838971496527177941629091667 ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Launchdarkly Access Token Regexes C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 8819830985793363486227052682718078462527 C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 1115992844317838971496527177941629091667 ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Netlify Access Token Regexes C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 8819830985793363486227052682718078462527141167 C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 1115992844317838971496527177941629091667621335 ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Okta Access Token Regexes C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 881983098579336348622705268271807846252714 C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 111599284431783897149652717794162909166762 ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-RapidAPI Access Token Regexes C:\Users\All 
Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 88198309857933634862270526827180784625271411676638 C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 11159928443178389714965271779416290916676213355865 ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Bittrex Access Key and Access Key Regexes C:\Users\FSmith\Desktop\user.txt: 2ade61d19d77597409e8944ab552d749 ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Coinbase Access Token Regexes C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 8819830985793363486227052682718078462527141167663861554190069477 C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 1115992844317838971496527177941629091667621335586597164552246905 ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Droneci Access Token Regexes C:\Users\FSmith\Desktop\user.txt: 2ade61d19d77597409e8944ab552d749 ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Flickr Access Token Regexes C:\Users\FSmith\Desktop\user.txt: 2ade61d19d77597409e8944ab552d749 ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Freshbooks Access Token Regexes C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 8819830985793363486227052682718078462527141167663861554190069477 C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 1115992844317838971496527177941629091667621335586597164552246905 ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Hubspot API Key Regexes C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\KeyHolder\61afd6a2-d7c3-8d25-36c2-0c2c47e3aca8.xml: "6b594c27-b3ee-45ff-812e-686be66532ce" ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Kucoin Access Token Regexes C:\Users\FSmith\Desktop\user.txt: 2ade61d19d77597409e8944a ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-ORB Intelligence Access Key Regexes C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\KeyHolder\61afd6a2-d7c3-8d25-36c2-0c2c47e3aca8.xml: "6b594c27-b3ee-45ff-812e-686be66532ce" ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Sendbird Access Token Regexes C:\Users\All 
Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 8819830985793363486227052682718078462527 C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 1115992844317838971496527177941629091667 ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Sentry Access Token Regexes C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 8819830985793363486227052682718078462527141167663861554190069477 C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 1115992844317838971496527177941629091667621335586597164552246905 ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-SumoLogic Access Token Regexes C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 8819830985793363486227052682718078462527141167663861554190069477 C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 1115992844317838971496527177941629091667621335586597164552246905 ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-URLScan API Key Regexes C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\KeyHolder\61afd6a2-d7c3-8d25-36c2-0c2c47e3aca8.xml: "6b594c27-b3ee-45ff-812e-686be66532ce" ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Zendesk Secret Key Regexes C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 8819830985793363486227052682718078462527 C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 1115992844317838971496527177941629091667 ÉÍÍÍÍÍÍÍÍÍ͹ Found Misc-Emails Regexes C:\inetpub\wwwroot\single.html: example@email.com C:\inetpub\wwwroot\single.html: info@example.com ÉÍÍÍÍÍÍÍÍÍ͹ Found Misc-Config Secrets Regexes C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1: $env: ÉÍÍÍÍÍÍÍÍÍ͹ Found Misc-IPs Regexes C:\Users\All Users\Microsoft\Windows\OneSettings\CTAC.json: 1.0.0.0 ÉÍÍÍÍÍÍÍÍÍ͹ Found Raw Hashes-md5 Regexes C:\Users\FSmith\Desktop\user.txt: 
2ade61d19d77597409e8944ab552d749 /---------------------------------------------------------------------------------\ | Do you like PEASS? | |---------------------------------------------------------------------------------| | Get the latest version : https://github.com/sponsors/carlospolop | | Follow on Twitter : @hacktricks_live | | Respect on HTB : SirBroccoli | |---------------------------------------------------------------------------------| | Thank you! | \---------------------------------------------------------------------------------/