WinPrivEsc Enumeration

Situational Awareness

  • After compromising a machine, this is the information we need to gather to help with privilege escalation:

- Username and hostname
- Group memberships of the current user
- Existing users and groups
- Operating system, version and architecture
- Network information
- Installed applications
- Running processes

Enumerate User

Using CMD

whoami
whoami /groups
whoami /priv

Using Powershell

Get-LocalUser
Get-LocalGroup
Get-LocalGroup -Name $groupname
Get-LocalGroupMember -Group $groupname
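The commands above answer the questions one at a time. The following script, added here as an example and not part of the original notes, pulls the same facts about the current user into one pass: the identity and SID, every group in the token with its SID resolved to a name, the enabled privileges (parsed from `whoami /priv /fo csv`, a real switch of whoami), and the members of the local Administrators group. The IsElevated check uses WindowsPrincipal.IsInRole, which is true only for an elevated token; an Administrators member in a non-elevated session shows False, which is exactly the UAC split a defender wants visible.

```powershell
# Added example (not from the original notes): one-pass summary of the current user's
# identity, token groups, enabled privileges and local admin membership.
function Get-UserSituation {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # Identity block: name, SID and whether the current token is elevated (UAC).
    $summary = [PSCustomObject]@{
        User       = $identity.Name
        SID        = $identity.User.Value
        IsElevated = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
    }

    # Token groups: translate each SID to DOMAIN\Name; keep the raw SID when translation fails
    # (e.g. a group from a domain the host can no longer reach).
    $groups = foreach ($sid in $identity.Groups) {
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '<unresolved>' }
        [PSCustomObject]@{ Group = $name; SID = $sid.Value }
    }

    # Privileges: whoami /priv supports CSV output, which ConvertFrom-Csv turns into objects
    # with 'Privilege Name', 'Description' and 'State' columns.
    $privs = whoami /priv /fo csv | ConvertFrom-Csv

    # Local Administrators membership, independent of whether this session is elevated.
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name

    [PSCustomObject]@{
        Summary           = $summary
        Groups            = $groups
        EnabledPrivileges = $privs | Where-Object { $_.State -eq 'Enabled' } |
                                Select-Object -ExpandProperty 'Privilege Name'
        LocalAdmins       = $admins
    }
}

$situation = Get-UserSituation
$situation.Summary | Format-List
$situation.Groups | Format-Table -AutoSize
"Enabled privileges: $($situation.EnabledPrivileges -join ', ')"
"Local Administrators: $($situation.LocalAdmins -join ', ')"
```

Get-LocalGroupMember ships with the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later); on older hosts the `net localgroup Administrators` output would have to be parsed instead.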

Enumerate Hostname

systeminfo

Enumerate Network

ipconfig /all
route print

netstat -ano
-a : display all active TCP connections and listening ports
-n : disable name resolution (show numeric addresses and ports)
-o : show the owning process ID
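netstat -ano leaves you to match each PID to a process by hand. The script below is an added example, not part of the original notes; it uses the Get-NetTCPConnection cmdlet (NetTCPIP module, Windows 8 / Server 2012 and later) to list listening TCP ports with the owning process name resolved, and flags whether each listener is bound to loopback only. That last column matters when judging whether a service is reachable from the network or only from the host itself.

```powershell
# Added example (not from the original notes): listening TCP ports with owning process resolved.
function Get-ListeningPorts {
    # Build a PID -> process name map once instead of calling Get-Process per connection.
    $procNames = @{}
    Get-Process | ForEach-Object { $procNames[[int]$_.Id] = $_.ProcessName }

    Get-NetTCPConnection -State Listen |
        Sort-Object LocalPort, LocalAddress |
        ForEach-Object {
            # OwningProcess is UInt32; cast to Int32 so the hashtable lookup matches Get-Process IDs.
            $procId = [int]$_.OwningProcess
            [PSCustomObject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                PID          = $procId
                Process      = if ($procNames.ContainsKey($procId)) { $procNames[$procId] } else { '<unknown>' }
                # Loopback-bound listeners are not reachable from other hosts.
                LoopbackOnly = $_.LocalAddress -in @('127.0.0.1', '::1')
            }
        }
}

Get-ListeningPorts | Format-Table -AutoSize
```

A process that appears as `<unknown>` usually means the owning process exited between the two queries, or that the current user lacks the right to read its details; re-running the function normally resolves the former.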

Installed Application

Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
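The two registry queries above cover 64-bit and 32-bit-on-64-bit installs under HKLM but print only the display name. As an added example, not taken from the original notes, the function below reads both of those hives plus the per-user HKCU Uninstall key, drops entries without a DisplayName (these are usually patches or hidden components), and keeps the version, publisher and install path so each application can later be checked for a known-vulnerable version or a writable install directory.

```powershell
# Added example (not from the original notes): installed applications from all three
# Uninstall locations, with empty entries dropped and useful columns retained.
function Get-InstalledApplications {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',             # 64-bit apps
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*', # 32-bit apps on 64-bit Windows
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'              # per-user installs
    )

    foreach ($key in $uninstallKeys) {
        # A missing hive (e.g. Wow6432Node on 32-bit Windows) should not abort the whole listing.
        Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName } |
            ForEach-Object {
                [PSCustomObject]@{
                    Name      = $_.DisplayName
                    Version   = $_.DisplayVersion
                    Publisher = $_.Publisher
                    Path      = $_.InstallLocation
                    Hive      = $key.Split('\')[0]   # 'HKLM:' or 'HKCU:'
                }
            }
    }
}

# Sort by name and collapse entries that appear in more than one hive.
Get-InstalledApplications | Sort-Object Name -Unique | Format-Table -AutoSize
```

Entries whose Path column is empty were registered without an InstallLocation value; the uninstall string or the executable's location in Program Files has to be consulted for those.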

Process

Get-Process

Hidden in Plain View

  • Users may leave sensitive information in directories that anyone on the machine can read

PowerShell History

  • We can get interesting information from the PowerShell command history

List the commands executed in the current session:

Get-History

Clear-History only clears PowerShell's own session history, not the PSReadLine history file on disk. We can find that file's location using the command below.

(Get-PSReadlineOption).HistorySavePath
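The command above only prints the path. The function below is an added example, not part of the original notes; it resolves the path, confirms the file exists, and scans it for commands that commonly carry credentials on the command line. The pattern list is an assumption chosen for illustration and should be extended for the environment. To avoid copying a secret into yet another place, the report gives the line number and the command name only, not the full line; this is the check a defender runs to find credentials that need rotating and users who need a reminder to use credential objects instead of inline passwords.

```powershell
# Added example (not from the original notes): inspect the PSReadLine history file and
# flag lines that look like they carry secrets, without echoing the secrets themselves.
function Find-HistorySecrets {
    param(
        # Defaults to the current user's PSReadLine history file.
        [string]$Path = (Get-PSReadLineOption).HistorySavePath
    )

    if (-not (Test-Path -Path $Path)) {
        return [PSCustomObject]@{ Path = $Path; Exists = $false; Lines = 0; Findings = @() }
    }

    $lines = @(Get-Content -Path $Path)

    # Assumed patterns (case-insensitive): inline password parameters, secure-string
    # construction from plaintext, and net use / credential switches.
    $secretPattern = '(?i)(-password\b|-pass\b|pwd=|ConvertTo-SecureString|/user:|-Credential\s+\()'

    $findings = for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match $secretPattern) {
            # Report only the first token (the command) so the secret is not re-exposed.
            $command = ($lines[$i].TrimStart() -split '\s+')[0]
            [PSCustomObject]@{ Line = $i + 1; Command = $command }
        }
    }

    [PSCustomObject]@{
        Path     = $Path
        Exists   = $true
        Lines    = $lines.Count
        Findings = @($findings)
    }
}

$report = Find-HistorySecrets
"$($report.Lines) history lines in $($report.Path)"
$report.Findings | Format-Table -AutoSize
```

Because the history file is written by PSReadLine in interactive sessions only, commands run from scripts or from a host without PSReadLine (for example an older Windows PowerShell ISE) never appear there, so an empty report does not prove that no credentials were ever typed.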

Automated Tools

  • winPEAS
  • PowerView
  • JAWS

Last updated 4 months ago