16 Win priv esc. Situational Awareness Flashcards
What information should a pentester always gather on a Windows system after exploitation? (7)
- Username and hostname
- Group memberships of the current user
- Existing users and groups
- Operating system, version and architecture
- Network information
- Installed applications
- Running processes
What command can be used to obtain the username and hostname?
whoami
How do we get the groups the current user is in?
whoami /groups
How do we get the other users and groups on the system?
(powershell) Get-LocalUser
How do we enumerate the existing groups?
(ps) Get-LocalGroup
(ps) net localgroup
Let's review the members of a local group (here, adminteam; the same cmdlet works for Administrators).
(ps) Get-LocalGroupMember adminteam
Let's check the operating system, version, and architecture first.
(ps) systeminfo
To list all network interfaces, which command do we use?
ipconfig /all
To display the routing table?
route print
To list all active network connections, which netstat command do we use?
netstat -ano
We'll check all installed applications. We can query two registry keys (32-bit applications under Wow6432Node, 64-bit applications under the native key):
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
Applications may be missing from these registry keys due to an incomplete or flawed installation process. Therefore
we should always also check the 32-bit and 64-bit Program Files directories located in C:\.
How do we identify the currently running processes?
Get-Process
How do we get the currently running processes together with their binary file paths?
Get-Process | Select-Object Name, Id, @{Name="Path";Expression={$_.Path}} | Format-Table -AutoSize
How do we search the file system for a KeePass database file (.kdbx)?
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue