Basic Methodology

System Information

systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
tasklist /svc
  • tasklist /svc lists running processes together with the services each one hosts

User Information

whoami
net user <username>
whoami /priv
whoami /groups
net user

Quick Win Tools

  • winPEAS (fade the haters; learn to read its output and run it to save time!)

  • PowerUp

  • SharpUp

  • Seatbelt

  • accesschk.exe

  • Windows Exploit Suggester NG (less likely to be needed on the OSCP, but use it as a last-ish resort)

Firewall Info

netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name=all

Scheduled Tasks

schtasks /query /fo LIST /v

Check Read/Write Permissions on Folders/Files

accesschk.exe -uws "Everyone" "C:\Program Files"
Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}
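The one-liner above only matches the exact string "Everyone Allow  Modify". The following added example (not part of the original notes) generalises it into a small audit function that walks a tree and reports any Allow entry giving a broad principal write-class rights (Write, Modify, FullControl or their component bits). The principal list and the starting path are assumptions you can adjust; it needs only Windows PowerShell 5.1 or later.

```powershell
# Added example, not from the original notes.
# Principals that should never hold write rights under Program Files (assumed list).
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Find-WeakAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Principals = $BroadPrincipals
    )
    # Any of these bits lets a non-admin replace a binary or drop a file beside it.
    $rights = [System.Security.AccessControl.FileSystemRights]
    $writeMask = $rights::Modify -bor $rights::Write -bor $rights::WriteData -bor
                 $rights::AppendData -bor $rights::FullControl

    Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue |
      ForEach-Object {
        $item = $_
        # Unreadable ACLs are skipped rather than aborting the whole walk.
        try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop } catch { return }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
            # Cast to int so generic-rights ACEs (negative values) still compare cleanly.
            if (([int]($ace.FileSystemRights -band $writeMask)) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
      }
}

# Usage: list weak entries under Program Files; an empty result is the healthy state.
Find-WeakAcl -Path 'C:\Program Files' | Format-Table -AutoSize
```

Inherited entries are reported too (the Inherited column) so you can tell a single mis-set folder from a parent ACL that propagates the problem down the tree.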

Unmounted Drives

mountvol

AlwaysInstallElevated Check

reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
  • If AlwaysInstallElevated is enabled (REG_DWORD 0x1) under both keys, Windows Installer runs every MSI with SYSTEM privileges, so a crafted MSI elevates
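Reading two reg query outputs by eye is error-prone, so here is an added example (not from the original notes) that reads both values, treats a missing value as "not set", and reports whether the policy is actually effective, which requires both the HKCU and HKLM values to be 1. It assumes Windows PowerShell 5.1 or later.

```powershell
# Added example, not from the original notes.
function Get-AlwaysInstallElevatedState {
    $keys = @{
        HKCU = 'HKCU:\Software\Policies\Microsoft\Windows\Installer'
        HKLM = 'HKLM:\Software\Policies\Microsoft\Windows\Installer'
    }
    $state = [ordered]@{}
    foreach ($hive in $keys.Keys) {
        $value = $null
        # A missing key or value throws; that simply means the policy is not set there.
        try {
            $value = (Get-ItemProperty -Path $keys[$hive] -Name AlwaysInstallElevated -ErrorAction Stop).AlwaysInstallElevated
        } catch { }
        $state[$hive] = $value
    }
    [pscustomobject]@{
        HKCU      = $state.HKCU
        HKLM      = $state.HKLM
        # The policy only takes effect when both hives hold 1.
        Effective = ($state.HKCU -eq 1 -and $state.HKLM -eq 1)
        Fix       = 'Disable "Always install with elevated privileges" under Computer Configuration and User Configuration > Administrative Templates > Windows Components > Windows Installer'
    }
}

Get-AlwaysInstallElevatedState | Format-List
```

A value of 1 in only one hive shows up as Effective = False but is still worth flagging, since the other half can be set later by a user or a stray GPO.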

Password Hunting (Desperate Times)

  • Look for raw passwords in the registry (/f pass matches "pass" in value names and data, /t REG_SZ limits the search to string values, /s recurses)

reg query HKLM /f pass /t REG_SZ /s

https://www.praetorian.com/blog/how-to-detect-and-dump-credentials-from-the-windows-registry/
