Basic Methodology

System Information

systeminfo

systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"

• tasklist /svc

  • List running services

User Information

whoami

net user <username>

whoami /priv

whoami /groups

net user

Quick Win Tools

• winpeas (fade the haters, learn about the output and run this to save time!)

• PowerUp

• SharpUp

• Seatbelt

• accesschk.exe

• windows exploit suggester ng (less likely on OSCP but use as last-ish resort)

Firewall Info

netsh advfirewall show currentprofile

netsh advfirewall firewall show rule name=all

Scheduled Tasks

schtasks /query /fo LIST /v

Check Read/Write Permissions on Folders/Files

accesschk.exe -uws "Everyone" "C:\Program Files"

Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}

Unmounted Drives

mountvol

AlwaysInstallElevated Check

reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer

reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

• If the settings are enabled (REG_DWORD 0x1) then we can craft a MSI and elevate

Password Hunting (Desperate Times)

• Look for raw passwords in registry

reg query HKLM /f pass /t REG_SZ /s

https://www.praetorian.com/blog/how-to-detect-and-dump-credentials-from-the-windows-registry/