PEAS
Confuting an automated enumeration after performing a manual enumeration on the compromised host.
*Evil-WinRM* PS C:\Users\scripting\Documents> upload winPEASx86.exe
Info: Uploading /home/kali/PEN-200/PG_PRACTICE/compromised/winPEASx86.exe to C:\Users\scripting\Documents\winPEASx86.exe
Data: 13541376 bytes of 13541376 bytes copied
Info: Upload successful!/Practice/Compromised/4-Post_Enumeration/attachments/{FE9A8C0E-60CD-4BF4-8F42-466E0AA8F485}.png)
Executing PEAS
ENV
ÉÍÍÍÍÍÍÍÍÍ͹ User Environment Variables
È Check for some passwords or keys in the env variables
Path: C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\scripting\AppData\Local\Microsoft\WindowsApps
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL
USERDOMAIN: COMPROMISED
PROCESSOR_ARCHITECTURE: x86
ProgramW6432: C:\Program Files
DriverData: C:\Windows\System32\Drivers\DriverData
PUBLIC: C:\Users\Public
APPDATA: C:\Users\scripting\AppData\Roaming
windir: C:\Windows
LOCALAPPDATA: C:\Users\scripting\AppData\Local
CommonProgramW6432: C:\Program Files\Common Files
TMP: C:\Users\SCRIPT~1\AppData\Local\Temp
USERPROFILE: C:\Users\scripting
ProgramFiles: C:\Program Files (x86)
PROCESSOR_LEVEL: 25
ProgramData: C:\ProgramData
COMPUTERNAME: COMPROMISED
PROCESSOR_ARCHITEW6432: AMD64
NUMBER_OF_PROCESSORS: 2
PROCESSOR_IDENTIFIER: AMD64 Family 25 Model 1 Stepping 1, AuthenticAMD
SystemRoot: C:\Windows
ComSpec: C:\Windows\system32\cmd.exe
TEMP: C:\Users\SCRIPT~1\AppData\Local\Temp
ProgramFiles(x86): C:\Program Files (x86)
CommonProgramFiles: C:\Program Files (x86)\Common Files
PROCESSOR_REVISION: 0101
CommonProgramFiles(x86): C:\Program Files (x86)\Common Files
ALLUSERSPROFILE: C:\ProgramData
SystemDrive: C:
PSModulePath: C:\Users\scripting\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
OS: Windows_NT
USERNAME: scripting
ÉÍÍÍÍÍÍÍÍÍ͹ System Environment Variables
È Check for some passwords or keys in the env variables
ComSpec: C:\Windows\system32\cmd.exe
DriverData: C:\Windows\System32\Drivers\DriverData
OS: Windows_NT
Path: C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE: AMD64
PSModulePath: C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
TEMP: C:\Windows\TEMP
TMP: C:\Windows\TEMP
USERNAME: SYSTEM
windir: C:\Windows
NUMBER_OF_PROCESSORS: 2
PROCESSOR_LEVEL: 25
PROCESSOR_IDENTIFIER: AMD64 Family 25 Model 1 Stepping 1, AuthenticAMD
PROCESSOR_REVISION: 0101N/A
/Practice/Compromised/4-Post_Enumeration/attachments/{76A1C1D3-5827-410B-B306-3DD1BAF2737B}.png)
UAC
/Practice/Compromised/4-Post_Enumeration/attachments/{39183F09-A913-4B65-BA5B-193BB24A329C}.png)
PowerShell
/Practice/Compromised/4-Post_Enumeration/attachments/{33BDFC8E-5EB7-469D-BA6C-B5E9C805CBAA}.png)
NTLM
/Practice/Compromised/4-Post_Enumeration/attachments/{82375A78-1C28-48F3-BD54-918FED38411D}.png)
Event Log
/Practice/Compromised/4-Post_Enumeration/attachments/{71151377-4C65-4F55-88E4-F5EA76E83DB6}.png)
Token Privileges (scripting)
/Practice/Compromised/4-Post_Enumeration/attachments/{B27C9A01-B39E-4CB4-B972-018E9AACC2E4}.png)
Certificates
/Practice/Compromised/4-Post_Enumeration/attachments/{0641C7E8-13FF-4217-B213-7EDAD3E2B706}.png)