PEAS
Running automated enumeration after the manual enumeration.
*Evil-WinRM* PS C:\Users\anirudh\Documents> upload winPEASany.exe
Info: Uploading /home/kali/PEN-200/PG_PRACTICE/vault/winPEASany.exe to C:\Users\anirudh\Documents\winPEASany.exe
Data: 13526356 bytes of 13526356 bytes copied
Info: Upload successful!
Delivery complete
Executing PEAS
ENV
╔══════════╣ User Environment Variables
╚ Check for some passwords or keys in the env variables
COMPUTERNAME: DC
USERPROFILE: C:\Users\anirudh
HOMEPATH: \Users\anirudh
LOCALAPPDATA: C:\Users\anirudh\AppData\Local
PSModulePath: C:\Users\anirudh\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
PROCESSOR_ARCHITECTURE: AMD64
Path: C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\anirudh\AppData\Local\Microsoft\WindowsApps
CommonProgramFiles(x86): C:\Program Files (x86)\Common Files
ProgramFiles(x86): C:\Program Files (x86)
PROCESSOR_LEVEL: 25
LOGONSERVER: \\DC
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL
HOMEDRIVE: C:
SystemRoot: C:\Windows
ALLUSERSPROFILE: C:\ProgramData
DriverData: C:\Windows\System32\Drivers\DriverData
APPDATA: C:\Users\anirudh\AppData\Roaming
PROCESSOR_REVISION: 0101
USERNAME: anirudh
CommonProgramW6432: C:\Program Files\Common Files
CommonProgramFiles: C:\Program Files\Common Files
OS: Windows_NT
USERDOMAIN_ROAMINGPROFILE: VAULT
PROCESSOR_IDENTIFIER: AMD64 Family 25 Model 1 Stepping 1, AuthenticAMD
ComSpec: C:\Windows\system32\cmd.exe
SystemDrive: C:
TEMP: C:\Users\anirudh\AppData\Local\Temp
ProgramFiles: C:\Program Files
NUMBER_OF_PROCESSORS: 2
TMP: C:\Users\anirudh\AppData\Local\Temp
ProgramData: C:\ProgramData
ProgramW6432: C:\Program Files
windir: C:\Windows
USERDOMAIN: VAULT
PUBLIC: C:\Users\Public
USERDNSDOMAIN: VAULT.OFFSEC
╔══════════╣ System Environment Variables
╚ Check for some passwords or keys in the env variables
ComSpec: C:\Windows\system32\cmd.exe
DriverData: C:\Windows\System32\Drivers\DriverData
OS: Windows_NT
Path: C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE: AMD64
PSModulePath: C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
TEMP: C:\Windows\TEMP
TMP: C:\Windows\TEMP
USERNAME: SYSTEM
windir: C:\Windows
NUMBER_OF_PROCESSORS: 2
PROCESSOR_LEVEL: 25
PROCESSOR_IDENTIFIER: AMD64 Family 25 Model 1 Stepping 1, AuthenticAMD
PROCESSOR_REVISION: 0101
N/A
UAC
PowerShell
KrbRelayUp
NTLM
Token Privileges (anirudh)
RDP Session
AutoLogon
*Evil-WinRM* PS C:\Users\anirudh\Documents> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon
AutoRestartShell REG_DWORD 0x1
Background REG_SZ 0 0 0
CachedLogonsCount REG_SZ 10
DebugServerCommand REG_SZ no
DefaultDomainName REG_SZ VAULT
DefaultUserName REG_SZ anirudh
DisableBackButton REG_DWORD 0x1
EnableSIHostIntegration REG_DWORD 0x1
ForceUnlockLogon REG_DWORD 0x0
LegalNoticeCaption REG_SZ
LegalNoticeText REG_SZ
PasswordExpiryWarning REG_DWORD 0x5
PowerdownAfterShutdown REG_SZ 0
PreCreateKnownFolders REG_SZ {A520A1A4-1780-4FF6-BD18-167343C5AF16}
ReportBootOk REG_SZ 1
Shell REG_SZ explorer.exe
ShellCritical REG_DWORD 0x0
ShellInfrastructure REG_SZ sihost.exe
SiHostCritical REG_DWORD 0x0
SiHostReadyTimeOut REG_DWORD 0x0
SiHostRestartCountLimit REG_DWORD 0x0
SiHostRestartTimeGap REG_DWORD 0x0
Userinit REG_SZ C:\Windows\system32\userinit.exe,
VMApplet REG_SZ SystemPropertiesPerformance.exe /pagefile
WinStationsDisabled REG_SZ 0
scremoveoption REG_SZ 0
DisableCAD REG_DWORD 0x1
LastLogOffEndTimePerfCounter REG_QWORD 0x7c3e010d
ShutdownFlags REG_DWORD 0x20a
DisableLockWorkstation REG_DWORD 0x0
DefaultPassword REG_SZ SecureHM
AutoAdminLogon REG_SZ 1
AutoLogonSID REG_SZ S-1-5-21-537427935-490066102-1511301751-1103
LastUsedUsername REG_SZ anirudh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\AlternateShells
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\GPExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\UserDefaults
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\AutoLogonChecked
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\VolatileUserMgrKey
Scheduled Tasks
powershell.exe C:\Users\anirudh\KillExplorer.ps1
explorer.exe "C:\DocumentsShare"
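The Winlogon query above shows AutoAdminLogon set to 1 with the account password stored in clear text in DefaultPassword, readable by any local user. The script below is an added example (not part of these notes and not winPEAS or PowerUp code) that audits that key from a defender's side and offers a guarded clean-up. It assumes it is run in PowerShell on the host being audited; reading the key needs no special rights, while the clean-up function needs an elevated session. The function names are this example's own.

```powershell
# Added example, not from the original notes and not winPEAS/PowerUp code.
# Read-only audit of the Winlogon key for stored autologon credentials, plus a
# clean-up that supports -WhatIf/-Confirm. Assumes it runs on the audited host.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutoLogonExposure {
    [CmdletBinding()]
    param([string]$Path = $WinlogonKey)

    # Get-ItemProperty returns every value under the key as properties of one object
    $wl = Get-ItemProperty -Path $Path -ErrorAction Stop

    # AutoAdminLogon is REG_SZ, so compare it as text rather than as a number
    $enabled  = ('{0}' -f $wl.AutoAdminLogon) -eq '1'
    $hasClear = -not [string]::IsNullOrEmpty($wl.DefaultPassword)

    # A clear-text DefaultPassword with autologon on is the worst case; a stale
    # DefaultPassword left behind after autologon was switched off still matters.
    $severity = 'None'
    if ($enabled) { $severity = 'Low' }
    if ($hasClear) { $severity = 'Medium' }
    if ($enabled -and $hasClear) { $severity = 'High' }

    [pscustomobject]@{
        AutoAdminLogon           = $enabled
        DefaultDomainName        = $wl.DefaultDomainName
        DefaultUserName          = $wl.DefaultUserName
        AutoLogonSID             = $wl.AutoLogonSID
        ClearTextDefaultPassword = $hasClear
        Severity                 = $severity
    }
}

function Clear-AutoLogonCredential {
    # ConfirmImpact High means the change prompts unless -Confirm:$false is given;
    # -WhatIf previews it without touching the registry.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([string]$Path = $WinlogonKey)

    if ($PSCmdlet.ShouldProcess($Path, 'Disable AutoAdminLogon and remove DefaultPassword')) {
        Set-ItemProperty -Path $Path -Name AutoAdminLogon -Value '0' -Type String
        Remove-ItemProperty -Path $Path -Name DefaultPassword -ErrorAction SilentlyContinue
    }
}

# Usage: report first, then preview the clean-up before running it for real
Get-AutoLogonExposure | Format-List
Clear-AutoLogonCredential -WhatIf
```

Where autologon is genuinely required (kiosks, lab hosts), the supported alternative is to keep the password out of the registry by storing it as the DefaultPassword LSA secret instead, which this read-only audit does not see; the registry value is the one any local user can read.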
Windows Vault
adPEAS
*Evil-WinRM* PS C:\Users\anirudh\Documents> upload adPEAS.ps1
Info: Uploading /home/kali/PEN-200/PG_PRACTICE/vault/adPEAS.ps1 to C:\Users\anirudh\Documents\adPEAS.ps1
Data: 4159704 bytes of 4159704 bytes copied
Info: Upload successful!
Delivery complete
Executing adPEAS
Domain
Add-Computer
PowerUp
*Evil-WinRM* PS C:\Users\anirudh\Documents> upload PowerUp.ps1
Info: Uploading /home/kali/PEN-200/PG_PRACTICE/vault/PowerUp.ps1 to C:\Users\anirudh\Documents\PowerUp.ps1
Data: 800772 bytes of 800772 bytes copied
Info: Upload successful!
Delivery complete
*Evil-WinRM* PS C:\Users\anirudh\Documents> . .\PowerUp.ps1
*Evil-WinRM* PS C:\Users\anirudh\Documents> Invoke-AllChecks
Privilege : SeBackupPrivilege
Attributes : SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
TokenHandle : 22880
ProcessId : 2012
Name : 2012
Check : Process Token Privileges
Privilege : SeRestorePrivilege
Attributes : SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
TokenHandle : 22880
ProcessId : 2012
Name : 2012
Check : Process Token Privileges
Access denied
At C:\Users\anirudh\Documents\PowerUp.ps1:2066 char:21
+ $VulnServices = Get-WmiObject -Class win32_service | Where-Object ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Get-WmiObject], ManagementException
+ FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
Access denied
At C:\Users\anirudh\Documents\PowerUp.ps1:2133 char:5
+ Get-WMIObject -Class win32_service | Where-Object {$_ -and $_.pat ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Get-WmiObject], ManagementException
+ FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
Cannot open Service Control Manager on computer '.'. This operation might require other privileges.
At C:\Users\anirudh\Documents\PowerUp.ps1:2189 char:5
+ Get-Service | Test-ServiceDaclPermission -PermissionSet 'ChangeCo ...
+ ~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-Service], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetServiceCommand
ModifiablePath : C:\Users\anirudh\AppData\Local\Microsoft\WindowsApps
IdentityReference : VAULT\anirudh
Permissions : {WriteOwner, Delete, WriteAttributes, Synchronize...}
%PATH% : C:\Users\anirudh\AppData\Local\Microsoft\WindowsApps
Name : C:\Users\anirudh\AppData\Local\Microsoft\WindowsApps
Check : %PATH% .dll Hijacks
AbuseFunction : Write-HijackDll -DllPath 'C:\Users\anirudh\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll'
DefaultDomainName : VAULT
DefaultUserName : anirudh
DefaultPassword : SecureHM
AltDefaultDomainName :
AltDefaultUserName :
AltDefaultPassword :
Check : Registry Autologons
TaskName : Killexplorer
TaskFilePath : @{ModifiablePath=C:\Users\anirudh\KillExplorer.ps1; IdentityReference=VAULT\anirudh; Permissions=System.Object[]}
TaskTrigger : <Triggers xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><TimeTrigger><Repetition><Interval>PT5M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition><StartBoundary>2021-11-19T01:05:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
Name : Killexplorer
Check : Modifiable Scheduled Task Files
TaskName : ShareCheck
TaskFilePath : @{ModifiablePath=C:\DocumentsShare; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
TaskTrigger : <Triggers xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><TimeTrigger><Repetition><Interval>PT1M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition><StartBoundary>2021-11-19T01:05:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
Name : ShareCheck
Check : Modifiable Scheduled Task Files
TaskName : ShareCheck
TaskFilePath : @{ModifiablePath=C:\DocumentsShare; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
TaskTrigger : <Triggers xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><TimeTrigger><Repetition><Interval>PT1M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition><StartBoundary>2021-11-19T01:05:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
Name : ShareCheck
Check : Modifiable Scheduled Task Files
TaskName : Server Initial Configuration Task
TaskFilePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
TaskTrigger : <Triggers xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><BootTrigger /></Triggers>
Name : Server Initial Configuration Task
Check : Modifiable Scheduled Task Files
TaskName : Server Initial Configuration Task
TaskFilePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
TaskTrigger : <Triggers xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><BootTrigger /></Triggers>
Name : Server Initial Configuration Task
Check : Modifiable Scheduled Task Files
TaskName : Proxy
TaskFilePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
TaskTrigger : <Triggers xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><BootTrigger id="AutochkProxy"><Delay>PT30M</Delay></BootTrigger></Triggers>
Name : Proxy
Check : Modifiable Scheduled Task Files
TaskName : Proxy
TaskFilePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
TaskTrigger : <Triggers xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><BootTrigger id="AutochkProxy"><Delay>PT30M</Delay></BootTrigger></Triggers>
Name : Proxy
Check : Modifiable Scheduled Task Files
TaskName : SpaceManagerTask
TaskFilePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
TaskTrigger : <Triggers xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><BootTrigger><Enabled>false</Enabled><Delay>PT2M</Delay></BootTrigger><WnfStateChangeTrigger><StateName>7510BCA33E1E8702</StateName></WnfStateChangeTrigger></Triggers>
Name : SpaceManagerTask
Check : Modifiable Scheduled Task Files
TaskName : SpaceManagerTask
TaskFilePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
TaskTrigger : <Triggers xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><BootTrigger><Enabled>false</Enabled><Delay>PT2M</Delay></BootTrigger><WnfStateChangeTrigger><StateName>7510BCA33E1E8702</StateName></WnfStateChangeTrigger></Triggers>
Name : SpaceManagerTask
Check : Modifiable Scheduled Task Files
TaskName : Recovery-Check
TaskFilePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
TaskTrigger : <Triggers xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><LogonTrigger /></Triggers>
Name : Recovery-Check
Check : Modifiable Scheduled Task Files
TaskName : Recovery-Check
TaskFilePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
TaskTrigger : <Triggers xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><LogonTrigger /></Triggers>
Name : Recovery-Check
Check : Modifiable Scheduled Task Files
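The "Modifiable Scheduled Task Files" findings above mix two very different things: the Killexplorer and ShareCheck tasks, whose script file and target folder are writable by the user or by BUILTIN\Users, and a set of built-in tasks reported only because BUILTIN\Users holds the default right to create files and folders in the root of the system drive (ModifiablePath=C:\), which says nothing about the task's own program. The script below is an added example (not part of these notes and not PowerUp code) that re-checks each task from a defender's side by resolving the program and any absolute path in its arguments and reading the ACL of that file and its immediate parent, so drive-root hits drop out. It assumes it runs on the audited host with rights to list tasks and read file ACLs; the principal list and the write-rights mask are constructed choices and the function names are this example's own.

```powershell
# Added example, not from the original notes and not PowerUp code.
# Audit scheduled task actions whose program or script file (or its parent folder)
# is writable by low-privileged principals. Assumes it runs on the audited host.

# Constructed list of principals treated as low-privileged; extend for your environment.
$LowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

# Rights that allow changing the file or its security; FullControl covers the rest.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteOwner, ChangePermissions, TakeOwnership, Delete, FullControl'

function Test-LowPrivWritable {
    param([string]$Path)
    $acl = Get-Acl -Path $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Bitwise test: any overlap with the write mask counts
        if (($ace.FileSystemRights -band $WriteRights) -ne 0) { return $true }
    }
    return $false
}

function Get-WritableTaskActions {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Candidates: the program itself plus any absolute path found in its arguments
            # (e.g. a .ps1 passed to powershell.exe, or a folder passed to explorer.exe)
            $candidates = @()
            if ($action.Execute)   { $candidates += $action.Execute }
            if ($action.Arguments) {
                $candidates += [regex]::Matches($action.Arguments, '[A-Za-z]:\\[^"\s]+') |
                    ForEach-Object { $_.Value }
            }
            foreach ($raw in $candidates) {
                $path = [System.Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
                # Bare names such as "explorer.exe" are not resolved against PATH here
                if (-not (Test-Path -LiteralPath $path)) { continue }

                if (Test-Path -LiteralPath $path -PathType Container) {
                    $fileWritable = Test-LowPrivWritable -Path $path
                    $dirWritable  = $false
                } else {
                    $fileWritable = Test-LowPrivWritable -Path $path
                    $dirWritable  = Test-LowPrivWritable -Path (Split-Path -Path $path -Parent)
                }

                if ($fileWritable -or $dirWritable) {
                    [pscustomobject]@{
                        TaskName     = $task.TaskName
                        TaskPath     = $task.TaskPath
                        RunAs        = $task.Principal.UserId
                        Target       = $path
                        FileWritable = $fileWritable
                        DirWritable  = $dirWritable
                    }
                }
            }
        }
    }
}

Get-WritableTaskActions | Format-Table -AutoSize
```

Any task listed here that runs as a more privileged account than the principal holding the write right is a privilege boundary that should be closed by moving the script or binary into a directory only administrators can write to and tightening the ACL; the drive-root entries from the PowerUp output will not appear unless the file really sits in C:\.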