1. Run automated enumeration scripts
    1. Start with PowerUp/SharpUp
    2. winpeas.exe cmd wait
    3. Seatbelt.exe
    4. Run JAWS
  2. System information: figure out username, groups, OS, and kernel versions
    1. whoami /priv & net user <username> # user privileges and group membership
    2. OS info: systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
    3. Scheduled task
      1. schtasks /query /fo LIST /v
    4. Running services
      1. net start
  3. Stored credentials
    1. Password mining
      1. # find the string 'password' in all files of a given type
      2. findstr /si password *.txt
      3. findstr /si password *.xml
      4. findstr /si password *.ini
      5. # find files whose names suggest credentials or configuration
      6. dir /s *pass* == *cred* == *vnc* == *.config*
      7. # find 'password' in all files, printing line numbers
      8. findstr /spin "password" *.*
      9. dir /s *password*
  4. Try quick wins first
    1. Service exploits
      1. Unquoted service path
      2. Modifiable service binary path
      3. Named pipes
      4. DLL hijacking
    2. Registry exploits
      1. AlwaysInstallElevated
      2. Passwords can be found here too
    3. GUI & startup apps
    4. Scheduled tasks
    5. Installed apps
      1. Unattended installs
    6. Admin processes
      1. Find the version and search for a known exploit
  5. Find a writable folder
    1. # Default writable folders:
      1. C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
      2. C:\Windows\System32\spool\drivers\color
      3. C:\Windows\Tasks
      4. C:\Windows\tracing
  6. READ ALL THE ENUMERATION OUTPUT and add investigation points based on the findings.
  7. Look for installed programs in C:\ & Program Files
    1. c:\
    2. C:\users\public
  8. Non-standard Windows services
    1. Service binary permissions
    2. Service config permissions
    3. Install the service in a local VM if possible
    4. Procmon.exe
      1. .dll loads from insecure directories
      2. .exe loads from insecure directories
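One way to audit the unquoted service path quick win from step 4 and the service binary checks in step 8, as an added PowerShell example that is not part of this checklist (Get-UnquotedServicePath is my own name; it assumes PowerShell 5.1 or later on the host being audited, run as an administrator for full service visibility):

```powershell
# Added audit example (not from the original checklist): list services whose
# binary path is unquoted and contains a space, plus the ambiguous paths the
# Windows loader would try before the real executable.
function Get-UnquotedServicePath {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $path = $svc.PathName
        # Skip services with no path or whose executable is already quoted
        if (-not $path -or $path.StartsWith('"')) { continue }
        # Isolate the executable portion (drop any arguments after .exe)
        if ($path -notmatch '^(?<exe>.*?\.exe)') { continue }
        $exe = $Matches['exe']
        if ($exe -notmatch ' ') { continue }   # no space, no ambiguity
        # Each space splits off a candidate that is tried before the real one,
        # e.g. C:\Program.exe and then C:\Program Files\Vendor.exe
        $parts = $exe -split ' '
        $candidates = for ($i = 1; $i -lt $parts.Count; $i++) {
            (($parts[0..($i - 1)]) -join ' ') + '.exe'
        }
        [pscustomobject]@{
            Name       = $svc.Name
            StartMode  = $svc.StartMode
            RunAs      = $svc.StartName
            Path       = $path
            Candidates = $candidates -join '; '
        }
    }
}

# Report the findings; for each hit, check who can write to the parent folder of
# every candidate with icacls. Remediation is to quote the path, e.g.
#   sc.exe config <Name> binPath= "\"C:\Program Files\Vendor\svc.exe\" <args>"
Get-UnquotedServicePath | Format-Table -AutoSize
```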
  9. Interesting files available to user
  10. If you still can't find anything, go back and review the scan data again