April 1, 2016 · pentesting privesc

Basic Windows Privilege Escalation

As I have been working through my OSCP course I have had to reference several cheat sheets and blog posts for windows enumeration, and while its not a major inconvenience, I figured I would put what I already knew and what I have found in one location for everyone's benefit. This list is by no means complete and I will update it as I come across more information and from what is contributed in the comments. Note: this is heavily influenced by g0tmilk's Linux Privilege Escalation post, so the overall layout credit goes to him.

Operating System

What version of windows is running? Is it 32 or 64-bit?

ver
systeminfo
more c:\boot.ini
wmic os get osarchitecture

Hostname?

set computername
hostname

What drives are there? Are any being shared?

wmic logicaldisk get caption,description,providername
net share
wmic share
net use

What can the OS variables tell you?

more C:\WINDOWS\System32\drivers\etc\hosts
more C:\WINDOWS\System32\drivers\etc\networks
more C:\Users\username\AppData\Local\Temp
path
echo %path%
set
tree (massive output)
wmic context
wmic bootconfig
wmic environment
wmic loadorder
wmic startup

What patches are installed?

wmic qfe

What services are installed/running?

wmic service
net start
sc query

Network

What is the current network config? What is this machine talking to?

ipconfig /allcompartments /all
getmac
wmic nicconfig get description,IPAddress,MACaddress
route PRINT
netstat -ano
arp -a
nbtstat
wmic nicconfig get macaddress,caption

What is the firewall configuration?

netsh dump
netsh firewall show state
netsh firewall show config
netsh advfirewall firewall show rule name=all
netsh advfirewall export "firewallinfo.txt"

Is the machine on a domain?

set userdomain
net view /domain

Installed Software

What software is currently running? What is installed?

tasklist
tasklist /svc
tasklist /fi “pid eq PID”
tasklist /fi “username eq USERNAME”
qprocess
driverquery /v
assoc
wmic sysdriver
wmic product

User Info

Who is logged in? Who is an administrator? Who belongs to what group/domain?

set username
whoami
echo %username%
net users
wmic group
net localgroup
net localgroup administrators
qusers
qwinsta
wmic useraccount

Registry

What is in the registry?

reg query
reg query "HKLM\Software\Microsoft\Windows NT\Currentversion\Winlogon" /v LastUsedUsername

Hardware Information

What is installed in this PC?

wmic bios
wmic baseboard get manufacturer
wmic cdrom
wmic cpu list full
wmic csproduct