System Details
The following commands can be used for enumerating various information about the Operating System that can in turn be used for further exploiting or elevating privileges.
Hostname
The following command can provide info on whether the system is a webserver, database or a domain controller,
hostname
Operating System Version & Architecture
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
Firewall Status and Rules
netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name=all
Network Details
Its important to note the different NICs, their IP addresses and the various network settings that are configured into the system,
ipconfig /all
route print
netstat -ano
Installed Applications and Patch Levels
wmic product get name, version, vendor
wmic qfe get Caption, Description, HotFixID, InstalledOn
Readable/Writable Files and Directories
accesschk.exe -uws "Everyone" "C:\Program Files"
#Powershell
Get-ChildItem "C:\Program Files" - Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}
Device Drivers & Kernel Modules
#Powershell
driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object
‘Display Name’, ‘Start Mode’, Path
Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}
Binaries that Autoelevate
There is a registry setting "AlwaysInstalleElevated" which can allow the current user to run Windows installer packages with elevated privileges. In order to exploit this vulnerability, the HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE should have this key enabled.
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
if the setting is enabled, then an MSI can be designed and run to elevate our privileges.
Last updated