System Details

The following commands can be used for enumerating various information about the Operating System that can in turn be used for further exploiting or elevating privileges.

Hostname

The following command can provide info on whether the system is a webserver, database or a domain controller,

hostname
Operating System Version & Architecture
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
Running Processes & Services
tasklist /SVC
Firewall Status and Rules
netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name=all
Scheduled Tasks
schtasks /query /fo LIST /v
Network Details

Its important to note the different NICs, their IP addresses and the various network settings that are configured into the system,

Installed Applications and Patch Levels
Readable/Writable Files and Directories
Unmounted Disks
Device Drivers & Kernel Modules
Binaries that Autoelevate

There is a registry setting "AlwaysInstalleElevated" which can allow the current user to run Windows installer packages with elevated privileges. In order to exploit this vulnerability, the HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE should have this key enabled.

if the setting is enabled, then an MSI can be designed and run to elevate our privileges.

PreviousPowershell HistoryNextApplications & Services

Last updated

Was this helpful?