Particle42
Finding PE Vulns


Last updated 1 year ago

Although the fundamentals of choosing the right PE method were covered on the introductory page, a handful of scripts and executables can identify candidate vulnerabilities quickly. They fall into two groups: tools that look for misconfigurations (writable service binaries, weak permissions, stored credentials) and tools that look for missing patches (known kernel or component bugs with public exploits). Here is a short list of both kinds.

WinPeas

WinPEAS, the Windows counterpart of LinPEAS, is one of the most popular privilege escalation enumeration tools. It ships as a compiled executable (winPEAS.exe, with winPEASany.exe for either architecture) and as a batch-file fallback (winPEAS.bat). Its output is colour coded: red and yellow mark the findings most likely to be a usable PE vector, while the remaining colours mark informational results, so start with the red and yellow lines rather than reading the whole dump. Because it touches a great many files and registry keys it is noisy and easily flagged by AV, so prefer running it from memory or on an engagement where that is acceptable.

Sherlock Script

Sherlock is a PowerShell script that finds missing software patches corresponding to local privilege escalation vulnerabilities.

The script is a collection of functions, one per vulnerability (for example Find-MS16032), that compare the version of the affected system file against the patched version. You can call a specific function, or run every check at once with Find-AllVulns. Either append the line "Find-AllVulns" to the bottom of the script and execute it, or dot-source the script and call the function yourself. Sherlock only covers bulletins up to 2016; its author has since retired it in favour of Watson (below).

Powersploit - Powerup

Unlike Sherlock, PowerUp (part of PowerSploit's Privesc module) looks for privilege escalation vectors that rely on misconfigurations rather than missing patches: modifiable service binaries and service configurations, unquoted service paths, writable paths and registry autoruns, AlwaysInstallElevated, and stored credentials. Invoke-AllChecks runs every check in one go.

PowerUp has been ported to a C# executable named SharpUp, linked below; it is the better choice where PowerShell logging or script-block restrictions are in place.

PrivescCheck

PrivescCheck is another PowerShell script that hunts for misconfigurations on a Windows system that could be exploited to escalate privileges. Its checks overlap with PowerUp's, so running both is a cheap way to cross-check results.

Windows Exploit Suggester

This tool compares the target's patch level with the Microsoft Security Bulletin database to detect missing patches, and flags which of the missing bulletins have public exploits or Metasploit modules. It runs on the attacking machine, not the target: it needs the 'systeminfo' command output from the target (saved to a text file) and a copy of the bulletin spreadsheet, which the script downloads with the --update option. Note that Microsoft stopped publishing Security Bulletins in 2017, so the database, and therefore this tool, does not cover later patches; use Watson for newer systems.
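An added example, not taken from the Sherlock or Windows-Exploit-Suggester projects, that ties the Sherlock and Windows Exploit Suggester sections together: it runs all of Sherlock's checks on the target and keeps only the positive results, then saves the systeminfo output that Windows Exploit Suggester needs. It assumes Sherlock.ps1 has already been copied to C:\Windows\Temp on the target; the path and the output file name are placeholders.

```powershell
# Added example (not part of Sherlock or Windows-Exploit-Suggester).
# Assumes Sherlock.ps1 was copied to C:\Windows\Temp (placeholder path).

# Dot-source Sherlock so its functions (Find-AllVulns, Find-MS16032, ...) are
# loaded into the current session instead of running in a throw-away scope.
. C:\Windows\Temp\Sherlock.ps1

# Each check returns an object whose VulnStatus is "Appears Vulnerable" when the
# file version is older than the patched one; everything else is noise here.
$hits = Find-AllVulns | Where-Object { $_.VulnStatus -like 'Appears Vulnerable*' }
$hits | Select-Object Title, MSBulletin, CVEID, Link | Format-List

# Windows Exploit Suggester runs on the attacking host and only needs the text
# of `systeminfo`.  Force ASCII: Windows PowerShell's Out-File defaults to
# UTF-16, which the Python 2 script does not read as plain text.
systeminfo | Out-File -Encoding ascii -FilePath C:\Windows\Temp\sysinfo.txt
```

Copy sysinfo.txt back to the attacking host and run `windows-exploit-suggester.py --update` once to fetch the bulletin spreadsheet, then `windows-exploit-suggester.py --database <downloaded>-mssb.xls --systeminfo sysinfo.txt`. Treat both tools' output as a list of candidates: a "vulnerable" verdict is based on file versions or installed KBs and still has to be confirmed against the exact build and architecture before an exploit is tried.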

Just Another Windows Script (JAWS)

JAWS is another PowerShell script that identifies potential privilege escalation vectors on Windows. It is written to run on PowerShell 2.0, so it works on older hosts where the other scripts fail.

Rasta Watson

Watson is a .NET tool, by the author of Sherlock, that enumerates missing KBs on the host it runs on and suggests exploits for the corresponding privilege escalation vulnerabilities. It covers Windows 10 and Server 2016/2019 builds that Sherlock and Windows Exploit Suggester predate.

PowerUp Script

The PowerUp script can be used to identify service binaries that the current user is able to modify. On Kali it is available at the following location:

/usr/share/windows-resources/powersploit/Privesc/PowerUp.ps1

Copy the script to the Windows host, dot-source it, and run the following function to list modifiable service binaries:

Get-ModifiableServiceFile

PowerUp also has a function that abuses this finding: it backs up the service binary and replaces it with one that adds a local user named "john" with the password "Password123!" and puts that user in the local Administrators group (these are the defaults; -UserName, -Password and -LocalGroup override them, and -Command runs an arbitrary command instead). If the current user has sufficient permissions it also restarts the service; otherwise the payload runs the next time the service starts, typically after a reboot. Restore-ServiceBinary -Name 'xyz' puts the original binary back afterwards.

Install-ServiceBinary -Name 'xyz'
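As an added example (my own code, not PowerUp's), the following function reimplements the core of the check behind Get-ModifiableServiceFile, so that a tool's output can be cross-checked and the reasoning understood: for every service, extract the binary path from the configured command line, then look for an Allow ACE on that file granting a write-class right to any SID in the current token. Everything here uses standard .NET and CIM APIs; no paths or service names are assumed.

```powershell
# Added example, not part of PowerUp: find services whose binary the current
# user can modify, roughly what Get-ModifiableServiceFile reports.
function Find-WritableServiceBinary {
    # SIDs that apply to the current token: the user plus every group, so that
    # ACEs for Everyone, Authenticated Users or BUILTIN\Users are counted.
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

    # Any of these rights lets the file be replaced or its ACL rewritten:
    # WriteData | AppendData | Delete | WriteDAC | WriteOwner | GENERIC_ALL | GENERIC_WRITE
    $writeMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $raw = $svc.PathName
        if (-not $raw) { continue }
        $raw = $raw.Trim()

        # Quoted path: take what sits between the first pair of quotes.
        # Unquoted: take everything up to the first ".exe" so spaces in the path
        # survive (an unquoted path with spaces is a separate finding).
        if ($raw.StartsWith('"'))          { $exe = $raw.Split('"')[1] }
        elseif ($raw -match '^(.+?\.exe)') { $exe = $Matches[1] }
        else                               { $exe = ($raw -split '\s+')[0] }

        if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }
        try { $acl = Get-Acl -LiteralPath $exe } catch { continue }

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Compare on SIDs, not names, so localised or renamed groups still match.
            try {
                $aceSid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }
            if ($sids -notcontains $aceSid) { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }

            [pscustomobject]@{
                Service   = $svc.Name
                Binary    = $exe
                RunsAs    = $svc.StartName
                StartMode = $svc.StartMode
                Via       = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

# A service running as LocalSystem (or another privileged account) with a
# binary the current user can write is the finding worth abusing.
Find-WritableServiceBinary | Format-Table -AutoSize
```

Two caveats that also apply when reading tool output. First, a Deny ACE for one of the token's groups overrides an Allow for another, and this function does not evaluate denies, so confirm a hit by actually copying a file over the binary (after backing it up). Second, write access to the binary's directory, rather than the file, is enough to rename the original and drop a replacement; PowerUp's Get-ModifiablePath covers that case, this function does not.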
Tool links

  • PEASS-ng/winPEAS (carlospolop/PEASS-ng on GitHub)
  • Sherlock: PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities (rasta-mouse/Sherlock on GitHub)
  • PowerUp.ps1 (PowerShellMafia/PowerSploit on GitHub)
  • SharpUp: a C# port of various PowerUp functionality (GhostPack/SharpUp on GitHub)
  • PrivescCheck.ps1 (itm4n/PrivescCheck on GitHub)
  • Windows-Exploit-Suggester: compares a target's patch levels against the Microsoft vulnerability database to detect potential missing patches, and notes public exploits and Metasploit modules for the missing bulletins (AonCyberLabs/Windows-Exploit-Suggester on GitHub)
  • JAWS: Just Another Windows (Enum) Script (411Hall/JAWS on GitHub)
  • Watson: enumerate missing KBs and suggest exploits for useful privilege escalation vulnerabilities (rasta-mouse/Watson on GitHub)