6 box enum iis apppool

PowerUp.ps1

[*] Checking service permissions...
ServiceName   : UsoSvc
Path          : C:\WINDOWS\system32\svchost.exe -k netsvcs -p
StartName     : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -ServiceName 'UsoSvc'

PEAS

[*] Enumerating installed KBs...
 [!] CVE-2019-0836 : VULNERABLE
  [>] https://exploit-db.com/exploits/46718
  [>] https://decoder.cloud/2019/04/29/combinig-luafv-postluafvpostreadwrite-race-condition-pe-with-diaghub-collector-exploit-from-standard-user-to-system/

 [!] CVE-2019-0841 : VULNERABLE
  [>] https://github.com/rogue-kdc/CVE-2019-0841
  [>] https://rastamouse.me/tags/cve-2019-0841/

 [!] CVE-2019-1064 : VULNERABLE
  [>] https://www.rythmstick.net/posts/cve-2019-1064/

 [!] CVE-2019-1130 : VULNERABLE
  [>] https://github.com/S3cur3Th1sSh1t/SharpByeBear

 [!] CVE-2019-1253 : VULNERABLE
  [>] https://github.com/padovah4ck/CVE-2019-1253
  [>] https://github.com/sgabe/CVE-2019-1253

 [!] CVE-2019-1315 : VULNERABLE
  [>] https://offsec.almond.consulting/windows-error-reporting-arbitrary-file-move-eop.html

 [!] CVE-2019-1385 : VULNERABLE
  [>] https://www.youtube.com/watch?v=K6gHnr-VkAg

 [!] CVE-2019-1388 : VULNERABLE
  [>] https://github.com/jas502n/CVE-2019-1388

 [!] CVE-2019-1405 : VULNERABLE
  [>] https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/
  [>] https://github.com/apt69/COMahawk

 [!] CVE-2020-0668 : VULNERABLE
  [>] https://github.com/itm4n/SysTracingPoc

 [!] CVE-2020-0683 : VULNERABLE
  [>] https://github.com/padovah4ck/CVE-2020-0683
  [>] https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/PowershellScripts/cve-2020-0683.ps1

 [!] CVE-2020-1013 : VULNERABLE
  [>] https://www.gosecure.net/blog/2020/09/08/wsus-attacks-part-2-cve-2020-1013-a-windows-10-local-privilege-escalation-1-day/
[*] Finished. Found 12 potential vulnerabilities.

Looking for AutoLogon credentials
    Some AutoLogon credentials were found
    DefaultDomainName             :  SECNOTES
    DefaultUserName               :  tyler

Home folders found
C:\Users\new
C:\Users\newsite : newsite [AllAccess]
C:\Users\tyler
C:\Users\wayne

Modifiable Services
 Check if you can modify any service https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
    LOOKS LIKE YOU CAN MODIFY OR START/STOP SOME SERVICE/s:
    RmSvc: GenericExecute (Start/Stop)
    UsoSvc: AllAccess, Start
    BcastDVRUserService_4366e: GenericExecute (Start/Stop)
    DevicePickerUserSvc_4366e: GenericExecute (Start/Stop)
    DevicesFlowUserSvc_4366e: GenericExecute (Start/Stop)
    PimIndexMaintenanceSvc_4366e: GenericExecute (Start/Stop)
    PrintWorkflowUserSvc_4366e: GenericExecute (Start/Stop)
    UnistoreSvc_4366e: GenericExecute (Start/Stop)
    UserDataSvc_4366e: GenericExecute (Start/Stop)
    WpnUserService_4366e: GenericExecute (Start/Stop)

Installed Applications --Via Program Files/Uninstall registry--
    C:\Program Files\MySQL
    C:\Program Files\Oracle
    C:\Program Files\UNP

Current TCP Listening Ports
  Protocol   Local Address         Local Port    Remote Address        Remote Port     State             Process ID      Process Name
  TCP        127.0.0.1             49670         127.0.0.1             49671           Established       2536            mysqld
  TCP        127.0.0.1             49671         127.0.0.1             49670           Established       2536            mysqld
  
Looking for Linux shells/distributions - wsl.exe, bash.exe
    C:\Windows\System32\wsl.exe
    C:\Windows\System32\bash.exe

Analyzing Windows Files Files (limit 70)
    C:\Users\All Users\MySQL\MySQL Server 8.0\my.ini
    C:\Users\Default\NTUSER.DAT
    C:\Users\newsite\NTUSER.DAT
    C:\inetpub\wwwroot\web.config
