6 box enum iis apppool
PowerUp.ps1
[*] Checking service permissions...
ServiceName : UsoSvc
Path : C:\WINDOWS\system32\svchost.exe -k netsvcs -p
StartName : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -ServiceName 'UsoSvc'
PEAS
[*] Enumerating installed KBs...
[!] CVE-2019-0836 : VULNERABLE
[>] https://exploit-db.com/exploits/46718
[>] https://decoder.cloud/2019/04/29/combinig-luafv-postluafvpostreadwrite-race-condition-pe-with-diaghub-collector-exploit-from-standard-user-to-system/
[!] CVE-2019-0841 : VULNERABLE
[>] https://github.com/rogue-kdc/CVE-2019-0841
[>] https://rastamouse.me/tags/cve-2019-0841/
[!] CVE-2019-1064 : VULNERABLE
[>] https://www.rythmstick.net/posts/cve-2019-1064/
[!] CVE-2019-1130 : VULNERABLE
[>] https://github.com/S3cur3Th1sSh1t/SharpByeBear
[!] CVE-2019-1253 : VULNERABLE
[>] https://github.com/padovah4ck/CVE-2019-1253
[>] https://github.com/sgabe/CVE-2019-1253
[!] CVE-2019-1315 : VULNERABLE
[>] https://offsec.almond.consulting/windows-error-reporting-arbitrary-file-move-eop.html
[!] CVE-2019-1385 : VULNERABLE
[>] https://www.youtube.com/watch?v=K6gHnr-VkAg
[!] CVE-2019-1388 : VULNERABLE
[>] https://github.com/jas502n/CVE-2019-1388
[!] CVE-2019-1405 : VULNERABLE
[>] https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/
[>] https://github.com/apt69/COMahawk
[!] CVE-2020-0668 : VULNERABLE
[>] https://github.com/itm4n/SysTracingPoc
[!] CVE-2020-0683 : VULNERABLE
[>] https://github.com/padovah4ck/CVE-2020-0683
[>] https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/PowershellScripts/cve-2020-0683.ps1
[!] CVE-2020-1013 : VULNERABLE
[>] https://www.gosecure.net/blog/2020/09/08/wsus-attacks-part-2-cve-2020-1013-a-windows-10-local-privilege-escalation-1-day/
[*] Finished. Found 12 potential vulnerabilities.
Looking for AutoLogon credentials
Some AutoLogon credentials were found
DefaultDomainName : SECNOTES
DefaultUserName : tyler
Home folders found
C:\Users\new
C:\Users\newsite : newsite [AllAccess]
C:\Users\tyler
C:\Users\wayne
Modifiable Services
Check if you can modify any service https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
LOOKS LIKE YOU CAN MODIFY OR START/STOP SOME SERVICE/s:
RmSvc: GenericExecute (Start/Stop)
UsoSvc: AllAccess, Start
BcastDVRUserService_4366e: GenericExecute (Start/Stop)
DevicePickerUserSvc_4366e: GenericExecute (Start/Stop)
DevicesFlowUserSvc_4366e: GenericExecute (Start/Stop)
PimIndexMaintenanceSvc_4366e: GenericExecute (Start/Stop)
PrintWorkflowUserSvc_4366e: GenericExecute (Start/Stop)
UnistoreSvc_4366e: GenericExecute (Start/Stop)
UserDataSvc_4366e: GenericExecute (Start/Stop)
WpnUserService_4366e: GenericExecute (Start/Stop)
Installed Applications --Via Program Files/Uninstall registry--
C:\Program Files\MySQL
C:\Program Files\Oracle
C:\Program Files\UNP
Current TCP Listening Ports
Protocol Local Address Local Port Remote Address Remote Port State Process ID Process Name
TCP 127.0.0.1 49670 127.0.0.1 49671 Established 2536 mysqld
TCP 127.0.0.1 49671 127.0.0.1 49670 Established 2536 mysqld
Looking for Linux shells/distributions - wsl.exe, bash.exe
C:\Windows\System32\wsl.exe
C:\Windows\System32\bash.exe
Analyzing Windows Files Files (limit 70)
C:\Users\All Users\MySQL\MySQL Server 8.0\my.ini
C:\Users\Default\NTUSER.DAT
C:\Users\newsite\NTUSER.DAT
C:\inetpub\wwwroot\web.config