- Find running services
sc query state= all
sc query state= all | find "SERVICE_NAME"
- Started Windows services - net start
- List of running processes with user
tasklist /v /fi "username ne djndfj" (where djndfj is a user that does not exist, so every process is listed)
tasklist /v /fi "username ne djndfj" | find /i "system" (processes running with SYSTEM privileges)
- Read files - type <filename>
- Create file - echo text > path\filename
- Version - ver
- Environment variables - set
- File permissions - cacls <filename>
- Lateral recon - ARP cache - arp -a
- Scheduled tasks - schtasks /query /fo LIST /v
- Processes with their services - tasklist /SVC
- Determine which services can be modified by any authenticated user - accesschk.exe -uwcqv "Authenticated Users" * /accepteula
- List all unquoted service paths - wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
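The unquoted-service-path check above, as an added PowerShell audit script (not from the original post) for administrators hardening a host: unlike the wmic/findstr one-liner, which also reports unquoted paths that contain no space, it only flags services whose unquoted executable path actually contains a space and prints the quoted path that should be set. It assumes an elevated PowerShell prompt on the host being audited; the function name is my own.

```powershell
# Audit services for unquoted executable paths containing spaces.
# Run from an elevated prompt on the host being checked.
function Get-UnquotedServicePath {
    [CmdletBinding()]
    param(
        # By default only auto-start services are reported, matching the
        # findstr /i "Auto" filter in the wmic one-liner; -IncludeManual shows all.
        [switch]$IncludeManual
    )

    $services = Get-CimInstance -ClassName Win32_Service
    if (-not $IncludeManual) {
        $services = $services | Where-Object { $_.StartMode -eq 'Auto' }
    }

    foreach ($svc in $services) {
        $path = $svc.PathName
        if ([string]::IsNullOrWhiteSpace($path)) { continue }

        # Already quoted: the executable is delimited, nothing to fix.
        if ($path.TrimStart().StartsWith('"')) { continue }

        # Separate the executable from its arguments: the executable ends at
        # the first ".exe" (case-insensitive). Services without ".exe" in the
        # path are checked as a whole.
        $exeEnd  = $path.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
        $exePath = if ($exeEnd -ge 0) { $path.Substring(0, $exeEnd + 4) } else { $path }

        # Only a space inside the unquoted executable path is a problem;
        # spaces in the arguments are harmless.
        if ($exePath -match '\s') {
            [pscustomobject]@{
                Name      = $svc.Name
                StartMode = $svc.StartMode
                RunAs     = $svc.StartName
                PathName  = $path
                # The remediation is to quote the executable; apply it with
                # sc config <Name> binPath= "<FixedPath>" after verifying the path.
                FixedPath = ('"{0}"{1}' -f $exePath, $path.Substring($exePath.Length))
            }
        }
    }
}

Get-UnquotedServicePath | Format-Table -AutoSize
```

An empty result means every auto-start service already has a quoted or space-free executable path; the RunAs column shows which flagged services run as LocalSystem and so deserve fixing first.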
Reference:
http://www.fuzzysecurity.com/tutorials/16.html
https://www.toshellandback.com/2015/11/24/ms-priv-esc/
VizSec