WinPEAS Output
((((((((((((((((((((((((((((((((
(((((((((((((((((((((((((((((((((((((((((((
((((((((((((((**********/##########.((((((((((((
(((((((((((/********************/#######.((((((((((
(((((((.******************/@@@@@/****######.(((((((((
(((((.********************@@@@@@@@@@/***,####.(((((((((
((((.********************/@@@@@%@@@@/********##(((((((((
.((############*********/%@@@@@@@@@/************.(((((((
.(##################(/******/@@@@@/***************.(((((
.(#########################(/**********************.((((
.(##############################(/*****************.((((
.(###################################(/************.((((
.(#######################################(*********.((((
.(#######(,.***.,(###################(..***.*******.((((
.(#######*(#####((##################((######/(*****.((((
.(###################(/***********(##############().((((
.((#####################/*******(################)((((((
.(((############################################).(((((
..(((##########################################).((((((
....((########################################).((((((
......((####################################).(((((((
(((((((((#################################).((((((((
(((((((((/##########################).((((((((
((((((((((((((((((((((((((((((((((((((
((((((((((((((((((((((((((((((
ADVISORY: winpeas should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it on your own networks and/or with the network owner's permission.
WinPEASng by @carlospolopm, makikvues(makikvues2[at]gmail[dot]com)
/---------------------------------------------------------------------------\
| Do you like PEASS? |
|---------------------------------------------------------------------------|
| Get latest WinPEAS : https://github.com/sponsors/carlospolop |
| Follow on Twitter : @carlospolopm |
| Respect on HTB : SirBroccoli & makikvues |
|---------------------------------------------------------------------------|
| Thank you! |
\---------------------------------------------------------------------------/
[+] Legend:
Red Indicates a special privilege over an object or something is misconfigured
Green Indicates that some protection is enabled or something is well configured
Cyan Indicates active users
Blue Indicates disabled users
LightYellow Indicates links
+ You can find a Windows local PE Checklist here: https://book.hacktricks.xyz/windows/checklist-windows-priv
ilege-escalation
Creating Dynamic lists, this could take a while, please wait...
- Loading YAML definitions file...
- Checking if domain...
- Getting Win32_UserAccount info...
Error while getting Win32_UserAccount info: System.Management.ManagementException: Access denied
at System.Management.ThreadDispatch.Start()
at System.Management.ManagementScope.Initialize()
at System.Management.ManagementObjectSearcher.Initialize()
at System.Management.ManagementObjectSearcher.Get()
at winPEAS.Checks.Checks.CreateDynamicLists()
- Creating current user groups list...
- Creating active users list (local only)...
[X] Exception: Object reference not set to an instance of an object.
- Creating disabled users list...
[X] Exception: Object reference not set to an instance of an object.
- Admin users list...
[X] Exception: Object reference not set to an instance of an object.
(Note: the three null-reference exceptions above appear to be downstream of the Win32_UserAccount WMI "Access denied" error — the active/disabled/admin user lists were never built, so later sections that depend on them report nothing. Treat those as tooling gaps, not as negative findings.)
- Creating AppLocker bypass list...
- Creating files/directories list for search...
------------------------------------¦ System Information ¦------------------------------------
+----------¦ Basic System Information
+ Check if the Windows versions is vulnerable to some known exploit https://book.hacktricks.xyz/windows/wind
ows-local-privilege-escalation#kernel-exploits
[X] Exception: Access denied
[X] Exception: Access denied
[X] Exception: The given key was not present in the dictionary.
+----------¦ Showing All Microsoft Updates
[X] Exception: Creating an instance of the COM component with CLSID {B699E5E8-67FF-4177-88B0-3684A3388BFB} from the IClassFactory failed due to the following error: 80070005 Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)).
(Update enumeration needs elevation here, so the patch level — and therefore which kernel exploits from the link above apply — could not be determined from this run. The PowerShell v5 version string 5.1.17763.1 further down indicates OS build 17763; use that as the starting point when checking for missing patches.)
+----------¦ System Last Shutdown Date/time (from Registry)
Last Shutdown Date/time : 10/14/2021 1:27:56 AM
+----------¦ User Environment Variables
+ Check for some passwords or keys in the env variables
COMPUTERNAME: MARKUP
USERPROFILE: C:\Users\daniel
HOMEPATH: \Users\daniel
LOCALAPPDATA: C:\Users\daniel\AppData\Local
PSModulePath: C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
PROCESSOR_ARCHITECTURE: AMD64
Path: C:\Program Files\OpenSSH-Win64;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\W
indowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\WindowsApps;
C:\Users\daniel\AppData\Local\Microsoft\WindowsApps;
CommonProgramFiles(x86): C:\Program Files (x86)\Common Files
ProgramFiles(x86): C:\Program Files (x86)
PROCESSOR_LEVEL: 6
TERM: xterm-256color
ProgramFiles: C:\Program Files
LOGNAME: daniel
HOMEDRIVE: C:
SSH_TTY: windows-pty
TMP: C:\Users\daniel\AppData\Local\Temp
SHELL: c:\windows\system32\cmd.exe
ALLUSERSPROFILE: C:\ProgramData
DriverData: C:\Windows\System32\Drivers\DriverData
APPDATA: C:\Users\daniel\AppData\Roaming
PROCESSOR_REVISION: 5507
USERNAME: daniel
CommonProgramW6432: C:\Program Files\Common Files
HOME: C:\Users\daniel
CommonProgramFiles: C:\Program Files\Common Files
OS: Windows_NT
PROCESSOR_IDENTIFIER: Intel64 Family 6 Model 85 Stepping 7, GenuineIntel
ComSpec: C:\Windows\system32\cmd.exe
USER: daniel
PROMPT: daniel@MARKUP $P$G
SystemDrive: C:
TEMP: C:\Users\daniel\AppData\Local\Temp
PUBLIC: C:\Users\Public
SystemRoot: C:\Windows
NUMBER_OF_PROCESSORS: 2
SSH_CONNECTION: 10.10.14.90 55134 10.129.42.45 22
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
ProgramData: C:\ProgramData
ProgramW6432: C:\Program Files
windir: C:\Windows
USERDOMAIN: WORKGROUP
SSH_CLIENT: 10.10.14.90 55134 22
+----------¦ System Environment Variables
+ Check for some passwords or keys in the env variables
ComSpec: C:\Windows\system32\cmd.exe
DriverData: C:\Windows\System32\Drivers\DriverData
OS: Windows_NT
Path: C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windo
ws\System32\OpenSSH\
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE: AMD64
PSModulePath: C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
TEMP: C:\Windows\TEMP
TMP: C:\Windows\TEMP
USERNAME: SYSTEM
windir: C:\Windows
NUMBER_OF_PROCESSORS: 2
PROCESSOR_LEVEL: 6
PROCESSOR_IDENTIFIER: Intel64 Family 6 Model 85 Stepping 7, GenuineIntel
PROCESSOR_REVISION: 5507
+----------¦ Audit Settings
+ Check what is being logged
Not Found
+----------¦ Audit Policy Settings - Classic & Advanced
+----------¦ WEF Settings
+ Windows Event Forwarding, is interesting to know were are sent the logs
Not Found
+----------¦ LAPS Settings
+ If installed, local administrator password is changed frequently and is restricted by ACL
LAPS Enabled: LAPS not installed
+----------¦ Wdigest
+ If enabled, plain-text crds could be stored in LSASS https://book.hacktricks.xyz/windows/stealing-credenti
als/credentials-protections#wdigest
Wdigest is not enabled
+----------¦ LSA Protection
+ If enabled, a driver is needed to read LSASS memory (If Secure Boot or UEFI, RunAsPPL cannot be disabled by delet
ing the registry key) https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#lsa-protection
LSA Protection is not enabled
+----------¦ Credentials Guard
+ If enabled, a driver is needed to read LSASS memory https://book.hacktricks.xyz/windows/stealing-credentia
ls/credentials-protections#credential-guard
CredentialGuard is not enabled
+----------¦ Cached Creds
+ If > 0, credentials will be cached in the registry and accessible by SYSTEM user https://book.hacktricks.x
yz/windows/stealing-credentials/credentials-protections#cached-credentials
cachedlogonscount is 10
+----------¦ Enumerating saved credentials in Registry (CurrentPass)
+----------¦ AV Information
[X] Exception: Invalid namespace
No AV was detected!!
Not Found
(Do not trust this negative: the query threw "Invalid namespace", so the AV check did not actually run — the WMI namespace WinPEAS queries for this is typically absent on Server SKUs. Windows Defender is present on this host: its AMSI provider MpOav.dll is registered under "Enumerating AMSI registered providers" and "C:\Program Files\Windows Defender" appears under Installed Applications. Assume real-time scanning and AMSI are active when dropping tooling.)
+----------¦ Windows Defender configuration
Local Settings
Group Policy Settings
+----------¦ UAC Status
+ If you are in the Administrators group check how to bypass the UAC https://book.hacktricks.xyz/windows/win
dows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
ConsentPromptBehaviorAdmin: 5 - PromptForNonWindowsBinaries
EnableLUA: 1
LocalAccountTokenFilterPolicy: 1
FilterAdministratorToken:
[*] LocalAccountTokenFilterPolicy set to 1.
[+] Any local account can be used for lateral movement. (With this value, UAC remote token filtering is disabled: a member of the local Administrators group authenticating over the network — SMB, WinRM, etc. — receives a full, unfiltered admin token rather than a filtered one. Combined with the built-in Administrator account being enabled (see "Display information about local users"), any recovered local admin credential gives full remote administrative access to this host.)
+----------¦ PowerShell Settings
PowerShell v2 Version: 2.0
PowerShell v5 Version: 5.1.17763.1
PowerShell Core Version:
Transcription Settings:
Module Logging Settings:
Scriptblock Logging Settings:
PS history file: C:\Users\daniel\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
PS history size: 1955B (non-empty — read it. PSReadLine history routinely captures credentials typed on command lines, and it is not subject to the transcription, module-logging or script-block-logging settings, all of which are unset above.)
+----------¦ Enumerating PowerShell Session Settings using the registry
You must be an administrator to run this check
+----------¦ PS default transcripts history
+ Read the PS history inside these files (if any)
+----------¦ HKCU Internet Settings
DisableCachingOfSSLPages: 0
IE5_UA_Backup_Flag: 5.0
PrivacyAdvanced: 1
SecureProtocols: 2688
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
CertificateRevocation: 1
ZonesSecurityUpgrade: System.Byte[]
+----------¦ HKLM Internet Settings
EnablePunycode: 1
+----------¦ Drives Information
+ Remember that you should search more info inside the other drives
A:\ (Type: Removable)
C:\ (Type: Fixed)(Filesystem: NTFS)(Available space: 6 GB)(Permissions: Users [AppendData/CreateDirectories])
+----------¦ Checking WSUS
+ https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#wsus
Not Found
+----------¦ Checking AlwaysInstallElevated
+ https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated
AlwaysInstallElevated isn't available
+----------¦ Enumerate LSA settings - auth packages included
auditbasedirectories : 0
auditbaseobjects : 0
Bounds : 00-30-00-00-00-20-00-00
crashonauditfail : 0
fullprivilegeauditing : 00
LimitBlankPasswordUse : 1
NoLmHash : 1
Security Packages : ""
Notification Packages : scecli
Authentication Packages : msv1_0
SecureBoot : 1
LsaPid : 644
LsaCfgFlagsDefault : 0
ProductType : 7
disabledomaincreds : 0
everyoneincludesanonymous : 0
forceguest : 0
restrictanonymous : 0
restrictanonymoussam : 1
+----------¦ Enumerating NTLM Settings
LanmanCompatibilityLevel : (Send NTLMv2 response only - Win7+ default)
NTLM Signing Settings
ClientRequireSigning : False
ClientNegotiateSigning : True
ServerRequireSigning : False
ServerNegotiateSigning : False
(Neither client nor server side requires NTLM signing. Whether this host is usable as an NTLM relay target also depends on SMB signing enforcement, which is a separate setting not shown in this output.)
LdapSigning : Negotiate signing (Negotiate signing)
Session Security
NTLMMinClientSec : 536870912 (Require 128-bit encryption)
NTLMMinServerSec : 536870912 (Require 128-bit encryption)
NTLM Auditing and Restrictions
InboundRestrictions : (Not defined)
OutboundRestrictions : (Not defined)
InboundAuditing : (Not defined)
OutboundExceptions :
+----------¦ Display Local Group Policy settings - local users/machine
+----------¦ Checking AppLocker effective policy
AppLockerPolicy version: 1
listing rules:
+----------¦ Enumerating Printers (WMI)
+----------¦ Enumerating Named Pipes
Name Sddl
eventlog O:LSG:LSD:P(A;;0x12
019b;;;WD)(A;;CC;;;OW)(A;;0x12008f;;;S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122)
vgauth-service O:BAG:SYD:P(A;;0x12
019f;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)
+----------¦ Enumerating AMSI registered providers
Provider: {2781761E-28E0-4109-99FE-B9D127C57AFE}
Path: "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2106.6-0\MpOav.dll"
=================================================================================================
+----------¦ Enumerating Sysmon configuration
You must be an administrator to run this check
+----------¦ Enumerating Sysmon process creation logs (1)
You must be an administrator to run this check
+----------¦ Installed .NET versions
------------------------------------¦ Interesting Events information ¦------------------------------------
+----------¦ Printing Explicit Credential Events (4648) for last 30 days - A process logged on using plaintext cred
entials
You must be an administrator to run this check
+----------¦ Printing Account Logon Events (4624) for the last 10 days.
You must be an administrator to run this check
+----------¦ Process creation events - searching logs (EID 4688) for sensitive data.
You must be an administrator to run this check
+----------¦ PowerShell events - script block logs (EID 4104) - searching for sensitive data.
[X] Exception: Attempted to perform an unauthorized operation.
+----------¦ Displaying Power off/on events for last 5 days
System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtQuery(EventLogHandle session, String path, String query, Int32 flags)
at System.Diagnostics.Eventing.Reader.EventLogReader..ctor(EventLogQuery eventQuery, EventBookmark bookmark)
at winPEAS.Helpers.MyUtils.GetEventLogReader(String path, String query, String computerName)
at winPEAS.Info.EventsInfo.Power.Power.<GetPowerEventInfos>d__0.MoveNext()
at winPEAS.Checks.EventsInfo.PowerOnEvents()
------------------------------------¦ Users Information ¦------------------------------------
+----------¦ Users
+ Check if you have some admin equivalent privileges https://book.hacktricks.xyz/windows/windows-local-privi
lege-escalation#users-and-groups
[X] Exception: Object reference not set to an instance of an object.
Current user: daniel
Current groups: Domain Users, Everyone, Web Admins, Builtin\Remote Management Users, Users, Network, Authenticated Users, This Organization, Local account, NTLM Authentication
(Builtin\Remote Management Users permits WinRM / PowerShell Remoting logon if the WinRM listener is enabled — not visible in this output — giving a second remote channel besides the SSH session in use. "Web Admins" is a non-default local group; the only web-related, user-writable location in this output is C:\xampp under Installed Applications, so check what that group actually grants.)
=================================================================================================
Not Found
+----------¦ Current User Idle Time
Current User : MARKUP\daniel
Idle Time : 01h:54m:58s:312ms
+----------¦ Display Tenant information (DsRegCmd.exe /status)
+----------¦ Current Token privileges
+ Check if you can escalate privilege using some enabled token https://book.hacktricks.xyz/windows/windows-l
ocal-privilege-escalation#token-manipulation
SeChangeNotifyPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
SeIncreaseWorkingSetPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
(Only the two default user privileges are present — no SeImpersonate/SeAssignPrimaryToken, SeBackup, SeDebug or SeLoadDriver — so token-abuse escalation paths (Potato-family, backup-privilege SAM reads, driver loading) are not available from this session. Focus on file/service permissions and stored credentials instead.)
+----------¦ Clipboard text
+----------¦ Logged users
[X] Exception: Access denied
Not Found
+----------¦ Display information about local users
Computer Name : MARKUP
User Name : Administrator
User Id : 500
Is Enabled : True
User Type : Administrator
Comment : Built-in account for administering the computer/domain
Last Logon : 4/19/2022 12:13:22 PM
Logons Count : 58
Password Last Set : 3/5/2020 10:55:19 AM
=================================================================================================
Computer Name : MARKUP
User Name : daniel
User Id : 1000
Is Enabled : True
User Type : User
Comment :
Last Logon : 4/19/2022 12:13:31 PM
Logons Count : 74
Password Last Set : 4/21/2020 5:09:42 AM
=================================================================================================
Computer Name : MARKUP
User Name : DefaultAccount
User Id : 503
Is Enabled : False
User Type : Guest
Comment : A user account managed by the system.
Last Logon : 1/1/1970 12:00:00 AM
Logons Count : 0
Password Last Set : 1/1/1970 12:00:00 AM
=================================================================================================
Computer Name : MARKUP
User Name : Guest
User Id : 501
Is Enabled : False
User Type : Guest
Comment : Built-in account for guest access to the computer/domain
Last Logon : 1/1/1970 12:00:00 AM
Logons Count : 0
Password Last Set : 1/1/1970 12:00:00 AM
=================================================================================================
Computer Name : MARKUP
User Name : WDAGUtilityAccount
User Id : 504
Is Enabled : False
User Type : Guest
Comment : A user account managed and used by the system for Windows Defender Application Guard scenarios.
Last Logon : 1/1/1970 12:00:00 AM
Logons Count : 0
Password Last Set : 1/1/1970 12:00:00 AM
=================================================================================================
+----------¦ RDP Sessions
Not Found
+----------¦ Ever logged users
[X] Exception: Access denied
Not Found
+----------¦ Home folders found
C:\Users\Administrator
C:\Users\All Users
C:\Users\daniel : daniel [AllAccess]
C:\Users\Default
C:\Users\Default User
C:\Users\Public
+----------¦ Looking for AutoLogon credentials
Some AutoLogon credentials were found
DefaultUserName : Administrator
DefaultPassword : Yhk}QE&j<3M
(HIGH: cleartext password for the built-in Administrator account — enabled, RID 500, see "Display information about local users" — stored in the Winlogon AutoAdminLogon registry values and readable by this unprivileged user. With LocalAccountTokenFilterPolicy=1 and OpenSSH Server auto-started on this host (see Services), this credential is directly usable for a full-privilege logon; verify it and check for reuse elsewhere. Remediation: disable AutoLogon, rotate the Administrator password, and delete the DefaultPassword value — if AutoLogon is genuinely required, store the password as an LSA secret rather than in the world-readable Winlogon key.)
+----------¦ Password Policies
+ Check for a possible brute-force
Domain: Builtin
SID: S-1-5-32
MaxPasswordAge: 42.22:47:31.7437440
MinPasswordAge: 00:00:00
MinPasswordLength: 0
PasswordHistoryLength: 0
PasswordProperties: 0
=================================================================================================
Domain: MARKUP
SID: S-1-5-21-103432172-3528565615-2854469147
MaxPasswordAge: 42.00:00:00
MinPasswordAge: 00:00:00
MinPasswordLength: 0
PasswordHistoryLength: 0
PasswordProperties: DOMAIN_PASSWORD_COMPLEX
(Minimum length 0 and no history: only complexity is enforced. The lockout threshold is not reported in this section — confirm it (e.g. `net accounts`) before any online password guessing against the local accounts.)
=================================================================================================
+----------¦ Print Logon Sessions
------------------------------------¦ Processes Information ¦------------------------------------
+----------¦ Interesting Processes -non Microsoft-
+ Check if any interesting processes for memory dump or if you could overwrite some binary running https://b
ook.hacktricks.xyz/windows/windows-local-privilege-escalation#running-processes
[X] Exception: Access denied
------------------------------------¦ Services Information ¦------------------------------------
[X] Exception: Cannot open Service Control Manager on computer '.'. This operation might require other privileges.
+----------¦ Interesting Services -non Microsoft-
+ Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths h
ttps://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
[X] Exception: Access denied
@arcsas.inf,%arcsas_ServiceName%;Adaptec SAS/SATA-II RAID Storport's Miniport Driver(PMC-Sierra, Inc. - @arcsas.inf,%arcsas_S
erviceName%;Adaptec SAS/SATA-II RAID Storport's Miniport Driver)[System32\drivers\arcsas.sys] - Boot
=================================================================================================
@netbvbda.inf,%vbd_srv_desc%;QLogic Network Adapter VBD(QLogic Corporation - @netbvbda.inf,%vbd_srv_desc%;QLogic Network Adap
ter VBD)[System32\drivers\bxvbda.sys] - Boot
=================================================================================================
@bxfcoe.inf,%BXFCOE.SVCDESC%;QLogic FCoE Offload driver(QLogic Corporation - @bxfcoe.inf,%BXFCOE.SVCDESC%;QLogic FCoE Offload
driver)[System32\drivers\bxfcoe.sys] - Boot
=================================================================================================
@bxois.inf,%BXOIS.SVCDESC%;QLogic Offload iSCSI Driver(QLogic Corporation - @bxois.inf,%BXOIS.SVCDESC%;QLogic Offload iSCSI D
river)[System32\drivers\bxois.sys] - Boot
=================================================================================================
@cht4vx64.inf,%cht4vbd.generic%;Chelsio Virtual Bus Driver(Chelsio Communications - @cht4vx64.inf,%cht4vbd.generic%;Chelsio V
irtual Bus Driver)[C:\Windows\System32\drivers\cht4vx64.sys] - System
=================================================================================================
@net1ix64.inf,%e1iExpress.Service.DispName%;Intel(R) PRO/1000 PCI Express Network Connection Driver I(Intel Corporation - @ne
t1ix64.inf,%e1iExpress.Service.DispName%;Intel(R) PRO/1000 PCI Express Network Connection Driver I)[C:\Windows\System3
2\drivers\e1i63x64.sys] - System
=================================================================================================
@netevbda.inf,%vbd_srv_desc%;QLogic 10 Gigabit Ethernet Adapter VBD(QLogic Corporation - @netevbda.inf,%vbd_srv_desc%;QLogic
10 Gigabit Ethernet Adapter VBD)[System32\drivers\evbda.sys] - Boot
=================================================================================================
@iastorav.inf,%iaStorAVC.DeviceDesc%;Intel Chipset SATA RAID Controller(Intel Corporation - @iastorav.inf,%iaStorAVC.DeviceDe
sc%;Intel Chipset SATA RAID Controller)[System32\drivers\iaStorAVC.sys] - Boot
=================================================================================================
@iastorv.inf,%*PNP0600.DeviceDesc%;Intel RAID Controller Windows 7(Intel Corporation - @iastorv.inf,%*PNP0600.DeviceDesc%;Int
el RAID Controller Windows 7)[System32\drivers\iaStorV.sys] - Boot
=================================================================================================
@mlx4_bus.inf,%Ibbus.ServiceDesc%;Mellanox InfiniBand Bus/AL (Filter Driver)(Mellanox - @mlx4_bus.inf,%Ibbus.ServiceDesc%;Mel
lanox InfiniBand Bus/AL (Filter Driver))[C:\Windows\System32\drivers\ibbus.sys] - System
=================================================================================================
@mlx4_bus.inf,%MLX4BUS.ServiceDesc%;Mellanox ConnectX Bus Enumerator(Mellanox - @mlx4_bus.inf,%MLX4BUS.ServiceDesc%;Mellanox
ConnectX Bus Enumerator)[C:\Windows\System32\drivers\mlx4_bus.sys] - System
=================================================================================================
mysql(mysql)[C:\xampp\mysql\bin\mysqld.exe --defaults-file=c:\xampp\mysql\bin\my.ini mysql] - Autoload -
No quotes and Space detected
File Permissions: daniel [AllAccess]
Possible DLL Hijacking in binary folder: C:\xampp\mysql\bin (daniel [AllAccess], Users [AppendData/CreateDirectories WriteData/CreateFiles])
(Reviewer note: the "unquoted path" flag is a false positive — the executable path C:\xampp\mysql\bin\mysqld.exe contains no spaces; the spaces are in the arguments. The real finding is the permissions: daniel has full control of the service binary and write access to its folder, so the binary can be replaced or a DLL planted. Triggering it needs a service restart: this user cannot open the Service Control Manager (see Services Information) and cannot modify any service, so it would take a reboot or an administrator restarting mysql. The account the service runs under is not shown in this output — confirm it (e.g. `sc qc mysql`) before relying on this path.)
=================================================================================================
@mlx4_bus.inf,%ndfltr.ServiceDesc%;NetworkDirect Service(Mellanox - @mlx4_bus.inf,%ndfltr.ServiceDesc%;NetworkDirect Service)
[C:\Windows\System32\drivers\ndfltr.sys] - System
=================================================================================================
@netqevbda.inf,%vbd_srv_desc%;QLogic FastLinQ Ethernet VBD(Cavium, Inc. - @netqevbda.inf,%vbd_srv_desc%;QLogic FastLinQ Ether
net VBD)[System32\drivers\qevbda.sys] - Boot
=================================================================================================
@qefcoe.inf,%QEFCOE.SVCDESC%;QLogic FCoE driver(Cavium, Inc. - @qefcoe.inf,%QEFCOE.SVCDESC%;QLogic FCoE driver)[Sy
stem32\drivers\qefcoe.sys] - Boot
=================================================================================================
@qeois.inf,%QEOIS.SVCDESC%;QLogic 40G iSCSI Driver(QLogic Corporation - @qeois.inf,%QEOIS.SVCDESC%;QLogic 40G iSCSI Driver)[
System32\drivers\qeois.sys] - Boot
=================================================================================================
@ql2300.inf,%ql2300i.DriverDesc%;QLogic Fibre Channel STOR Miniport Inbox Driver (wx64)(QLogic Corporation - @ql2300.inf,%ql2
300i.DriverDesc%;QLogic Fibre Channel STOR Miniport Inbox Driver (wx64))[System32\drivers\ql2300i.sys] - Boot
=================================================================================================
@ql40xx2i.inf,%ql40xx2i.DriverDesc%;QLogic iSCSI Miniport Inbox Driver(QLogic Corporation - @ql40xx2i.inf,%ql40xx2i.DriverDes
c%;QLogic iSCSI Miniport Inbox Driver)[System32\drivers\ql40xx2i.sys] - Boot
=================================================================================================
@qlfcoei.inf,%qlfcoei.DriverDesc%;QLogic [FCoE] STOR Miniport Inbox Driver (wx64)(QLogic Corporation - @qlfcoei.inf,%qlfcoei.
DriverDesc%;QLogic [FCoE] STOR Miniport Inbox Driver (wx64))[System32\drivers\qlfcoei.sys] - Boot
=================================================================================================
@netgrea.inf,%Svc-Mp-Gre-DispName%;WAN Miniport (GRE)(@netgrea.inf,%Svc-Mp-Gre-DispName%;WAN Miniport (GRE))[C:\Wi
ndows\System32\drivers\rasgre.sys] - System
@netgrea.inf,%Svc-Mp-Gre-DispName%;WAN Miniport (GRE)
=================================================================================================
OpenSSH Authentication Agent(OpenSSH Authentication Agent)["C:\Program Files\OpenSSH-Win64\ssh-agent.exe"] - S
ystem
Agent to hold private keys used for public key authentication.
=================================================================================================
OpenSSH SSH Server(OpenSSH SSH Server)["C:\Program Files\OpenSSH-Win64\sshd.exe"] - Autoload
SSH protocol based service to provide secure encrypted communications between two untrusted hosts over an insecure net
work.
=================================================================================================
@usbstor.inf,%USBSTOR.SvcDesc%;USB Mass Storage Driver(@usbstor.inf,%USBSTOR.SvcDesc%;USB Mass Storage Driver)[C:\
Windows\System32\drivers\USBSTOR.SYS] - System
=================================================================================================
@usbxhci.inf,%PCI\CC_0C0330.DeviceDesc%;USB xHCI Compliant Host Controller(@usbxhci.inf,%PCI\CC_0C0330.DeviceDesc%;USB xHCI C
ompliant Host Controller)[C:\Windows\System32\drivers\USBXHCI.SYS] - System
=================================================================================================
VMware Alias Manager and Ticket Service(VMware, Inc. - VMware Alias Manager and Ticket Service)["C:\Program Files\
VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"] - Autoload
Alias Manager and Ticket Service
=================================================================================================
@oem6.inf,%VM3DSERVICE_DISPLAYNAME%;VMware SVGA Helper Service(VMware, Inc. - @oem6.inf,%VM3DSERVICE_DISPLAYNAME%;VMware SVGA
Helper Service)[C:\Windows\system32\vm3dservice.exe] - Autoload
@oem6.inf,%VM3DSERVICE_DESCRIPTION%;Helps VMware SVGA driver by collecting and conveying user mode information
=================================================================================================
@oem0.inf,%loc.vmciServiceDisplayName%;VMware VMCI Bus Driver(VMware, Inc. - @oem0.inf,%loc.vmciServiceDisplayName%;VMware VM
CI Bus Driver)[System32\drivers\vmci.sys] - Boot
=================================================================================================
Memory Control Driver(VMware, Inc. - Memory Control Driver)[C:\Windows\system32\DRIVERS\vmmemctl.sys] - Autolo
ad
Driver to provide enhanced memory management of this virtual machine.
=================================================================================================
@oem5.inf,%VMMouse.SvcDesc%;VMware Pointing Device(VMware, Inc. - @oem5.inf,%VMMouse.SvcDesc%;VMware Pointing Device)[
C:\Windows\System32\drivers\vmmouse.sys] - System
=================================================================================================
VMware Tools(VMware, Inc. - VMware Tools)["C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"] - Autoload
Provides support for synchronizing objects between the host and guest operating systems.
=================================================================================================
@oem4.inf,%VMUsbMouse.SvcDesc%;VMware USB Pointing Device(VMware, Inc. - @oem4.inf,%VMUsbMouse.SvcDesc%;VMware USB Pointing D
evice)[C:\Windows\System32\drivers\vmusbmouse.sys] - System
=================================================================================================
@oem2.inf,%loc.vmxnet3.ndis6.DispName%;vmxnet3 NDIS 6 Ethernet Adapter Driver(VMware, Inc. - @oem2.inf,%loc.vmxnet3.ndis6.Dis
pName%;vmxnet3 NDIS 6 Ethernet Adapter Driver)[C:\Windows\System32\drivers\vmxnet3.sys] - System
=================================================================================================
vSockets Virtual Machine Communication Interface Sockets driver(VMware, Inc. - vSockets Virtual Machine Communication Interfa
ce Sockets driver)[system32\DRIVERS\vsock.sys] - Boot
vSockets Driver
=================================================================================================
@vstxraid.inf,%Driver.DeviceDesc%;VIA StorX Storage RAID Controller Windows Driver(VIA Corporation - @vstxraid.inf,%Driver.De
viceDesc%;VIA StorX Storage RAID Controller Windows Driver)[System32\drivers\vstxraid.sys] - Boot
=================================================================================================
@mlx4_bus.inf,%WinMad.ServiceDesc%;WinMad Service(Mellanox - @mlx4_bus.inf,%WinMad.ServiceDesc%;WinMad Service)[C:
\Windows\System32\drivers\winmad.sys] - System
=================================================================================================
@winusb.inf,%WINUSB_SvcName%;WinUsb Driver(@winusb.inf,%WINUSB_SvcName%;WinUsb Driver)[C:\Windows\System32\drivers
\WinUSB.SYS] - System
@winusb.inf,%WINUSB_SvcDesc%;Generic driver for USB devices
=================================================================================================
@mlx4_bus.inf,%WinVerbs.ServiceDesc%;WinVerbs Service(Mellanox - @mlx4_bus.inf,%WinVerbs.ServiceDesc%;WinVerbs Service)[
C:\Windows\System32\drivers\winverbs.sys] - System
=================================================================================================
+----------¦ Modifiable Services
+ Check if you can modify any service https://book.hacktricks.xyz/windows/windows-local-privilege-escalation
#services
You cannot modify any service
+----------¦ Looking if you can modify any service registry
+ Check if you can modify the registry of a service https://book.hacktricks.xyz/windows/windows-local-privil
ege-escalation#services-registry-permissions
[-] Looks like you cannot change the registry of any service...
+----------¦ Checking write permissions in PATH folders (DLL Hijacking)
+ Check for DLL Hijacking in PATH folders https://book.hacktricks.xyz/windows/windows-local-privilege-escala
tion#dll-hijacking
C:\Windows\system32
C:\Windows
C:\Windows\System32\Wbem
C:\Windows\System32\WindowsPowerShell\v1.0\
C:\Windows\System32\OpenSSH\
------------------------------------¦ Applications Information ¦------------------------------------
+----------¦ Current Active Window Application
[X] Exception: Object reference not set to an instance of an object.
+----------¦ Installed Applications --Via Program Files/Uninstall registry--
+ Check if you can modify installed software https://book.hacktricks.xyz/windows/windows-local-privilege-esc
alation#software
C:\Program Files\common files
C:\Program Files\desktop.ini
C:\Program Files\internet explorer
C:\Program Files\OpenSSH-Win64
C:\Program Files\PackageManagement
C:\Program Files\Uninstall Information
C:\Program Files\VMware
C:\Program Files\Windows Defender
C:\Program Files\Windows Defender Advanced Threat Protection
C:\Program Files\WindowsApps
C:\Program Files\WindowsPowerShell
C:\xampp(daniel [AllAccess], Users [AppendData/CreateDirectories WriteData/CreateFiles])
+----------¦ Autorun Applications
+ Check if you can modify other users' AutoRuns binaries (note that it is normal to be able to modify the HKCU registry and the binaries indicated there) https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries
Error getting autoruns from WMIC: System.Management.ManagementException: Access denied
at System.Management.ThreadDispatch.Start()
at System.Management.ManagementScope.Initialize()
at System.Management.ManagementObjectSearcher.Initialize()
at System.Management.ManagementObjectSearcher.Get()
at winPEAS.Info.ApplicationInfo.AutoRuns.GetAutoRunsWMIC()
RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Key: VMware User Process
Folder: C:\Program Files\VMware\VMware Tools
File: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe -n vmusr (Unquoted and Space detected)
=================================================================================================
RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Key: Common Startup
Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup (Unquoted and Space detected)
=================================================================================================
RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Key: Common Startup
Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup (Unquoted and Space detected)
=================================================================================================
RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Key: Userinit
Folder: C:\Windows\system32
File: C:\Windows\system32\userinit.exe,
=================================================================================================
RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Key: Shell
Folder: None (PATH Injection)
File: explorer.exe
=================================================================================================
RegPath: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
Key: AlternateShell
Folder: None (PATH Injection)
File: cmd.exe
=================================================================================================
RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Font Drivers
Key: Adobe Type Manager
Folder: None (PATH Injection)
File: atmfd.dll
=================================================================================================
RegPath: HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers
Key: Adobe Type Manager
Folder: None (PATH Injection)
File: atmfd.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: _wow64cpu
Folder: None (PATH Injection)
File: wow64cpu.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: _wowarmhw
Folder: None (PATH Injection)
File: wowarmhw.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: _xtajit
Folder: None (PATH Injection)
File: xtajit.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: advapi32
Folder: None (PATH Injection)
File: advapi32.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: clbcatq
Folder: None (PATH Injection)
File: clbcatq.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: combase
Folder: None (PATH Injection)
File: combase.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: COMDLG32
Folder: None (PATH Injection)
File: COMDLG32.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: coml2
Folder: None (PATH Injection)
File: coml2.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: DifxApi
Folder: None (PATH Injection)
File: difxapi.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: gdi32
Folder: None (PATH Injection)
File: gdi32.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: gdiplus
Folder: None (PATH Injection)
File: gdiplus.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: IMAGEHLP
Folder: None (PATH Injection)
File: IMAGEHLP.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: IMM32
Folder: None (PATH Injection)
File: IMM32.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: kernel32
Folder: None (PATH Injection)
File: kernel32.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: MSCTF
Folder: None (PATH Injection)
File: MSCTF.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: MSVCRT
Folder: None (PATH Injection)
File: MSVCRT.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: NORMALIZ
Folder: None (PATH Injection)
File: NORMALIZ.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: NSI
Folder: None (PATH Injection)
File: NSI.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: ole32
Folder: None (PATH Injection)
File: ole32.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: OLEAUT32
Folder: None (PATH Injection)
File: OLEAUT32.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: PSAPI
Folder: None (PATH Injection)
File: PSAPI.DLL
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: rpcrt4
Folder: None (PATH Injection)
File: rpcrt4.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: sechost
Folder: None (PATH Injection)
File: sechost.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: Setupapi
Folder: None (PATH Injection)
File: Setupapi.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: SHCORE
Folder: None (PATH Injection)
File: SHCORE.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: SHELL32
Folder: None (PATH Injection)
File: SHELL32.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: SHLWAPI
Folder: None (PATH Injection)
File: SHLWAPI.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: user32
Folder: None (PATH Injection)
File: user32.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: WLDAP32
Folder: None (PATH Injection)
File: WLDAP32.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: wow64
Folder: None (PATH Injection)
File: wow64.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: wow64win
Folder: None (PATH Injection)
File: wow64win.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: WS2_32
Folder: None (PATH Injection)
File: WS2_32.dll
=================================================================================================
RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}
Key: StubPath
Folder: None (PATH Injection)
File: U
=================================================================================================
RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}
Key: StubPath
Folder: C:\Windows\System32
File: C:\Windows\System32\Rundll32.exe C:\Windows\System32\mscori
es.dll,Install
=================================================================================================
RegPath: HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF708
20}
Key: StubPath
Folder: C:\Windows\SysWOW64
File: C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\mscori
es.dll,Install
=================================================================================================
Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (Unquoted and Space
detected)
=================================================================================================
Folder: C:\windows\tasks
FolderPerms: Authenticated Users [WriteData/CreateFiles]
=================================================================================================
Folder: C:\windows\system32\tasks
FolderPerms: Authenticated Users [WriteData/CreateFiles]
=================================================================================================
Folder: C:\windows
File: C:\windows\system.ini
=================================================================================================
Folder: C:\windows
File: C:\windows\win.ini
=================================================================================================
+----------¦ Scheduled Applications --Non Microsoft--
+ Check if you can modify other users' scheduled binaries https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries
+----------¦ Device Drivers --Non Microsoft--
+ Check 3rd party drivers for known vulnerabilities/rootkits. https://book.hacktricks.xyz/windows/windows-lo
cal-privilege-escalation#vulnerable-drivers
QLogic Gigabit Ethernet - 7.12.31.105 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bxvbda.sys
QLogic 10 GigE - 7.13.65.105 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\evbda.sys
NVIDIA nForce(TM) RAID Driver - 10.6.0.23 [NVIDIA Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\nvraid.
sys
QLogic FastLinQ Ethernet - 8.33.20.103 [Cavium, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\qevbda.sys
VMware vSockets Service - 9.8.17.0 build-16460229 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vsock
.sys
VMware PCI VMCI Bus Device - 9.8.16.0 build-14168184 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vm
ci.sys
Intel Matrix Storage Manager driver - 8.6.2.1019 [Intel Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\i
aStorV.sys
LSI SSS PCIe/Flash Driver (StorPort) - 2.10.61.81 [LSI Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\ls
i_sss.sys
QLogic BR-series FC/FCoE HBA Stor Miniport Driver - 3.2.26.1 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\Syste
m32\drivers\bfadi.sys
QLogic BR-series FC/FCoE HBA Stor Miniport Driver - 3.2.26.1 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\Syste
m32\drivers\bfadfcoei.sys
Emulex WS2K12 Storport Miniport Driver x64 - 11.0.247.8000 01/26/2016 WS2K12 64 bit x64 [Emulex]: \\.\GLOBALROOT\S
ystemRoot\System32\drivers\elxfcoe.sys
Emulex WS2K12 Storport Miniport Driver x64 - 11.4.225.8009 11/15/2017 WS2K12 64 bit x64 [Broadcom]: \\.\GLOBALROOT
\SystemRoot\System32\drivers\elxstor.sys
QLogic iSCSI offload driver - 8.33.5.2 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\qeois.sys
QLogic Fibre Channel Stor Miniport Driver - 9.1.15.1 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\driv
ers\ql2300i.sys
QLA40XX iSCSI Host Bus Adapter - 2.1.5.0 (STOREx wx64) [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\dr
ivers\ql40xx2i.sys
QLogic FCoE Stor Miniport Inbox Driver - 9.1.11.3 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers
\qlfcoei.sys
Chelsio Communications iSCSI Controller - 10.0.10011.16384 [Chelsio Communications]: \\.\GLOBALROOT\SystemRoot\Sys
tem32\drivers\cht4sx64.sys
LSI 3ware RAID Controller - WindowsBlue [LSI]: \\.\GLOBALROOT\SystemRoot\System32\drivers\3ware.sys
AHCI 1.3 Device Driver - 1.1.3.277 [Advanced Micro Devices]: \\.\GLOBALROOT\SystemRoot\System32\drivers\amdsata.sy
s
Storage Filter Driver - 1.1.3.277 [Advanced Micro Devices]: \\.\GLOBALROOT\SystemRoot\System32\drivers\amdxata.sys
AMD Technology AHCI Compatible Controller - 3.7.1540.43 [AMD Technologies Inc.]: \\.\GLOBALROOT\SystemRoot\System3
2\drivers\amdsbs.sys
Adaptec RAID Controller - 7.5.0.32048 [PMC-Sierra, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\arcsas.sys
Windows (R) Win 7 DDK driver - 10.0.10011.16384 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\I
tSas35i.sys
LSI Fusion-MPT SAS Driver (StorPort) - 1.34.03.83 [LSI Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\ls
i_sas.sys
Windows (R) Win 7 DDK driver - 10.0.10011.16384 [LSI Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_
sas2i.sys
MEGASAS RAID Controller Driver for Windows - 6.706.06.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\
drivers\megasas.sys
Windows (R) Win 7 DDK driver - 10.0.10011.16384 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\l
si_sas3i.sys
MEGASAS RAID Controller Driver for Windows - 6.714.05.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\
drivers\MegaSas2i.sys
MEGASAS RAID Controller Driver for Windows - 7.705.08.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\
drivers\megasas35i.sys
MegaRAID Software RAID - 15.02.2013.0129 [LSI Corporation, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\megas
r.sys
Marvell Flash Controller - 1.0.5.1016 [Marvell Semiconductor, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\
mvumis.sys
NVIDIA nForce(TM) SATA Driver - 10.6.0.23 [NVIDIA Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\nvstor.
sys
MEGASAS RAID Controller Driver for Windows - 6.805.03.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\
drivers\percsas2i.sys
Microsoft® Windows® Operating System - 6.1.6918.0 [Silicon Integrated Systems]: \\.\GLOBALROOT\SystemRoot\System32
\drivers\sisraid4.sys
Promise® SuperTrak EX Series - 5.1.0000.10 [Promise Technology, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\driver
s\stexstor.sys
VIA RAID driver - 7.0.9600,6352 [VIA Technologies Inc.,Ltd]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vsmraid.sy
s
VIA StorX RAID Controller Driver - 8.0.9200.8110 [VIA Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vst
xraid.sys
Intel(R) Rapid Storage Technology driver (inbox) - 15.44.0.1010 [Intel Corporation]: \\.\GLOBALROOT\SystemRoot\Sys
tem32\drivers\iaStorAVC.sys
PMC-Sierra HBA Controller - 1.3.0.10769 [PMC-Sierra]: \\.\GLOBALROOT\SystemRoot\System32\drivers\ADP80XX.SYS
Smart Array SAS/SATA Controller Media Driver - 8.0.4.0 Build 1 Media Driver (x86-64) [Hewlett-Packard Company]: \\
.\GLOBALROOT\SystemRoot\System32\drivers\HpSAMD.sys
MEGASAS RAID Controller Driver for Windows - 6.604.06.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\
drivers\percsas3i.sys
Microsoft® Windows® Operating System - 2.60.01 [Silicon Integrated Systems Corp.]: \\.\GLOBALROOT\SystemRoot\Syste
m32\drivers\SiSRaid2.sys
SmartRAID, SmartHBA PQI Storport Driver - 1.50.0.0 [Microsemi Corportation]: \\.\GLOBALROOT\SystemRoot\System32\dr
ivers\SmartSAMD.sys
QLogic FCoE offload driver - 8.33.4.2 [Cavium, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\qefcoe.sys
QLogic iSCSI offload driver - 7.14.7.2 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bxois.sys
QLogic FCoE Offload driver - 7.14.15.2 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bxfcoe.sys
VMware Pointing USB Device Driver - 12.5.10.0 build-14169150 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\dr
ivers\vmusbmouse.sys
VMware Pointing PS/2 Device Driver - 12.5.10.0 build-14169150 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\d
rivers\vmmouse.sys
VMware SVGA 3D - 8.17.02.0012 - build-17216209 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vm3dmp_l
oader.sys
VMware SVGA 3D - 8.17.02.0012 - build-17216209 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vm3dmp.s
ys
VMware PCIe Ethernet Adapter NDIS 6.30 (64-bit) - 1.8.17.0 build-17274505 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoo
t\System32\drivers\vmxnet3.sys
VMware server memory controller - 7.5.5.0 build-14903665 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVER
S\vmmemctl.sys
------------------------------------¦ Network Information ¦------------------------------------
+----------¦ Network Shares
[X] Exception: Access denied
+----------¦ Enumerate Network Mapped Drives (WMI)
+----------¦ Host File
+----------¦ Network Ifaces and known hosts
+ The masks are only for the IPv4 addresses
Ethernet0 2[00:50:56:96:AF:3C]: 10.129.42.45, fe80::6803:c2d5:abaa:8e82%4, dead:beef::6803:c2d5:abaa:8e82 / 255.255.0.0
Gateways: 10.129.0.1, fe80::250:56ff:feb9:51d8%4
DNSs: 1.1.1.1
Known hosts:
10.129.0.1 00-50-56-B9-51-D8 Dynamic
10.129.255.255 FF-FF-FF-FF-FF-FF Static
169.254.255.255 00-00-00-00-00-00 Invalid
224.0.0.22 01-00-5E-00-00-16 Static
224.0.0.251 01-00-5E-00-00-FB Static
224.0.0.252 01-00-5E-00-00-FC Static
255.255.255.255 FF-FF-FF-FF-FF-FF Static
Loopback Pseudo-Interface 1[]: 127.0.0.1, ::1 / 255.0.0.0
Known hosts:
224.0.0.22 00-00-00-00-00-00 Static
+----------¦ Current TCP Listening Ports
+ Check for services restricted from the outside
Enumerating IPv4 connections
Protocol Local Address Local Port Remote Address Remote Port State Process ID Process
Name
TCP 0.0.0.0 22 0.0.0.0 0 Listening 1604 sshd
TCP 0.0.0.0 80 0.0.0.0 0 Listening 4316 C:\xampp
\apache\bin\httpd.exe
TCP 0.0.0.0 135 0.0.0.0 0 Listening 872 svchost
TCP 0.0.0.0 443 0.0.0.0 0 Listening 4316 C:\xampp
\apache\bin\httpd.exe
TCP 0.0.0.0 445 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 3306 0.0.0.0 0 Listening 1648 mysqld
TCP 0.0.0.0 5985 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 47001 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 49664 0.0.0.0 0 Listening 484 wininit
TCP 0.0.0.0 49665 0.0.0.0 0 Listening 1020 svchost
TCP 0.0.0.0 49666 0.0.0.0 0 Listening 1044 svchost
TCP 0.0.0.0 49667 0.0.0.0 0 Listening 624 services
TCP 0.0.0.0 49668 0.0.0.0 0 Listening 644 lsass
TCP 10.129.42.45 22 10.10.14.90 55134 Established 1604 sshd
TCP 10.129.42.45 139 0.0.0.0 0 Listening 4 System
Enumerating IPv6 connections
Protocol Local Address Local Port Remote Address Remote Port
State Process ID Process Name
TCP [::] 22 [::] 0
Listening 1604 sshd
TCP [::] 80 [::] 0
Listening 4316 C:\xampp\apache\bin\httpd.exe
TCP [::] 135 [::] 0
Listening 872 svchost
TCP [::] 443 [::] 0
Listening 4316 C:\xampp\apache\bin\httpd.exe
TCP [::] 445 [::] 0
Listening 4 System
TCP [::] 3306 [::] 0
Listening 1648 mysqld
TCP [::] 5985 [::] 0
Listening 4 System
TCP [::] 47001 [::] 0
Listening 4 System
TCP [::] 49664 [::] 0
Listening 484 wininit
TCP [::] 49665 [::] 0
Listening 1020 svchost
TCP [::] 49666 [::] 0
Listening 1044 svchost
TCP [::] 49667 [::] 0
Listening 624 services
TCP [::] 49668 [::] 0
Listening 644 lsass
+----------¦ Current UDP Listening Ports
+ Check for services restricted from the outside
Enumerating IPv4 connections
Protocol Local Address Local Port Remote Address:Remote Port Process ID Process Name
UDP 0.0.0.0 123 *:* 1684 svchost
UDP 0.0.0.0 5353 *:* 1100 svchost
UDP 0.0.0.0 5355 *:* 1100 svchost
UDP 10.129.42.45 137 *:* 4 System
UDP 10.129.42.45 138 *:* 4 System
UDP 127.0.0.1 59914 *:* 2060 svchost
Enumerating IPv6 connections
Protocol Local Address Local Port Remote Address:Remote Port Process ID Process N
ame
UDP [::] 123 *:* 1684 svchost
UDP [::] 5353 *:* 1100 svchost
UDP [::] 5355 *:* 1100 svchost
+----------¦ Firewall Rules
+ Showing only DENY rules (there are always too many ALLOW rules to list)
Current Profiles: PUBLIC
FirewallEnabled (Domain): True
FirewallEnabled (Private): True
FirewallEnabled (Public): True
DENY rules:
+----------¦ DNS cached --limit 70--
Entry Name Data
[X] Exception: Access denied
+----------¦ Enumerating Internet settings, zone and proxy configuration
General Settings
Hive Key Value
HKCU DisableCachingOfSSLPages 0
HKCU IE5_UA_Backup_Flag 5.0
HKCU PrivacyAdvanced 1
HKCU SecureProtocols 2688
HKCU User Agent Mozilla/4.0 (compatible; MSIE 8.0; Win32)
HKCU CertificateRevocation 1
HKCU ZonesSecurityUpgrade System.Byte[]
HKLM EnablePunycode 1
Zone Maps
No URLs configured
Zone Auth Settings
No Zone Auth Settings
------------------------------------¦ Windows Credentials ¦------------------------------------
+----------¦ Checking Windows Vault
+ https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-manager-windows-vault
[ERROR] Unable to enumerate vaults. Error (0x1061)
Not Found
+----------¦ Checking Credential manager
+ https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-manager-windows-vault
[!] Warning: if a password contains non-printable characters, it is printed as a base64-encoded Unicode string
[!] Unable to enumerate credentials automatically, error: 'Win32Exception: System.ComponentModel.Win32Exception (0x80004005): A
specified logon session does not exist. It may already have been terminated'
Please run:
cmdkey /list
+----------¦ Saved RDP connections
Not Found
+----------¦ Remote Desktop Server/Client Settings
RDP Server Settings
Network Level Authentication :
Block Clipboard Redirection :
Block COM Port Redirection :
Block Drive Redirection :
Block LPT Port Redirection :
Block PnP Device Redirection :
Block Printer Redirection :
Allow Smart Card Redirection :
RDP Client Settings
Disable Password Saving : True
Restricted Remote Administration : False
+----------¦ Recently run commands
Not Found
+----------¦ Checking for DPAPI Master Keys
+ https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi
Not Found
+----------¦ Checking for DPAPI Credential Files
+ https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi
Not Found
+----------¦ Checking for RDCMan Settings Files
+ Dump credentials from Remote Desktop Connection Manager https://book.hacktricks.xyz/windows/windows-local-
privilege-escalation#remote-desktop-credential-manager
Not Found
+----------¦ Looking for Kerberos tickets
+ https://book.hacktricks.xyz/pentesting/pentesting-kerberos-88
[X] Exception: Object reference not set to an instance of an object.
Not Found
+----------¦ Looking for saved Wifi credentials
[X] Exception: Unable to load DLL 'wlanapi.dll': The specified module could not be found. (Exception from HRESULT: 0x800
7007E)
Enumerating WLAN profiles via wlanapi.dll failed; falling back to enumeration with 'netsh'
No saved Wifi credentials found
+----------¦ Looking AppCmd.exe
+ https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#appcmd-exe
Not Found
You must be an administrator to run this check
+----------¦ Looking SSClient.exe
+ https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#scclient-sccm
Not Found
+----------¦ Enumerating SSCM - System Center Configuration Manager settings
+----------¦ Enumerating Security Packages Credentials
[X] Exception: Couldn't parse nt_resp. Len: 0 Message bytes: 4e544c4d535350000300000001000100640000000000000065000000000
000005800000000000000580000000c000c00580000000000000065000000058a80a20a0063450000000fcad2cb0c66a1eb77e31bdd966fa74bd04d0041005200
4b005500500000
------------------------------------¦ Browsers Information ¦------------------------------------
+----------¦ Showing saved credentials for Firefox
Info: if no credentials were listed, you might need to close the browser and try again.
+----------¦ Looking for Firefox DBs
+ https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history
Not Found
+----------¦ Looking for GET credentials in Firefox history
+ https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history
Not Found
+----------¦ Showing saved credentials for Chrome
Info: if no credentials were listed, you might need to close the browser and try again.
+----------¦ Looking for Chrome DBs
+ https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history
Not Found
+----------¦ Looking for GET credentials in Chrome history
+ https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history
Not Found
+----------¦ Chrome bookmarks
Not Found
+----------¦ Showing saved credentials for Opera
Info: if no credentials were listed, you might need to close the browser and try again.
+----------¦ Showing saved credentials for Brave Browser
Info: if no credentials were listed, you might need to close the browser and try again.
+----------¦ Showing saved credentials for Internet Explorer (unsupported)
Info: if no credentials were listed, you might need to close the browser and try again.
+----------¦ Current IE tabs
+ https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history
[X] Exception: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. --
-> System.Runtime.InteropServices.COMException: Class not registered (Exception from HRESULT: 0x80040154 (REGDB_E_CLASSNOTREG))
--- End of inner exception stack trace ---
at System.RuntimeType.InvokeDispMethod(String name, BindingFlags invokeAttr, Object target, Object[] args, Boolean[] byrefModi
fiers, Int32 culture, String[] namedParameters)
at System.RuntimeType.InvokeMember(String name, BindingFlags bindingFlags, Binder binder, Object target, Object[] providedArgs
, ParameterModifier[] modifiers, CultureInfo culture, String[] namedParams)
at winPEAS.KnownFileCreds.Browsers.InternetExplorer.GetCurrentIETabs()
Not Found
+----------¦ Looking for GET credentials in IE history
+ https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history
+----------¦ IE favorites
Not Found
------------------------------------¦ Interesting files and registry ¦------------------------------------
+----------¦ Putty Sessions
Not Found
+----------¦ Putty SSH Host keys
Not Found
+----------¦ SSH keys in registry
+ If you find anything here, follow the link to learn how to decrypt the SSH keys https://book.hacktricks.xy
z/windows/windows-local-privilege-escalation#ssh-keys-in-registry
Not Found
+----------¦ SuperPutty configuration files
+----------¦ Enumerating Office 365 endpoints synced by OneDrive.
SID: S-1-5-19
=================================================================================================
SID: S-1-5-20
=================================================================================================
SID: S-1-5-21-103432172-3528565615-2854469147-1000
=================================================================================================
SID: S-1-5-21-103432172-3528565615-2854469147-500
=================================================================================================
SID: S-1-5-18
=================================================================================================
+----------¦ Cloud Credentials
+ https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
Not Found
+----------¦ Unattend Files
+----------¦ Looking for common SAM & SYSTEM backups
+----------¦ Looking for McAfee Sitelist.xml Files
+----------¦ Cached GPP Passwords
+----------¦ Looking for possible regs with creds
+ https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#inside-the-registry
Not Found
Not Found
Not Found
Not Found
+----------¦ Looking for possible password files in users homes
+ https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
+----------¦ Searching for Oracle SQL Developer config files
+----------¦ Slack files & directories
Note: if anything is listed here, check it manually
+----------¦ Looking for LOL Binaries and Scripts (can be slow)
+ https://lolbas-project.github.io/
[!] Check skipped, if you want to run it, please specify '-lolbas' argument
+----------¦ Enumerating Outlook download files
+----------¦ Enumerating machine and user certificate files
+----------¦ Searching known files that can contain creds in home
+ https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
+----------¦ Looking for documents --limit 100--
Not Found
+----------¦ Office Most Recent Files -- limit 50
Last Access Date User Application Document
+----------¦ Recent files --limit 70--
Not Found
+----------¦ Looking inside the Recycle Bin for creds files
+ https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
Not Found
+----------¦ Searching hidden files or folders in C:\Users home (can be slow)
C:\Users\Default User
C:\Users\Default
C:\Users\All Users
+----------¦ Searching interesting files in other users home directories (can be slow)
[X] Exception: Object reference not set to an instance of an object. (The check aborted on this exception, so this section is inconclusive rather than clean: other users' home directories were not enumerated and should be reviewed manually.)
+----------¦ Searching executable files in non-default folders with write (equivalent) permissions (can be slow)
m
File Permissions "C:\xampp\src\xampp-usb-lite\setup_xampp.bat": daniel [AllAccess]
File Permissions "C:\xampp\src\xampp-usb-lite\make-usb-xampp.bat": daniel [AllAccess]
File Permissions "C:\xampp\src\xampp-nsi-installer\xa-icons\portcheck.bat": daniel [AllAccess]
File Permissions "C:\xampp\php\phpunit.bat": daniel [AllAccess]
File Permissions "C:\xampp\php\phpdbg.exe": daniel [AllAccess]
File Permissions "C:\xampp\php\php.exe": daniel [AllAccess]
File Permissions "C:\xampp\php\php-win.exe": daniel [AllAccess]
File Permissions "C:\xampp\php\php-cgi.exe": daniel [AllAccess]
File Permissions "C:\xampp\php\pecl.bat": daniel [AllAccess]
File Permissions "C:\xampp\php\peardev.bat": daniel [AllAccess]
File Permissions "C:\xampp\php\pear.bat": daniel [AllAccess]
File Permissions "C:\xampp\php\pciconf.bat": daniel [AllAccess]
File Permissions "C:\xampp\php\pci.bat": daniel [AllAccess]
File Permissions "C:\xampp\php\deplister.exe": daniel [AllAccess]
File Permissions "C:\xampp\php\windowsXamppPhp\phpdbg.exe": daniel [AllAccess]
File Permissions "C:\xampp\php\windowsXamppPhp\php.exe": daniel [AllAccess]
File Permissions "C:\xampp\php\windowsXamppPhp\php-win.exe": daniel [AllAccess]
File Permissions "C:\xampp\php\windowsXamppPhp\php-cgi.exe": daniel [AllAccess]
File Permissions "C:\xampp\php\windowsXamppPhp\deplister.exe": daniel [AllAccess]
File Permissions "C:\xampp\php\scripts\pciconf.bat": daniel [AllAccess]
File Permissions "C:\xampp\php\scripts\compatinfo.bat": daniel [AllAccess]
File Permissions "C:\xampp\php\extras\openssl\openssl.exe": daniel [AllAccess]
File Permissions "C:\xampp\mysql\resetroot.bat": daniel [AllAccess]
File Permissions "C:\xampp\mysql\mysql_uninstallservice.bat": daniel [AllAccess]
File Permissions "C:\xampp\mysql\mysql_installservice.bat": daniel [AllAccess]
File Permissions "C:\xampp\mysql\scripts\ctl.bat": daniel [AllAccess]
File Permissions "C:\xampp\mysql\bin\sst_dump.exe": daniel [AllAccess]
File Permissions "C:\xampp\mysql\bin\replace.exe": daniel [AllAccess]
File Permissions "C:\xampp\mysql\bin\perror.exe": daniel [AllAccess]
File Permissions "C:\xampp\mysql\bin\my_print_defaults.exe": daniel [AllAccess]
File Permissions "C:\xampp\mysql\bin\mysql_upgrade_wizard.exe": daniel [AllAccess]
File Permissions "C:\xampp\mysql\bin\mysql_upgrade_service.exe": daniel [AllAccess]
File Permissions "C:\xampp\mysql\bin\mysql_upgrade.exe": daniel [AllAccess]
File Permissions "C:\xampp\mysql\bin\mysql_tzinfo_to_sql.exe": daniel [AllAccess]
File Permissions "C:\xampp\mysql\bin\mysql_plugin.exe": daniel [AllAccess]
File Permissions "C:\xampp\mysql\bin\mysql_ldb.exe": daniel [AllAccess]
File Permissions "C:\xampp\mysql\bin\mysql_install_db.exe": daniel [AllAccess]
File Permissions "C:\xampp\mysql\bin\mysqlslap.exe": daniel [AllAccess]
File Permissions "C:\xampp\mysql\bin\mysqlshow.exe": daniel [AllAccess]
File Permissions "C:\xampp\mysql\bin\mysqlimport.exe": daniel [AllAccess]
File Permissions "C:\xampp\mysql\bin\mysqldump.exe": daniel [AllAccess]
File Permissions "C:\xampp\mysql\bin\mysqld.exe": daniel [AllAccess]
File Permissions "C:\xampp\mysql\bin\mysqlcheck.exe": daniel [AllAccess]
File Permissions "C:\xampp\mysql\bin\mysqlbinlog.exe": daniel [AllAccess]
File Permissions "C:\xampp\mysql\bin\mysqladmin.exe": daniel [AllAccess]
File Permissions "C:\xampp\mysql\bin\mysql.exe": daniel [AllAccess]
File Permissions "C:\xampp\mysql\bin\myisam_ftdump.exe": daniel [AllAccess]
File Permissions "C:\xampp\mysql\bin\myisampack.exe": daniel [AllAccess]
File Permissions "C:\xampp\mysql\bin\myisamlog.exe": daniel [AllAccess]
File Permissions "C:\xampp\mysql\bin\myisamchk.exe": daniel [AllAccess]
File Permissions "C:\xampp\mysql\bin\mbstream.exe": daniel [AllAccess]
File Permissions "C:\xampp\mysql\bin\mariabackup.exe": daniel [AllAccess]
File Permissions "C:\xampp\mysql\bin\innochecksum.exe": daniel [AllAccess]
File Permissions "C:\xampp\mysql\bin\aria_read_log.exe": daniel [AllAccess]
File Permissions "C:\xampp\mysql\bin\aria_pack.exe": daniel [AllAccess]
File Permissions "C:\xampp\mysql\bin\aria_ftdump.exe": daniel [AllAccess]
File Permissions "C:\xampp\mysql\bin\aria_dump_log.exe": daniel [AllAccess]
File Permissions "C:\xampp\mysql\bin\aria_chk.exe": daniel [AllAccess]
File Permissions "C:\xampp\apache\makecert.bat": daniel [AllAccess]
File Permissions "C:\xampp\apache\apache_uninstallservice.bat": daniel [AllAccess]
File Permissions "C:\xampp\apache\apache_installservice.bat": daniel [AllAccess]
File Permissions "C:\xampp\apache\scripts\ctl.bat": daniel [AllAccess]
File Permissions "C:\xampp\apache\bin\wintty.exe": daniel [AllAccess]
File Permissions "C:\xampp\apache\bin\rotatelogs.exe": daniel [AllAccess]
File Permissions "C:\xampp\apache\bin\pv.exe": daniel [AllAccess]
File Permissions "C:\xampp\apache\bin\openssl.exe": daniel [AllAccess]
File Permissions "C:\xampp\apache\bin\logresolve.exe": daniel [AllAccess]
File Permissions "C:\xampp\apache\bin\httxt2dbm.exe": daniel [AllAccess]
File Permissions "C:\xampp\apache\bin\httpd.exe": daniel [AllAccess]
File Permissions "C:\xampp\apache\bin\htpasswd.exe": daniel [AllAccess]
File Permissions "C:\xampp\apache\bin\htdigest.exe": daniel [AllAccess]
File Permissions "C:\xampp\apache\bin\htdbm.exe": daniel [AllAccess]
File Permissions "C:\xampp\apache\bin\htcacheclean.exe": daniel [AllAccess]
File Permissions "C:\xampp\apache\bin\curl.exe": daniel [AllAccess]
File Permissions "C:\xampp\apache\bin\ApacheMonitor.exe": daniel [AllAccess]
File Permissions "C:\xampp\apache\bin\abs.exe": daniel [AllAccess]
File Permissions "C:\xampp\apache\bin\ab.exe": daniel [AllAccess]
File Permissions "C:\xampp\xampp_stop.exe": daniel [AllAccess]
File Permissions "C:\xampp\xampp_start.exe": daniel [AllAccess]
File Permissions "C:\xampp\xampp_shell.bat": daniel [AllAccess]
File Permissions "C:\xampp\xampp-control.exe": daniel [AllAccess]
File Permissions "C:\xampp\uninstall.exe": daniel [AllAccess]
File Permissions "C:\xampp\test_php.bat": daniel [AllAccess]
File Permissions "C:\xampp\setup_xampp.bat": daniel [AllAccess]
File Permissions "C:\xampp\service.exe": daniel [AllAccess]
File Permissions "C:\xampp\mysql_stop.bat": daniel [AllAccess]
File Permissions "C:\xampp\mysql_start.bat": daniel [AllAccess]
File Permissions "C:\xampp\mercury_stop.bat": daniel [AllAccess]
File Permissions "C:\xampp\mercury_start.bat": daniel [AllAccess]
File Permissions "C:\xampp\killprocess.bat": daniel [AllAccess]
File Permissions "C:\xampp\filezilla_stop.bat": daniel [AllAccess]
File Permissions "C:\xampp\filezilla_start.bat": daniel [AllAccess]
File Permissions "C:\xampp\filezilla_setup.bat": daniel [AllAccess]
File Permissions "C:\xampp\ctlscript.bat": daniel [AllAccess]
File Permissions "C:\xampp\catalina_stop.bat": daniel [AllAccess]
File Permissions "C:\xampp\catalina_start.bat": daniel [AllAccess]
File Permissions "C:\xampp\catalina_service.bat": daniel [AllAccess]
File Permissions "C:\xampp\apache_stop.bat": daniel [AllAccess]
File Permissions "C:\xampp\apache_start.bat": daniel [AllAccess]
File Permissions "C:\Users\daniel\Desktop\winPEAS.exe": daniel [AllAccess]
File Permissions "C:\Log-Management\job.bat": Users [AllAccess]
File Permissions "C:\xampp\install\portcheck.bat": daniel [AllAccess]
File Permissions "C:\xampp\install\awk.exe": daniel [AllAccess]
File Permissions "C:\xampp\mailtodisk\mailtodisk.exe": daniel [AllAccess]
+----------¦ Looking for Linux shells/distributions - wsl.exe, bash.exe
------------------------------------¦ File Analysis ¦------------------------------------
/---------------------------------------------------------------------------\
| Do you like PEASS? |
|---------------------------------------------------------------------------|
| Get latest WinPEAS : https://github.com/sponsors/carlospolop |
| Follow on Twitter : @carlospolopm |
| Respect on HTB : SirBroccoli & makikvues |
|---------------------------------------------------------------------------|
| Thank you! |
\---------------------------------------------------------------------------/
WARNING
In the real output, important information was marked in red, but colours cannot be shown here, unfortunately. In this section the entry that stands out is C:\Log-Management\job.bat, which is writable by the built-in Users group, whereas every other writable executable listed is writable by "daniel" — the account whose Desktop holds winPEAS.exe and so presumably the one running the scan, for whom write access to its own files is not by itself an escalation. A script writable by all users only becomes a privilege-escalation path if a more privileged principal (for example a scheduled task or a service) executes it; this output does not establish that and it should be checked separately.