ANSI color bit for Windows is not set. If you are executing this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
Long paths are disabled, so the maximum length of a path supported is 260 chars (this may cause false negatives when looking for files). If you are admin, you can enable it with 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD

ADVISORY: winpeas should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own devices and/or with the device owner's permission.

WinPEAS-ng by @carlospolopm

[+] Legend:
  Red          Indicates a special privilege over an object or something is misconfigured
  Green        Indicates that some protection is enabled or something is well configured
  Cyan         Indicates active users
  Blue         Indicates disabled users
  LightYellow  Indicates links

You can find a Windows local PE Checklist here: https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation

Creating Dynamic lists, this could take a while, please wait...
  - Loading sensitive_files yaml definitions file...
  - Loading regexes yaml definitions file...
  - Checking if domain...
  - Getting Win32_UserAccount info...
  - Creating current user groups list...
  [X] Exception: Object reference not set to an instance of an object.
  [X] Exception: Object reference not set to an instance of an object.
  - Creating active users list (local only)...
  - Creating disabled users list...
  - Admin users list...
  - Creating AppLocker bypass list...
  - Creating files/directories list for search...
════════════════════════════════════╣ System Information ╠════════════════════════════════════

╔══════════╣ Basic System Information
╚ Check if the Windows version is vulnerable to some known exploit
  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#kernel-exploits
  Hostname: g0
  Domain Name: flight.htb
  ProductName: Windows Server 2019 Standard
  EditionID: ServerStandard
  ReleaseId: 1809
  BuildBranch: rs5_release
  CurrentMajorVersionNumber: 10
  CurrentVersion: 6.3
  Architecture: AMD64
  ProcessorCount: 2
  SystemLang: en-US
  KeyboardLang: English (United States)
  TimeZone: (UTC-08:00) Pacific Time (US & Canada)
  IsVirtualMachine: True
  Current Time: 2/9/2023 10:25:50 AM
  HighIntegrity: False
  PartOfDomain: True
  Hotfixes:

  [?] Windows vulns search powered by Watson (https://github.com/rasta-mouse/Watson)
  [*] OS Version: 1809 (17763)
  [*] Enumerating installed KBs...

  [!] CVE-2019-0836 : VULNERABLE
   [>] https://exploit-db.com/exploits/46718
   [>] https://decoder.cloud/2019/04/29/combinig-luafv-postluafvpostreadwrite-race-condition-pe-with-diaghub-collector-exploit-from-standard-user-to-system/
  [!] CVE-2019-0841 : VULNERABLE
   [>] https://github.com/rogue-kdc/CVE-2019-0841
   [>] https://rastamouse.me/tags/cve-2019-0841/
  [!] CVE-2019-1064 : VULNERABLE
   [>] https://www.rythmstick.net/posts/cve-2019-1064/
  [!] CVE-2019-1130 : VULNERABLE
   [>] https://github.com/S3cur3Th1sSh1t/SharpByeBear
  [!] CVE-2019-1253 : VULNERABLE
   [>] https://github.com/padovah4ck/CVE-2019-1253
   [>] https://github.com/sgabe/CVE-2019-1253
  [!] CVE-2019-1315 : VULNERABLE
   [>] https://offsec.almond.consulting/windows-error-reporting-arbitrary-file-move-eop.html
  [!] CVE-2019-1385 : VULNERABLE
   [>] https://www.youtube.com/watch?v=K6gHnr-VkAg
  [!] CVE-2019-1388 : VULNERABLE
   [>] https://github.com/jas502n/CVE-2019-1388
  [!] CVE-2019-1405 : VULNERABLE
   [>] https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/
   [>] https://github.com/apt69/COMahawk
  [!] CVE-2020-0668 : VULNERABLE
   [>] https://github.com/itm4n/SysTracingPoc
  [!] CVE-2020-0683 : VULNERABLE
   [>] https://github.com/padovah4ck/CVE-2020-0683
   [>] https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/PowershellScripts/cve-2020-0683.ps1
  [!] CVE-2020-1013 : VULNERABLE
   [>] https://www.gosecure.net/blog/2020/09/08/wsus-attacks-part-2-cve-2020-1013-a-windows-10-local-privilege-escalation-1-day/
  [*] Finished. Found 12 potential vulnerabilities.

╔══════════╣ Showing All Microsoft Updates
  [X] Exception: Exception has been thrown by the target of an invocation.

╔══════════╣ System Last Shutdown Date/time (from Registry)
  Last Shutdown Date/time : 10/31/2022 8:14:21 PM

╔══════════╣ User Environment Variables
╚ Check for some passwords or keys in the env variables
  COMPUTERNAME: G0
  PUBLIC: C:\Users\Public
  PSModulePath: %ProgramFiles%\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
  PROCESSOR_ARCHITECTURE: AMD64
  Path: C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\
  CommonProgramFiles(x86): C:\Program Files (x86)\Common Files
  ProgramFiles(x86): C:\Program Files (x86)
  PROCESSOR_LEVEL: 23
  ProgramFiles: C:\Program Files
  PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
  USERPROFILE: C:\Users\Default
  SystemRoot: C:\Windows
  ALLUSERSPROFILE: C:\ProgramData
  DriverData: C:\Windows\System32\Drivers\DriverData
  ProgramData: C:\ProgramData
  PROCESSOR_REVISION: 3100
  USERNAME: DefaultAppPool
  CommonProgramW6432: C:\Program Files\Common Files
  CommonProgramFiles: C:\Program Files\Common Files
  OS: Windows_NT
  PROCESSOR_IDENTIFIER: AMD64 Family 23 Model 49 Stepping 0, AuthenticAMD
  ComSpec: C:\Windows\system32\cmd.exe
  PROMPT: $P$G
  SystemDrive: C:
  TEMP: C:\Windows\TEMP
  NUMBER_OF_PROCESSORS: 2
  TMP: C:\Windows\TEMP
  ProgramW6432: C:\Program Files
  windir: C:\Windows
  USERDOMAIN: IIS APPPOOL
  USERDNSDOMAIN: flight.htb

╔══════════╣ System Environment Variables
╚ Check for some passwords or keys in the env variables
  ComSpec: C:\Windows\system32\cmd.exe
  DriverData: C:\Windows\System32\Drivers\DriverData
  OS: Windows_NT
  Path: C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\
  PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
  PROCESSOR_ARCHITECTURE: AMD64
  PSModulePath: C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
  TEMP: C:\Windows\TEMP
  TMP: C:\Windows\TEMP
  USERNAME: SYSTEM
  windir: C:\Windows
  NUMBER_OF_PROCESSORS: 2
  PROCESSOR_LEVEL: 23
  PROCESSOR_IDENTIFIER: AMD64 Family 23 Model 49 Stepping 0, AuthenticAMD
  PROCESSOR_REVISION: 3100

╔══════════╣ Audit Settings
╚ Check what is being logged
  Not Found

╔══════════╣ Audit Policy Settings - Classic & Advanced

╔══════════╣ WEF Settings
╚ Windows Event Forwarding, it is interesting to know where the logs are sent
  Not Found

╔══════════╣ LAPS Settings
╚ If installed, local administrator password is changed frequently and is restricted by ACL
  LAPS Enabled: LAPS not installed

╔══════════╣ Wdigest
╚ If enabled, plain-text creds could be stored in LSASS
  https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#wdigest
  Wdigest is not enabled

╔══════════╣ LSA Protection
╚ If enabled, a driver is needed to read LSASS memory (If Secure Boot or UEFI, RunAsPPL cannot be disabled by deleting the registry key)
  https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#lsa-protection
  LSA Protection is not enabled

╔══════════╣ Credentials Guard
╚ If enabled, a driver is needed to read LSASS memory
  https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#credential-guard
  CredentialGuard is not enabled
  Virtualization Based Security Status: Not enabled
    Configured: False
    Running: False

╔══════════╣ Cached Creds
╚ If > 0, credentials will be cached in the registry and accessible by SYSTEM user
  https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#cached-credentials
  cachedlogonscount is 10

╔══════════╣ Enumerating saved credentials in Registry (CurrentPass)

╔══════════╣ AV Information
  [X] Exception: Invalid namespace
  No AV was detected!!
  Not Found

╔══════════╣ Windows Defender configuration
  Local Settings
  Group Policy Settings

╔══════════╣ UAC Status
╚ If you are in the Administrators group check how to bypass the UAC
  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
  ConsentPromptBehaviorAdmin: 5 - PromptForNonWindowsBinaries
  EnableLUA: 1
  LocalAccountTokenFilterPolicy:
  FilterAdministratorToken:
  [*] LocalAccountTokenFilterPolicy set to 0 and FilterAdministratorToken != 1.
  [-] Only the RID-500 local admin account can be used for lateral movement.
╔══════════╣ PowerShell Settings
  PowerShell v2 Version: 2.0
  PowerShell v5 Version: 5.1.17763.1
  PowerShell Core Version:
  Transcription Settings:
  Module Logging Settings:
  Scriptblock Logging Settings:
  PS history file:
  PS history size:

╔══════════╣ Enumerating PowerShell Session Settings using the registry
  You must be an administrator to run this check

╔══════════╣ PS default transcripts history
╚ Read the PS history inside these files (if any)

╔══════════╣ HKCU Internet Settings
  User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
  IE5_UA_Backup_Flag: 5.0
  ZonesSecurityUpgrade: System.Byte[]

╔══════════╣ HKLM Internet Settings
  ActiveXCache: C:\Windows\Downloaded Program Files
  CodeBaseSearchPath: CODEBASE
  EnablePunycode: 1
  MinorVersion: 0
  WarnOnIntranet: 1

╔══════════╣ Drives Information
╚ Remember that you should search more info inside the other drives
  C:\ (Type: Fixed)(Filesystem: NTFS)(Available space: 4 GB)(Permissions: Users [AppendData/CreateDirectories])

╔══════════╣ Checking WSUS
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#wsus
  Not Found

╔══════════╣ Checking KrbRelayUp
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#krbrelayup
  The system is inside a domain (IIS APPPOOL) so it could be vulnerable.
╚ You can try https://github.com/Dec0ne/KrbRelayUp to escalate privileges

╔══════════╣ Checking If Inside Container
╚ If the binary cexecsvc.exe or associated service exists, you are inside Docker
  You are NOT inside a container

╔══════════╣ Checking AlwaysInstallElevated
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevated
  AlwaysInstallElevated isn't available

╔══════════╣ Enumerate LSA settings - auth packages included
  auditbasedirectories : 0
  auditbaseobjects : 0
  Bounds : 00-30-00-00-00-20-00-00
  crashonauditfail : 0
  fullprivilegeauditing : 00
  LimitBlankPasswordUse : 1
  NoLmHash : 1
  Security Packages : ""
  Notification Packages : rassfm,scecli
  Authentication Packages : msv1_0
  LsaPid : 656
  LsaCfgFlagsDefault : 0
  SecureBoot : 1
  ProductType : 7
  disabledomaincreds : 0
  everyoneincludesanonymous : 0
  forceguest : 0
  restrictanonymous : 0
  restrictanonymoussam : 1

╔══════════╣ Enumerating NTLM Settings
  LanmanCompatibilityLevel : (Send NTLMv2 response only - Win7+ default)

  NTLM Signing Settings
    ClientRequireSigning : False
    ClientNegotiateSigning : True
    ServerRequireSigning : True
    ServerNegotiateSigning : True
    LdapSigning : Negotiate signing (Negotiate signing)

  Session Security
    NTLMMinClientSec : 536870912 (Require 128-bit encryption)
    NTLMMinServerSec : 536870912 (Require 128-bit encryption)

  NTLM Auditing and Restrictions
    InboundRestrictions : (Not defined)
    OutboundRestrictions : (Not defined)
    InboundAuditing : (Not defined)
    OutboundExceptions :

╔══════════╣ Display Local Group Policy settings - local users/machine

╔══════════╣ Checking AppLocker effective policy
  AppLockerPolicy version: 1
  listing rules:

╔══════════╣ Enumerating Printers (WMI)

╔══════════╣ Enumerating Named Pipes
  Name                                            CurrentUserPerms
  CPFATP_948_v4.0.30319                           DefaultAppPool [WriteData/CreateFiles]
    Sddl: O:S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415G:S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415D:P(A;;0x12019f;;;BA)(A;;0x12019f;;;S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415)
  eventlog                                        Everyone [WriteData/CreateFiles]
    Sddl: O:LSG:LSD:P(A;;0x12019b;;;WD)(A;;CC;;;OW)(A;;0x12008f;;;S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122)
  iislogpipe77b3ad5f-db2f-4ceb-9dc3-521a4a754b6f  DefaultAppPool [AllAccess]
    Sddl: O:S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415G:S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415D:P(A;;FA;;;SY)(A;;FA;;;S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415)
  ROUTER                                          Everyone [WriteData/CreateFiles]
    Sddl: O:SYG:SYD:P(A;;0x12019b;;;WD)(A;;0x12019b;;;AN)(A;;FA;;;SY)
  RpcProxy\49673                                  Everyone [WriteData/CreateFiles]
    Sddl: O:BAG:SYD:(A;;0x12019b;;;WD)(A;;0x12019b;;;AN)(A;;FA;;;BA)
  RpcProxy\593                                    Everyone [WriteData/CreateFiles]
    Sddl: O:NSG:NSD:(A;;0x12019b;;;WD)(A;;RC;;;OW)(A;;0x12019b;;;AN)(A;;FA;;;S-1-5-80-521322694-906040134-3864710659-1525148216-3451224162)(A;;FA;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)
  vgauth-service                                  Everyone [WriteData/CreateFiles]
    Sddl: O:BAG:SYD:P(A;;0x12019f;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)

╔══════════╣ Enumerating AMSI registered providers
  Provider: {2781761E-28E0-4109-99FE-B9D127C57AFE}
  Path: "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2209.7-0\MpOav.dll"

╔══════════╣ Enumerating Sysmon configuration
  You must be an administrator to run this check

╔══════════╣ Enumerating Sysmon process creation logs (1)
  You must be an administrator to run this check

╔══════════╣ Installed .NET versions
  CLR Versions
    4.0.30319
  .NET Versions
    4.7.03190
  .NET & AMSI (Anti-Malware Scan Interface) support
    .NET version supports AMSI : False
    OS supports AMSI : True

════════════════════════════════════╣ Interesting Events information ╠════════════════════════════════════

╔══════════╣ Printing Explicit Credential Events (4648) for last 30 days - A process logged on using plaintext credentials
  You must be an administrator to run this check

╔══════════╣ Printing Account Logon Events (4624) for the last 10 days.
  You must be an administrator to run this check

╔══════════╣ Process creation events - searching logs (EID 4688) for sensitive data.
  You must be an administrator to run this check

╔══════════╣ PowerShell events - script block logs (EID 4104) - searching for sensitive data.
  [X] Exception: Attempted to perform an unauthorized operation.

╔══════════╣ Displaying Power off/on events for last 5 days
  2/9/2023 5:49:08 AM : Startup

════════════════════════════════════╣ Users Information ╠════════════════════════════════════

╔══════════╣ Users
╚ Check if you have some admin equivalent privileges
  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#users-and-groups
  Current user: DefaultAppPool
  Current groups: Everyone, Builtin\Pre-Windows 2000 Compatible Access, Users, Service, Console Logon, Authenticated Users, This Organization, IIS_IUSRS, Local, S-1-5-82-0
  Not Found

╔══════════╣ Current User Idle Time
  Current User : IIS APPPOOL\DefaultAppPool
  Idle Time : 04h:36m:45s:218ms

╔══════════╣ Display Tenant information (DsRegCmd.exe /status)
  Tenant is NOT Azure AD Joined.
╔══════════╣ Current Token privileges
╚ Check if you can escalate privilege using some enabled token
  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#token-manipulation
  SeAssignPrimaryTokenPrivilege: DISABLED
  SeIncreaseQuotaPrivilege: DISABLED
  SeMachineAccountPrivilege: DISABLED
  SeAuditPrivilege: DISABLED
  SeChangeNotifyPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
  SeImpersonatePrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
  SeCreateGlobalPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
  SeIncreaseWorkingSetPrivilege: DISABLED

╔══════════╣ Clipboard text

╔══════════╣ Logged users
  flight\svc_apache

╔══════════╣ Display information about local users
  Computer Name : G0 (all accounts below)

  User Name     | User Id | Is Enabled | User Type     | Comment                                                  | Last Logon           | Logons Count | Password Last Set
  Administrator | 500     | True       | Administrator | Built-in account for administering the computer/domain   | 2/9/2023 5:50:28 AM  | 55           | 9/22/2022 12:17:02 PM
  Guest         | 501     | False      | Guest         | Built-in account for guest access to the computer/domain | 1/1/1970 12:00:00 AM | 0            | 1/1/1970 12:00:00 AM
  krbtgt        | 502     | False      | User          | Key Distribution Center Service Account                  | 1/1/1970 12:00:00 AM | 0            | 9/22/2022 11:48:01 AM
  S.Moon        | 1602    | True       | User          | Junion Web Developer                                     | 2/9/2023 6:32:37 AM  | 0            | 9/22/2022 12:08:22 PM
  R.Cold        | 1603    | True       | User          | HR Assistant                                             | 1/1/1970 12:00:00 AM | 0            | 9/22/2022 12:08:22 PM
  G.Lors        | 1604    | True       | User          | Sales manager                                            | 1/1/1970 12:00:00 AM | 0            | 9/22/2022 12:08:22 PM
  L.Kein        | 1605    | True       | User          | Penetration tester                                       | 1/1/1970 12:00:00 AM | 0            | 9/22/2022 12:08:22 PM
  M.Gold        | 1606    | True       | User          | Sysadmin                                                 | 1/1/1970 12:00:00 AM | 0            | 9/22/2022 12:08:22 PM
  C.Bum         | 1607    | True       | User          | Senior Web Developer                                     | 2/9/2023 9:41:19 AM  | 18           | 9/22/2022 12:08:22 PM
  W.Walker      | 1608    | True       | User          | Payroll officer                                          | 1/1/1970 12:00:00 AM | 0            | 9/22/2022 12:08:22 PM
  I.Francis     | 1609    | True       | User          | Nobody knows why he's here                               | 1/1/1970 12:00:00 AM | 0            | 9/22/2022 12:08:22 PM
  D.Truff       | 1610    | True       | User          | Project Manager                                          | 1/1/1970 12:00:00 AM | 0            | 9/22/2022 12:08:22 PM
  V.Stevens     | 1611    | True       | User          | Secretary                                                | 1/1/1970 12:00:00 AM | 0            | 9/22/2022 12:08:22 PM
  svc_apache    | 1612    | True       | User          | Service Apache web                                       | 2/9/2023 5:49:59 AM  | 26           | 9/22/2022 12:08:23 PM
  O.Possum      | 1613    | True       | User          | Helpdesk                                                 | 1/1/1970 12:00:00 AM | 0            | 9/22/2022 12:08:23 PM

╔══════════╣ RDP Sessions
  Not Found

╔══════════╣ Ever logged users
  IIS APPPOOL\.NET v4.5 Classic
  IIS APPPOOL\.NET v4.5
  flight\Administrator
  flight\svc_apache
  flight\C.Bum

╔══════════╣ Home folders found
  C:\Users\.NET v4.5
  C:\Users\.NET v4.5 Classic
  C:\Users\Administrator
  C:\Users\All Users
  C:\Users\C.Bum
  C:\Users\Default
  C:\Users\Default User
  C:\Users\Public : Service [WriteData/CreateFiles]
  C:\Users\svc_apache

╔══════════╣ Looking for AutoLogon credentials
  Some AutoLogon credentials were found
  DefaultDomainName : flight
  DefaultUserName : Administrator

╔══════════╣ Password Policies
╚ Check for a possible brute-force
  Domain: Builtin
  SID: S-1-5-32
  MaxPasswordAge: 42.22:47:31.7437440
  MinPasswordAge: 00:00:00
  MinPasswordLength: 0
  PasswordHistoryLength: 0
  PasswordProperties: 0

  Domain: flight
  SID: S-1-5-21-4078382237-1492182817-2568127209
  MaxPasswordAge: 42.00:00:00
  MinPasswordAge: 1.00:00:00
  MinPasswordLength: 7
  PasswordHistoryLength: 24
  PasswordProperties: DOMAIN_PASSWORD_COMPLEX

╔══════════╣ Print Logon Sessions
  Method: WMI
  Logon Server:
  Logon Server Dns Domain:
  Logon Id: 35046227
  Logon Time:
  Logon Type: Service
  Start Time: 2/9/2023 10:04:51 AM
  Domain: IIS APPPOOL
  Authentication Package: Negotiate
  Start Time: 2/9/2023 10:04:51 AM
  User Name: DefaultAppPool
  User Principal Name:
  User SID:

════════════════════════════════════╣ Processes Information ╠════════════════════════════════════

╔══════════╣ Vulnerable Leaked Handlers
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/leaked-handle-exploitation
  Handle: 2556(key)
  Handle Owner: Pid is 4552(winPEASx64_ofs) with owner: DefaultAppPool
  Reason: AllAccess
  Registry: HKU\.default\software\classes

  Handle: 2636(key)
  Handle Owner: Pid is 4552(winPEASx64_ofs) with owner: DefaultAppPool
  Reason: TakeOwnership
  Registry: HKLM\software\classes

════════════════════════════════════╣ Services Information ╠════════════════════════════════════

╔══════════╣ Interesting Services -non Microsoft-
╚ Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths
  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
  ApacheHTTPServer(Apache Software Foundation - Apache HTTP Server)["C:\Xampp\apache\bin\httpd.exe" -k runservice] - Auto - Running
    Possible DLL Hijacking in binary folder: C:\Xampp\apache\bin (Users [AppendData/CreateDirectories WriteData/CreateFiles])
    Apache/2.4.52 (Win64)

  ssh-agent(OpenSSH Authentication Agent)[C:\Windows\System32\OpenSSH\ssh-agent.exe] - Disabled - Stopped
    Agent to hold private keys used for public key authentication.

  VGAuthService(VMware, Inc. - VMware Alias Manager and Ticket Service)["C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"] - Auto - Running
    Alias Manager and Ticket Service

  vm3dservice(VMware, Inc. - VMware SVGA Helper Service)[C:\Windows\system32\vm3dservice.exe] - Auto - Running
    Helps VMware SVGA driver by collecting and conveying user mode information

  VMTools(VMware, Inc. - VMware Tools)["C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"] - Auto - Running
    Provides support for synchronizing objects between the host and guest operating systems.

╔══════════╣ Modifiable Services
╚ Check if you can modify any service
  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
  LOOKS LIKE YOU CAN MODIFY OR START/STOP SOME SERVICE/s:
  RmSvc: GenericExecute (Start/Stop)

╔══════════╣ Looking if you can modify any service registry
╚ Check if you can modify the registry of a service
  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services-registry-permissions
  [-] Looks like you cannot change the registry of any service...

╔══════════╣ Checking write permissions in PATH folders (DLL Hijacking)
╚ Check for DLL Hijacking in PATH folders
  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dll-hijacking
  C:\Windows\system32
  C:\Windows
  C:\Windows\System32\Wbem
  C:\Windows\System32\WindowsPowerShell\v1.0\
  C:\Windows\System32\OpenSSH\

════════════════════════════════════╣ Applications Information ╠════════════════════════════════════

╔══════════╣ Current Active Window Application
  [X] Exception: Object reference not set to an instance of an object.
╔══════════╣ Installed Applications --Via Program Files/Uninstall registry--
╚ Check if you can modify installed software
  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#software
  C:\Program Files\Common Files
  C:\Program Files\desktop.ini
  C:\Program Files\internet explorer
  C:\Program Files\Uninstall Information
  C:\Program Files\VMware
  C:\Program Files\Windows Defender
  C:\Program Files\Windows Defender Advanced Threat Protection
  C:\Program Files\Windows Mail
  C:\Program Files\Windows Media Player
  C:\Program Files\Windows Multimedia Platform
  C:\Program Files\windows nt
  C:\Program Files\Windows Photo Viewer
  C:\Program Files\Windows Portable Devices
  C:\Program Files\Windows Security
  C:\Program Files\Windows Sidebar
  C:\Program Files\WindowsApps
  C:\Program Files\WindowsPowerShell

╔══════════╣ Autorun Applications
╚ Check if you can modify other users' AutoRuns binaries (Note that it is normal that you can modify HKCU registry and binaries indicated there)
  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries
  RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Key: SecurityHealth
    Folder: C:\Windows\system32
    File: C:\Windows\system32\SecurityHealthSystray.exe

  RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Key: VMware User Process
    Folder: C:\Program Files\VMware\VMware Tools
    File: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe -n vmusr (Unquoted and Space detected)

  RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    Key: Common Startup
    Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup (Unquoted and Space detected)
  RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
    Key: Common Startup
    Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup (Unquoted and Space detected)

  RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Key: Userinit
    Folder: C:\Windows\system32
    File: C:\Windows\system32\userinit.exe,

  RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Key: Shell
    Folder: None (PATH Injection)
    File: explorer.exe

  RegPath: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
    Key: AlternateShell
    Folder: None (PATH Injection)
    File: cmd.exe

  RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Font Drivers
    Key: Adobe Type Manager
    Folder: None (PATH Injection)
    File: atmfd.dll

  RegPath: HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers
    Key: Adobe Type Manager
    Folder: None (PATH Injection)
    File: atmfd.dll

  RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
    Key: midimapper
    Folder: None (PATH Injection)
    File: midimap.dll

  RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
    Key: msacm.imaadpcm
    Folder: None (PATH Injection)
    File: imaadp32.acm
================================================================================================= RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: msacm.l3acm Folder: C:\Windows\System32 File: C:\Windows\System32\l3codeca.acm  ================================================================================================= RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: msacm.msadpcm Folder: None (PATH Injection) File: msadp32.acm  ================================================================================================= RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: msacm.msg711 Folder: None (PATH Injection) File: msg711.acm  ================================================================================================= RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: msacm.msgsm610 Folder: None (PATH Injection) File: msgsm32.acm  ================================================================================================= RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: vidc.i420 Folder: None (PATH Injection) File: iyuv_32.dll  ================================================================================================= RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: vidc.iyuv Folder: None (PATH Injection) File: iyuv_32.dll  ================================================================================================= RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: vidc.mrle Folder: None (PATH Injection) File: msrle32.dll  ================================================================================================= RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: vidc.msvc Folder: None (PATH Injection) File: msvidc32.dll  ================================================================================================= RegPath: 
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: vidc.uyvy Folder: None (PATH Injection) File: msyuv.dll  ================================================================================================= RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: vidc.yuy2 Folder: None (PATH Injection) File: msyuv.dll  ================================================================================================= RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: vidc.yvu9 Folder: None (PATH Injection) File: tsbyuv.dll  ================================================================================================= RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: vidc.yvyu Folder: None (PATH Injection) File: msyuv.dll  ================================================================================================= RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: wavemapper Folder: None (PATH Injection) File: msacm32.drv  ================================================================================================= RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: wave Folder: None (PATH Injection) File: wdmaud.drv  ================================================================================================= RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: midi Folder: None (PATH Injection) File: wdmaud.drv  ================================================================================================= RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: mixer Folder: None (PATH Injection) File: wdmaud.drv  ================================================================================================= RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: aux Folder: None (PATH Injection) File: wdmaud.drv  
================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: midimapper Folder: None (PATH Injection) File: midimap.dll  ================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: msacm.imaadpcm Folder: None (PATH Injection) File: imaadp32.acm  ================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: msacm.l3acm Folder: C:\Windows\SysWOW64 File: C:\Windows\SysWOW64\l3codeca.acm  ================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: msacm.msadpcm Folder: None (PATH Injection) File: msadp32.acm  ================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: msacm.msg711 Folder: None (PATH Injection) File: msg711.acm  ================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: msacm.msgsm610 Folder: None (PATH Injection) File: msgsm32.acm  ================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: vidc.cvid Folder: None (PATH Injection) File: iccvid.dll  ================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: vidc.i420 Folder: None (PATH Injection) File: iyuv_32.dll  
================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: vidc.iyuv Folder: None (PATH Injection) File: iyuv_32.dll  ================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: vidc.mrle Folder: None (PATH Injection) File: msrle32.dll  ================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: vidc.msvc Folder: None (PATH Injection) File: msvidc32.dll  ================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: vidc.uyvy Folder: None (PATH Injection) File: msyuv.dll  ================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: vidc.yuy2 Folder: None (PATH Injection) File: msyuv.dll  ================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: vidc.yvu9 Folder: None (PATH Injection) File: tsbyuv.dll  ================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: vidc.yvyu Folder: None (PATH Injection) File: msyuv.dll  ================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: wavemapper Folder: None (PATH Injection) File: msacm32.drv  
================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: wave Folder: None (PATH Injection) File: wdmaud.drv  ================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: midi Folder: None (PATH Injection) File: wdmaud.drv  ================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: mixer Folder: None (PATH Injection) File: wdmaud.drv  ================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 Key: aux Folder: None (PATH Injection) File: wdmaud.drv  ================================================================================================= RegPath: HKLM\Software\Classes\htmlfile\shell\open\command Folder: C:\Program Files\Internet Explorer File: C:\Program Files\Internet Explorer\iexplore.exe %1 (Unquoted and Space detected)  ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: _wow64cpu Folder: None (PATH Injection) File: wow64cpu.dll  ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: _wowarmhw Folder: None (PATH Injection) File: wowarmhw.dll  ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: _xtajit Folder: None (PATH Injection) File: xtajit.dll  
================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: advapi32 Folder: None (PATH Injection) File: advapi32.dll  ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: clbcatq Folder: None (PATH Injection) File: clbcatq.dll  ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: combase Folder: None (PATH Injection) File: combase.dll  ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: COMDLG32 Folder: None (PATH Injection) File: COMDLG32.dll  ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: coml2 Folder: None (PATH Injection) File: coml2.dll  ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: DifxApi Folder: None (PATH Injection) File: difxapi.dll  ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: gdi32 Folder: None (PATH Injection) File: gdi32.dll  ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: gdiplus Folder: None (PATH Injection) File: gdiplus.dll  ================================================================================================= RegPath: 
HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: IMAGEHLP Folder: None (PATH Injection) File: IMAGEHLP.dll  ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: IMM32 Folder: None (PATH Injection) File: IMM32.dll  ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: kernel32 Folder: None (PATH Injection) File: kernel32.dll  ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: MSCTF Folder: None (PATH Injection) File: MSCTF.dll  ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: MSVCRT Folder: None (PATH Injection) File: MSVCRT.dll  ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: NORMALIZ Folder: None (PATH Injection) File: NORMALIZ.dll  ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: NSI Folder: None (PATH Injection) File: NSI.dll  ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: ole32 Folder: None (PATH Injection) File: ole32.dll  ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: OLEAUT32 Folder: None (PATH Injection) File: OLEAUT32.dll  
================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: PSAPI Folder: None (PATH Injection) File: PSAPI.DLL  ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: rpcrt4 Folder: None (PATH Injection) File: rpcrt4.dll  ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: sechost Folder: None (PATH Injection) File: sechost.dll  ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: Setupapi Folder: None (PATH Injection) File: Setupapi.dll  ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: SHCORE Folder: None (PATH Injection) File: SHCORE.dll  ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: SHELL32 Folder: None (PATH Injection) File: SHELL32.dll  ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: SHLWAPI Folder: None (PATH Injection) File: SHLWAPI.dll  ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: user32 Folder: None (PATH Injection) File: user32.dll  ================================================================================================= RegPath: 
HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: WLDAP32 Folder: None (PATH Injection) File: WLDAP32.dll  ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: wow64 Folder: None (PATH Injection) File: wow64.dll  ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: wow64win Folder: None (PATH Injection) File: wow64win.dll  ================================================================================================= RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls Key: WS2_32 Folder: None (PATH Injection) File: WS2_32.dll  ================================================================================================= RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED} Key: StubPath Folder: \ FolderPerms: Users [AppendData/CreateDirectories] File: /UserInstall  ================================================================================================= RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} Key: StubPath Folder: C:\Windows\system32 File: C:\Windows\system32\unregmp2.exe /FirstLogon  ================================================================================================= RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340} Key: StubPath Folder: None (PATH Injection) File: U  ================================================================================================= RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} Key: StubPath Folder: C:\Windows\System32 File: C:\Windows\System32\ie4uinit.exe -UserConfig  
================================================================================================= RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820} Key: StubPath Folder: C:\Windows\System32 File: C:\Windows\System32\Rundll32.exe C:\Windows\System32\mscories.dll,Install  ================================================================================================= RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073} Key: StubPath Folder: C:\Windows\System32 File: C:\Windows\System32\rundll32.exe C:\Windows\System32\iesetup.dll,IEHardenAdmin  ================================================================================================= RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073} Key: StubPath Folder: C:\Windows\System32 File: C:\Windows\System32\rundll32.exe C:\Windows\System32\iesetup.dll,IEHardenUser  ================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} Key: StubPath Folder: C:\Windows\system32 File: C:\Windows\system32\unregmp2.exe /FirstLogon  ================================================================================================= RegPath: HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820} Key: StubPath Folder: C:\Windows\SysWOW64 File: C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\mscories.dll,Install  ================================================================================================= Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (Unquoted and Space detected)  
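Every flag in this Autorun Applications section ("Unquoted and Space detected", "PATH Injection", "FolderPerms ... [WriteData/CreateFiles]") reduces to one question: can the current user write to the location the loader consults before the intended file? The PowerShell below is an added triage script, not winPEAS output or winPEAS code. It takes a handful of entries copied from this section (the Drivers32 value is included on purpose to show a flag that is noise) and tests write access for the user running it; run it as the same low-privileged account the scan ran as. Two caveats the flags themselves do not carry: with the default SafeDllSearchMode, a bare DLL name is resolved from the application directory, System32, System and the Windows directory before PATH is consulted, so a file that already exists in System32 cannot be shadowed from a writable PATH entry, and KnownDlls are mapped from the \KnownDlls object directory rather than searched on disk at all. Directory writability is tested by actually creating and deleting a file, which is definitive but leaves a trace in object-access audit logs if those are enabled.

```powershell
# Added triage script for the winPEAS autorun flags above. Not part of winPEAS.
# $entries are copied from the scan output; everything else is derived from the running host.
$entries = @(
    'C:\Program Files\VMware\VMware Tools\vmtoolsd.exe -n vmusr',   # Run key: Unquoted and Space detected
    'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup', # Common Startup folder
    'C:\windows\tasks',                                             # FolderPerms: Authenticated Users [WriteData/CreateFiles]
    'C:\windows\system32\tasks',
    'explorer.exe',                                                 # Winlogon Shell: Folder None (PATH Injection)
    'wdmaud.drv'                                                    # Drivers32 value with the same flag (expected: noise)
)

# Order in which a bare file name is resolved (SafeDllSearchMode on): System32, System, %SystemRoot%, then PATH.
$searchDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\System", $env:SystemRoot) +
              @($env:PATH -split ';' | Where-Object { $_ })

function Test-DirWritable([string]$Dir) {
    # Definitive but noisy: create and remove a probe file. Creation alone proves write access,
    # so a failed delete (possible in C:\Windows\Tasks-style ACLs) is only a warning.
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    $probe = Join-Path $Dir ([IO.Path]::GetRandomFileName())
    try { [IO.File]::WriteAllText($probe, '') } catch { return $false }
    try { Remove-Item -LiteralPath $probe -Force -ErrorAction Stop } catch { Write-Warning "created but could not delete $probe" }
    return $true
}

function Test-FileWritable([string]$File) {
    # A mapped image cannot be opened for write (sharing violation), so read the DACL instead.
    # Ownership and CREATOR OWNER are not modelled: treat the answer as a strong hint, not proof.
    if (-not (Test-Path -LiteralPath $File -PathType Leaf)) { return $false }
    $id   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $mine = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    # WriteData|AppendData|Delete plus GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) as they appear in ACEs.
    $mask = [int][Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete' -bor 0x10000000 -bor 0x40000000
    $allow = $false
    foreach ($ace in (Get-Acl -LiteralPath $File).Access) {
        try { $sid = $ace.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value } catch { continue }
        if ($mine -notcontains $sid -or (([int]$ace.FileSystemRights -band $mask) -eq 0)) { continue }
        if ($ace.AccessControlType -eq 'Deny') { return $false }   # deny ACEs are ordered first and win
        $allow = $true
    }
    return $allow
}

function Get-HijackCandidates([string]$Entry) {
    # Emits the locations the loader would try before (or instead of) the intended target.
    if (Test-Path -LiteralPath $Entry -PathType Container) {
        return [pscustomobject]@{ Kind = 'dir'; Path = $Entry; Create = '<any file>' }
    }
    $out = @()
    if ($Entry -match '^[A-Za-z]:\\') {
        # Unquoted path with spaces: CreateProcess tries C:\Program.exe, then
        # C:\Program Files\VMware\VMware.exe, ... until something exists.
        $parts = $Entry -split ' '
        for ($i = 0; $i -lt $parts.Count; $i++) {
            $prefix = $parts[0..$i] -join ' '
            if ($prefix -notmatch '\.exe$') { $prefix += '.exe' }
            if (Test-Path -LiteralPath $prefix -PathType Leaf) {
                $out += [pscustomobject]@{ Kind = 'file'; Path = $prefix; Create = '' }   # the real target
                break
            }
            $out += [pscustomobject]@{ Kind = 'dir'; Path = (Split-Path $prefix -Parent); Create = (Split-Path $prefix -Leaf) }
        }
    } else {
        # Bare name: every directory searched before the one that actually holds the file.
        foreach ($d in $searchDirs) {
            $p = Join-Path $d $Entry
            if (Test-Path -LiteralPath $p -PathType Leaf) {
                $out += [pscustomobject]@{ Kind = 'file'; Path = $p; Create = '' }
                break
            }
            $out += [pscustomobject]@{ Kind = 'dir'; Path = $d; Create = $Entry }
        }
    }
    return $out
}

function Get-AutorunHijackReport([string[]]$Entries) {
    foreach ($e in $Entries) {
        foreach ($c in (Get-HijackCandidates $e)) {
            [pscustomobject]@{
                Entry    = $e
                Action   = $(if ($c.Kind -eq 'file') { "overwrite $($c.Path)" } else { "create $($c.Create) in $($c.Path)" })
                Writable = $(if ($c.Kind -eq 'file') { Test-FileWritable $c.Path } else { Test-DirWritable $c.Path })
            }
        }
    }
}

Get-AutorunHijackReport $entries | Format-Table -AutoSize -Wrap
```

A row with Writable = True is the only kind worth following up: for the vmtoolsd entry that would mean C:\ or C:\Program Files\VMware is writable, which a standard user does not have, so the "Unquoted and Space detected" flag on a Run key is usually a false positive, whereas the two Tasks folders with WriteData/CreateFiles for Authenticated Users are real write primitives whose value depends on what consumes files placed there.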
    Folder: C:\windows\tasks | FolderPerms: Authenticated Users [WriteData/CreateFiles]
    Folder: C:\windows\system32\tasks | FolderPerms: Authenticated Users [WriteData/CreateFiles]
    Folder: C:\windows | File: C:\windows\system.ini
    Folder: C:\windows | File: C:\windows\win.ini
    Key: From WMIC | Folder: C:\Windows\system32 | File: C:\Windows\system32\SecurityHealthSystray.exe
    Key: From WMIC | Folder: C:\Program Files\VMware\VMware Tools | File: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe -n vmusr

╔══════════╣ Scheduled Applications --Non Microsoft--
╚ Check if you can modify other users' scheduled binaries https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries

╔══════════╣ Device Drivers --Non Microsoft--
╚ Check 3rd party drivers for known vulnerabilities/rootkits.
  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#vulnerable-drivers
    QLogic Gigabit Ethernet - 7.12.31.105 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bxvbda.sys
    QLogic 10 GigE - 7.13.65.105 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\evbda.sys
    QLogic FastLinQ Ethernet - 8.33.20.103 [Cavium, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\qevbda.sys
    NVIDIA nForce(TM) RAID Driver - 10.6.0.23 [NVIDIA Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\nvraid.sys
    VMware vSockets Service - 9.8.19.0 build-18956547 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vsock.sys
    VMware PCI VMCI Bus Device - 9.8.18.0 build-18956547 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vmci.sys
    Intel Matrix Storage Manager driver - 8.6.2.1019 [Intel Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\iaStorV.sys
    Promiser SuperTrak EX Series - 5.1.0000.10 [Promise Technology, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\stexstor.sys
    LSI 3ware RAID Controller - WindowsBlue [LSI]: \\.\GLOBALROOT\SystemRoot\System32\drivers\3ware.sys
    AHCI 1.3 Device Driver - 1.1.3.277 [Advanced Micro Devices]: \\.\GLOBALROOT\SystemRoot\System32\drivers\amdsata.sys
    Storage Filter Driver - 1.1.3.277 [Advanced Micro Devices]: \\.\GLOBALROOT\SystemRoot\System32\drivers\amdxata.sys
    AMD Technology AHCI Compatible Controller - 3.7.1540.43 [AMD Technologies Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\amdsbs.sys
    Adaptec RAID Controller - 7.5.0.32048 [PMC-Sierra, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\arcsas.sys
    Windows (R) Win 7 DDK driver - 10.0.10011.16384 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\ItSas35i.sys
    LSI Fusion-MPT SAS Driver (StorPort) - 1.34.03.83 [LSI Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sas.sys
    Windows (R) Win 7 DDK driver - 10.0.10011.16384 [LSI Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sas2i.sys
    Windows (R) Win 7 DDK driver - 10.0.10011.16384 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sas3i.sys
    LSI SSS PCIe/Flash Driver (StorPort) - 2.10.61.81 [LSI Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sss.sys
    MEGASAS RAID Controller Driver for Windows - 6.706.06.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\megasas.sys
    MEGASAS RAID Controller Driver for Windows - 6.714.05.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\MegaSas2i.sys
    MEGASAS RAID Controller Driver for Windows - 7.705.08.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\megasas35i.sys
    MegaRAID Software RAID - 15.02.2013.0129 [LSI Corporation, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\megasr.sys
    Marvell Flash Controller - 1.0.5.1016 [Marvell Semiconductor, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\mvumis.sys
    NVIDIA nForce(TM) SATA Driver - 10.6.0.23 [NVIDIA Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\nvstor.sys
    MEGASAS RAID Controller Driver for Windows - 6.805.03.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\percsas2i.sys
    MEGASAS RAID Controller Driver for Windows - 6.604.06.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\percsas3i.sys
    Microsoft® Windows® Operating System - 2.60.01 [Silicon Integrated Systems Corp.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\SiSRaid2.sys
    Microsoft® Windows® Operating System - 6.1.6918.0 [Silicon Integrated Systems]: \\.\GLOBALROOT\SystemRoot\System32\drivers\sisraid4.sys
    VIA RAID driver - 7.0.9600,6352 [VIA Technologies Inc.,Ltd]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vsmraid.sys
    VIA StorX RAID Controller Driver - 8.0.9200.8110 [VIA Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vstxraid.sys
    Chelsio Communications iSCSI Controller - 10.0.10011.16384 [Chelsio Communications]: \\.\GLOBALROOT\SystemRoot\System32\drivers\cht4sx64.sys
    Intel(R) Rapid Storage Technology driver (inbox) - 15.44.0.1010 [Intel Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\iaStorAVC.sys
    QLogic BR-series FC/FCoE HBA Stor Miniport Driver - 3.2.26.1 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bfadfcoei.sys
    Emulex WS2K12 Storport Miniport Driver x64 - 11.0.247.8000 01/26/2016 WS2K12 64 bit x64 [Emulex]: \\.\GLOBALROOT\SystemRoot\System32\drivers\elxfcoe.sys
    Emulex WS2K12 Storport Miniport Driver x64 - 11.4.225.8009 11/15/2017 WS2K12 64 bit x64 [Broadcom]: \\.\GLOBALROOT\SystemRoot\System32\drivers\elxstor.sys
    QLogic iSCSI offload driver - 8.33.5.2 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\qeois.sys
    QLogic Fibre Channel Stor Miniport Driver - 9.1.15.1 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\ql2300i.sys
    QLA40XX iSCSI Host Bus Adapter - 2.1.5.0 (STOREx wx64) [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\ql40xx2i.sys
    QLogic FCoE Stor Miniport Inbox Driver - 9.1.11.3 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\qlfcoei.sys
    PMC-Sierra HBA Controller - 1.3.0.10769 [PMC-Sierra]: \\.\GLOBALROOT\SystemRoot\System32\drivers\ADP80XX.SYS
    QLogic BR-series FC/FCoE HBA Stor Miniport Driver - 3.2.26.1 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bfadi.sys
    Smart Array SAS/SATA Controller Media Driver - 8.0.4.0 Build 1 Media Driver (x86-64) [Hewlett-Packard Company]: \\.\GLOBALROOT\SystemRoot\System32\drivers\HpSAMD.sys
    SmartRAID, SmartHBA PQI Storport Driver - 1.50.0.0 [Microsemi Corportation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\SmartSAMD.sys
    QLogic FCoE offload driver - 8.33.4.2 [Cavium, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\qefcoe.sys
    QLogic iSCSI offload driver - 7.14.7.2 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bxois.sys
    QLogic FCoE Offload driver - 7.14.15.2 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bxfcoe.sys
    VMware Raw Disk Helper Driver - 1.1.7.0 build-18933738 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vmrawdsk.sys
    VMware Pointing PS/2 Device Driver - 12.5.12.0 build-18967789 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vmmouse.sys
    VMware SVGA 3D - 9.17.01.0002 - build-18913173 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vm3dmp_loader.sys
    VMware SVGA 3D - 9.17.01.0002 - build-18913173 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vm3dmp.sys
    VMware PCIe Ethernet Adapter NDIS 6.30 (64-bit) - 1.9.9.0 build-19932667 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vmxnet3.sys
    VMware server memory controller - 7.5.7.0 build-18933738 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vmmemctl.sys

════════════════════════════════════╣ Network Information ╠════════════════════════════════════

╔══════════╣ Network Shares
    ADMIN$ (Path: C:\Windows)
    C$ (Path: C:\)
    IPC$ (Path: )
    NETLOGON (Path: C:\Windows\SYSVOL\sysvol\flight.htb\SCRIPTS)
    Shared (Path: C:\Shared)
    SYSVOL (Path: C:\Windows\SYSVOL\sysvol)
    Users (Path: C:\Users)
    Web (Path: C:\xampp\htdocs)

╔══════════╣ Enumerate Network Mapped Drives (WMI)

╔══════════╣ Host File

╔══════════╣ Network Ifaces and known hosts
╚ The masks are only for the IPv4 addresses
    Ethernet0 2[00:50:56:B9:24:63]: 10.10.11.187, fe80::3418:57dd:cff4:b69a%6, dead:beef::3418:57dd:cff4:b69a, dead:beef::13d / 255.255.254.0
        Gateways: 10.10.10.2, fe80::250:56ff:feb9:cdb8%6
        DNSs: 1.1.1.1
        Known hosts:
            10.10.10.2     00-50-56-B9-CD-B8   Dynamic
            10.10.10.255   00-00-00-00-00-00   Invalid
            10.10.11.255   FF-FF-FF-FF-FF-FF   Static
            224.0.0.22     01-00-5E-00-00-16   Static
            224.0.0.251    01-00-5E-00-00-FB   Static
            224.0.0.252    01-00-5E-00-00-FC   Static
    Loopback Pseudo-Interface 1[]: 127.0.0.1, ::1 / 255.0.0.0
        DNSs: fec0:0:0:ffff::1%1, fec0:0:0:ffff::2%1, fec0:0:0:ffff::3%1
        Known hosts:
            224.0.0.22     00-00-00-00-00-00   Static

╔══════════╣ Current TCP Listening Ports
╚ Check for services restricted from the outside

  Enumerating IPv4 connections

  Protocol  Local Address  Local Port  Remote Address  Remote Port  State        Process ID  Process Name
  TCP  0.0.0.0       80     0.0.0.0     0      Listening    4620  httpd
  TCP  0.0.0.0       88     0.0.0.0     0      Listening    656   lsass
  TCP  0.0.0.0       135    0.0.0.0     0      Listening    912   svchost
  TCP  0.0.0.0       389    0.0.0.0     0      Listening    656   lsass
  TCP  0.0.0.0       443    0.0.0.0     0      Listening    4620  httpd
  TCP  0.0.0.0       445    0.0.0.0     0      Listening    4     System
  TCP  0.0.0.0       464    0.0.0.0     0      Listening    656   lsass
  TCP  0.0.0.0       593    0.0.0.0     0      Listening    912   svchost
  TCP  0.0.0.0       636    0.0.0.0     0      Listening    656   lsass
  TCP  0.0.0.0       3268   0.0.0.0     0      Listening    656   lsass
  TCP  0.0.0.0       3269   0.0.0.0     0      Listening    656   lsass
  TCP  0.0.0.0       5985   0.0.0.0     0      Listening    4     System
  TCP  0.0.0.0       8000   0.0.0.0     0      Listening    4     System
  TCP  0.0.0.0       9389   0.0.0.0     0      Listening    2788  Microsoft.ActiveDirectory.WebServices
  TCP  0.0.0.0       47001  0.0.0.0     0      Listening    4     System
  TCP  0.0.0.0       49664  0.0.0.0     0      Listening    500   wininit
  TCP  0.0.0.0       49665  0.0.0.0     0      Listening    1108  svchost
  TCP  0.0.0.0       49666  0.0.0.0     0      Listening    1500  svchost
  TCP  0.0.0.0       49668  0.0.0.0     0      Listening    656   lsass
  TCP  0.0.0.0       49673  0.0.0.0     0      Listening    656   lsass
  TCP  0.0.0.0       49674  0.0.0.0     0      Listening    656   lsass
  TCP  0.0.0.0       49682  0.0.0.0     0      Listening    636   services
  TCP  0.0.0.0       49690  0.0.0.0     0      Listening    2940  dns
  TCP  0.0.0.0       49699  0.0.0.0     0      Listening    2888  dfsrs
  TCP  10.10.11.187  53     0.0.0.0     0      Listening    2940  dns
  TCP  10.10.11.187  139    0.0.0.0     0      Listening    4     System
  TCP  10.10.11.187  445    10.10.16.3  41514  Established  4     System
  TCP  10.10.11.187  50493  10.10.16.3  4445   Established  4340  conhost
  TCP  10.10.11.187  56208  10.10.16.3  4445   Established  4332  rtcp64
  TCP  10.10.11.187  57135  10.10.16.3  4444   Established  4720  httpd
  TCP  10.10.11.187  61410  10.10.16.3  4445   Established  1916  rtcp64
  TCP  10.10.11.187  61822  10.10.16.3  9999   Established  3504  chisel
  TCP  10.10.11.187  62930  10.10.16.3  4445   Established  5852  C:\xampp\rtcp64.exe
  TCP  10.10.11.187  62953  10.10.16.13 9999   SYN Sent     2136  chisel
  TCP  127.0.0.1     53     0.0.0.0     0      Listening    2940  dns
  TCP  127.0.0.1     8000   127.0.0.1   62046  Established  4     System
  TCP  127.0.0.1     8000   127.0.0.1   62049  Established  4     System
  TCP  127.0.0.1     8000   127.0.0.1   62059  Established  4     System
  TCP  127.0.0.1     8000   127.0.0.1   62417  Established  4     System
  TCP  127.0.0.1     8000   127.0.0.1   62841  Established  4     System
  TCP  127.0.0.1     8000   127.0.0.1   62844  Established  4     System
  TCP  127.0.0.1     8000   127.0.0.1   62845  Established  4     System
  TCP  127.0.0.1     8000   127.0.0.1   62846  Established  4     System
  TCP  127.0.0.1     8000   127.0.0.1   62855  Established  4     System
  TCP  127.0.0.1     8000   127.0.0.1   62898  Established  4     System
  TCP  127.0.0.1     62046  127.0.0.1   8000   Established  3504  chisel
  TCP  127.0.0.1     62049  127.0.0.1   8000   Established  3504  chisel
  TCP  127.0.0.1     62059  127.0.0.1   8000   Established  3504  chisel
  TCP  127.0.0.1     62417  127.0.0.1   8000   Established  3504  chisel
  TCP  127.0.0.1     62841  127.0.0.1   8000   Established  3504  chisel
  TCP  127.0.0.1     62844  127.0.0.1   8000   Established  3504  chisel
  TCP  127.0.0.1     62845  127.0.0.1   8000   Established  3504  chisel
  TCP  127.0.0.1     62846  127.0.0.1   8000   Established  3504  chisel
  TCP  127.0.0.1     62855  127.0.0.1   8000   Established  3504  chisel
  TCP  127.0.0.1     62898  127.0.0.1   8000   Established  3504  chisel

  Enumerating IPv6 connections

  Protocol  Local Address  Local Port  Remote Address  Remote Port  State        Process ID  Process Name
  TCP  [::]                             80     [::]                             0      Listening    4620  httpd
  TCP  [::]                             88     [::]                             0      Listening    656   lsass
  TCP  [::]                             135    [::]                             0      Listening    912   svchost
  TCP  [::]                             389    [::]                             0      Listening    656   lsass
  TCP  [::]                             443    [::]                             0      Listening    4620  httpd
  TCP  [::]                             445    [::]                             0      Listening    4     System
  TCP  [::]                             464    [::]                             0      Listening    656   lsass
  TCP  [::]                             593    [::]                             0      Listening    912   svchost
  TCP  [::]                             636    [::]                             0      Listening    656   lsass
  TCP  [::]                             3268   [::]                             0      Listening    656   lsass
  TCP  [::]                             3269   [::]                             0      Listening    656   lsass
  TCP  [::]                             5985   [::]                             0      Listening    4     System
  TCP  [::]                             8000   [::]                             0      Listening    4     System
  TCP  [::]                             9389   [::]                             0      Listening    2788  Microsoft.ActiveDirectory.WebServices
  TCP  [::]                             47001  [::]                             0      Listening    4     System
  TCP  [::]                             49664  [::]                             0      Listening    500   wininit
  TCP  [::]                             49665  [::]                             0      Listening    1108  svchost
  TCP  [::]                             49666  [::]                             0      Listening    1500  svchost
  TCP  [::]                             49668  [::]                             0      Listening    656   lsass
  TCP  [::]                             49673  [::]                             0      Listening    656   lsass
  TCP  [::]                             49674  [::]                             0      Listening    656   lsass
  TCP  [::]                             49682  [::]                             0      Listening    636   services
  TCP  [::]                             49690  [::]                             0      Listening    2940  dns
  TCP  [::]                             49699  [::]                             0      Listening    2888  dfsrs
  TCP  [::1]                            53     [::]                             0      Listening    2940  dns
  TCP  [::1]                            389    [::1]                            49678  Established  656   lsass
  TCP  [::1]                            389    [::1]                            49679  Established  656   lsass
  TCP  [::1]                            389    [::1]                            49688  Established  656   lsass
  TCP  [::1]                            389    [::1]                            49694  Established  656   lsass
  TCP  [::1]                            389    [::1]                            49697  Established  656   lsass
  TCP  [::1]                            49668  [::1]                            49696  Established  656   lsass
  TCP  [::1]                            49678  [::1]                            389    Established  2972  ismserv
  TCP  [::1]                            49679  [::1]                            389    Established  2972  ismserv
  TCP  [::1]                            49688  [::1]                            389    Established  2940  dns
  TCP  [::1]                            49694  [::1]                            389    Established  2888  dfsrs
  TCP  [::1]                            49696  [::1]                            49668  Established  2888  dfsrs
  TCP  [::1]                            49697  [::1]                            389    Established  2888  dfsrs
  TCP  [dead:beef::13d]                 53     [::]                             0      Listening    2940  dns
  TCP  [dead:beef::3418:57dd:cff4:b69a] 53     [::]                             0      Listening    2940  dns
  TCP  [fe80::3418:57dd:cff4:b69a%6]    53     [::]                             0      Listening    2940  dns
  TCP  [fe80::3418:57dd:cff4:b69a%6]    389    [fe80::3418:57dd:cff4:b69a%6]    49689  Established  656   lsass
  TCP  [fe80::3418:57dd:cff4:b69a%6]    49668  [fe80::3418:57dd:cff4:b69a%6]    49754  Established  656   lsass
  TCP  [fe80::3418:57dd:cff4:b69a%6]    49668  [fe80::3418:57dd:cff4:b69a%6]    49869  Established  656   lsass
  TCP  [fe80::3418:57dd:cff4:b69a%6]    49668  [fe80::3418:57dd:cff4:b69a%6]    62950  Established  656   lsass
  TCP  [fe80::3418:57dd:cff4:b69a%6]    49689  [fe80::3418:57dd:cff4:b69a%6]    389    Established  2940  dns
  TCP  [fe80::3418:57dd:cff4:b69a%6]    49754  [fe80::3418:57dd:cff4:b69a%6]    49668  Established  656   lsass
  TCP  [fe80::3418:57dd:cff4:b69a%6]    49869  [fe80::3418:57dd:cff4:b69a%6]    49668  Established  2476  dfssvc

╔══════════╣ Current UDP Listening Ports
╚ Check for services restricted from the outside

  Enumerating IPv4 connections

  Protocol  Local Address  Local Port  Remote Address:Remote Port  Process ID  Process Name
  UDP  0.0.0.0       123    *:*  716   svchost
  UDP  0.0.0.0       389    *:*  656   lsass
  UDP  0.0.0.0       5353   *:*  1120  svchost
  UDP  0.0.0.0       5355   *:*  1120  svchost
  UDP  0.0.0.0       54488  *:*  1120  svchost
  UDP  10.10.11.187  88     *:*  656   lsass
  UDP  10.10.11.187  137    *:*  4     System
  UDP  10.10.11.187  138    *:*  4     System
  UDP  10.10.11.187  464    *:*  656   lsass
  UDP  127.0.0.1     49483  *:*  2972  ismserv
  UDP  127.0.0.1     50347  *:*  1968  svchost
  UDP  127.0.0.1     54489  *:*  3032  svchost
  UDP  127.0.0.1     54491  *:*  3952  WmiPrvSE
  UDP  127.0.0.1     54496  *:*  4552  C:\Windows\TEMP\winPEASx64_ofs.exe
  UDP  127.0.0.1     56562  *:*  2476  dfssvc
  UDP  127.0.0.1     57083  *:*  1240  svchost
  UDP  127.0.0.1     60507  *:*  2888  dfsrs
  UDP  127.0.0.1     60550  *:*  2788  Microsoft.ActiveDirectory.WebServices
  UDP  127.0.0.1     61455  *:*  1368  svchost

  Enumerating IPv6 connections

  Protocol  Local Address  Local Port  Remote Address:Remote Port  Process ID  Process Name
  UDP  [::]                             123    *:*  716   svchost
  UDP  [::]                             389    *:*  656   lsass
  UDP  [::]                             5353   *:*  1120  svchost
  UDP  [::]                             5355   *:*  1120  svchost
  UDP  [::]                             54488  *:*  1120  svchost
  UDP  [dead:beef::13d]                 88     *:*  656   lsass
  UDP  [dead:beef::13d]                 464    *:*  656   lsass
  UDP  [dead:beef::3418:57dd:cff4:b69a] 88     *:*  656   lsass
  UDP  [dead:beef::3418:57dd:cff4:b69a] 464    *:*  656   lsass
  UDP  [fe80::3418:57dd:cff4:b69a%6]    88     *:*  656   lsass
  UDP  [fe80::3418:57dd:cff4:b69a%6]    464    *:*  656   lsass

╔══════════╣ Firewall Rules
╚ Showing only DENY rules (too many ALLOW rules always)
    Current Profiles: DOMAIN
    FirewallEnabled (Domain): True
    FirewallEnabled (Private): True
    FirewallEnabled (Public): True

    DENY rules:
[X] Exception: Object reference not set to an instance of an object.
╔══════════╣ DNS cached --limit 70--
Entry Name Data

╔══════════╣ Enumerating Internet settings, zone and proxy configuration

General Settings
Hive Key Value
HKCU User Agent Mozilla/4.0 (compatible; MSIE 8.0; Win32)
HKCU IE5_UA_Backup_Flag 5.0
HKCU ZonesSecurityUpgrade System.Byte[]
HKLM ActiveXCache C:\Windows\Downloaded Program Files
HKLM CodeBaseSearchPath CODEBASE
HKLM EnablePunycode 1
HKLM MinorVersion 0
HKLM WarnOnIntranet 1

Zone Maps
No URLs configured

Zone Auth Settings
No Zone Auth Settings

════════════════════════════════════╣ Windows Credentials ╠════════════════════════════════════

╔══════════╣ Checking Windows Vault
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-manager-windows-vault
Not Found

╔══════════╣ Checking Credential manager
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-manager-windows-vault
[!] Warning: if password contains non-printable characters, it will be printed as unicode base64 encoded string
[!] Unable to enumerate credentials automatically, error: 'Win32Exception: System.ComponentModel.Win32Exception (0x80004005): Element not found'
Please run: cmdkey /list

╔══════════╣ Saved RDP connections
Not Found

╔══════════╣ Remote Desktop Server/Client Settings
RDP Server Settings
Network Level Authentication :
Block Clipboard Redirection :
Block COM Port Redirection :
Block Drive Redirection :
Block LPT Port Redirection :
Block PnP Device Redirection :
Block Printer Redirection :
Allow Smart Card Redirection :

RDP Client Settings
Disable Password Saving : True
Restricted Remote Administration : False

╔══════════╣ Recently run commands
Not Found

╔══════════╣ Checking for DPAPI Master Keys
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi
Not Found

╔══════════╣ Checking for DPAPI Credential Files
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi
Not Found

╔══════════╣ Checking for RDCMan Settings Files
╚ Dump credentials from Remote Desktop Connection Manager https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#remote-desktop-credential-manager
Not Found

╔══════════╣ Looking for Kerberos tickets
╚ https://book.hacktricks.xyz/pentesting/pentesting-kerberos-88
Not Found

╔══════════╣ Looking for saved Wifi credentials
[X] Exception: Unable to load DLL 'wlanapi.dll': The specified module could not be found. (Exception from HRESULT: 0x8007007E)
Enumerating WLAN using wlanapi.dll failed, trying to enumerate using 'netsh'
No saved Wifi credentials found

╔══════════╣ Looking AppCmd.exe
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd-exe
AppCmd.exe was found in C:\Windows\system32\inetsrv\appcmd.exe
You must be an administrator to run this check

╔══════════╣ Looking SSClient.exe
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#scclient-sccm
Not Found

╔══════════╣ Enumerating SSCM - System Center Configuration Manager settings

╔══════════╣ Enumerating Security Packages Credentials
Version: NetNTLMv2
Hash: G0$::flight:1122334455667788:481bcd7edecd7c1f05b28363684fde3e:0101000000000000167309f5b33cd901530b32c803237f6d0000000008003000300000000000000000000000003000002755a3568a8f9afb587704de2295ccd9a81d9f4a43144fa432f7cf9d1e2be3f10a00100000000000000000000000000000000000090000000000000000000000

=================================================================================================

════════════════════════════════════╣ Browsers Information ╠════════════════════════════════════

╔══════════╣ Showing saved credentials for Firefox
Info: if no credentials were listed, you might need to close the browser and try again.

╔══════════╣ Looking for Firefox DBs
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history
Not Found

╔══════════╣ Looking for GET credentials in Firefox history
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history
Not Found

╔══════════╣ Showing saved credentials for Chrome
Info: if no credentials were listed, you might need to close the browser and try again.
╔══════════╣ Looking for Chrome DBs
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history
Not Found

╔══════════╣ Looking for GET credentials in Chrome history
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history
Not Found

╔══════════╣ Chrome bookmarks
Not Found

╔══════════╣ Showing saved credentials for Opera
Info: if no credentials were listed, you might need to close the browser and try again.

╔══════════╣ Showing saved credentials for Brave Browser
Info: if no credentials were listed, you might need to close the browser and try again.

╔══════════╣ Showing saved credentials for Internet Explorer (unsupported)
Info: if no credentials were listed, you might need to close the browser and try again.

╔══════════╣ Current IE tabs
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history
[X] Exception: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Runtime.InteropServices.COMException: The server process could not be started because the configured identity is incorrect. Check the username and password. (Exception from HRESULT: 0x8000401A)
--- End of inner exception stack trace ---
at System.RuntimeType.InvokeDispMethod(String name, BindingFlags invokeAttr, Object target, Object[] args, Boolean[] byrefModifiers, Int32 culture, String[] namedParameters)
at System.RuntimeType.InvokeMember(String name, BindingFlags bindingFlags, Binder binder, Object target, Object[] providedArgs, ParameterModifier[] modifiers, CultureInfo culture, String[] namedParams)
at fk.l()
Not Found

╔══════════╣ Looking for GET credentials in IE history
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history
Not Found

╔══════════╣ IE favorites
Not Found

════════════════════════════════════╣ Interesting files and registry ╠════════════════════════════════════

╔══════════╣ Putty Sessions
Not Found

╔══════════╣ Putty SSH Host keys
Not Found

╔══════════╣ SSH keys in registry
╚ If you find anything here, follow the link to learn how to decrypt the SSH keys
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#ssh-keys-in-registry
Not Found

╔══════════╣ SuperPutty configuration files

╔══════════╣ Enumerating Office 365 endpoints synced by OneDrive.
SID: S-1-5-19
=================================================================================================
SID: S-1-5-20
=================================================================================================
SID: S-1-5-21-4078382237-1492182817-2568127209-1612
=================================================================================================
SID: S-1-5-18
=================================================================================================

╔══════════╣ Cloud Credentials
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files
Not Found

╔══════════╣ Unattend Files

╔══════════╣ Looking for common SAM & SYSTEM backups

╔══════════╣ Looking for McAfee Sitelist.xml Files

╔══════════╣ Cached GPP Passwords

╔══════════╣ Looking for possible regs with creds
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry
Not Found
Not Found
Not Found
Not Found

╔══════════╣ Looking for possible password files in users homes
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files
C:\Users\All Users\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml

╔══════════╣ Searching for Oracle SQL Developer config files

╔══════════╣ Slack files & directories
note: check manually if something is found

╔══════════╣ Looking for LOL Binaries and Scripts (can be slow)
╚ https://lolbas-project.github.io/
[!] Check skipped, if you want to run it, please specify '-lolbas' argument

╔══════════╣ Enumerating Outlook download files

╔══════════╣ Enumerating machine and user certificate files

╔══════════╣ Searching known files that can contain creds in home
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files

╔══════════╣ Looking for documents --limit 100--
Not Found

╔══════════╣ Office Most Recent Files -- limit 50
Last Access Date User Application Document

╔══════════╣ Recent files --limit 70--
Not Found

╔══════════╣ Looking inside the Recycle Bin for creds files
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files
Not Found

╔══════════╣ Searching hidden files or folders in C:\Users home (can be slow)
C:\Users\All Users\ntuser.pol
C:\Users\Default User
C:\Users\Default
C:\Users\All Users

╔══════════╣ Searching interesting files in other users home directories (can be slow)

╔══════════╣ Searching executable files in non-default folders with write (equivalent) permissions (can be slow)

╔══════════╣ Looking for Linux shells/distributions - wsl.exe, bash.exe

════════════════════════════════════╣ File Analysis ╠════════════════════════════════════

╔══════════╣ Found MySQL Files
Folder: C:\xampp\licenses\strawberry\licenses\mysql
Folder: C:\xampp\licenses\mysql
Folder: C:\xampp\licenses\mysql
Folder: C:\xampp\mysql
Folder: C:\xampp\php\data\phpdocref\mysql
Folder: C:\xampp\perl\vendor\lib\DBD\mysql
Folder: C:\xampp\perl\vendor\lib\auto\DBD\mysql
Folder: C:\xampp\mysql\data\mysql
Folder: C:\xampp\mysql\backup\mysql

╔══════════╣ Found Apache-Nginx Files
File: C:\xampp\php\php.ini
; PHP's initialization file, generally called php.ini, is responsible for
; configuring many of the aspects of PHP's behavior.
; PHP attempts to find and load this configuration from a number of locations.
; 1. SAPI module specific location.
; 2. The PHPRC environment variable. (As of PHP 5.2.0)
; 3. A number of predefined registry keys on Windows (As of PHP 5.2.0)
; 6. The directory from the --with-config-file-path compile time option, or the
; See the PHP docs for more specific information.
; https://php.net/configuration.file
; beginning with a semicolon are silently ignored (as you probably guessed).
; Section headers (e.g. [Foo]) are also silently ignored, even though
; Directives following the section heading [PATH=/www/mysite] only
; following the section heading [HOST=www.example.com] only apply to
; special sections cannot be overridden by user-defined INI files or
; at runtime. Currently, [PATH=] and [HOST=] sections only work under
; https://php.net/ini.sections
; Directives are variables used to configure PHP or PHP extensions.
; There is no name validation. If PHP can't find an expected
; The value can be a string, a number, a PHP constant (e.g. E_ALL or M_PI), one
; of the INI constants (On, Off, True, False, Yes, No and None) or an expression
; Expressions in the INI file are limited to bitwise operators and parentheses:
; Boolean flags can be turned on using the values 1, On, True or Yes.
; sign, or by using the None keyword:
; foo = None ; sets foo to an empty string
; foo = "None" ; sets foo to the string 'None'
; If you use constants in your value, and these constants belong to a
; dynamically loaded extension (either a PHP extension or a Zend extension),
; you may only use these constants *after* the line that loads the extension.
; PHP comes packaged with two INI files. One that is recommended to be used
; in production environments and one that is recommended to be used in
; development environments.
; php.ini-production contains settings which hold security, performance and
; compatibility with older or less security conscience applications. We
; recommending using the production ini in production and testing environments.
; php.ini-development is very similar to its production variant, except it is
; development version only in development environments, as errors shown to
; application users can inadvertently leak otherwise secure information.
; The following are all the settings which are different in either the production
; or development versions of the INIs with respect to PHP's default behavior.
; Default Value: On
; Development Value: On
; Production Value: Off
; Default Value: On
; Development Value: On
; Production Value: Off
; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT
; Development Value: On
; Production Value: On
; Development Value: 60 (60 seconds)
; Production Value: 60 (60 seconds)
; Production Value: 4096
; Default Value: On
; Production Value: Off
; Default Value: None
; Production Value: "GP"
; session.gc_divisor
; Production Value: 1000
; session.sid_bits_per_character
; Production Value: 5
; Default Value: On
; Production Value: Off
; Production Value: "GPCS"
; zend.exception_ignore_args
; Production Value: On
; zend.exception_string_param_max_len
; Production Value: 0
; php.ini Options ;
; To disable this feature set this option to an empty value
; TTL for user-defined php.ini files (time-to-live) in seconds. Default is 300 seconds (5 minutes)
; Language Options ;
engine = On
; documents, however this remains supported for backward compatibility reasons.
; Note that this directive does not control the .so' and
; 'extension='php_.dll') is supported for legacy reasons and may be
; deprecated in a future PHP major version. So, when it is possible, please
; move to the new ('extension=) syntax.
; Notes for Windows environments :
; - Many DLL files are located in the extensions/ (PHP 4) or ext/ (PHP 5+)
; extension folders as well as the separate PECL DLL download (PHP 5+).
; Be sure to appropriately set the extension_dir directive.
extension=bz2
extension=curl
;extension=ffi
;extension=ftp
extension=fileinfo
;extension=gd
extension=gettext
;extension=gmp
;extension=intl
;extension=imap
;extension=ldap
extension=mbstring
extension=exif ; Must be after mbstring as it depends on it
extension=mysqli
;extension=oci8_12c ; Use with Oracle Database 12c Instant Client
;extension=oci8_19 ; Use with Oracle Database 19 Instant Client
;extension=odbc
;extension=openssl
;extension=pdo_firebird
extension=pdo_mysql
;extension=pdo_oci
;extension=pdo_odbc
;extension=pdo_pgsql
extension=pdo_sqlite
;extension=pgsql
;extension=shmop
; The MIBS data available in the PHP distribution must be installed.
; See https://www.php.net/manual/en/snmp.installation.php
;extension=snmp
;extension=soap
;extension=sockets
;extension=sodium
;extension=sqlite3
;extension=tidy
;extension=xsl
;zend_extension=opcache
display_startup_errors=On
y2k_compliance=On
register_long_arrays=Off
extension=php_openssl.dll
extension=php_ftp.dll
cli_server.color = On
; Defines the default timezone used by the date functions
; https://php.net/date.timezone
;date.timezone =
; https://php.net/date.default-longitude
;date.default_longitude = 35.2333
[iconv]
; If empty, default_charset or input_encoding or iconv.input_encoding is used.
; The precedence is: default_charset < input_encoding < iconv.input_encoding
;iconv.input_encoding =
; If empty, default_charset or internal_encoding or iconv.internal_encoding is used.
; The precedence is: default_charset < internal_encoding < iconv.internal_encoding
;iconv.internal_encoding =
; If empty, default_charset or output_encoding or iconv.output_encoding is used.
; The precedence is: default_charset < output_encoding < iconv.output_encoding
; To use an output encoding conversion, iconv's output handler must be set
; otherwise output encoding conversion cannot be performed.
;iconv.output_encoding =
; passing them to rsh/ssh command, thus passing untrusted data to this function
; happens within intl functions. The value is the level of the error produced.
;intl.use_exceptions = 0
; Directory pointing to SQLite3 extensions
; https://php.net/sqlite3.extension-dir
;sqlite3.extension_dir =
; SQLite defensive mode flag (only available from SQLite 3.26+)
; https://www.sqlite.org/c3ref/c_dbconfig_defensive.html
; (for older SQLite versions, this flag has no use)
; PCRE library recursion limit.
; Please note that if you set this value to a high number you may consume all
; https://php.net/pcre.recursion-limit
;pcre.recursion_limit=100000
; Enables or disables JIT compilation of patterns. This requires the PCRE
; Whether to pool ODBC connections. Can be one of "strict", "relaxed" or "off"
; https://php.net/pdo-odbc.connection-pooling
;pdo_odbc.connection_pooling=strict
; Default socket name for local MySQL connects. If empty, uses the built-in
; https://php.net/phar.readonly
;phar.readonly = On
;phar.require_hash = On
[mail function]
; For Win32 only.
; For Win32 only.
; For Unix only. You may supply arguments as well (default: "sendmail -t -i").
; Force the addition of the specified parameters to be passed as extra parameters
; Log mail to syslog (Event Log on Windows).
; Controls the ODBC cursor model.
odbc.allow_persistent = On
; Check that a connection is still valid before reuse.
odbc.check_persistent = On
; Maximum number of links (persistent + non-persistent). -1 means no limit.
; Handling of LONG fields. Returns number of bytes to variables. 0 means
; Handling of binary data. 0 means passthru, 1 return as is, 2 convert to char.
; See the documentation on odbc_binmode and odbc_longreadlen for an explanation
;mysqli.allow_local_infile = On
mysqli.allow_persistent = On
; Default port number for mysqli_connect(). If unset, mysqli_connect() will use
; compile-time value defined MYSQL_PORT (in that order). Win32 will only look
; Default socket name for local MySQL connects. If empty, uses the built-in
; Default host for mysqli_connect() (doesn't apply in safe mode).
; Default user for mysqli_connect() (doesn't apply in safe mode).
; Default password for mysqli_connect() (doesn't apply in safe mode).
; Allow or prevent reconnect
mysqli.reconnect = Off
; If this option is enabled, closing a persistent connection will rollback
; any pending transactions of this connection, before it is put back
; into the persistent connection pool.
;mysqli.rollback_on_cached_plink = Off
; Enable / Disable collection of general statistics by mysqlnd which can be
; used to tune and monitor MySQL operations.
mysqlnd.collect_statistics = On
; Enable / Disable collection of memory usage statistics by mysqlnd which can be
; used to tune and monitor MySQL operations.
mysqlnd.collect_memory_statistics = On
; Records communication from all extensions using mysqlnd to the specified log
; Timeout for network requests in seconds.
; SHA-256 Authentication Plugin related. File with the MySQL server public RSA
; Connection: Enables privileged connections using external
; https://php.net/oci8.privileged-connect
;oci8.privileged_connect = Off
; Connection: The maximum number of persistent OCI8 connections per
; Connection: The maximum number of seconds a process is allowed to
; maintain an idle persistent connection. Using -1 means idle
; persistent connections will be maintained forever.
; Connection: The number of seconds that must pass before issuing a
; ping during oci_pconnect() to check the connection validity. When
; set to 0, each oci_pconnect() will cause a ping. Using -1 disables
; Connection: Set this to a user chosen connection class to be used
; Connection Pooling (DRCP). To use DRCP, this value should be set to
; the same string for all web servers running the same application,
; the database pool must be configured, and the connection string must
;oci8.connection_class =
; High Availability: Using On lets PHP receive Fast Application
; Notification (FAN) events generated when a database node fails. The
; database must also be configured to post FAN events.
; Tuning: This option enables statement caching, and specifies how
; rows that will be fetched automatically after statement execution.
; Compatibility. Using On means oci_close() will not close
; oci_connect() and oci_new_connect() connections.
pgsql.allow_persistent = On
; Detect broken persistent links always with pg_pconnect().
; Maximum number of links (persistent+non persistent). -1 means no limit.
; Number of decimal digits for all bcmath functions.
[Session]
; https://php.net/session.save-handler
session.save_handler = files
; variable in order to use PHP's session functions.
; session.save_path = "N;/path"
; where N is an integer. Instead of storing all the session files in
; store the session data in those directories. This is useful if
; your OS has problems with many files in one directory, and is
; a more efficient layout for servers that handle many sessions.
; You can use the script in the ext/session dir for that purpose.
; NOTE 2: See the section on garbage collection below if you choose to
; use subdirectories for session storage
; session.save_path = "N;MODE;/path"
; where MODE is the octal representation of the mode. Note that this
; https://php.net/session.save-path
session.save_path = "\xampp\tmp"
; Whether to use strict session mode.
; Strict session mode does not accept an uninitialized session ID, and
; regenerates the session ID if the browser sends an uninitialized session ID.
; Strict mode protects applications from session fixation via a session adoption
; https://wiki.php.net/rfc/strict_sessions
session.use_strict_mode = 0
; https://php.net/session.use-cookies
session.use_cookies = 1
; https://php.net/session.cookie-secure
;session.cookie_secure =
; This option forces PHP to fetch and use a cookie for storing and maintaining
; the session id. We encourage this operation as it's very helpful in combating
; session hijacking when not specifying and managing your own session id. It is
; not the be-all and end-all of session hijacking defense, but it's a good start.
; https://php.net/session.use-only-cookies
session.use_only_cookies = 1
; Name of the session (used as cookie name).
; https://php.net/session.name
session.name = PHPSESSID
; Initialize session on request startup.
; https://php.net/session.auto-start
session.auto_start = 0
; Lifetime in seconds of cookie or, if 0, until browser is restarted.
; https://php.net/session.cookie-lifetime
session.cookie_lifetime = 0
; https://php.net/session.cookie-path
session.cookie_path = /
; https://php.net/session.cookie-domain
session.cookie_domain =
; Whether or not to add the httpOnly flag to the cookie, which makes it
; https://php.net/session.cookie-httponly
session.cookie_httponly =
; Current valid values are "Strict", "Lax" or "None". When using "None",
; make sure to include the quotes, as `none` is interpreted like `false` in ini files.
session.cookie_samesite =
; https://php.net/session.serialize-handler
session.serialize_handler = php
; Defines the probability that the 'garbage collection' process is started on every
; session initialization. The probability is calculated by using gc_probability/gc_divisor,
; e.g. 1/100 means there is a 1% chance that the GC process starts on each request.
; Production Value: 1
; https://php.net/session.gc-probability
session.gc_probability = 1
; Defines the probability that the 'garbage collection' process is started on every
; session initialization. The probability is calculated by using gc_probability/gc_divisor,
; e.g. 1/100 means there is a 1% chance that the GC process starts on each request.
; For high volume production servers, using a value of 1000 is a more efficient approach.
; Production Value: 1000
; https://php.net/session.gc-divisor
session.gc_divisor = 1000
; After this number of seconds, stored data will be seen as 'garbage' and
; cleaned up by the garbage collection process.
; https://php.net/session.gc-maxlifetime
session.gc_maxlifetime = 1440
; NOTE: If you are using the subdirectory option for storing session files
; (see session.save_path above), then garbage collection does *not*
; collection through a shell script, cron entry, or some other method.
; session.gc_maxlifetime to 1440 (1440 seconds = 24 minutes):
; find /path/to/sessions -cmin +24 -type f | xargs rm
; Check HTTP Referer to invalidate externally stored URLs containing ids.
; HTTP_REFERER has to contain this substring for the session to be
; considered as valid.
; https://php.net/session.referer-check
session.referer_check =
; https://php.net/session.cache-limiter
session.cache_limiter = nocache
; https://php.net/session.cache-expire
session.cache_expire = 180
; Use this option with caution.
; - User may send URL contains active session ID
; to other person via. email/irc/etc.
; - URL that contains active session ID may be stored
; - User may access your site with the same session ID
; https://php.net/session.use-trans-sid
session.use_trans_sid = 0
; Set session ID character length. This value could be between 22 to 256.
; Shorter length than default is supported only for compatibility reason.
; https://php.net/session.sid-length
; Production Value: 26
session.sid_length = 26
; to URLs.
tag's action attribute URL will not be modified
; Production Value: "a=href,area=href,frame=src,form="
session.trans_sid_tags = "a=href,area=href,frame=src,form="
; tags is special. PHP will check action attribute's URL regardless
; of session.trans_sid_tags setting.
; Production Value: ""
;session.trans_sid_hosts=""
; Define how many bits are stored in each character when converting
; Production Value: 5
; https://php.net/session.hash-bits-per-character
session.sid_bits_per_character = 5
; Enable upload progress tracking in $_SESSION
; Default Value: On
; Development Value: On
; Production Value: On
; https://php.net/session.upload-progress.enabled
;session.upload_progress.enabled = On
; Cleanup the progress information as soon as all POST data has been read
; Default Value: On
; Development Value: On
; Production Value: On
; https://php.net/session.upload-progress.cleanup
;session.upload_progress.cleanup = On
; A prefix used for the upload progress key in $_SESSION
; Production Value: "upload_progress_"
; https://php.net/session.upload-progress.prefix
;session.upload_progress.prefix = "upload_progress_"
; The index name (concatenated with the prefix) in $_SESSION
; containing the upload progress information
; Default Value: "PHP_SESSION_UPLOAD_PROGRESS"
; Development Value: "PHP_SESSION_UPLOAD_PROGRESS"
; Production Value: "PHP_SESSION_UPLOAD_PROGRESS"
; https://php.net/session.upload-progress.name
;session.upload_progress.name = "PHP_SESSION_UPLOAD_PROGRESS"
; Production Value: "1%"
; https://php.net/session.upload-progress.freq
;session.upload_progress.freq = "1%"
; The minimum delay between updates, in seconds
; Production Value: 1
; https://php.net/session.upload-progress.min-freq
;session.upload_progress.min_freq = "1"
; Only write session data when session data is changed. Enabled by default.
; https://php.net/session.lazy-write
;session.lazy_write = On
[Assertion]
; Switch whether to compile assertions at all (to have no overhead at run-time)
; 0: Jump over assertion at run-time
; 1: Execute assertions
; Changing from or to a negative value is only possible in php.ini! (For turning assertions on and off at run-time, see assert.active, when zend.assertions = 1)
; Production Value: -1
; https://php.net/zend.assertions
zend.assertions = 1
;assert.active = On
; Throw an AssertionError on failed assertions
; https://php.net/assert.exception
;assert.exception = On
; Issue a PHP warning for each failed assertion. (Overridden by assert.exception if active)
;assert.warning = On
; Don't bail out by default.
; User-function to be called if an assertion fails.
; path to a file containing GUIDs, IIDs or filenames of files with TypeLibs
; autoregister constants of a component's typelib on com_load()
; register constants casesensitive
; show warnings on duplicate constant registrations
; The version of the .NET framework to use. The value of the setting are the first three parts
; of the framework's version number, separated by dots, and prefixed with "v", e.g. "v4.0.30319".
;com.dotnet_version=
; language for internal character representation.
; If empty, default_charset or internal_encoding or iconv.internal_encoding is used.
; The precedence is: default_charset < internal_encoding < iconv.internal_encoding
; mbstring.encoding_translation = On is needed to use this setting.
; mb_output_handler must be registered as output buffer to function.
; To use an output encoding conversion, mbstring's output handler must be set
; otherwise output encoding conversion cannot be performed.
; enable automatic encoding translation according to
; converted to internal encoding by setting this to On.
; Note: Do _not_ use automatic encoding translation for
; portable libs/applications.
; https://php.net/mbstring.encoding-translation ;mbstring.encoding_translation = Off ; automatic encoding detection order. ; substitute_character used when character cannot be converted ; one from another ;mbstring.substitute_character = none ; Enable strict encoding detection. ;mbstring.strict_detection = Off ; This directive specifies the regex pattern of content types for which mb_output_handler() ; Default: mbstring.http_output_conv_mimetypes=^(text/|application/xhtml\+xml) ;mbstring.http_output_conv_mimetypes= ; This directive specifies maximum stack depth for mbstring regular expressions. It is similar ; to the pcre.recursion_limit for PCRE. ; This directive specifies maximum retry count for mbstring regular expressions. It is similar ; With mbstring support this will automatically be converted into the encoding ; given by corresponding encode setting. When empty mbstring.internal_encoding ; The path to a default tidy configuration file to use when using tidy ; https://php.net/tidy.default-config ;tidy.default_config = /usr/local/lib/php/default.tcfg ; WARNING: Do not use this option if you are generating non-html content ; Sets the directory name where SOAP extension will put cache files. ; (time to live) Sets the number of second while cached file will be used ; instead of original one. ; Determines if Zend OPCache is enabled for the CLI version of PHP ;opcache.memory_consumption=128 ; Only numbers between 200 and 1000000 are allowed. ; directory to the script key, thus eliminating possible collisions between ; performance, but may break existing applications. ; How often (in seconds) to check file timestamps for changes to the shared ; memory storage allocation. ("1" means validate once per second, but only ; once per request. "0" means always validate) ; Enables or disables file search in include_path optimization ; If enabled, compilation warnings (including notices and deprecations) will ; be recorded and replayed each time a file is included. 
Otherwise, compilation ; warnings will only be emitted when the file is first cached. ;opcache.optimization_level=0x7FFFBFFF ; The location of the OPcache blacklist file (wildcards allowed). ; Allows exclusion of large files from being cached. By default all files ;opcache.consistency_checks=0 ; How long to wait (in seconds) for a scheduled restart to begin if the cache ; By default, only fatal errors (level 0) or errors (level 1) are logged. ; Protect the shared memory from unexpected writing during script execution. ; Useful for internal debugging only. ; Allows calling OPcache API functions only from PHP scripts which path is ; started from specified string. The default "" means no restriction ; Mapping base of shared memory segments (for Windows only). All the PHP ; Facilitates multiple OPcache instances per user (for Windows only). All PHP ; Enables and sets the second level cache directory. ;opcache.file_cache_only=0 ; Enables or disables checksum validation when script loaded from file cache. ;opcache.file_cache_consistency_checks=1 ; Implies opcache.file_cache_only=1 for a certain process that failed to ; reattach to the shared memory (for Windows only). Explicitly enabled file ; This should improve performance, but requires appropriate OS configuration. ; Validate cached file permissions. ;opcache.validate_permission=0 ; Prevent name collisions in chroot'ed environment. ; optimizations. ; Preloading code as root is not allowed for security reasons. This directive ; Prevents caching files that are less than this number of seconds old. It ; on your site are atomic, you may increase performance by setting it to "0". ;opcache.file_update_protection=2 ; Absolute path used to store shared lockfiles (for *nix only). ; A default value for the CURLOPT_CAINFO option. This is required to be an ; The location of a Certificate Authority (CA) file on the local filesystem ; be overridden on a per-stream basis via the "cafile" SSL stream context ; option. 
; this value may still be overridden on a per-stream basis via the "capath"
; SSL stream context option.
; FFI API restriction. Possible values:
[Session]
date.timezone=Europe/Berlin
mysql.allow_local_infile=On
mysql.allow_persistent=On
mysql.connect_timeout=3
sybct.allow_persistent=On
mssql.allow_persistent=On
mssql.secure_connection=Off

╔══════════╣ Found PHP_files Files
File: C:\xampp\php\scripts\configure.php
File: C:\xampp\php\pear\PHPUnit\Util\Configuration.php
File: C:\xampp\php\pear\PHP\Debug\Renderer\HTML\TableConfig.php
File: C:\xampp\php\pear\PHP\Debug\Renderer\HTML\DivConfig.php
File: C:\xampp\php\pear\PEAR\Config.php
File: C:\xampp\php\pear\PEAR\Command\Config.php
File: C:\xampp\phpMyAdmin\vendor\tecnickcom\tcpdf\tcpdf_autoconfig.php
File: C:\xampp\phpMyAdmin\vendor\tecnickcom\tcpdf\config\tcpdf_config.php
File: C:\xampp\phpMyAdmin\vendor\symfony\dependency-injection\Loader\Configurator\ServicesConfigurator.php
File: C:\xampp\phpMyAdmin\vendor\symfony\dependency-injection\Loader\Configurator\ServiceConfigurator.php
File: C:\xampp\phpMyAdmin\vendor\symfony\dependency-injection\Loader\Configurator\ReferenceConfigurator.php
File: C:\xampp\phpMyAdmin\vendor\symfony\dependency-injection\Loader\Configurator\PrototypeConfigurator.php
File: C:\xampp\phpMyAdmin\vendor\symfony\dependency-injection\Loader\Configurator\ParametersConfigurator.php
File: C:\xampp\phpMyAdmin\vendor\symfony\dependency-injection\Loader\Configurator\InstanceofConfigurator.php
File: C:\xampp\phpMyAdmin\vendor\symfony\dependency-injection\Loader\Configurator\InlineServiceConfigurator.php
File: C:\xampp\phpMyAdmin\vendor\symfony\dependency-injection\Loader\Configurator\DefaultsConfigurator.php
File: C:\xampp\phpMyAdmin\vendor\symfony\dependency-injection\Loader\Configurator\ContainerConfigurator.php
File: C:\xampp\phpMyAdmin\vendor\symfony\dependency-injection\Loader\Configurator\AliasConfigurator.php
File: C:\xampp\phpMyAdmin\vendor\symfony\dependency-injection\Loader\Configurator\AbstractServiceConfigurator.php
File: C:\xampp\phpMyAdmin\vendor\symfony\dependency-injection\Loader\Configurator\AbstractConfigurator.php
File: C:\xampp\phpMyAdmin\vendor\symfony\dependency-injection\Loader\Configurator\Traits\ConfiguratorTrait.php
File: C:\xampp\phpMyAdmin\vendor\symfony\dependency-injection\Loader\Configurator\Traits\AutoconfigureTrait.php
File: C:\xampp\phpMyAdmin\vendor\symfony\dependency-injection\Extension\ConfigurationExtensionInterface.php
File: C:\xampp\phpMyAdmin\vendor\symfony\dependency-injection\Compiler\PassConfig.php
File: C:\xampp\phpMyAdmin\vendor\symfony\dependency-injection\Compiler\MergeExtensionConfigurationPass.php
File: C:\xampp\phpMyAdmin\vendor\symfony\config\ResourceCheckerConfigCacheFactory.php
File: C:\xampp\phpMyAdmin\vendor\symfony\config\ResourceCheckerConfigCache.php
File: C:\xampp\phpMyAdmin\vendor\symfony\config\ConfigCacheInterface.php
File: C:\xampp\phpMyAdmin\vendor\symfony\config\ConfigCacheFactoryInterface.php
File: C:\xampp\phpMyAdmin\vendor\symfony\config\ConfigCacheFactory.php
File: C:\xampp\phpMyAdmin\vendor\symfony\config\ConfigCache.php
File: C:\xampp\phpMyAdmin\vendor\symfony\config\Definition\ConfigurationInterface.php
File: C:\xampp\phpMyAdmin\vendor\symfony\config\Definition\Exception\InvalidConfigurationException.php
File: C:\xampp\phpMyAdmin\setup\config.php
File: C:\xampp\phpMyAdmin\libraries\vendor_config.php
File: C:\xampp\phpMyAdmin\libraries\config.values.php
File: C:\xampp\phpMyAdmin\libraries\config.default.php
File: C:\xampp\phpMyAdmin\libraries\classes\Config.php
File: C:\xampp\phpMyAdmin\libraries\classes\Setup\ConfigGenerator.php
File: C:\xampp\phpMyAdmin\libraries\classes\Plugins\Auth\AuthenticationConfig.php
File: C:\xampp\phpMyAdmin\libraries\classes\Controllers\ConfigController.php
File: C:\xampp\phpMyAdmin\libraries\classes\Controllers\Setup\ConfigController.php
File: C:\xampp\phpMyAdmin\libraries\classes\Config\ServerConfigChecks.php
File: C:\xampp\phpMyAdmin\libraries\classes\Config\ConfigFile.php
File: C:\xampp\phpMyAdmin\libraries\classes\Config\Forms\Setup\ConfigForm.php
File: C:\xampp\phpMyAdmin\examples\config.manyhosts.inc.php
File: C:\xampp\phpMyAdmin\show_config_errors.php
File: C:\xampp\phpMyAdmin\config.sample.inc.php
File: C:\xampp\phpMyAdmin\config.inc.php
File: C:\xampp\php\pear\Table\Storage.php

╔══════════╣ Found Moodle Files
File: C:\xampp\php\pear\PEAR\Config.php
File: C:\xampp\php\pear\PEAR\Command\Config.php
File: C:\xampp\phpMyAdmin\setup\config.php
File: C:\xampp\phpMyAdmin\libraries\classes\Config.php

╔══════════╣ Found Tomcat Files
File: C:\xampp\tomcat\conf\tomcat-users.xml

╔══════════╣ Found CERTSB4 Files
File: C:\xampp\perl\vendor\lib\Mozilla\CA\cacert.pem
File: C:\xampp\phpMyAdmin\libraries\certs\cacert.pem
File: C:\xampp\apache\conf\ssl.crt

Error looking for regexes inside files: System.AggregateException: One or more errors occurred. ---> System.UnauthorizedAccessException: Access to the path 'C:\xampp\htdocs\flight.htb\winshell.php' is denied.
   at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
   at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
   at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
   at System.IO.StreamReader..ctor(String path, Encoding encoding, Boolean detectEncodingFromByteOrderMarks, Int32 bufferSize, Boolean checkHost)
   at System.IO.File.InternalReadAllText(String path, Encoding encoding, Boolean checkHost)
   at ij.f.d(hz A_0)
   at System.Threading.Tasks.Parallel.<>c__DisplayClass17_0`1.b__1()
   at System.Threading.Tasks.Task.InnerInvokeWithArg(Task childTask)
   at System.Threading.Tasks.Task.<>c__DisplayClass176_0.b__0(Object )
   --- End of inner exception stack trace ---
   at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
   at System.Threading.Tasks.Task.Wait(Int32 millisecondsTimeout, CancellationToken cancellationToken)
   at System.Threading.Tasks.Parallel.ForWorker[TLocal](Int32 fromInclusive, Int32 toExclusive, ParallelOptions parallelOptions, Action`1 body, Action`2 bodyWithState, Func`4 bodyWithLocal, Func`1 localInit, Action`1 localFinally)
   at System.Threading.Tasks.Parallel.ForEachWorker[TSource,TLocal](IEnumerable`1 source, ParallelOptions parallelOptions, Action`1 body, Action`2 bodyWithState, Action`3 bodyWithStateAndIndex, Func`4 bodyWithStateAndLocal, Func`5 bodyWithEverything, Func`1 localInit, Action`1 localFinally)
   at System.Threading.Tasks.Parallel.ForEach[TSource](IEnumerable`1 source, ParallelOptions parallelOptions, Action`1 body)
   at ij.f.d()
   at h5.a(Action A_0, Boolean A_1, String A_2)
   at ij.a()
---> (Inner Exception #0) System.UnauthorizedAccessException: Access to the path 'C:\xampp\htdocs\flight.htb\winshell.php' is denied.
   at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
   at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
   at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
   at System.IO.StreamReader..ctor(String path, Encoding encoding, Boolean detectEncodingFromByteOrderMarks, Int32 bufferSize, Boolean checkHost)
   at System.IO.File.InternalReadAllText(String path, Encoding encoding, Boolean checkHost)
   at ij.f.d(hz A_0)
   at System.Threading.Tasks.Parallel.<>c__DisplayClass17_0`1.b__1()
   at System.Threading.Tasks.Task.InnerInvokeWithArg(Task childTask)
   at System.Threading.Tasks.Task.<>c__DisplayClass176_0.b__0(Object )<---