CTF/HTB/flight/peas.log at 9d960e60ac62b7ec2937e438ec6d80e4d81d2c60

simon/CTF

Files

Simon 82b0759f1e init htb

old htb folders

2023-08-29 21:53:22 +02:00

261 KiB

Raw Blame History

ANSI color bit for Windows is not set. If you are executing this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
Long paths are disabled, so the maximum length of a path supported is 260 chars (this may cause false negatives when looking for files). If you are admin, you can enable it with 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD

((((((((((((((((((((((((((((((((
(((((((((((((((((((((((((((((((((((((((((((
((((((((((((((**********/##########(((((((((((((
((((((((((((********************/#######(((((((((((
((((((((******************/@@@@@/****######((((((((((
((((((********************@@@@@@@@@@/***,####((((((((((
(((((********************/@@@@@%@@@@/********##(((((((((
(((############*********/%@@@@@@@@@/************((((((((
((##################(/******/@@@@@/***************((((((
((#########################(/**********************(((((
((##############################(/*****************(((((
((###################################(/************(((((
((#######################################(*********(((((
((#######(,.***.,(###################(..***.*******(((((
((#######*(#####((##################((######/(*****(((((
((###################(/***********(##############()(((((
(((#####################/*******(################)((((((
((((############################################)((((((
(((((##########################################)(((((((
((((((########################################)(((((((
((((((((####################################)((((((((
(((((((((#################################)(((((((((
((((((((((##########################)(((((((((
((((((((((((((((((((((((((((((((((((((
((((((((((((((((((((((((((((((

ADVISORY: winpeas should be used for authorized penetration testing and/or educational purposes only.Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own devices and/or with the device owner's permission.

WinPEAS-ng by @carlospolopm

/---------------------------------------------------------------------------------\
| Do you like PEASS? |
|---------------------------------------------------------------------------------|
| Get the latest version : https://github.com/sponsors/carlospolop |
| Follow on Twitter : @carlospolopm |
| Respect on HTB : SirBroccoli |
|---------------------------------------------------------------------------------|
| Thank you! |
\---------------------------------------------------------------------------------/

[+] Legend:
Red Indicates a special privilege over an object or something is misconfigured
Green Indicates that some protection is enabled or something is well configured
Cyan Indicates active users
Blue Indicates disabled users
LightYellow Indicates links

You can find a Windows local PE Checklist here: https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation
Creating Dynamic lists, this could take a while, please wait...
- Loading sensitive_files yaml definitions file...
- Loading regexes yaml definitions file...
- Checking if domain...
- Getting Win32_UserAccount info...
- Creating current user groups list...
- Creating active users list (local only)...
- Creating disabled users list...
- Admin users list...
- Creating AppLocker bypass list...
- Creating files/directories list for search...

��͹ System Information ��

��͹ Basic System Information
� Check if the Windows versions is vulnerable to some known exploit https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#kernel-exploits
Hostname: g0
Domain Name: flight.htb
ProductName: Windows Server 2019 Standard
EditionID: ServerStandard
ReleaseId: 1809
BuildBranch: rs5_release
CurrentMajorVersionNumber: 10
CurrentVersion: 6.3
Architecture: AMD64
ProcessorCount: 2
SystemLang: en-US
KeyboardLang: English (United States)
TimeZone: (UTC-08:00) Pacific Time (US & Canada)
IsVirtualMachine: True
Current Time: 2/9/2023 8:25:15 AM
HighIntegrity: False
PartOfDomain: True
Hotfixes:

[?] Windows vulns search powered by Watson(https://github.com/rasta-mouse/Watson)
[*] OS Version: 1809 (17763)
[*] Enumerating installed KBs...
[!] CVE-2019-0836 : VULNERABLE
[>] https://exploit-db.com/exploits/46718
[>] https://decoder.cloud/2019/04/29/combinig-luafv-postluafvpostreadwrite-race-condition-pe-with-diaghub-collector-exploit-from-standard-user-to-system/

[!] CVE-2019-0841 : VULNERABLE
[>] https://github.com/rogue-kdc/CVE-2019-0841
[>] https://rastamouse.me/tags/cve-2019-0841/

[!] CVE-2019-1064 : VULNERABLE
[>] https://www.rythmstick.net/posts/cve-2019-1064/

[!] CVE-2019-1130 : VULNERABLE
[>] https://github.com/S3cur3Th1sSh1t/SharpByeBear

[!] CVE-2019-1253 : VULNERABLE
[>] https://github.com/padovah4ck/CVE-2019-1253
[>] https://github.com/sgabe/CVE-2019-1253

[!] CVE-2019-1315 : VULNERABLE
[>] https://offsec.almond.consulting/windows-error-reporting-arbitrary-file-move-eop.html

[!] CVE-2019-1385 : VULNERABLE
[>] https://www.youtube.com/watch?v=K6gHnr-VkAg

[!] CVE-2019-1388 : VULNERABLE
[>] https://github.com/jas502n/CVE-2019-1388

[!] CVE-2019-1405 : VULNERABLE
[>] https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/
[>] https://github.com/apt69/COMahawk

[!] CVE-2020-0668 : VULNERABLE
[>] https://github.com/itm4n/SysTracingPoc

[!] CVE-2020-0683 : VULNERABLE
[>] https://github.com/padovah4ck/CVE-2020-0683
[>] https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/PowershellScripts/cve-2020-0683.ps1

[!] CVE-2020-1013 : VULNERABLE
[>] https://www.gosecure.net/blog/2020/09/08/wsus-attacks-part-2-cve-2020-1013-a-windows-10-local-privilege-escalation-1-day/

[*] Finished. Found 12 potential vulnerabilities.

��͹ Showing All Microsoft Updates
[X] Exception: Exception has been thrown by the target of an invocation.

��͹ System Last Shutdown Date/time (from Registry)

Last Shutdown Date/time : 10/31/2022 8:14:21 PM

��͹ User Environment Variables
� Check for some passwords or keys in the env variables
COMPUTERNAME: G0
PUBLIC: C:\Users\Public
LOCALAPPDATA: C:\Users\svc_apache\AppData\Local
PSModulePath: %ProgramFiles%\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
PROCESSOR_ARCHITECTURE: AMD64
Path: C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\svc_apache\AppData\Local\Microsoft\WindowsApps
CommonProgramFiles(x86): C:\Program Files (x86)\Common Files
ProgramFiles(x86): C:\Program Files (x86)
PROCESSOR_LEVEL: 23
ProgramFiles: C:\Program Files
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
USERPROFILE: C:\Users\svc_apache
SystemRoot: C:\Windows
ALLUSERSPROFILE: C:\ProgramData
DriverData: C:\Windows\System32\Drivers\DriverData
ProgramData: C:\ProgramData
PROCESSOR_REVISION: 3100
USERNAME: svc_apache
CommonProgramW6432: C:\Program Files\Common Files
CommonProgramFiles: C:\Program Files\Common Files
OS: Windows_NT
PROCESSOR_IDENTIFIER: AMD64 Family 23 Model 49 Stepping 0, AuthenticAMD
ComSpec: C:\Windows\system32\cmd.exe
PROMPT: $P$G
SystemDrive: C:
TEMP: C:\Users\SVC_AP~1\AppData\Local\Temp
NUMBER_OF_PROCESSORS: 2
APPDATA: C:\Users\svc_apache\AppData\Roaming
TMP: C:\Users\SVC_AP~1\AppData\Local\Temp
ProgramW6432: C:\Program Files
windir: C:\Windows
USERDOMAIN: flight
USERDNSDOMAIN: FLIGHT.HTB

��͹ System Environment Variables
� Check for some passwords or keys in the env variables
ComSpec: C:\Windows\system32\cmd.exe
DriverData: C:\Windows\System32\Drivers\DriverData
OS: Windows_NT
Path: C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE: AMD64
PSModulePath: C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
TEMP: C:\Windows\TEMP
TMP: C:\Windows\TEMP
USERNAME: SYSTEM
windir: C:\Windows
NUMBER_OF_PROCESSORS: 2
PROCESSOR_LEVEL: 23
PROCESSOR_IDENTIFIER: AMD64 Family 23 Model 49 Stepping 0, AuthenticAMD
PROCESSOR_REVISION: 3100

��͹ Audit Settings
� Check what is being logged
Not Found

��͹ Audit Policy Settings - Classic & Advanced

��͹ WEF Settings
� Windows Event Forwarding, is interesting to know were are sent the logs
Not Found

��͹ LAPS Settings
� If installed, local administrator password is changed frequently and is restricted by ACL
LAPS Enabled: LAPS not installed

��͹ Wdigest
� If enabled, plain-text crds could be stored in LSASS https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#wdigest
Wdigest is not enabled

��͹ LSA Protection
� If enabled, a driver is needed to read LSASS memory (If Secure Boot or UEFI, RunAsPPL cannot be disabled by deleting the registry key) https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#lsa-protection
LSA Protection is not enabled

��͹ Credentials Guard
� If enabled, a driver is needed to read LSASS memory https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#credential-guard
CredentialGuard is not enabled
Virtualization Based Security Status: Not enabled
Configured: False
Running: False

��͹ Cached Creds
� If > 0, credentials will be cached in the registry and accessible by SYSTEM user https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#cached-credentials
cachedlogonscount is 10

��͹ Enumerating saved credentials in Registry (CurrentPass)

��͹ AV Information
[X] Exception: Invalid namespace
No AV was detected!!
Not Found

��͹ Windows Defender configuration
Local Settings
Group Policy Settings

��͹ UAC Status
� If you are in the Administrators group check how to bypass the UAC https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
ConsentPromptBehaviorAdmin: 5 - PromptForNonWindowsBinaries
EnableLUA: 1
LocalAccountTokenFilterPolicy:
FilterAdministratorToken:
[*] LocalAccountTokenFilterPolicy set to 0 and FilterAdministratorToken != 1.
[-] Only the RID-500 local admin account can be used for lateral movement.

��͹ PowerShell Settings
PowerShell v2 Version: 2.0
PowerShell v5 Version: 5.1.17763.1
PowerShell Core Version:
Transcription Settings:
Module Logging Settings:
Scriptblock Logging Settings:
PS history file:
PS history size:

��͹ Enumerating PowerShell Session Settings using the registry
You must be an administrator to run this check

��͹ PS default transcripts history
� Read the PS history inside these files (if any)

��͹ HKCU Internet Settings
DisableCachingOfSSLPages: 0
IE5_UA_Backup_Flag: 5.0
PrivacyAdvanced: 1
SecureProtocols: 2688
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
CertificateRevocation: 1
ZonesSecurityUpgrade: System.Byte[]

��͹ HKLM Internet Settings
ActiveXCache: C:\Windows\Downloaded Program Files
CodeBaseSearchPath: CODEBASE
EnablePunycode: 1
MinorVersion: 0
WarnOnIntranet: 1

��͹ Drives Information
� Remember that you should search more info inside the other drives
C:\ (Type: Fixed)(Filesystem: NTFS)(Available space: 4 GB)(Permissions: Users [AppendData/CreateDirectories])

��͹ Checking WSUS
� https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#wsus
Not Found

��͹ Checking KrbRelayUp
� https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#krbrelayup
The system is inside a domain (flight) so it could be vulnerable.
� You can try https://github.com/Dec0ne/KrbRelayUp to escalate privileges

��͹ Checking If Inside Container
� If the binary cexecsvc.exe or associated service exists, you are inside Docker
You are NOT inside a container

��͹ Checking AlwaysInstallElevated
� https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevated
AlwaysInstallElevated isn't available

��͹ Enumerate LSA settings - auth packages included

auditbasedirectories : 0
auditbaseobjects : 0
Bounds : 00-30-00-00-00-20-00-00
crashonauditfail : 0
fullprivilegeauditing : 00
LimitBlankPasswordUse : 1
NoLmHash : 1
Security Packages : ""
Notification Packages : rassfm,scecli
Authentication Packages : msv1_0
LsaPid : 656
LsaCfgFlagsDefault : 0
SecureBoot : 1
ProductType : 7
disabledomaincreds : 0
everyoneincludesanonymous : 0
forceguest : 0
restrictanonymous : 0
restrictanonymoussam : 1

��͹ Enumerating NTLM Settings
LanmanCompatibilityLevel : (Send NTLMv2 response only - Win7+ default)

NTLM Signing Settings
ClientRequireSigning : False
ClientNegotiateSigning : True
ServerRequireSigning : True
ServerNegotiateSigning : True
LdapSigning : Negotiate signing (Negotiate signing)

Session Security
NTLMMinClientSec : 536870912 (Require 128-bit encryption)
NTLMMinServerSec : 536870912 (Require 128-bit encryption)

NTLM Auditing and Restrictions
InboundRestrictions : (Not defined)
OutboundRestrictions : (Not defined)
InboundAuditing : (Not defined)
OutboundExceptions :

��͹ Display Local Group Policy settings - local users/machine

��͹ Checking AppLocker effective policy
AppLockerPolicy version: 1
listing rules:

��͹ Enumerating Printers (WMI)

��͹ Enumerating Named Pipes
Name CurrentUserPerms Sddl

eventlog Everyone [WriteData/CreateFiles] O:LSG:LSD:P(A;;0x12019b;;;WD)(A;;CC;;;OW)(A;;0x12008f;;;S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122)

ROUTER Everyone [WriteData/CreateFiles] O:SYG:SYD:P(A;;0x12019b;;;WD)(A;;0x12019b;;;AN)(A;;FA;;;SY)

RpcProxy\49673 Everyone [WriteData/CreateFiles] O:BAG:SYD:(A;;0x12019b;;;WD)(A;;0x12019b;;;AN)(A;;FA;;;BA)

RpcProxy\593 Everyone [WriteData/CreateFiles] O:NSG:NSD:(A;;0x12019b;;;WD)(A;;RC;;;OW)(A;;0x12019b;;;AN)(A;;FA;;;S-1-5-80-521322694-906040134-3864710659-1525148216-3451224162)(A;;FA;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)

vgauth-service Everyone [WriteData/CreateFiles] O:BAG:SYD:P(A;;0x12019f;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)

��͹ Enumerating AMSI registered providers
Provider: {2781761E-28E0-4109-99FE-B9D127C57AFE}
Path: "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2209.7-0\MpOav.dll"

=================================================================================================

��͹ Enumerating Sysmon configuration
You must be an administrator to run this check

��͹ Enumerating Sysmon process creation logs (1)
You must be an administrator to run this check

��͹ Installed .NET versions

CLR Versions
4.0.30319

.NET Versions
4.7.03190

.NET & AMSI (Anti-Malware Scan Interface) support
.NET version supports AMSI : False
OS supports AMSI : True

��͹ Interesting Events information ��

��͹ Printing Explicit Credential Events (4648) for last 30 days - A process logged on using plaintext credentials

You must be an administrator to run this check

��͹ Printing Account Logon Events (4624) for the last 10 days.

You must be an administrator to run this check

��͹ Process creation events - searching logs (EID 4688) for sensitive data.

You must be an administrator to run this check

��͹ PowerShell events - script block logs (EID 4104) - searching for sensitive data.

[X] Exception: Attempted to perform an unauthorized operation.

��͹ Displaying Power off/on events for last 5 days

2/9/2023 5:49:08 AM : Startup

��͹ Users Information ��

��͹ Users
� Check if you have some admin equivalent privileges https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#users-and-groups
Current user: svc_apache
Current groups: Domain Users, Everyone, Users, Builtin\Pre-Windows 2000 Compatible Access, Service, Console Logon, Authenticated Users, This Organization, Local, Authentication authority asserted identity
=================================================================================================

Not Found

��͹ Current User Idle Time
Current User : flight\svc_apache
Idle Time : 02h:36m:09s:562ms

��͹ Display Tenant information (DsRegCmd.exe /status)
Tenant is NOT Azure AD Joined.

��͹ Current Token privileges
� Check if you can escalate privilege using some enabled token https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#token-manipulation
SeChangeNotifyPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
SeCreateGlobalPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
SeIncreaseWorkingSetPrivilege: DISABLED

��͹ Clipboard text

��͹ Logged users
flight\svc_apache

��͹ Display information about local users
Computer Name : G0
User Name : Administrator
User Id : 500
Is Enabled : True
User Type : Administrator
Comment : Built-in account for administering the computer/domain
Last Logon : 2/9/2023 5:50:28 AM
Logons Count : 55
Password Last Set : 9/22/2022 12:17:02 PM

=================================================================================================

Computer Name : G0
User Name : Guest
User Id : 501
Is Enabled : False
User Type : Guest
Comment : Built-in account for guest access to the computer/domain
Last Logon : 1/1/1970 12:00:00 AM
Logons Count : 0
Password Last Set : 1/1/1970 12:00:00 AM

=================================================================================================

Computer Name : G0
User Name : krbtgt
User Id : 502
Is Enabled : False
User Type : User
Comment : Key Distribution Center Service Account
Last Logon : 1/1/1970 12:00:00 AM
Logons Count : 0
Password Last Set : 9/22/2022 11:48:01 AM

=================================================================================================

Computer Name : G0
User Name : S.Moon
User Id : 1602
Is Enabled : True
User Type : User
Comment : Junion Web Developer
Last Logon : 2/9/2023 6:32:37 AM
Logons Count : 0
Password Last Set : 9/22/2022 12:08:22 PM

=================================================================================================

Computer Name : G0
User Name : R.Cold
User Id : 1603
Is Enabled : True
User Type : User
Comment : HR Assistant
Last Logon : 1/1/1970 12:00:00 AM
Logons Count : 0
Password Last Set : 9/22/2022 12:08:22 PM

=================================================================================================

Computer Name : G0
User Name : G.Lors
User Id : 1604
Is Enabled : True
User Type : User
Comment : Sales manager
Last Logon : 1/1/1970 12:00:00 AM
Logons Count : 0
Password Last Set : 9/22/2022 12:08:22 PM

=================================================================================================

Computer Name : G0
User Name : L.Kein
User Id : 1605
Is Enabled : True
User Type : User
Comment : Penetration tester
Last Logon : 1/1/1970 12:00:00 AM
Logons Count : 0
Password Last Set : 9/22/2022 12:08:22 PM

=================================================================================================

Computer Name : G0
User Name : M.Gold
User Id : 1606
Is Enabled : True
User Type : User
Comment : Sysadmin
Last Logon : 1/1/1970 12:00:00 AM
Logons Count : 0
Password Last Set : 9/22/2022 12:08:22 PM

=================================================================================================

Computer Name : G0
User Name : C.Bum
User Id : 1607
Is Enabled : True
User Type : User
Comment : Senior Web Developer
Last Logon : 9/22/2022 2:50:24 PM
Logons Count : 5
Password Last Set : 9/22/2022 12:08:22 PM

=================================================================================================

Computer Name : G0
User Name : W.Walker
User Id : 1608
Is Enabled : True
User Type : User
Comment : Payroll officer
Last Logon : 1/1/1970 12:00:00 AM
Logons Count : 0
Password Last Set : 9/22/2022 12:08:22 PM

=================================================================================================

Computer Name : G0
User Name : I.Francis
User Id : 1609
Is Enabled : True
User Type : User
Comment : Nobody knows why he's here
Last Logon : 1/1/1970 12:00:00 AM
Logons Count : 0
Password Last Set : 9/22/2022 12:08:22 PM

=================================================================================================

Computer Name : G0
User Name : D.Truff
User Id : 1610
Is Enabled : True
User Type : User
Comment : Project Manager
Last Logon : 1/1/1970 12:00:00 AM
Logons Count : 0
Password Last Set : 9/22/2022 12:08:22 PM

=================================================================================================

Computer Name : G0
User Name : V.Stevens
User Id : 1611
Is Enabled : True
User Type : User
Comment : Secretary
Last Logon : 1/1/1970 12:00:00 AM
Logons Count : 0
Password Last Set : 9/22/2022 12:08:22 PM

=================================================================================================

Computer Name : G0
User Name : svc_apache
User Id : 1612
Is Enabled : True
User Type : User
Comment : Service Apache web
Last Logon : 2/9/2023 5:49:59 AM
Logons Count : 26
Password Last Set : 9/22/2022 12:08:23 PM

=================================================================================================

Computer Name : G0
User Name : O.Possum
User Id : 1613
Is Enabled : True
User Type : User
Comment : Helpdesk
Last Logon : 1/1/1970 12:00:00 AM
Logons Count : 0
Password Last Set : 9/22/2022 12:08:23 PM

=================================================================================================

��͹ RDP Sessions
Not Found

��͹ Ever logged users
IIS APPPOOL\.NET v4.5 Classic
IIS APPPOOL\.NET v4.5
flight\Administrator
flight\svc_apache
flight\C.Bum

��͹ Home folders found
C:\Users\.NET v4.5
C:\Users\.NET v4.5 Classic
C:\Users\Administrator
C:\Users\All Users
C:\Users\C.Bum
C:\Users\Default
C:\Users\Default User
C:\Users\Public : Service [WriteData/CreateFiles]
C:\Users\svc_apache : svc_apache [AllAccess]

��͹ Looking for AutoLogon credentials
Some AutoLogon credentials were found
DefaultDomainName : flight
DefaultUserName : Administrator

��͹ Password Policies
� Check for a possible brute-force
Domain: Builtin
SID: S-1-5-32
MaxPasswordAge: 42.22:47:31.7437440
MinPasswordAge: 00:00:00
MinPasswordLength: 0
PasswordHistoryLength: 0
PasswordProperties: 0
=================================================================================================

Domain: flight
SID: S-1-5-21-4078382237-1492182817-2568127209
MaxPasswordAge: 42.00:00:00
MinPasswordAge: 1.00:00:00
MinPasswordLength: 7
PasswordHistoryLength: 24
PasswordProperties: DOMAIN_PASSWORD_COMPLEX
=================================================================================================

��͹ Print Logon Sessions
Method: WMI
Logon Server:
Logon Server Dns Domain:
Logon Id: 374592
Logon Time:
Logon Type: Service
Start Time: 2/9/2023 5:49:59 AM
Domain: flight
Authentication Package: Kerberos
Start Time: 2/9/2023 5:49:59 AM
User Name: svc_apache
User Principal Name:
User SID:

=================================================================================================

��͹ Processes Information ��

��͹ Vulnerable Leaked Handlers
� https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/leaked-handle-exploitation
Handle: 580(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 732(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 736(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 740(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 744(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\ssl_request.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 660(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 692(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 696(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 700(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\ssl_request.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 256(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 1848(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 3328(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 2984(findstr) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 732(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 736(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 740(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 744(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\ssl_request.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 660(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 692(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 696(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 700(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\ssl_request.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 256(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 1848(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 3328(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 2984(findstr) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 732(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 736(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 740(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 744(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\ssl_request.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 660(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 692(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 696(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 700(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\ssl_request.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 256(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 1848(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 3328(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 2984(findstr) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 732(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 736(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 740(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 744(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\ssl_request.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 660(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 692(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 696(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 700(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\ssl_request.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 256(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 1848(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 3328(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 2984(findstr) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 732(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 736(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 740(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 744(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\ssl_request.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 660(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 692(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 696(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 700(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\ssl_request.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 256(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 1848(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 3328(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 2984(findstr) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 732(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 736(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 740(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 744(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\ssl_request.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 660(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 692(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 696(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 700(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\ssl_request.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 256(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 1848(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 3328(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 2984(findstr) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 732(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 736(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 740(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 744(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\ssl_request.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 660(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 692(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 696(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 700(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\ssl_request.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 256(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 1848(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 3328(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 2984(findstr) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 732(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 736(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 740(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 744(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\ssl_request.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 660(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 692(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 696(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 700(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\ssl_request.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 256(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 1848(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 3328(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 2984(findstr) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 732(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 736(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 740(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 744(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\ssl_request.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 660(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 692(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 696(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 700(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\ssl_request.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 256(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 1848(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 3328(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 2984(findstr) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 732(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 736(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 740(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 744(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\ssl_request.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 660(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 692(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 696(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 700(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\ssl_request.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 256(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 1848(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 3328(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 2984(findstr) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 732(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 736(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 740(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 744(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\ssl_request.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 660(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 692(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 696(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 700(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\ssl_request.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 256(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 1848(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 3328(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 2984(findstr) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 732(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 736(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 740(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 744(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\ssl_request.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 660(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 692(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 696(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 700(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\ssl_request.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 256(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 1848(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 3328(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 2984(findstr) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 732(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 736(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 740(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 744(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\ssl_request.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 660(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 692(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 696(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 700(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\ssl_request.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 256(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 1848(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 3328(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 2984(findstr) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 732(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 736(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 740(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 744(file)
Handle Owner: Pid is 4620(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\ssl_request.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 660(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 692(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 696(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\access.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 700(file)
Handle Owner: Pid is 4720(httpd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\ssl_request.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 256(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 1848(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 3328(cmd) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

Handle: 580(file)
Handle Owner: Pid is 2984(findstr) with owner: svc_apache
Reason: WriteData/CreateFiles
File Path: \xampp\apache\logs\error.log
File Owner: BUILTIN\Administrators
=================================================================================================

��͹ Services Information ��

��͹ Interesting Services -non Microsoft-
� Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
ApacheHTTPServer(Apache Software Foundation - Apache HTTP Server)["C:\Xampp\apache\bin\httpd.exe" -k runservice] - Auto - Running
File Permissions: svc_apache [WriteData/CreateFiles]
Possible DLL Hijacking in binary folder: C:\Xampp\apache\bin (svc_apache [WriteData/CreateFiles], Users [AppendData/CreateDirectories WriteData/CreateFiles])
Apache/2.4.52 (Win64)
=================================================================================================

ssh-agent(OpenSSH Authentication Agent)[C:\Windows\System32\OpenSSH\ssh-agent.exe] - Disabled - Stopped
Agent to hold private keys used for public key authentication.
=================================================================================================

VGAuthService(VMware, Inc. - VMware Alias Manager and Ticket Service)["C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"] - Auto - Running
Alias Manager and Ticket Service
=================================================================================================

vm3dservice(VMware, Inc. - VMware SVGA Helper Service)[C:\Windows\system32\vm3dservice.exe] - Auto - Running
Helps VMware SVGA driver by collecting and conveying user mode information
=================================================================================================

VMTools(VMware, Inc. - VMware Tools)["C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"] - Auto - Running
Provides support for synchronizing objects between the host and guest operating systems.
=================================================================================================

��͹ Modifiable Services
� Check if you can modify any service https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
LOOKS LIKE YOU CAN MODIFY OR START/STOP SOME SERVICE/s:
RmSvc: GenericExecute (Start/Stop)

��͹ Looking if you can modify any service registry
� Check if you can modify the registry of a service https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services-registry-permissions
[-] Looks like you cannot change the registry of any service...

��͹ Checking write permissions in PATH folders (DLL Hijacking)
� Check for DLL Hijacking in PATH folders https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dll-hijacking
C:\Windows\system32
C:\Windows
C:\Windows\System32\Wbem
C:\Windows\System32\WindowsPowerShell\v1.0\
C:\Windows\System32\OpenSSH\

��͹ Applications Information ��

��͹ Current Active Window Application
[X] Exception: Object reference not set to an instance of an object.

��͹ Installed Applications --Via Program Files/Uninstall registry--
� Check if you can modify installed software https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#software
C:\Program Files\Common Files
C:\Program Files\desktop.ini
C:\Program Files\internet explorer
C:\Program Files\Uninstall Information
C:\Program Files\VMware
C:\Program Files\Windows Defender
C:\Program Files\Windows Defender Advanced Threat Protection
C:\Program Files\Windows Mail
C:\Program Files\Windows Media Player
C:\Program Files\Windows Multimedia Platform
C:\Program Files\windows nt
C:\Program Files\Windows Photo Viewer
C:\Program Files\Windows Portable Devices
C:\Program Files\Windows Security
C:\Program Files\Windows Sidebar
C:\Program Files\WindowsApps
C:\Program Files\WindowsPowerShell

��͹ Autorun Applications
� Check if you can modify other users AutoRuns binaries (Note that is normal that you can modify HKCU registry and binaries indicated there) https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries

RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Key: SecurityHealth
Folder: C:\Windows\system32
File: C:\Windows\system32\SecurityHealthSystray.exe
=================================================================================================

RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Key: VMware User Process
Folder: C:\Program Files\VMware\VMware Tools
File: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe -n vmusr (Unquoted and Space detected)
=================================================================================================

RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Key: Common Startup
Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup (Unquoted and Space detected)
=================================================================================================

RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Key: Common Startup
Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup (Unquoted and Space detected)
=================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Key: Userinit
Folder: C:\Windows\system32
File: C:\Windows\system32\userinit.exe,
=================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Key: Shell
Folder: None (PATH Injection)
File: explorer.exe
=================================================================================================

RegPath: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
Key: AlternateShell
Folder: None (PATH Injection)
File: cmd.exe
=================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Font Drivers
Key: Adobe Type Manager
Folder: None (PATH Injection)
File: atmfd.dll
=================================================================================================

RegPath: HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers
Key: Adobe Type Manager
Folder: None (PATH Injection)
File: atmfd.dll
=================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: midimapper
Folder: None (PATH Injection)
File: midimap.dll
=================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: msacm.imaadpcm
Folder: None (PATH Injection)
File: imaadp32.acm
=================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: msacm.l3acm
Folder: C:\Windows\System32
File: C:\Windows\System32\l3codeca.acm
=================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: msacm.msadpcm
Folder: None (PATH Injection)
File: msadp32.acm
=================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: msacm.msg711
Folder: None (PATH Injection)
File: msg711.acm
=================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: msacm.msgsm610
Folder: None (PATH Injection)
File: msgsm32.acm
=================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.i420
Folder: None (PATH Injection)
File: iyuv_32.dll
=================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.iyuv
Folder: None (PATH Injection)
File: iyuv_32.dll
=================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.mrle
Folder: None (PATH Injection)
File: msrle32.dll
=================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.msvc
Folder: None (PATH Injection)
File: msvidc32.dll
=================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.uyvy
Folder: None (PATH Injection)
File: msyuv.dll
=================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.yuy2
Folder: None (PATH Injection)
File: msyuv.dll
=================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.yvu9
Folder: None (PATH Injection)
File: tsbyuv.dll
=================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.yvyu
Folder: None (PATH Injection)
File: msyuv.dll
=================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: wavemapper
Folder: None (PATH Injection)
File: msacm32.drv
=================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: wave
Folder: None (PATH Injection)
File: wdmaud.drv
=================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: midi
Folder: None (PATH Injection)
File: wdmaud.drv
=================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: mixer
Folder: None (PATH Injection)
File: wdmaud.drv
=================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: aux
Folder: None (PATH Injection)
File: wdmaud.drv
=================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: midimapper
Folder: None (PATH Injection)
File: midimap.dll
=================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: msacm.imaadpcm
Folder: None (PATH Injection)
File: imaadp32.acm
=================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: msacm.l3acm
Folder: C:\Windows\SysWOW64
File: C:\Windows\SysWOW64\l3codeca.acm
=================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: msacm.msadpcm
Folder: None (PATH Injection)
File: msadp32.acm
=================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: msacm.msg711
Folder: None (PATH Injection)
File: msg711.acm
=================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: msacm.msgsm610
Folder: None (PATH Injection)
File: msgsm32.acm
=================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.cvid
Folder: None (PATH Injection)
File: iccvid.dll
=================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.i420
Folder: None (PATH Injection)
File: iyuv_32.dll
=================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.iyuv
Folder: None (PATH Injection)
File: iyuv_32.dll
=================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.mrle
Folder: None (PATH Injection)
File: msrle32.dll
=================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.msvc
Folder: None (PATH Injection)
File: msvidc32.dll
=================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.uyvy
Folder: None (PATH Injection)
File: msyuv.dll
=================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.yuy2
Folder: None (PATH Injection)
File: msyuv.dll
=================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.yvu9
Folder: None (PATH Injection)
File: tsbyuv.dll
=================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.yvyu
Folder: None (PATH Injection)
File: msyuv.dll
=================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: wavemapper
Folder: None (PATH Injection)
File: msacm32.drv
=================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: wave
Folder: None (PATH Injection)
File: wdmaud.drv
=================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: midi
Folder: None (PATH Injection)
File: wdmaud.drv
=================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: mixer
Folder: None (PATH Injection)
File: wdmaud.drv
=================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: aux
Folder: None (PATH Injection)
File: wdmaud.drv
=================================================================================================

RegPath: HKLM\Software\Classes\htmlfile\shell\open\command
Folder: C:\Program Files\Internet Explorer
File: C:\Program Files\Internet Explorer\iexplore.exe %1 (Unquoted and Space detected)
=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: _wow64cpu
Folder: None (PATH Injection)
File: wow64cpu.dll
=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: _wowarmhw
Folder: None (PATH Injection)
File: wowarmhw.dll
=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: _xtajit
Folder: None (PATH Injection)
File: xtajit.dll
=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: advapi32
Folder: None (PATH Injection)
File: advapi32.dll
=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: clbcatq
Folder: None (PATH Injection)
File: clbcatq.dll
=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: combase
Folder: None (PATH Injection)
File: combase.dll
=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: COMDLG32
Folder: None (PATH Injection)
File: COMDLG32.dll
=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: coml2
Folder: None (PATH Injection)
File: coml2.dll
=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: DifxApi
Folder: None (PATH Injection)
File: difxapi.dll
=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: gdi32
Folder: None (PATH Injection)
File: gdi32.dll
=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: gdiplus
Folder: None (PATH Injection)
File: gdiplus.dll
=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: IMAGEHLP
Folder: None (PATH Injection)
File: IMAGEHLP.dll
=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: IMM32
Folder: None (PATH Injection)
File: IMM32.dll
=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: kernel32
Folder: None (PATH Injection)
File: kernel32.dll
=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: MSCTF
Folder: None (PATH Injection)
File: MSCTF.dll
=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: MSVCRT
Folder: None (PATH Injection)
File: MSVCRT.dll
=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: NORMALIZ
Folder: None (PATH Injection)
File: NORMALIZ.dll
=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: NSI
Folder: None (PATH Injection)
File: NSI.dll
=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: ole32
Folder: None (PATH Injection)
File: ole32.dll
=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: OLEAUT32
Folder: None (PATH Injection)
File: OLEAUT32.dll
=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: PSAPI
Folder: None (PATH Injection)
File: PSAPI.DLL
=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: rpcrt4
Folder: None (PATH Injection)
File: rpcrt4.dll
=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: sechost
Folder: None (PATH Injection)
File: sechost.dll
=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: Setupapi
Folder: None (PATH Injection)
File: Setupapi.dll
=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: SHCORE
Folder: None (PATH Injection)
File: SHCORE.dll
=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: SHELL32
Folder: None (PATH Injection)
File: SHELL32.dll
=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: SHLWAPI
Folder: None (PATH Injection)
File: SHLWAPI.dll
=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: user32
Folder: None (PATH Injection)
File: user32.dll
=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: WLDAP32
Folder: None (PATH Injection)
File: WLDAP32.dll
=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: wow64
Folder: None (PATH Injection)
File: wow64.dll
=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: wow64win
Folder: None (PATH Injection)
File: wow64win.dll
=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: WS2_32
Folder: None (PATH Injection)
File: WS2_32.dll
=================================================================================================

RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
Key: StubPath
Folder: \
FolderPerms: Users [AppendData/CreateDirectories]
File: /UserInstall
=================================================================================================

RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}
Key: StubPath
Folder: C:\Windows\system32
File: C:\Windows\system32\unregmp2.exe /FirstLogon
=================================================================================================

RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}
Key: StubPath
Folder: None (PATH Injection)
File: U
=================================================================================================

RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}
Key: StubPath
Folder: C:\Windows\System32
File: C:\Windows\System32\ie4uinit.exe -UserConfig
=================================================================================================

RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}
Key: StubPath
Folder: C:\Windows\System32
File: C:\Windows\System32\Rundll32.exe C:\Windows\System32\mscories.dll,Install
=================================================================================================

RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}
Key: StubPath
Folder: C:\Windows\System32
File: C:\Windows\System32\rundll32.exe C:\Windows\System32\iesetup.dll,IEHardenAdmin
=================================================================================================

RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}
Key: StubPath
Folder: C:\Windows\System32
File: C:\Windows\System32\rundll32.exe C:\Windows\System32\iesetup.dll,IEHardenUser
=================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}
Key: StubPath
Folder: C:\Windows\system32
File: C:\Windows\system32\unregmp2.exe /FirstLogon
=================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}
Key: StubPath
Folder: C:\Windows\SysWOW64
File: C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\mscories.dll,Install
=================================================================================================

Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (Unquoted and Space detected)
=================================================================================================

Folder: C:\windows\tasks
FolderPerms: Authenticated Users [WriteData/CreateFiles]
=================================================================================================

Folder: C:\windows\system32\tasks
FolderPerms: Authenticated Users [WriteData/CreateFiles]
=================================================================================================

Folder: C:\windows
File: C:\windows\system.ini
=================================================================================================

Folder: C:\windows
File: C:\windows\win.ini
=================================================================================================

Key: From WMIC
Folder: C:\Windows\system32
File: C:\Windows\system32\SecurityHealthSystray.exe
=================================================================================================

Key: From WMIC
Folder: C:\Program Files\VMware\VMware Tools
File: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe -n vmusr
=================================================================================================

��͹ Scheduled Applications --Non Microsoft--
� Check if you can modify other users scheduled binaries https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries

��͹ Device Drivers --Non Microsoft--
� Check 3rd party drivers for known vulnerabilities/rootkits. https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#vulnerable-drivers
QLogic Gigabit Ethernet - 7.12.31.105 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bxvbda.sys
QLogic 10 GigE - 7.13.65.105 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\evbda.sys
QLogic FastLinQ Ethernet - 8.33.20.103 [Cavium, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\qevbda.sys
NVIDIA nForce(TM) RAID Driver - 10.6.0.23 [NVIDIA Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\nvraid.sys
VMware vSockets Service - 9.8.19.0 build-18956547 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vsock.sys
VMware PCI VMCI Bus Device - 9.8.18.0 build-18956547 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vmci.sys
Intel Matrix Storage Manager driver - 8.6.2.1019 [Intel Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\iaStorV.sys
Promiser SuperTrak EX Series - 5.1.0000.10 [Promise Technology, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\stexstor.sys
LSI 3ware RAID Controller - WindowsBlue [LSI]: \\.\GLOBALROOT\SystemRoot\System32\drivers\3ware.sys
AHCI 1.3 Device Driver - 1.1.3.277 [Advanced Micro Devices]: \\.\GLOBALROOT\SystemRoot\System32\drivers\amdsata.sys
Storage Filter Driver - 1.1.3.277 [Advanced Micro Devices]: \\.\GLOBALROOT\SystemRoot\System32\drivers\amdxata.sys
AMD Technology AHCI Compatible Controller - 3.7.1540.43 [AMD Technologies Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\amdsbs.sys
Adaptec RAID Controller - 7.5.0.32048 [PMC-Sierra, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\arcsas.sys
Windows (R) Win 7 DDK driver - 10.0.10011.16384 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\ItSas35i.sys
LSI Fusion-MPT SAS Driver (StorPort) - 1.34.03.83 [LSI Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sas.sys
Windows (R) Win 7 DDK driver - 10.0.10011.16384 [LSI Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sas2i.sys
Windows (R) Win 7 DDK driver - 10.0.10011.16384 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sas3i.sys
LSI SSS PCIe/Flash Driver (StorPort) - 2.10.61.81 [LSI Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sss.sys
MEGASAS RAID Controller Driver for Windows - 6.706.06.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\megasas.sys
MEGASAS RAID Controller Driver for Windows - 6.714.05.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\MegaSas2i.sys
MEGASAS RAID Controller Driver for Windows - 7.705.08.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\megasas35i.sys
MegaRAID Software RAID - 15.02.2013.0129 [LSI Corporation, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\megasr.sys
Marvell Flash Controller - 1.0.5.1016 [Marvell Semiconductor, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\mvumis.sys
NVIDIA nForce(TM) SATA Driver - 10.6.0.23 [NVIDIA Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\nvstor.sys
MEGASAS RAID Controller Driver for Windows - 6.805.03.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\percsas2i.sys
MEGASAS RAID Controller Driver for Windows - 6.604.06.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\percsas3i.sys
Microsoftr Windowsr Operating System - 2.60.01 [Silicon Integrated Systems Corp.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\SiSRaid2.sys
Microsoftr Windowsr Operating System - 6.1.6918.0 [Silicon Integrated Systems]: \\.\GLOBALROOT\SystemRoot\System32\drivers\sisraid4.sys
VIA RAID driver - 7.0.9600,6352 [VIA Technologies Inc.,Ltd]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vsmraid.sys
VIA StorX RAID Controller Driver - 8.0.9200.8110 [VIA Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vstxraid.sys
Chelsio Communications iSCSI Controller - 10.0.10011.16384 [Chelsio Communications]: \\.\GLOBALROOT\SystemRoot\System32\drivers\cht4sx64.sys
Intel(R) Rapid Storage Technology driver (inbox) - 15.44.0.1010 [Intel Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\iaStorAVC.sys
QLogic BR-series FC/FCoE HBA Stor Miniport Driver - 3.2.26.1 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bfadfcoei.sys
Emulex WS2K12 Storport Miniport Driver x64 - 11.0.247.8000 01/26/2016 WS2K12 64 bit x64 [Emulex]: \\.\GLOBALROOT\SystemRoot\System32\drivers\elxfcoe.sys
Emulex WS2K12 Storport Miniport Driver x64 - 11.4.225.8009 11/15/2017 WS2K12 64 bit x64 [Broadcom]: \\.\GLOBALROOT\SystemRoot\System32\drivers\elxstor.sys
QLogic iSCSI offload driver - 8.33.5.2 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\qeois.sys
QLogic Fibre Channel Stor Miniport Driver - 9.1.15.1 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\ql2300i.sys
QLA40XX iSCSI Host Bus Adapter - 2.1.5.0 (STOREx wx64) [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\ql40xx2i.sys
QLogic FCoE Stor Miniport Inbox Driver - 9.1.11.3 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\qlfcoei.sys
PMC-Sierra HBA Controller - 1.3.0.10769 [PMC-Sierra]: \\.\GLOBALROOT\SystemRoot\System32\drivers\ADP80XX.SYS
QLogic BR-series FC/FCoE HBA Stor Miniport Driver - 3.2.26.1 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bfadi.sys
Smart Array SAS/SATA Controller Media Driver - 8.0.4.0 Build 1 Media Driver (x86-64) [Hewlett-Packard Company]: \\.\GLOBALROOT\SystemRoot\System32\drivers\HpSAMD.sys
SmartRAID, SmartHBA PQI Storport Driver - 1.50.0.0 [Microsemi Corportation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\SmartSAMD.sys
QLogic FCoE offload driver - 8.33.4.2 [Cavium, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\qefcoe.sys
QLogic iSCSI offload driver - 7.14.7.2 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bxois.sys
QLogic FCoE Offload driver - 7.14.15.2 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bxfcoe.sys
VMware Raw Disk Helper Driver - 1.1.7.0 build-18933738 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vmrawdsk.sys
VMware Pointing PS/2 Device Driver - 12.5.12.0 build-18967789 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vmmouse.sys
VMware SVGA 3D - 9.17.01.0002 - build-18913173 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vm3dmp_loader.sys
VMware SVGA 3D - 9.17.01.0002 - build-18913173 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vm3dmp.sys
VMware PCIe Ethernet Adapter NDIS 6.30 (64-bit) - 1.9.9.0 build-19932667 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vmxnet3.sys
VMware server memory controller - 7.5.7.0 build-18933738 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vmmemctl.sys

��͹ Network Information ��

��͹ Network Shares
ADMIN$ (Path: C:\Windows)
C$ (Path: C:\)
IPC$ (Path: )
NETLOGON (Path: C:\Windows\SYSVOL\sysvol\flight.htb\SCRIPTS)
Shared (Path: C:\Shared)
SYSVOL (Path: C:\Windows\SYSVOL\sysvol)
Users (Path: C:\Users)
Web (Path: C:\xampp\htdocs)

��͹ Enumerate Network Mapped Drives (WMI)

��͹ Host File

��͹ Network Ifaces and known hosts
� The masks are only for the IPv4 addresses
Ethernet0 2[00:50:56:B9:24:63]: 10.10.11.187, fe80::3418:57dd:cff4:b69a%6, dead:beef::3418:57dd:cff4:b69a, dead:beef::13d / 255.255.254.0
Gateways: 10.10.10.2, fe80::250:56ff:feb9:cdb8%6
DNSs: 1.1.1.1
Known hosts:
10.10.10.2 00-50-56-B9-CD-B8 Dynamic
10.10.10.255 00-00-00-00-00-00 Invalid
10.10.11.255 FF-FF-FF-FF-FF-FF Static
224.0.0.22 01-00-5E-00-00-16 Static
224.0.0.251 01-00-5E-00-00-FB Static
224.0.0.252 01-00-5E-00-00-FC Static

Loopback Pseudo-Interface 1[]: 127.0.0.1, ::1 / 255.0.0.0
DNSs: fec0:0:0:ffff::1%1, fec0:0:0:ffff::2%1, fec0:0:0:ffff::3%1
Known hosts:
224.0.0.22 00-00-00-00-00-00 Static

��͹ Current TCP Listening Ports
� Check for services restricted from the outside
Enumerating IPv4 connections

Protocol Local Address Local Port Remote Address Remote Port State Process ID Process Name

TCP 0.0.0.0 80 0.0.0.0 0 Listening 4620 C:\Xampp\apache\bin\httpd.exe
TCP 0.0.0.0 88 0.0.0.0 0 Listening 656 lsass
TCP 0.0.0.0 135 0.0.0.0 0 Listening 912 svchost
TCP 0.0.0.0 389 0.0.0.0 0 Listening 656 lsass
TCP 0.0.0.0 443 0.0.0.0 0 Listening 4620 C:\Xampp\apache\bin\httpd.exe
TCP 0.0.0.0 445 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 464 0.0.0.0 0 Listening 656 lsass
TCP 0.0.0.0 593 0.0.0.0 0 Listening 912 svchost
TCP 0.0.0.0 636 0.0.0.0 0 Listening 656 lsass
TCP 0.0.0.0 3268 0.0.0.0 0 Listening 656 lsass
TCP 0.0.0.0 3269 0.0.0.0 0 Listening 656 lsass
TCP 0.0.0.0 5985 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 8000 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 9389 0.0.0.0 0 Listening 2788 Microsoft.ActiveDirectory.WebServices
TCP 0.0.0.0 47001 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 49664 0.0.0.0 0 Listening 500 wininit
TCP 0.0.0.0 49665 0.0.0.0 0 Listening 1108 svchost
TCP 0.0.0.0 49666 0.0.0.0 0 Listening 1500 svchost
TCP 0.0.0.0 49668 0.0.0.0 0 Listening 656 lsass
TCP 0.0.0.0 49673 0.0.0.0 0 Listening 656 lsass
TCP 0.0.0.0 49674 0.0.0.0 0 Listening 656 lsass
TCP 0.0.0.0 49682 0.0.0.0 0 Listening 636 services
TCP 0.0.0.0 49690 0.0.0.0 0 Listening 2940 dns
TCP 0.0.0.0 49699 0.0.0.0 0 Listening 2888 dfsrs
TCP 10.10.11.187 53 0.0.0.0 0 Listening 2940 dns

Enumerating IPv6 connections

Protocol Local Address Local Port Remote Address Remote Port State Process ID Process Name

TCP [::] 80 [::] 0 Listening 4620 C:\Xampp\apache\bin\httpd.exe
TCP [::] 88 [::] 0 Listening 656 lsass
TCP [::] 135 [::] 0 Listening 912 svchost
TCP [::] 389 [::] 0 Listening 656 lsass
TCP [::] 443 [::] 0 Listening 4620 C:\Xampp\apache\bin\httpd.exe
TCP [::] 445 [::] 0 Listening 4 System
TCP [::] 464 [::] 0 Listening 656 lsass
TCP [::] 593 [::] 0 Listening 912 svchost
TCP [::] 636 [::] 0 Listening 656 lsass
TCP [::] 3268 [::] 0 Listening 656 lsass
TCP [::] 3269 [::] 0 Listening 656 lsass
TCP [::] 5985 [::] 0 Listening 4 System
TCP [::] 8000 [::] 0 Listening 4 System
TCP [::] 9389 [::] 0 Listening 2788 Microsoft.ActiveDirectory.WebServices
TCP [::] 47001 [::] 0 Listening 4 System
TCP [::] 49664 [::] 0 Listening 500 wininit
TCP [::] 49665 [::] 0 Listening 1108 svchost
TCP [::] 49666 [::] 0 Listening 1500 svchost
TCP [::] 49668 [::] 0 Listening 656 lsass
TCP [::] 49673 [::] 0 Listening 656 lsass
TCP [::] 49674 [::] 0 Listening 656 lsass
TCP [::] 49682 [::] 0 Listening 636 services
TCP [::] 49690 [::] 0 Listening 2940 dns
TCP [::] 49699 [::] 0 Listening 2888 dfsrs
TCP [::1] 53 [::] 0 Listening 2940 dns
TCP [::1] 389 [::1] 49678 Established 656 lsass
TCP [::1] 389 [::1] 49679 Established 656 lsass
TCP [::1] 389 [::1] 49688 Established 656 lsass
TCP [::1] 389 [::1] 49694 Established 656 lsass
TCP [::1] 389 [::1] 49697 Established 656 lsass
TCP [::1] 49668 [::1] 49696 Established 656 lsass
TCP [::1] 49678 [::1] 389 Established 2972 ismserv
TCP [::1] 49679 [::1] 389 Established 2972 ismserv
TCP [::1] 49688 [::1] 389 Established 2940 dns
TCP [::1] 49694 [::1] 389 Established 2888 dfsrs
TCP [::1] 49696 [::1] 49668 Established 2888 dfsrs
TCP [::1] 49697 [::1] 389 Established 2888 dfsrs
TCP [dead:beef::13d] 53 [::] 0 Listening 2940 dns
TCP [dead:beef::3418:57dd:cff4:b69a] 53 [::] 0 Listening 2940 dns
TCP [fe80::3418:57dd:cff4:b69a%6] 53 [::] 0 Listening 2940 dns
TCP [fe80::3418:57dd:cff4:b69a%6] 389 [fe80::3418:57dd:cff4:b69a%6] 49689 Established 656 lsass
TCP [fe80::3418:57dd:cff4:b69a%6] 49668 [fe80::3418:57dd:cff4:b69a%6] 49754 Established 656 lsass
TCP [fe80::3418:57dd:cff4:b69a%6] 49668 [fe80::3418:57dd:cff4:b69a%6] 49869 Established 656 lsass
TCP [fe80::3418:57dd:cff4:b69a%6] 49689 [fe80::3418:57dd:cff4:b69a%6] 389 Established 2940 dns
TCP [fe80::3418:57dd:cff4:b69a%6] 49754 [fe80::3418:57dd:cff4:b69a%6] 49668 Established 656 lsass
TCP [fe80::3418:57dd:cff4:b69a%6] 49869 [fe80::3418:57dd:cff4:b69a%6] 49668 Established 2476 dfssvc

��͹ Current UDP Listening Ports
� Check for services restricted from the outside
Enumerating IPv4 connections

Protocol Local Address Local Port Remote Address:Remote Port Process ID Process Name

UDP 0.0.0.0 123 *:* 716 svchost
UDP 0.0.0.0 389 *:* 656 lsass
UDP 0.0.0.0 5353 *:* 1120 svchost
UDP 0.0.0.0 5355 *:* 1120 svchost
UDP 0.0.0.0 54488 *:* 1120 svchost
UDP 0.0.0.0 60293 *:* 1120 svchost
UDP 10.10.11.187 88 *:* 656 lsass
UDP 10.10.11.187 137 *:* 4 System
UDP 10.10.11.187 138 *:* 4 System
UDP 10.10.11.187 464 *:* 656 lsass
UDP 127.0.0.1 49483 *:* 2972 ismserv
UDP 127.0.0.1 50347 *:* 1968 svchost
UDP 127.0.0.1 54489 *:* 3032 svchost
UDP 127.0.0.1 54491 *:* 3952 WmiPrvSE
UDP 127.0.0.1 56562 *:* 2476 dfssvc
UDP 127.0.0.1 57083 *:* 1240 svchost
UDP 127.0.0.1 59990 *:* 6068 C:\Users\svc_apache\Documents\winPEASx64_ofs.exe
UDP 127.0.0.1 60507 *:* 2888 dfsrs
UDP 127.0.0.1 60550 *:* 2788 Microsoft.ActiveDirectory.WebServices
UDP 127.0.0.1 61455 *:* 1368 svchost

Enumerating IPv6 connections

Protocol Local Address Local Port Remote Address:Remote Port Process ID Process Name

UDP [::] 123 *:* 716 svchost
UDP [::] 389 *:* 656 lsass
UDP [::] 5353 *:* 1120 svchost
UDP [::] 5355 *:* 1120 svchost
UDP [::] 54488 *:* 1120 svchost
UDP [::] 60293 *:* 1120 svchost
UDP [dead:beef::13d] 88 *:* 656 lsass
UDP [dead:beef::13d] 464 *:* 656 lsass
UDP [dead:beef::3418:57dd:cff4:b69a] 88 *:* 656 lsass
UDP [dead:beef::3418:57dd:cff4:b69a] 464 *:* 656 lsass
UDP [fe80::3418:57dd:cff4:b69a%6] 88 *:* 656 lsass
UDP [fe80::3418:57dd:cff4:b69a%6] 464 *:* 656 lsass

��͹ Firewall Rules
� Showing only DENY rules (too many ALLOW rules always)
Current Profiles: DOMAIN
FirewallEnabled (Domain): True
FirewallEnabled (Private): True
FirewallEnabled (Public): True
DENY rules:
[X] Exception: Object reference not set to an instance of an object.

��͹ DNS cached --limit 70--
Entry Name Data

��͹ Enumerating Internet settings, zone and proxy configuration
General Settings
Hive Key Value
HKCU DisableCachingOfSSLPages 0
HKCU IE5_UA_Backup_Flag 5.0
HKCU PrivacyAdvanced 1
HKCU SecureProtocols 2688
HKCU User Agent Mozilla/4.0 (compatible; MSIE 8.0; Win32)
HKCU CertificateRevocation 1
HKCU ZonesSecurityUpgrade System.Byte[]
HKLM ActiveXCache C:\Windows\Downloaded Program Files
HKLM CodeBaseSearchPath CODEBASE
HKLM EnablePunycode 1
HKLM MinorVersion 0
HKLM WarnOnIntranet 1

Zone Maps
No URLs configured

Zone Auth Settings
No Zone Auth Settings

��͹ Windows Credentials ��

��͹ Checking Windows Vault
� https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-manager-windows-vault
Not Found

��͹ Checking Credential manager
� https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-manager-windows-vault
[!] Warning: if password contains non-printable characters, it will be printed as unicode base64 encoded string

[!] Unable to enumerate credentials automatically, error: 'Win32Exception: System.ComponentModel.Win32Exception (0x80004005): Element not found'
Please run:
cmdkey /list

��͹ Saved RDP connections
Not Found

��͹ Remote Desktop Server/Client Settings
RDP Server Settings
Network Level Authentication :
Block Clipboard Redirection :
Block COM Port Redirection :
Block Drive Redirection :
Block LPT Port Redirection :
Block PnP Device Redirection :
Block Printer Redirection :
Allow Smart Card Redirection :

RDP Client Settings
Disable Password Saving : True
Restricted Remote Administration : False

��͹ Recently run commands
Not Found

��͹ Checking for DPAPI Master Keys
� https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi
MasterKey: C:\Users\svc_apache\AppData\Roaming\Microsoft\Protect\S-1-5-21-4078382237-1492182817-2568127209-1612\ea8e916b-9506-4eec-b97c-5f2612f2685e
Accessed: 2/9/2023 7:54:00 AM
Modified: 2/9/2023 7:54:00 AM
=================================================================================================

��͹ Checking for DPAPI Credential Files
� https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi
Not Found

��͹ Checking for RDCMan Settings Files
� Dump credentials from Remote Desktop Connection Manager https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#remote-desktop-credential-manager
Not Found

��͹ Looking for Kerberos tickets
� https://book.hacktricks.xyz/pentesting/pentesting-kerberos-88
serverName: krbtgt/FLIGHT.HTB
RealmName: FLIGHT.HTB
StartTime: 2/9/2023 5:49:59 AM
EndTime: 2/9/2023 3:49:59 PM
RenewTime: 2/16/2023 5:49:59 AM
EncryptionType: aes256_cts_hmac_sha1_96
TicketFlags: name_canonicalize, pre_authent, initial, renewable, forwardable
=================================================================================================

��͹ Looking for saved Wifi credentials
[X] Exception: Unable to load DLL 'wlanapi.dll': The specified module could not be found. (Exception from HRESULT: 0x8007007E)
Enumerating WLAN using wlanapi.dll failed, trying to enumerate using 'netsh'
No saved Wifi credentials found

��͹ Looking AppCmd.exe
� https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd-exe
AppCmd.exe was found in C:\Windows\system32\inetsrv\appcmd.exe
You must be an administrator to run this check

��͹ Looking SSClient.exe
� https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#scclient-sccm
Not Found

��͹ Enumerating SSCM - System Center Configuration Manager settings

��͹ Enumerating Security Packages Credentials
Version: NetNTLMv2
Hash: svc_apache::flight:1122334455667788:6ec94705d26e05dba629b64f96e4cfb3:01010000000000009788051da33cd9012d207f2d02b8cbb70000000008003000300000000000000000000000003000002755a3568a8f9afb587704de2295ccd9a81d9f4a43144fa432f7cf9d1e2be3f10a00100000000000000000000000000000000000090000000000000000000000

=================================================================================================

��͹ Browsers Information ��

��͹ Showing saved credentials for Firefox
Info: if no credentials were listed, you might need to close the browser and try again.

��͹ Looking for Firefox DBs
� https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history
Not Found

��͹ Looking for GET credentials in Firefox history
� https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history
Not Found

��͹ Showing saved credentials for Chrome
Info: if no credentials were listed, you might need to close the browser and try again.

��͹ Looking for Chrome DBs
� https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history
Not Found

��͹ Looking for GET credentials in Chrome history
� https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history
Not Found

��͹ Chrome bookmarks
Not Found

��͹ Showing saved credentials for Opera
Info: if no credentials were listed, you might need to close the browser and try again.

��͹ Showing saved credentials for Brave Browser
Info: if no credentials were listed, you might need to close the browser and try again.

��͹ Showing saved credentials for Internet Explorer (unsupported)
Info: if no credentials were listed, you might need to close the browser and try again.

��͹ Current IE tabs
� https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history
[X] Exception: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Runtime.InteropServices.COMException: The server process could not be started because the configured identity is incorrect. Check the username and password. (Exception from HRESULT: 0x8000401A)
--- End of inner exception stack trace ---
at System.RuntimeType.InvokeDispMethod(String name, BindingFlags invokeAttr, Object target, Object[] args, Boolean[] byrefModifiers, Int32 culture, String[] namedParameters)
at System.RuntimeType.InvokeMember(String name, BindingFlags bindingFlags, Binder binder, Object target, Object[] providedArgs, ParameterModifier[] modifiers, CultureInfo culture, String[] namedParams)
at fk.l()
Not Found

��͹ Looking for GET credentials in IE history
� https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history

��͹ IE history -- limit 50

http://go.microsoft.com/fwlink/p/?LinkId=255141

��͹ IE favorites
Not Found

��͹ Interesting files and registry ��

��͹ Putty Sessions
Not Found

��͹ Putty SSH Host keys
Not Found

��͹ SSH keys in registry
� If you find anything here, follow the link to learn how to decrypt the SSH keys https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#ssh-keys-in-registry
Not Found

��͹ SuperPutty configuration files

��͹ Enumerating Office 365 endpoints synced by OneDrive.

SID: S-1-5-19
=================================================================================================

SID: S-1-5-20
=================================================================================================

SID: S-1-5-21-4078382237-1492182817-2568127209-1612
=================================================================================================

SID: S-1-5-18
=================================================================================================

��͹ Cloud Credentials
� https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files
Not Found

��͹ Unattend Files

��͹ Looking for common SAM & SYSTEM backups

��͹ Looking for McAfee Sitelist.xml Files

��͹ Cached GPP Passwords

��͹ Looking for possible regs with creds
� https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry
Not Found
Not Found
Not Found
Not Found

��͹ Looking for possible password files in users homes
� https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files
C:\Users\All Users\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml

��͹ Searching for Oracle SQL Developer config files

��͹ Slack files & directories
note: check manually if something is found

��͹ Looking for LOL Binaries and Scripts (can be slow)
� https://lolbas-project.github.io/
[!] Check skipped, if you want to run it, please specify '-lolbas' argument

��͹ Enumerating Outlook download files

��͹ Enumerating machine and user certificate files

��͹ Searching known files that can contain creds in home
� https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files

��͹ Looking for documents --limit 100--
Not Found

��͹ Office Most Recent Files -- limit 50

Last Access Date User Application Document

��͹ Recent files --limit 70--
Not Found

��͹ Looking inside the Recycle Bin for creds files
� https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files
Not Found

��͹ Searching hidden files or folders in C:\Users home (can be slow)

C:\Users\All Users\ntuser.pol
C:\Users\Default User
C:\Users\Default
C:\Users\All Users

��͹ Searching interesting files in other users home directories (can be slow)

��͹ Searching executable files in non-default folders with write (equivalent) permissions (can be slow)
File Permissions "C:\xampp\tomcat\tomcat_service_uninstall.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\tomcat\tomcat_service_install.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\tomcat\catalina_stop.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\tomcat\catalina_start.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\tomcat\bin\version.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\tomcat\bin\tool-wrapper.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\tomcat\bin\tomcat8w.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\tomcat\bin\tomcat8.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\tomcat\bin\startup.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\tomcat\bin\shutdown.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\tomcat\bin\setclasspath.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\tomcat\bin\service.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\tomcat\bin\digest.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\tomcat\bin\configtest.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\tomcat\bin\ciphers.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\tomcat\bin\catalina.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\sendmail\sendmail.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\install\portcheck.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\install\awk.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\apache\makecert.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\apache\bin\wintty.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\apache\bin\rotatelogs.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\apache\bin\pv.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\apache\bin\openssl.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\apache\bin\logresolve.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\apache\bin\httxt2dbm.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\apache\bin\httpd.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\apache\bin\htpasswd.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\apache\bin\htdigest.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\apache\bin\htdbm.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\apache\bin\htcacheclean.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\apache\bin\curl.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\apache\bin\ApacheMonitor.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\apache\bin\abs.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\apache\bin\ab.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\xampp_stop.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\xampp_start.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\xampp-control.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\test_php.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\setup_xampp.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\mysql_stop.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\mysql_start.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\catalina_stop.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\catalina_start.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\catalina_service.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\apache_stop.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\apache_start.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\php\phpunit.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\php\phpdbg.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\php\php.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\php\php-win.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\php\php-cgi.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\php\pecl.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\php\peardev.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\php\pear.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\php\pciconf.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\php\pci.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\php\deplister.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\php\windowsXamppPhp\phpdbg.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\php\windowsXamppPhp\php.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\php\windowsXamppPhp\php-win.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\php\windowsXamppPhp\php-cgi.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\php\windowsXamppPhp\deplister.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\php\scripts\pciconf.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\php\scripts\compatinfo.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\php\extras\openssl\openssl.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\vendor\lib\auto\share\dist\FFI-Platypus\probe\bin\dlrun.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\zipdetails.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\xsubpp.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\xml_split.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\xml_spellcheck.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\xml_pp.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\xml_merge.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\xml_grep.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\wperl.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\whirlpoolsum.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\use-devel-checklib.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\ttree.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\tpage.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\test-yaml.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\stubmaker.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\streamzip.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\splain.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\SOAPsh.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\shasum.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\search.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\scan-perl-prereqs-nqlite.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\runperl.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\ptargrep.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\ptardiff.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\ptar.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\prove.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\primes.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\ppm.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\ppd2par.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\pod_cover.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\podselect.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\podchecker.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\pod2usage.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\pod2text.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\pod2man.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\pod2latex.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\pod2html.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\pm-uninstall.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\pler.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\pl2pm.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\pl2bat.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\pkg-config.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\piconv.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\pgplet.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\perltidy.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\perlthanks.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\perlivp.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\perlglob.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\perlglob.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\perldoc.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\perlbug.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\perl.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\parinstallppd.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\package-stash-conflicts.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\nssm_64.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\nssm_32.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\mymeta-cpanfile.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\morbo.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\moose-outdated.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\mojo.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\module-version.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\minicpan.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\mech-dump.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\lwp-request.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\lwp-mirror.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\lwp-dump.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\lwp-download.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\llw32helper.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\libnetcfg.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\kwalitee-metrics.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\json_xs.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\json_pp.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\instmodsh.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\hypnotoad.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\htmltree.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\h2xs.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\h2ph.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\findrule.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\factor.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\extract_vba.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\exe_update.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\exetype.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\encguess.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\enc2xs.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\dbiproxy.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\dbiprof.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\dbilogstrip.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\dbicadmin.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\crc32.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\cpanp.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\cpanp-run-perl.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\cpanm.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\cpanfile-dump.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\cpanel_json_xs.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\cpandb.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\cpan2dist.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\cpan.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\cpan-outdated.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\cpan-mirrors.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\corelist.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\config_data.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\chartex.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\perl\bin\bdf2gdfont.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\mysql\resetroot.bat": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\mysql\bin\sst_dump.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\mysql\bin\replace.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\mysql\bin\perror.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\mysql\bin\my_print_defaults.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\mysql\bin\mysql_upgrade_wizard.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\mysql\bin\mysql_upgrade_service.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\mysql\bin\mysql_upgrade.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\mysql\bin\mysql_tzinfo_to_sql.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\mysql\bin\mysql_plugin.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\mysql\bin\mysql_ldb.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\mysql\bin\mysql_install_db.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\mysql\bin\mysqlslap.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\mysql\bin\mysqlshow.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\mysql\bin\mysqlimport.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\mysql\bin\mysqldump.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\mysql\bin\mysqld.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\mysql\bin\mysqlcheck.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\mysql\bin\mysqlbinlog.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\mysql\bin\mysqladmin.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\mysql\bin\mysql.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\mysql\bin\myisam_ftdump.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\mysql\bin\myisampack.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\mysql\bin\myisamlog.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\mysql\bin\myisamchk.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\mysql\bin\mbstream.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\mysql\bin\mariabackup.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\mysql\bin\innochecksum.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\mysql\bin\aria_read_log.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\mysql\bin\aria_pack.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\mysql\bin\aria_ftdump.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\mysql\bin\aria_dump_log.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\xampp\mysql\bin\aria_chk.exe": svc_apache [WriteData/CreateFiles]
File Permissions "C:\Users\svc_apache\Documents\winPEASx64_ofs.exe": svc_apache [AllAccess]
File Permissions "C:\Users\svc_apache\Documents\SharpHound.exe": svc_apache [AllAccess]

��͹ Looking for Linux shells/distributions - wsl.exe, bash.exe

��͹ File Analysis ��

��͹ Found MySQL Files
Folder: C:\xampp\licenses\strawberry\licenses\mysql
Folder: C:\xampp\licenses\mysql
Folder: C:\xampp\licenses\mysql
Folder: C:\xampp\mysql
Folder: C:\xampp\php\data\phpdocref\mysql
Folder: C:\xampp\mysql\data\mysql
Folder: C:\xampp\mysql\backup\mysql
Folder: C:\xampp\perl\vendor\lib\DBD\mysql
Folder: C:\xampp\perl\vendor\lib\auto\DBD\mysql

��͹ Found Apache-Nginx Files
File: C:\xampp\php\php.ini
; PHP's initialization file, generally called php.ini, is responsible for
; configuring many of the aspects of PHP's behavior.
; PHP attempts to find and load this configuration from a number of locations.
; 1. SAPI module specific location.
; 2. The PHPRC environment variable. (As of PHP 5.2.0)
; 3. A number of predefined registry keys on Windows (As of PHP 5.2.0)
; 6. The directory from the --with-config-file-path compile time option, or the
; See the PHP docs for more specific information.
; https://php.net/configuration.file
; beginning with a semicolon are silently ignored (as you probably guessed).
; Section headers (e.g. [Foo]) are also silently ignored, even though
; Directives following the section heading [PATH=/www/mysite] only
; following the section heading [HOST=www.example.com] only apply to
; special sections cannot be overridden by user-defined INI files or
; at runtime. Currently, [PATH=] and [HOST=] sections only work under
; https://php.net/ini.sections
; Directives are variables used to configure PHP or PHP extensions.
; There is no name validation. If PHP can't find an expected
; The value can be a string, a number, a PHP constant (e.g. E_ALL or M_PI), one
; of the INI constants (On, Off, True, False, Yes, No and None) or an expression
; Expressions in the INI file are limited to bitwise operators and parentheses:
; Boolean flags can be turned on using the values 1, On, True or Yes.
; sign, or by using the None keyword:
; foo = None ; sets foo to an empty string
; foo = "None" ; sets foo to the string 'None'
; If you use constants in your value, and these constants belong to a
; dynamically loaded extension (either a PHP extension or a Zend extension),
; you may only use these constants *after* the line that loads the extension.
; PHP comes packaged with two INI files. One that is recommended to be used
; in production environments and one that is recommended to be used in
; development environments.
; php.ini-production contains settings which hold security, performance and
; compatibility with older or less security conscience applications. We
; recommending using the production ini in production and testing environments.
; php.ini-development is very similar to its production variant, except it is
; development version only in development environments, as errors shown to
; application users can inadvertently leak otherwise secure information.
; The following are all the settings which are different in either the production
; or development versions of the INIs with respect to PHP's default behavior.
; Default Value: On
; Development Value: On
; Production Value: Off
; Default Value: On
; Development Value: On
; Production Value: Off
; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT
; Development Value: On
; Production Value: On
; Development Value: 60 (60 seconds)
; Production Value: 60 (60 seconds)
; Production Value: 4096
; Default Value: On
; Production Value: Off
; Default Value: None
; Production Value: "GP"
; session.gc_divisor
; Production Value: 1000
; session.sid_bits_per_character
; Production Value: 5
; Default Value: On
; Production Value: Off
; Production Value: "GPCS"
; zend.exception_ignore_args
; Production Value: On
; zend.exception_string_param_max_len
; Production Value: 0
; php.ini Options ;
; To disable this feature set this option to an empty value
; TTL for user-defined php.ini files (time-to-live) in seconds. Default is 300 seconds (5 minutes)
; Language Options ;
engine = On
; documents, however this remains supported for backward compatibility reasons.
; Note that this directive does not control the <?= shorthand tag, which can be
; Default Value: On
; Production Value: Off
; https://php.net/precision
precision = 14
; Output buffering is a mechanism for controlling how much output data
; data to the client. If your application's output exceeds this setting, PHP
; Turning on this setting and managing its maximum buffer size can yield some
; interesting side-effects depending on your application and web server.
; as it gets it. On production servers, 4096 bytes is a good setting for performance
; reasons.
; Note: Output buffering can also be controlled via Output Buffering Control
; functions.
; On = Enabled and buffer is unlimited. (Use with caution)
; Production Value: 4096
; You can redirect all of the output of your scripts to a function. For
; encoding will be transparently converted to the specified encoding.
; Setting any output handler automatically turns on output buffering.
; Note: People who wrote portable scripts should not depend on this ini
; Note: You cannot use both "mb_output_handler" with "ob_iconv_handler"
; and you cannot use both "ob_gzhandler" and "zlib.output_compression".
; Note: output_handler must be empty if this is set 'On' !!!!
; URL rewriter function rewrites URL on the fly by using
; output buffer. You can set target tags by this configuration.
; Refer to session.trans_sid_tags for usage.
; Production Value: "form="
; Refer to session.trans_sid_hosts for more details.
; Production Value: ""
; Transparent output compression using the zlib library
; Valid values for this option are 'off', 'on', or a specific buffer size
; to be used for compression (default is 4KB)
; Note: Resulting chunk size may vary due to nature of compression. PHP
; compression. If you prefer a larger chunk size for better
; performance, enable output_buffering in addition.
; https://php.net/zlib.output-compression
zlib.output_compression = Off
; https://php.net/zlib.output-compression-level
;zlib.output_compression_level = -1
; You cannot specify additional output handlers if zlib.output_compression
; PHP function flush() after each and every call to print() or echo() and each
; and every HTML block. Turning this option on has serious performance
; implications and is generally recommended for debugging purposes only.
; Note: This directive is hardcoded to On for the CLI SAPI
; The unserialize callback function will be called (with the undefined class'
; which should be instantiated. A warning appears if the specified function is
; not defined, or if the function doesn't include/implement the missing class.
; So only set this entry, if you really want to implement such a
; callback-function.
; during unserialization. The unserialize_max_depth ini setting can be
; overridden by the max_depth option on individual unserialize() calls.
; When floats & doubles are serialized, store serialize_precision significant
; The value is also used for json_encode when encoding double values.
; precision.
serialize_precision = -1
; open_basedir, if set, limits all file operations to the defined directory
; or per-virtualhost web server configuration file.
; This directive allows you to disable certain functions.
; It receives a comma-delimited list of function names.
; https://php.net/disable-functions
disable_functions =
; the request. Consider enabling it if executing long requests, which may end up
;ignore_user_abort = On
; be increased on systems where PHP opens many files to reflect the quantity of
; the file operations performed.
; Duration of time, in seconds for which to cache realpath information for a given
; file or directory. For systems with rarely changing files, consider increasing this
zend.enable_gc = On
; encodings. To use this feature, mbstring extension must be enabled.
; Only affects if zend.multibyte is set.
; Allows to include or exclude arguments from stack traces generated for exceptions.
; In production, it is recommended to turn this setting on to prohibit the output
; of sensitive information in stack traces
; Production Value: On
zend.exception_ignore_args = Off
; This has no effect when zend.exception_ignore_args is enabled.
; Production Value: 0
zend.exception_string_param_max_len = 15
; Decides whether PHP may expose the fact that it is installed on the server
; on your server or not.
expose_php = On
; Maximum execution time of each script, in seconds
; https://php.net/max-execution-time
max_execution_time = 120
; idea to limit this time on productions servers in order to eliminate unexpectedly
; long running scripts.
; Development Value: 60 (60 seconds)
; Production Value: 60 (60 seconds)
; Maximum amount of memory a script may consume
; it to take action for. The recommended way of setting values for this
; directive is through the use of the error level constants and bitwise
; operators. The error level constants are below here for convenience as well as
; some common settings and their meanings.
; By default, PHP is set to take action on all errors, notices and warnings EXCEPT
; recommended coding standards in PHP. For performance reasons, this is the
; recommend error reporting setting. Your production server shouldn't be wasting
; Error Level Constants:
; E_WARNING - run-time warnings (non-fatal errors)
; intentional (e.g., using an uninitialized variable and
; relying on the fact it is automatically initialized to an
; E_CORE_WARNING - warnings (non-fatal errors) that occur during PHP's
; E_COMPILE_WARNING - compile-time warnings (non-fatal errors)
; E_DEPRECATED - warn about code that will not work in future versions
; E_USER_DEPRECATED - user-generated deprecation warnings
; Common Values:
; E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR (Show only errors)
; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT
; This directive controls whether or not and where PHP will output errors,
; it could be very dangerous in production environments. Depending on the code
; which is triggering the error, sensitive information could potentially leak
; out of your application such as database usernames and passwords or worse.
; For production environments, we recommend logging errors rather than
; stderr = Display errors to STDERR (affects only CGI/CLI binaries!)
; On or stdout = Display errors to STDOUT
; Default Value: On
; Development Value: On
; Production Value: Off
display_errors = On
; separately from display_errors. We strongly recommend you set this to 'off'
; for production servers to avoid leaking configuration details.
; Default Value: On
; Development Value: On
; Production Value: Off
display_startup_errors = On
; Besides displaying errors, PHP can also log errors to locations such as a
; server-specific log, STDERR, or a location specified by the error_log
; directive found below. While errors should not be displayed on productions
; servers they should still be monitored and logging is a great way to do that.
; Development Value: On
; Production Value: On
log_errors = On
; Do not log repeated messages. Repeated errors must occur in same file on same
; is On you will not log errors with repeated messages from different files or
; If this parameter is set to Off, then memory leaks will not be shown (on
; stdout or in the log). This is only effective in a debug compile, and if
report_memleaks = On
; error message as HTML for easier reading. This directive controls whether
;html_errors = On
; If html_errors is set to On *and* docref_root is not empty, then PHP
; or function causing the error in detail.
; leading '/'. You must also specify the file extension being used including
; case no links to documentation are generated.
; Note: Never use this feature for production boxes.
; Log errors to syslog (Event Log on Windows).
; to syslog. Only used when error_log is set to syslog.
; the message. Only used when error_log is set to syslog.
; Set this to disable filtering control characters (the default).
; Some loggers only accept NVT-ASCII, others accept anything that's not
; control characters. If your logger accepts everything, then no filtering
; no-ctrl (all characters except control characters)
; Production value: 0
; NOTE: Every character in this directive is considered as separator!
; starts up. G,P,C,E & S are abbreviations for the following respective super
; paid for the registration of these arrays and because ENV is not as commonly
; used as the others, ENV is not recommended on productions servers. You
; can still get access to the environment variables through getenv() should you
; Production Value: "GPCS";
; EXCEPT one. Leaving this value empty will cause PHP to use the value set
; Default Value: None
; Production Value: "GP"
; runs. $argv contains an array of all the arguments passed to PHP when a script
; is invoked. $argc contains an integer representing the number of arguments
; enabled, registering these variables consumes CPU cycles and memory each time
; a script is executed. For performance reasons, this feature should be disabled
; on production servers.
; Note: This directive is hardcoded to On for the CLI SAPI
; Default Value: On
; Production Value: Off
; variables are not used within a script, having this directive on will result
auto_globals_jit = On
; This option is enabled by default.
; Most likely, you won't want to disable this option globally. It causes $_POST
; and $_FILES to always be empty; the only way you will be able to read the
; to proxy requests or to process the POST data in a memory efficient fashion.
; By default, PHP will output a media type using the Content-Type header. To
; The root of the PHP pages, used only if nonempty.
; see documentation for security issues. The alternate is to use the
; cgi.force_redirect configuration below
; The directory under which PHP opens the script using /~username used only
; if nonempty.
; Directory in which the loadable extensions (modules) reside.
; https://php.net/extension-dir
;extension_dir = "./"
; On windows:
extension_dir = "\xampp\php\ext"
; Whether or not to enable the dl() function. The dl() function does NOT work
; disabled on them.
; most web servers. Left undefined, PHP turns this on by default. You can
; if cgi.force_redirect is turned on, and you are not running under Apache or Netscape
; (iPlanet) web servers, you MAY need to set an environment variable name that PHP
; will look for to know it is OK to continue execution. Setting this variable MAY
; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting
; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting
; FastCGI under IIS supports the ability to impersonate
; security context that the request runs under. mod_fastcgi under Apache
; https://php.net/fastcgi.impersonate
;fastcgi.impersonate = 1
; Disable logging through FastCGI connection. PHP's default behavior is to enable
; cgi.rfc2616_headers configuration option tells PHP what type of headers to
; use when sending HTTP response code. If set to 0, PHP sends Status: header that
; is supported by Apache. When this option is set to 1, PHP will send
; cgi.check_shebang_line controls whether CGI PHP checks for line starting with #!
; script support running both as stand-alone script and via PHP CGI<. PHP in CGI
; mode skips this line and ignores its content if this directive is turned on.
file_uploads = On
allow_url_fopen = On
; Define the anonymous ftp password (your email address). PHP's default setting
; Default timeout for socket based streams (seconds)
; or you are running on a Mac and need to deal with files from
; Dynamic Extensions ;
; If you wish to have an extension loaded automatically, use the following
; extension=modulename
; extension=mysqli
; When the extension library to load is not located in the default extension
; extension=/path/to/extension/mysqli.so
; Note : The syntax used in previous PHP versions ('extension=<ext>.so' and
; 'extension='php_<ext>.dll') is supported for legacy reasons and may be
; deprecated in a future PHP major version. So, when it is possible, please
; move to the new ('extension=<ext>) syntax.
; Notes for Windows environments :
; - Many DLL files are located in the extensions/ (PHP 4) or ext/ (PHP 5+)
; extension folders as well as the separate PECL DLL download (PHP 5+).
; Be sure to appropriately set the extension_dir directive.
extension=bz2
extension=curl
;extension=ffi
;extension=ftp
extension=fileinfo
;extension=gd
extension=gettext
;extension=gmp
;extension=intl
;extension=imap
;extension=ldap
extension=mbstring
extension=exif ; Must be after mbstring as it depends on it
extension=mysqli
;extension=oci8_12c ; Use with Oracle Database 12c Instant Client
;extension=oci8_19 ; Use with Oracle Database 19 Instant Client
;extension=odbc
;extension=openssl
;extension=pdo_firebird
extension=pdo_mysql
;extension=pdo_oci
;extension=pdo_odbc
;extension=pdo_pgsql
extension=pdo_sqlite
;extension=pgsql
;extension=shmop
; The MIBS data available in the PHP distribution must be installed.
; See https://www.php.net/manual/en/snmp.installation.php
;extension=snmp
;extension=soap
;extension=sockets
;extension=sodium
;extension=sqlite3
;extension=tidy
;extension=xsl
;zend_extension=opcache
display_startup_errors=On
y2k_compliance=On
register_long_arrays=Off
extension=php_openssl.dll
extension=php_ftp.dll
cli_server.color = On
; Defines the default timezone used by the date functions
; https://php.net/date.timezone
;date.timezone =
; https://php.net/date.default-longitude
;date.default_longitude = 35.2333
[iconv]
; If empty, default_charset or input_encoding or iconv.input_encoding is used.
; The precedence is: default_charset < input_encoding < iconv.input_encoding
;iconv.input_encoding =
; If empty, default_charset or internal_encoding or iconv.internal_encoding is used.
; The precedence is: default_charset < internal_encoding < iconv.internal_encoding
;iconv.internal_encoding =
; If empty, default_charset or output_encoding or iconv.output_encoding is used.
; The precedence is: default_charset < output_encoding < iconv.output_encoding
; To use an output encoding conversion, iconv's output handler must be set
; otherwise output encoding conversion cannot be performed.
;iconv.output_encoding =
; passing them to rsh/ssh command, thus passing untrusted data to this function
; happens within intl functions. The value is the level of the error produced.
;intl.use_exceptions = 0
; Directory pointing to SQLite3 extensions
; https://php.net/sqlite3.extension-dir
;sqlite3.extension_dir =
; SQLite defensive mode flag (only available from SQLite 3.26+)
; https://www.sqlite.org/c3ref/c_dbconfig_defensive.html
; (for older SQLite versions, this flag has no use)
; PCRE library recursion limit.
; Please note that if you set this value to a high number you may consume all
; https://php.net/pcre.recursion-limit
;pcre.recursion_limit=100000
; Enables or disables JIT compilation of patterns. This requires the PCRE
; Whether to pool ODBC connections. Can be one of "strict", "relaxed" or "off"
; https://php.net/pdo-odbc.connection-pooling
;pdo_odbc.connection_pooling=strict
; Default socket name for local MySQL connects. If empty, uses the built-in
; https://php.net/phar.readonly
;phar.readonly = On
;phar.require_hash = On
[mail function]
; For Win32 only.
; For Win32 only.
; For Unix only. You may supply arguments as well (default: "sendmail -t -i").
; Force the addition of the specified parameters to be passed as extra parameters
; Log mail to syslog (Event Log on Windows).
; Controls the ODBC cursor model.
odbc.allow_persistent = On
; Check that a connection is still valid before reuse.
odbc.check_persistent = On
; Maximum number of links (persistent + non-persistent). -1 means no limit.
; Handling of LONG fields. Returns number of bytes to variables. 0 means
; Handling of binary data. 0 means passthru, 1 return as is, 2 convert to char.
; See the documentation on odbc_binmode and odbc_longreadlen for an explanation
;mysqli.allow_local_infile = On
mysqli.allow_persistent = On
; Default port number for mysqli_connect(). If unset, mysqli_connect() will use
; compile-time value defined MYSQL_PORT (in that order). Win32 will only look
; Default socket name for local MySQL connects. If empty, uses the built-in
; Default host for mysqli_connect() (doesn't apply in safe mode).
; Default user for mysqli_connect() (doesn't apply in safe mode).
; Default password for mysqli_connect() (doesn't apply in safe mode).
; Allow or prevent reconnect
mysqli.reconnect = Off
; If this option is enabled, closing a persistent connection will rollback
; any pending transactions of this connection, before it is put back
; into the persistent connection pool.
;mysqli.rollback_on_cached_plink = Off
; Enable / Disable collection of general statistics by mysqlnd which can be
; used to tune and monitor MySQL operations.
mysqlnd.collect_statistics = On
; Enable / Disable collection of memory usage statistics by mysqlnd which can be
; used to tune and monitor MySQL operations.
mysqlnd.collect_memory_statistics = On
; Records communication from all extensions using mysqlnd to the specified log
; Timeout for network requests in seconds.
; SHA-256 Authentication Plugin related. File with the MySQL server public RSA
; Connection: Enables privileged connections using external
; https://php.net/oci8.privileged-connect
;oci8.privileged_connect = Off
; Connection: The maximum number of persistent OCI8 connections per
; Connection: The maximum number of seconds a process is allowed to
; maintain an idle persistent connection. Using -1 means idle
; persistent connections will be maintained forever.
; Connection: The number of seconds that must pass before issuing a
; ping during oci_pconnect() to check the connection validity. When
; set to 0, each oci_pconnect() will cause a ping. Using -1 disables
; Connection: Set this to a user chosen connection class to be used
; Connection Pooling (DRCP). To use DRCP, this value should be set to
; the same string for all web servers running the same application,
; the database pool must be configured, and the connection string must
;oci8.connection_class =
; High Availability: Using On lets PHP receive Fast Application
; Notification (FAN) events generated when a database node fails. The
; database must also be configured to post FAN events.
; Tuning: This option enables statement caching, and specifies how
; rows that will be fetched automatically after statement execution.
; Compatibility. Using On means oci_close() will not close
; oci_connect() and oci_new_connect() connections.
pgsql.allow_persistent = On
; Detect broken persistent links always with pg_pconnect().
; Maximum number of links (persistent+non persistent). -1 means no limit.
; Number of decimal digits for all bcmath functions.
[Session]
; https://php.net/session.save-handler
session.save_handler = files
; variable in order to use PHP's session functions.
; session.save_path = "N;/path"
; where N is an integer. Instead of storing all the session files in
; store the session data in those directories. This is useful if
; your OS has problems with many files in one directory, and is
; a more efficient layout for servers that handle many sessions.
; You can use the script in the ext/session dir for that purpose.
; NOTE 2: See the section on garbage collection below if you choose to
; use subdirectories for session storage
; session.save_path = "N;MODE;/path"
; where MODE is the octal representation of the mode. Note that this
; https://php.net/session.save-path
session.save_path = "\xampp\tmp"
; Whether to use strict session mode.
; Strict session mode does not accept an uninitialized session ID, and
; regenerates the session ID if the browser sends an uninitialized session ID.
; Strict mode protects applications from session fixation via a session adoption
; https://wiki.php.net/rfc/strict_sessions
session.use_strict_mode = 0
; https://php.net/session.use-cookies
session.use_cookies = 1
; https://php.net/session.cookie-secure
;session.cookie_secure =
; This option forces PHP to fetch and use a cookie for storing and maintaining
; the session id. We encourage this operation as it's very helpful in combating
; session hijacking when not specifying and managing your own session id. It is
; not the be-all and end-all of session hijacking defense, but it's a good start.
; https://php.net/session.use-only-cookies
session.use_only_cookies = 1
; Name of the session (used as cookie name).
; https://php.net/session.name
session.name = PHPSESSID
; Initialize session on request startup.
; https://php.net/session.auto-start
session.auto_start = 0
; Lifetime in seconds of cookie or, if 0, until browser is restarted.
; https://php.net/session.cookie-lifetime
session.cookie_lifetime = 0
; https://php.net/session.cookie-path
session.cookie_path = /
; https://php.net/session.cookie-domain
session.cookie_domain =
; Whether or not to add the httpOnly flag to the cookie, which makes it
; https://php.net/session.cookie-httponly
session.cookie_httponly =
; Current valid values are "Strict", "Lax" or "None". When using "None",
; make sure to include the quotes, as `none` is interpreted like `false` in ini files.
session.cookie_samesite =
; https://php.net/session.serialize-handler
session.serialize_handler = php
; Defines the probability that the 'garbage collection' process is started on every
; session initialization. The probability is calculated by using gc_probability/gc_divisor,
; e.g. 1/100 means there is a 1% chance that the GC process starts on each request.
; Production Value: 1
; https://php.net/session.gc-probability
session.gc_probability = 1
; Defines the probability that the 'garbage collection' process is started on every
; session initialization. The probability is calculated by using gc_probability/gc_divisor,
; e.g. 1/100 means there is a 1% chance that the GC process starts on each request.
; For high volume production servers, using a value of 1000 is a more efficient approach.
; Production Value: 1000
; https://php.net/session.gc-divisor
session.gc_divisor = 1000
; After this number of seconds, stored data will be seen as 'garbage' and
; cleaned up by the garbage collection process.
; https://php.net/session.gc-maxlifetime
session.gc_maxlifetime = 1440
; NOTE: If you are using the subdirectory option for storing session files
; (see session.save_path above), then garbage collection does *not*
; collection through a shell script, cron entry, or some other method.
; session.gc_maxlifetime to 1440 (1440 seconds = 24 minutes):
; find /path/to/sessions -cmin +24 -type f | xargs rm
; Check HTTP Referer to invalidate externally stored URLs containing ids.
; HTTP_REFERER has to contain this substring for the session to be
; considered as valid.
; https://php.net/session.referer-check
session.referer_check =
; https://php.net/session.cache-limiter
session.cache_limiter = nocache
; https://php.net/session.cache-expire
session.cache_expire = 180
; Use this option with caution.
; - User may send URL contains active session ID
; to other person via. email/irc/etc.
; - URL that contains active session ID may be stored
; - User may access your site with the same session ID
; https://php.net/session.use-trans-sid
session.use_trans_sid = 0
; Set session ID character length. This value could be between 22 to 256.
; Shorter length than default is supported only for compatibility reason.
; https://php.net/session.sid-length
; Production Value: 26
session.sid_length = 26
; to URLs. <form> tag's action attribute URL will not be modified
; Production Value: "a=href,area=href,frame=src,form="
session.trans_sid_tags = "a=href,area=href,frame=src,form="
; <form> tags is special. PHP will check action attribute's URL regardless
; of session.trans_sid_tags setting.
; Production Value: ""
;session.trans_sid_hosts=""
; Define how many bits are stored in each character when converting
; Production Value: 5
; https://php.net/session.hash-bits-per-character
session.sid_bits_per_character = 5
; Enable upload progress tracking in $_SESSION
; Default Value: On
; Development Value: On
; Production Value: On
; https://php.net/session.upload-progress.enabled
;session.upload_progress.enabled = On
; Cleanup the progress information as soon as all POST data has been read
; Default Value: On
; Development Value: On
; Production Value: On
; https://php.net/session.upload-progress.cleanup
;session.upload_progress.cleanup = On
; A prefix used for the upload progress key in $_SESSION
; Production Value: "upload_progress_"
; https://php.net/session.upload-progress.prefix
;session.upload_progress.prefix = "upload_progress_"
; The index name (concatenated with the prefix) in $_SESSION
; containing the upload progress information
; Default Value: "PHP_SESSION_UPLOAD_PROGRESS"
; Development Value: "PHP_SESSION_UPLOAD_PROGRESS"
; Production Value: "PHP_SESSION_UPLOAD_PROGRESS"
; https://php.net/session.upload-progress.name
;session.upload_progress.name = "PHP_SESSION_UPLOAD_PROGRESS"
; Production Value: "1%"
; https://php.net/session.upload-progress.freq
;session.upload_progress.freq = "1%"
; The minimum delay between updates, in seconds
; Production Value: 1
; https://php.net/session.upload-progress.min-freq
;session.upload_progress.min_freq = "1"
; Only write session data when session data is changed. Enabled by default.
; https://php.net/session.lazy-write
;session.lazy_write = On
[Assertion]
; Switch whether to compile assertions at all (to have no overhead at run-time)
; 0: Jump over assertion at run-time
; 1: Execute assertions
; Changing from or to a negative value is only possible in php.ini! (For turning assertions on and off at run-time, see assert.active, when zend.assertions = 1)
; Production Value: -1
; https://php.net/zend.assertions
zend.assertions = 1
;assert.active = On
; Throw an AssertionError on failed assertions
; https://php.net/assert.exception
;assert.exception = On
; Issue a PHP warning for each failed assertion. (Overridden by assert.exception if active)
;assert.warning = On
; Don't bail out by default.
; User-function to be called if an assertion fails.
; path to a file containing GUIDs, IIDs or filenames of files with TypeLibs
; autoregister constants of a component's typelib on com_load()
; register constants casesensitive
; show warnings on duplicate constant registrations
; The version of the .NET framework to use. The value of the setting are the first three parts
; of the framework's version number, separated by dots, and prefixed with "v", e.g. "v4.0.30319".
;com.dotnet_version=
; language for internal character representation.
; If empty, default_charset or internal_encoding or iconv.internal_encoding is used.
; The precedence is: default_charset < internal_encoding < iconv.internal_encoding
; mbstring.encoding_translation = On is needed to use this setting.
; mb_output_handler must be registered as output buffer to function.
; To use an output encoding conversion, mbstring's output handler must be set
; otherwise output encoding conversion cannot be performed.
; enable automatic encoding translation according to
; converted to internal encoding by setting this to On.
; Note: Do _not_ use automatic encoding translation for
; portable libs/applications.
; https://php.net/mbstring.encoding-translation
;mbstring.encoding_translation = Off
; automatic encoding detection order.
; substitute_character used when character cannot be converted
; one from another
;mbstring.substitute_character = none
; Enable strict encoding detection.
;mbstring.strict_detection = Off
; This directive specifies the regex pattern of content types for which mb_output_handler()
; Default: mbstring.http_output_conv_mimetypes=^(text/|application/xhtml\+xml)
;mbstring.http_output_conv_mimetypes=
; This directive specifies maximum stack depth for mbstring regular expressions. It is similar
; to the pcre.recursion_limit for PCRE.
; This directive specifies maximum retry count for mbstring regular expressions. It is similar
; With mbstring support this will automatically be converted into the encoding
; given by corresponding encode setting. When empty mbstring.internal_encoding
; The path to a default tidy configuration file to use when using tidy
; https://php.net/tidy.default-config
;tidy.default_config = /usr/local/lib/php/default.tcfg
; WARNING: Do not use this option if you are generating non-html content
; Sets the directory name where SOAP extension will put cache files.
; (time to live) Sets the number of second while cached file will be used
; instead of original one.
; Determines if Zend OPCache is enabled for the CLI version of PHP
;opcache.memory_consumption=128
; Only numbers between 200 and 1000000 are allowed.
; directory to the script key, thus eliminating possible collisions between
; performance, but may break existing applications.
; How often (in seconds) to check file timestamps for changes to the shared
; memory storage allocation. ("1" means validate once per second, but only
; once per request. "0" means always validate)
; Enables or disables file search in include_path optimization
; If enabled, compilation warnings (including notices and deprecations) will
; be recorded and replayed each time a file is included. Otherwise, compilation
; warnings will only be emitted when the file is first cached.
;opcache.optimization_level=0x7FFFBFFF
; The location of the OPcache blacklist file (wildcards allowed).
; Allows exclusion of large files from being cached. By default all files
;opcache.consistency_checks=0
; How long to wait (in seconds) for a scheduled restart to begin if the cache
; By default, only fatal errors (level 0) or errors (level 1) are logged.
; Protect the shared memory from unexpected writing during script execution.
; Useful for internal debugging only.
; Allows calling OPcache API functions only from PHP scripts which path is
; started from specified string. The default "" means no restriction
; Mapping base of shared memory segments (for Windows only). All the PHP
; Facilitates multiple OPcache instances per user (for Windows only). All PHP
; Enables and sets the second level cache directory.
;opcache.file_cache_only=0
; Enables or disables checksum validation when script loaded from file cache.
;opcache.file_cache_consistency_checks=1
; Implies opcache.file_cache_only=1 for a certain process that failed to
; reattach to the shared memory (for Windows only). Explicitly enabled file
; This should improve performance, but requires appropriate OS configuration.
; Validate cached file permissions.
;opcache.validate_permission=0
; Prevent name collisions in chroot'ed environment.
; optimizations.
; Preloading code as root is not allowed for security reasons. This directive
; Prevents caching files that are less than this number of seconds old. It
; on your site are atomic, you may increase performance by setting it to "0".
;opcache.file_update_protection=2
; Absolute path used to store shared lockfiles (for *nix only).
; A default value for the CURLOPT_CAINFO option. This is required to be an
; The location of a Certificate Authority (CA) file on the local filesystem
; be overridden on a per-stream basis via the "cafile" SSL stream context
; option.
; this value may still be overridden on a per-stream basis via the "capath"
; SSL stream context option.
; FFI API restriction. Possible values:
[Session]
date.timezone=Europe/Berlin
mysql.allow_local_infile=On
mysql.allow_persistent=On
mysql.connect_timeout=3
sybct.allow_persistent=On
mssql.allow_persistent=On
mssql.secure_connection=Off

��͹ Found PHP_files Files
File: C:\xampp\phpMyAdmin\vendor\tecnickcom\tcpdf\tcpdf_autoconfig.php
File: C:\xampp\phpMyAdmin\vendor\tecnickcom\tcpdf\config\tcpdf_config.php
File: C:\xampp\phpMyAdmin\vendor\symfony\dependency-injection\Loader\Configurator\ServicesConfigurator.php
File: C:\xampp\phpMyAdmin\vendor\symfony\dependency-injection\Loader\Configurator\ServiceConfigurator.php
File: C:\xampp\phpMyAdmin\vendor\symfony\dependency-injection\Loader\Configurator\ReferenceConfigurator.php
File: C:\xampp\phpMyAdmin\vendor\symfony\dependency-injection\Loader\Configurator\PrototypeConfigurator.php
File: C:\xampp\phpMyAdmin\vendor\symfony\dependency-injection\Loader\Configurator\ParametersConfigurator.php
File: C:\xampp\phpMyAdmin\vendor\symfony\dependency-injection\Loader\Configurator\InstanceofConfigurator.php
File: C:\xampp\phpMyAdmin\vendor\symfony\dependency-injection\Loader\Configurator\InlineServiceConfigurator.php
File: C:\xampp\phpMyAdmin\vendor\symfony\dependency-injection\Loader\Configurator\DefaultsConfigurator.php
File: C:\xampp\phpMyAdmin\vendor\symfony\dependency-injection\Loader\Configurator\ContainerConfigurator.php
File: C:\xampp\phpMyAdmin\vendor\symfony\dependency-injection\Loader\Configurator\AliasConfigurator.php
File: C:\xampp\phpMyAdmin\vendor\symfony\dependency-injection\Loader\Configurator\AbstractServiceConfigurator.php
File: C:\xampp\phpMyAdmin\vendor\symfony\dependency-injection\Loader\Configurator\AbstractConfigurator.php
File: C:\xampp\phpMyAdmin\vendor\symfony\dependency-injection\Loader\Configurator\Traits\ConfiguratorTrait.php
File: C:\xampp\phpMyAdmin\vendor\symfony\dependency-injection\Loader\Configurator\Traits\AutoconfigureTrait.php
File: C:\xampp\phpMyAdmin\vendor\symfony\dependency-injection\Extension\ConfigurationExtensionInterface.php
File: C:\xampp\phpMyAdmin\vendor\symfony\dependency-injection\Compiler\PassConfig.php
File: C:\xampp\phpMyAdmin\vendor\symfony\dependency-injection\Compiler\MergeExtensionConfigurationPass.php
File: C:\xampp\phpMyAdmin\vendor\symfony\config\ResourceCheckerConfigCacheFactory.php
File: C:\xampp\phpMyAdmin\vendor\symfony\config\ResourceCheckerConfigCache.php
File: C:\xampp\phpMyAdmin\vendor\symfony\config\ConfigCacheInterface.php
File: C:\xampp\phpMyAdmin\vendor\symfony\config\ConfigCacheFactoryInterface.php
File: C:\xampp\phpMyAdmin\vendor\symfony\config\ConfigCacheFactory.php
File: C:\xampp\phpMyAdmin\vendor\symfony\config\ConfigCache.php
File: C:\xampp\phpMyAdmin\vendor\symfony\config\Definition\ConfigurationInterface.php
File: C:\xampp\phpMyAdmin\vendor\symfony\config\Definition\Exception\InvalidConfigurationException.php
File: C:\xampp\phpMyAdmin\libraries\vendor_config.php
File: C:\xampp\phpMyAdmin\libraries\config.values.php
File: C:\xampp\phpMyAdmin\libraries\config.default.php
File: C:\xampp\phpMyAdmin\libraries\classes\Config.php
File: C:\xampp\phpMyAdmin\libraries\classes\Setup\ConfigGenerator.php
File: C:\xampp\phpMyAdmin\libraries\classes\Plugins\Auth\AuthenticationConfig.php
File: C:\xampp\phpMyAdmin\libraries\classes\Controllers\ConfigController.php
File: C:\xampp\phpMyAdmin\libraries\classes\Controllers\Setup\ConfigController.php
File: C:\xampp\phpMyAdmin\libraries\classes\Config\ServerConfigChecks.php
File: C:\xampp\phpMyAdmin\libraries\classes\Config\ConfigFile.php
File: C:\xampp\phpMyAdmin\libraries\classes\Config\Forms\Setup\ConfigForm.php
File: C:\xampp\phpMyAdmin\examples\config.manyhosts.inc.php
File: C:\xampp\phpMyAdmin\show_config_errors.php
File: C:\xampp\phpMyAdmin\config.sample.inc.php
File: C:\xampp\phpMyAdmin\config.inc.php
File: C:\xampp\php\scripts\configure.php
File: C:\xampp\php\pear\PHPUnit\Util\Configuration.php
File: C:\xampp\php\pear\PHP\Debug\Renderer\HTML\TableConfig.php
File: C:\xampp\php\pear\PHP\Debug\Renderer\HTML\DivConfig.php
File: C:\xampp\php\pear\PEAR\Config.php
File: C:\xampp\php\pear\PEAR\Command\Config.php
File: C:\xampp\phpMyAdmin\setup\config.php
File: C:\xampp\php\pear\Table\Storage.php

��͹ Found Moodle Files
File: C:\xampp\phpMyAdmin\libraries\classes\Config.php
File: C:\xampp\php\pear\PEAR\Config.php
File: C:\xampp\php\pear\PEAR\Command\Config.php
File: C:\xampp\phpMyAdmin\setup\config.php

��͹ Found Tomcat Files
File: C:\xampp\tomcat\conf\tomcat-users.xml

��͹ Found CERTSB4 Files
File: C:\xampp\phpMyAdmin\libraries\certs\cacert.pem
File: C:\xampp\perl\vendor\lib\Mozilla\CA\cacert.pem
File: C:\xampp\apache\conf\ssl.crt
Error looking for regexes inside files: System.AggregateException: One or more errors occurred. ---> System.UnauthorizedAccessException: Access to the path 'C:\xampp\htdocs\flight.htb\winshell.php' is denied.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
at System.IO.StreamReader..ctor(String path, Encoding encoding, Boolean detectEncodingFromByteOrderMarks, Int32 bufferSize, Boolean checkHost)
at System.IO.File.InternalReadAllText(String path, Encoding encoding, Boolean checkHost)
at ij.f.d(hz A_0)
at System.Threading.Tasks.Parallel.<>c__DisplayClass17_0`1.<ForWorker>b__1()
at System.Threading.Tasks.Task.InnerInvokeWithArg(Task childTask)
at System.Threading.Tasks.Task.<>c__DisplayClass176_0.<ExecuteSelfReplicating>b__0(Object )
--- End of inner exception stack trace ---
at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
at System.Threading.Tasks.Task.Wait(Int32 millisecondsTimeout, CancellationToken cancellationToken)
at System.Threading.Tasks.Parallel.ForWorker[TLocal](Int32 fromInclusive, Int32 toExclusive, ParallelOptions parallelOptions, Action`1 body, Action`2 bodyWithState, Func`4 bodyWithLocal, Func`1 localInit, Action`1 localFinally)
at System.Threading.Tasks.Parallel.ForEachWorker[TSource,TLocal](IEnumerable`1 source, ParallelOptions parallelOptions, Action`1 body, Action`2 bodyWithState, Action`3 bodyWithStateAndIndex, Func`4 bodyWithStateAndLocal, Func`5 bodyWithEverything, Func`1 localInit, Action`1 localFinally)
at System.Threading.Tasks.Parallel.ForEach[TSource](IEnumerable`1 source, ParallelOptions parallelOptions, Action`1 body)
at ij.f.d()
at h5.a(Action A_0, Boolean A_1, String A_2)
at ij.a()
---> (Inner Exception #0) System.UnauthorizedAccessException: Access to the path 'C:\xampp\htdocs\flight.htb\winshell.php' is denied.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
at System.IO.StreamReader..ctor(String path, Encoding encoding, Boolean detectEncodingFromByteOrderMarks, Int32 bufferSize, Boolean checkHost)
at System.IO.File.InternalReadAllText(String path, Encoding encoding, Boolean checkHost)
at ij.f.d(hz A_0)
at System.Threading.Tasks.Parallel.<>c__DisplayClass17_0`1.<ForWorker>b__1()
at System.Threading.Tasks.Task.InnerInvokeWithArg(Task childTask)
at System.Threading.Tasks.Task.<>c__DisplayClass176_0.<ExecuteSelfReplicating>b__0(Object )<---

/---------------------------------------------------------------------------------\
| Do you like PEASS? |
|---------------------------------------------------------------------------------|
| Get the latest version : https://github.com/sponsors/carlospolop |
| Follow on Twitter : @carlospolopm |
| Respect on HTB : SirBroccoli |
|---------------------------------------------------------------------------------|
| Thank you! |
\---------------------------------------------------------------------------------/

261 KiB Raw Blame History

261 KiB

Raw Blame History