You have a shell, but not yet a privileged one, and now you want to enumerate the system to find a way to escalate those privileges so that you can become a SYSTEM-level (or at least administrator-level) user.
With a quick findstr (find string) and a couple of other commands, you can issue a command like this:
You can quickly see what system and version you are on, the architecture, and so on. Remember: you want exploits that actually fit the target. You might be on an x86 build, or on a Windows Enterprise edition, so you don't want to bombard it with random exploits. That's why enumeration is key; it gives you information you can actually use. As we all know there are five stages to the process, but enumeration is usually the vital one. Enumerate, enumerate, enumerate!
To check for patches and other stuff that’s installed on the target Windows computer, you might use a command like this:
WMI is Windows Management Instrumentation (sysadmins, engineers and support staff know it well), and WMIC is its command-line interface. Note that wmic.exe is deprecated and, on current Windows 11 builds, no longer installed by default; the same WMI classes can be queried from PowerShell with Get-CimInstance.
The qfe class in the command above lists the installed updates (QFE stands for Quick Fix Engineering). This is very useful for working out which exploits the machine is still vulnerable to, and which patches have already closed the door. After running the command on my system, you can observe the following:
As you can see, the output shows the related KB (Knowledge Base) article, the type of update (security update, update, etc.), who installed it, the HotFixID, and the date it was installed. If you only want specific columns, such as Caption, HotFixID and InstalledOn, you can run something like this:
wmic qfe get Caption,HotFixID,InstalledOn
To enumerate drives, you can issue a command like this:
The full output is messy, though, so use the same approach as above and ask only for the Caption:
wmic logicaldisk get Caption
This quickly tells you whether there are any drives other than C: on the computer. (In my case there are none, but if there are, this command will find them, and you will want to look around those drives for anything interesting, such as mapped network shares.)
Of course, you can also use the good ol' hostname and whoami to check the name of the computer you're on and the domain\username you're running as, respectively.
I will only cover a few of the commands here, just so you get a basic idea of what you might end up doing once you're on the system. You would probably start with ipconfig, or ipconfig /all, to see the default gateway, DNS servers, and so on. If the box is domain-joined, you will usually see a domain controller listed as a DNS server.
Another one is arp -a, which shows the ARP cache: the hosts on the local subnet your box has recently exchanged traffic with. A quick look at the routing table with route print shows where your machine can send traffic. This is useful because it also lists the NICs on the machine: a second interface on another subnet may let you pivot straight off that NIC, which can change whether you even need to elevate first.
A very important command here is netstat! Run netstat -ano (all sockets, numeric addresses, owning process ID) to see which ports are listening, on which addresses, and which PID owns them. Services bound only to 127.0.0.1 are reachable from your shell but not from the network, so they are often worth a closer look. You can gather a lot of information here, and together with the commands above you can also glean something about the architecture of the network and its systems. Of course, your mileage may vary: a seasoned pro using the same commands will immediately understand what's happening, but it is a place to start regardless of experience.
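The systeminfo, wmic qfe and wmic logicaldisk steps above, done through PowerShell's CIM cmdlets, as an added example that is not part of the original post. The cmdlets query the same WMI classes and keep working on builds where wmic.exe has been removed. Test-KbInstalled and the KB number in its commented call are assumptions of this example (the placeholder is not a real identifier); run it from the low-privilege shell you landed in.

```powershell
# Added example (not from the original post): host enumeration via CIM instead of wmic.exe.

# 1. OS name, version, build and architecture: this decides which exploits are even candidates.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
[PSCustomObject]@{
    Host         = $env:COMPUTERNAME
    OS           = $os.Caption
    Version      = $os.Version
    Build        = $os.BuildNumber
    Architecture = $os.OSArchitecture
    LastBoot     = $os.LastBootUpTime
} | Format-List

# 2. Installed updates. Get-HotFix is the cmdlet wrapper around Win32_QuickFixEngineering
#    (the class behind "wmic qfe") and returns InstalledOn as a DateTime, so sorting is reliable.
$hotfixes = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending
$hotfixes | Select-Object HotFixID, Description, InstalledBy, InstalledOn | Format-Table -AutoSize

# A long gap since the last update is a finding in itself.
$latest = $hotfixes | Select-Object -First 1
if ($latest) {
    $days = [int]((Get-Date) - $latest.InstalledOn).TotalDays
    "Latest update $($latest.HotFixID) was installed $days days ago"
}

# 3. Before trying an exploit, check whether the KB that fixes it is already installed.
#    Which KB to look for comes from the exploit's write-up; it is passed in as a parameter.
function Test-KbInstalled {
    param([Parameter(Mandatory)][string]$KB)
    $present = [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)
    if ($present) { "$KB is installed, that exploit is patched" } else { "$KB is not installed" }
}
# Example call with a placeholder KB number (hypothetical, not a real identifier):
# Test-KbInstalled -KB 'KB1234567'

# 4. Drives ("wmic logicaldisk"). DriveType 3 = local fixed, 4 = network, 2 = removable;
#    ProviderName holds the UNC path behind a mapped network drive.
Get-CimInstance -ClassName Win32_LogicalDisk |
    Select-Object DeviceID, DriveType, VolumeName, ProviderName,
        @{ Name = 'SizeGB'; Expression = { [math]::Round($_.Size / 1GB, 1) } },
        @{ Name = 'FreeGB'; Expression = { [math]::Round($_.FreeSpace / 1GB, 1) } } |
    Format-Table -AutoSize
```

Network drives are per-session, so this only shows what is mapped for the account you are running as; net use and the registry under HKCU are where the original author's "look around those drives" advice starts.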
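The ipconfig, arp -a, route print and netstat -ano steps above, as an added example that is not part of the original post: the PID column from netstat is resolved to a process name and path so you can see at once which service owns a listening port. It assumes Windows 8 / Server 2012 or later, where the NetTCPIP cmdlets exist; on older boxes fall back to the plain commands the text describes.

```powershell
# Added example (not from the original post): listening sockets with their owning process,
# plus the ARP cache and routing table, from an unprivileged shell.

# PID -> process object, built once instead of one lookup per socket.
$procs = @{}
Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

$listening = Get-NetTCPConnection -State Listen | ForEach-Object {
    $p = $procs[[int]$_.OwningProcess]
    # Path is unreadable for processes you lack rights to inspect (elevated or another user's);
    # an empty Path next to a known service name is therefore itself a hint about its privilege.
    $path = if ($p) { try { $p.Path } catch { $null } } else { $null }
    [PSCustomObject]@{
        LocalAddress = $_.LocalAddress
        Port         = $_.LocalPort
        PID          = $_.OwningProcess
        Process      = if ($p) { $p.ProcessName } else { '?' }
        Path         = $path
    }
} | Sort-Object Port
$listening | Format-Table -AutoSize

# Ports bound only to loopback are reachable from this box but not from the network:
# services that nobody hardened because "it's only local" are classic escalation targets.
"Loopback-only listeners:"
$listening | Where-Object { $_.LocalAddress -in @('127.0.0.1', '::1') } |
    Select-Object Port, Process, Path | Format-Table -AutoSize

# arp -a equivalent: neighbours this host has recently talked to on its subnets.
Get-NetNeighbor -State Reachable, Stale -ErrorAction SilentlyContinue |
    Select-Object IPAddress, LinkLayerAddress, InterfaceAlias | Format-Table -AutoSize

# route print equivalent, reduced to routes with a real next hop. A gateway on an
# interface other than the one you came in on is the pivot the text talks about.
Get-NetRoute -AddressFamily IPv4 | Where-Object { $_.NextHop -ne '0.0.0.0' } |
    Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric | Format-Table -AutoSize
```

netstat -b would print the executable name directly, but it requires administrator rights, which is exactly what you do not have yet; joining on the PID from -o works without them.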
Here you can do something like the following: one command to check which privileges your token holds, and another to see which groups you belong to.
Further, you would want to run net user to list the local accounts on the box... remember, if you have just gained a foothold, you are not necessarily running as a user; you could also have landed on a service account. In that case, you will probably want to find other users so you can escalate to them, or escalate straight to an administrator.
You can also run net user <username> or net user administrator to see an account's details, including the local groups it belongs to. To see the members of the administrators group, run net localgroup administrators. On a domain-joined box, add /domain to the net user and net group commands to query the domain instead of the local SAM.
These are some basic, quick and dirty commands to check your users, groups and their privileges.
All of the above can be done, and probably will be if you do this professionally, with tools that automate the process. But to understand what those tools are doing in the background, I wrote this short intro, because ultimately they are some variation, or a more complex version, of the commands above with more checks tacked on.
Lastly, those tools just might not work, or something else along those lines. Be aware of the caveats: WinPEAS, for example, is a very, very good tool, but the .exe build needs a suitable .NET Framework 4.x runtime, which is useless if the Windows box you got hold of doesn't have it and you can't install it as the user you are (there is a batch-file variant, winPEAS.bat, for that case), or if you don't want to set off alarms, since a known tool binary dropped to disk is exactly what AV and EDR signatures look for.
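The whoami, net user and net localgroup steps above, as an added example that is not part of the original post: the privilege list is filtered down to the token privileges that most often lead to SYSTEM, and the Administrators group is looked up by its well-known SID so the check does not depend on the display language. The list of "interesting" privileges is this example's own choice, not the author's; Get-LocalUser and Get-LocalGroupMember need Windows PowerShell 5.1 or later, with the net commands as the fallback.

```powershell
# Added example (not from the original post): who am I, what can my token do, who else is here.

# Identity: a service account (e.g. NT AUTHORITY\..., IIS APPPOOL\...) shows up here.
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"Running as $($id.Name) (SID $($id.User))"
$isAdmin = ([System.Security.Principal.WindowsPrincipal]$id).IsInRole(
    [System.Security.Principal.WindowsBuiltInRole]::Administrator)
"Administrators role in this token: $isAdmin"
# A UAC-filtered (medium integrity) token reports $false even if the account is in Administrators.

# Token privileges ("whoami /priv"). Privileges worth a second look in a privesc context:
$interesting = @(
    'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege',  # token impersonation paths
    'SeBackupPrivilege', 'SeRestorePrivilege',                   # read/write any file regardless of ACL
    'SeDebugPrivilege', 'SeTakeOwnershipPrivilege',
    'SeLoadDriverPrivilege', 'SeManageVolumePrivilege'
)
$privs = whoami /priv /fo csv | ConvertFrom-Csv
"Privileges of interest held by this token:"
$privs | Where-Object { $_.'Privilege Name' -in $interesting } |
    Select-Object 'Privilege Name', State | Format-Table -AutoSize
# "Disabled" is not "absent": a process that holds a disabled privilege can enable it itself.

# Groups ("whoami /groups").
whoami /groups /fo csv | ConvertFrom-Csv |
    Select-Object 'Group Name', Type, SID | Format-Table -AutoSize

# Local accounts ("net user") and local admins ("net localgroup administrators").
Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordRequired | Format-Table -AutoSize
"Members of BUILTIN\Administrators (S-1-5-32-544):"
Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue |
    Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# Domain-joined? Then the interesting accounts live in AD, not the local SAM.
if ($env:USERDNSDOMAIN) {
    "Domain: $env:USERDNSDOMAIN"
    net group "Domain Admins" /domain
}
```

Get-LocalGroupMember can fail on machines whose Administrators group contains orphaned domain SIDs; when it returns nothing, net localgroup administrators still prints the raw list.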
The main idea here is to understand the context, which is also why all the pentesting tutorials and other resources almost exclusively emphasize the importance of having rock solid understanding of the basics.
Some of the tools you might end up using:
Watson – ships as a Visual Studio solution (.sln), meaning you have to compile it yourself, against the .NET version present on the target machine
PowerUp – part of PowerSploit
Win PrivEsc Checklist – awesome checklist for PrivEsc
Windows Exploit Suggester – a Python script that takes systeminfo output and compares the installed patches against Microsoft's vulnerability database to suggest missing patches and public exploits
You might want to try these in a lab environment to familiarize yourself first. There are probably many more tools out there, but these are some of the 'main' ones, as they're tried and tested.
Before concluding, I'd just like to emphasize again how important it is to know the context you're in. Sometimes less truly is more: tooling can be a tremendous time-saver, but you first need to understand its nuts and bolts, otherwise you're basically doing what script kiddies do. Take your time, and it will pay off.
Finally, enumerate, enumerate, enumerate!
Cover image by Omar Flores