|
@@ -165,6 +165,8 @@ echo.
|
|
|
echo PS default transcript history
|
|
|
dir %SystemDrive%\transcripts\
|
|
|
echo.
|
|
|
+echo Checking PS history file
|
|
|
+dir "%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"
|
|
|
echo.
|
|
|
echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] MOUNTED DISKS ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
|
|
|
echo [i] Maybe you find something interesting
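Review bot: The added `dir` on the PSReadLine history path reports an absent file only through dir's own "File Not Found" message on stderr, which is easy to miss in a long report and does not match the `[i]`-prefixed style of the surrounding lines; consider `dir "%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" 2>nul || echo [i] No PSReadLine history file for this user`. Since `%APPDATA%` resolves for the account the script runs as, the heading would be more accurate as `echo Checking PS history file (current user)`.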
|
|
@@ -278,8 +280,7 @@ ipconfig /displaydns | findstr "Record" | findstr "Name Host"
|
|
|
echo.
|
|
|
echo.
|
|
|
echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] WIFI ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
|
|
|
-echo [i] To get the clear-text password use: netsh wlan show profile <SSID> key=clear
|
|
|
-netsh wlan show profile
|
|
|
+for /f "tokens=4 delims=: " %%a in ('netsh wlan show profiles ^| find "Profile "') do (netsh wlan show profiles name=%%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.)
|
|
|
echo.
|
|
|
echo.
|
|
|
echo.
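Review bot: The replaced `netsh` loop now emits each profile's `Key Content` line on stdout, so a report redirected to a file will contain wireless passphrases in clear text, whereas the removed `[i]` line only described the command; keep a one-line notice so readers know the saved output is sensitive, e.g. `echo [i] Key Content lines below are clear-text; treat saved output as sensitive`. Separately, `tokens=4 delims=: ` takes only the first space-delimited word after the colon, so a profile name containing spaces is truncated and the inner `netsh wlan show profiles name=%%a` call presumably fails for that profile rather than being skipped; if this is not fixed, it is worth stating in the same notice.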
|
|
@@ -359,7 +360,7 @@ echo [i] The permissions are also checked and filtered using icacls
|
|
|
echo [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
|
|
|
for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do (
|
|
|
for /f "delims=: tokens=1*" %%r in ('sc qc "%%~n" ^| findstr BINARY_PATH_NAME ^| findstr /i /v /l /c:"c:\windows\system32" ^| findstr /v /c:""""') do (
|
|
|
- echo %%~s | findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (echo %%n && echo %%~s && icacls %%s | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%") && echo.
|
|
|
+ echo %%~s ^| findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (echo %%n && echo %%~s && icacls %%s | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%") && echo.
|
|
|
)
|
|
|
)
|
|
|
::wmic service get name,displayname,pathname,startmode | more | findstr /i /v "C:\\Windows\\system32\\" | findstr /i /v """
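Review bot: Escaping the pipe as `^|` on the changed line turns it into a literal character rather than a pipe, because the line sits inside a plain `do (...)` block (both `for` loops open within this hunk) and not inside a `for /f` command string: `echo` then prints the path followed by the text `| findstr /r /c:"[a-Z][ ][a-Z]"` to `nul`, always succeeds, and the `&&` branch runs for every service, so the space-in-path filter no longer filters anything. If an unusual path was breaking the original pipe, quoting the echoed value is the safer repair: `echo "%%~s" | findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (echo %%n && echo %%~s && icacls %%s | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%") && echo.`. A short comment above the loop stating that the regex is the "unquoted path with a space" test would also help the next reader.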
|