Command-Line
Get Username
whoami /all
echo %username%
net user %username%
Get Hostname
hostname
Get OS Info
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Get Interface Info
ipconfig /all
Display password policy, logon restrictions, and domain information
net accounts
List users in local “administrators” group
net localgroup administrators
List Shared Resources
net share
Print Path
echo %path%
Startup and Services
View Scheduled Tasks
schtasks /query /fo LIST /v
View running processes and the services they host
tasklist /SVC
View Services started
net start
Priv Esc Tricks
AlwaysInstallElevated Key
Description: If the query returns an error, the key does not exist. If it does exist, see the AlwaysInstallElevated Key priv esc. Run both queries, because both values need to be present.
Commands:
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
Unquoted Service Paths
Description: If results are returned, see the Priv Esc Guide for Unquoted Service Paths
Link: https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
Command:
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
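The two checks above can be run together as a local audit. The script below is an added example, not part of the original cheat sheet; it assumes Windows PowerShell 5.1 or later with Get-CimInstance available. It confirms that the AlwaysInstallElevated value is set to 1 in both hives (the condition the description states), and it tightens the unquoted-path filter: the wmic one-liner returns every unquoted auto-start path outside C:\Windows, but only paths whose executable portion also contains a space matter, so those are the ones reported.

```powershell
# Added audit script (not from the original cheat sheet).
# Assumes Windows PowerShell 5.1+ and CIM access to Win32_Service.

function Test-AlwaysInstallElevated {
    # The policy only takes effect when BOTH the HKLM and HKCU values are 1.
    $keys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
        'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    )
    $set = foreach ($k in $keys) {
        # A missing key or value yields $null, which compares as not-1.
        $v = (Get-ItemProperty -Path $k -Name AlwaysInstallElevated `
                -ErrorAction SilentlyContinue).AlwaysInstallElevated
        [bool]($v -eq 1)
    }
    # $true only when neither hive reported "not set".
    return -not ($set -contains $false)
}

function Get-UnquotedServicePath {
    # Mirror the wmic filter: auto-start, unquoted, not under C:\Windows.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.StartMode -eq 'Auto' -and
            $_.PathName -and
            -not $_.PathName.StartsWith('"') -and
            $_.PathName -notmatch '^C:\\Windows\\'
        } |
        ForEach-Object {
            # Isolate the executable (up to and including ".exe"); arguments
            # after it are irrelevant to how the service binary is resolved.
            $exe = if ($_.PathName -match '^(.*?\.exe)') { $Matches[1] } else { $_.PathName }
            # Only an unquoted path WITH a space is a finding.
            if ($exe -match ' ') {
                [pscustomobject]@{
                    Name        = $_.Name
                    DisplayName = $_.DisplayName
                    PathName    = $_.PathName
                }
            }
        }
}

# Report.
if (Test-AlwaysInstallElevated) {
    Write-Warning 'AlwaysInstallElevated is set to 1 in both HKLM and HKCU.'
} else {
    Write-Output 'AlwaysInstallElevated: not enabled in both hives.'
}

$unquoted = @(Get-UnquotedServicePath)
Write-Output ("Unquoted auto-start service paths containing spaces: {0}" -f $unquoted.Count)
$unquoted | Format-Table -AutoSize
```

Remediation for a reported service is to quote its binary path (for example with sc.exe config, passing the quoted path in binPath=) and, for the installer policy, to set both AlwaysInstallElevated values back to 0 via Group Policy.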