# Privilege escalation

**enumerating the operating system**

**windows:** \
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"

**linux:** \
cat /etc/issue \
uname -a \
whoami

**enumerating processes**

**windows:** \
tasklist /SVC

**linux:** \
ps aux

**enumerating network information**

**windows:** \
ipconfig /all \
route print \
netstat -ano

**linux:** \
ifconfig \
ip a \
route \
netstat -anp

(ifconfig, route and netstat come from net-tools and are missing on many current distributions; ip a, ip route and ss -anp give the same information.)

**enumerating firewall status and rules**

**windows:** \
netsh advfirewall show currentprofile \
netsh advfirewall firewall show rule dir=in name=all

**linux:** \
iptables -L (listing the live rules requires root) \
grep -Hs iptables /etc/* (as an unprivileged user, look for readable copies of the rules instead: saved rule sets, init scripts, rc.local)

**enumerating scheduled tasks**

**windows:** \
schtasks /query /fo LIST /v

**linux:** \
crontab -l \
ls -la /etc/crontab /etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly

Check what the jobs execute: a script run by root from a directory or file we can write to is a direct path to escalation.

**enumerating installed apps and patch levels**

**windows:** \
apps: wmic product get name, version, vendor \
patch level: wmic qfe get Caption, Description, HotfixID, InstalledOn

(wmic product queries Win32_Product, which triggers a consistency check and repair of every installed MSI package, so it is slow and noisy in the event log; wmic is also deprecated on current Windows, where Get-CimInstance Win32_Product and Get-CimInstance Win32_QuickFixEngineering return the same data.)

**linux:** \
debian: dpkg -l \
redhat: rpm -qa

**enumerating readable/writable files and directories**

**windows:** \
Sysinternals AccessChk: accesschk.exe -uws "Everyone" "C:\Program Files" \
(-u suppresses errors, -w shows only objects with write access, -s recurses; repeat for "Users" and "Authenticated Users", since a directory writable by those groups but not by Everyone is otherwise missed) \
powershell: Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}

**linux:** \
find / -writable -type d 2>/dev/null

**enumerating unmounted disks**

**windows:** \
mountvol

**linux:** \
mount \
cat /etc/fstab \
lsblk

**enumerating device drivers and kernel modules**

**windows (powershell):** \
driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path \
Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "\*VMware\*"}

**linux:** \
lsmod \
/sbin/modinfo libata

**enumerating AlwaysInstallElevated (auto-elevating MSI installs)**

reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer \
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

The setting is only exploitable when the AlwaysInstallElevated value is 1 in both hives; then any .msi we install runs with SYSTEM privileges, so we can craft an MSI file (for example one that adds a local administrator or starts a reverse shell) to elevate our privileges.

**linux: SUID binaries**

find / -perm -u=s -type f 2>/dev/null
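The Linux file-system checks from the sections above (SUID search, writable directories, cron jobs, iptables config files) wrapped in functions, as an added example that is not part of the original page. It generalises the one-liners slightly: each function takes a root directory, so the same checks run against a constructed sample tree for testing and against / on a real host. It assumes POSIX sh with GNU or BusyBox find, grep and awk; the tree that build_sample_tree() creates is constructed sample data, and the script name privesc-enum.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page: the Linux enumeration one-liners
# as functions that take a root directory. Assumes POSIX sh plus GNU or
# BusyBox find/grep/awk. Pass "/" for a real host; build_sample_tree() makes a
# small constructed tree so the checks can be exercised offline.

# SUID files: -perm -4000 is the octal equivalent of the page's -perm -u=s
find_suid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# World-writable directories without the sticky bit. The page's
# "find / -writable" lists whatever the current user can write; this narrows
# it to directories any local user can plant files in and skips sticky ones
# such as /tmp, where other users' files cannot be replaced.
find_world_writable_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# System cron entries (etc/crontab, etc/cron.d/*) whose command file is
# writable by us. Those run as the listed user (usually root) on a schedule,
# so a writable target is a direct privilege-escalation path.
find_writable_cron_targets() {
    base=$1
    for f in "$base/etc/crontab" "$base"/etc/cron.d/*; do
        [ -f "$f" ] || continue
        # drop comments, blank lines and VAR=value lines; system crontab
        # fields are: min hour dom mon dow user command...
        grep -Ev '^[[:space:]]*(#|$)|^[A-Za-z_][A-Za-z0-9_]*=' "$f" \
            | awk 'NF >= 7 { print $7 }' \
            | while read -r cmd; do
                  target="$base$cmd"
                  [ -w "$target" ] && printf '%s: %s\n' "$f" "$cmd"
              done
    done
}

# The page's "grep -Hs iptables /etc/*": files under etc/ that mention
# iptables (saved rule sets, rc scripts) and are readable without root.
find_iptables_configs() {
    grep -ls iptables "$1"/etc/* 2>/dev/null
}

# Constructed sample tree: one SUID helper, one world-writable directory from
# which a root cron job runs a script, and an rc.local carrying firewall rules.
build_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/etc/cron.d" "$d/opt/backup"
    chmod 0755 "$d" "$d/usr" "$d/usr/bin" "$d/etc" "$d/etc/cron.d" "$d/opt"
    printf '#!/bin/sh\nexit 0\n' > "$d/usr/bin/suid-helper"
    chmod 4755 "$d/usr/bin/suid-helper"
    printf '#!/bin/sh\nexit 0\n' > "$d/usr/bin/normal"
    chmod 0755 "$d/usr/bin/normal"
    printf '#!/bin/sh\ntar czf /root/backup.tgz /srv\n' > "$d/opt/backup/run.sh"
    chmod 0777 "$d/opt/backup" "$d/opt/backup/run.sh"
    printf '# m h dom mon dow user command\n*/5 * * * * root /opt/backup/run.sh\n' \
        > "$d/etc/cron.d/backup"
    printf '#!/bin/sh\niptables -A INPUT -p tcp --dport 22 -j ACCEPT\n' > "$d/etc/rc.local"
    echo "$d"
}

# Stand-alone use against a real host:  sh privesc-enum.sh /
if [ -n "${1:-}" ]; then
    for check in find_suid find_world_writable_dirs find_writable_cron_targets find_iptables_configs; do
        echo "== $check"
        "$check" "$1"
    done
fi
```

On the sample tree the SUID search returns only usr/bin/suid-helper, the writable-directory search returns only opt/backup, the cron check flags etc/cron.d/backup because its target /opt/backup/run.sh is writable, and the iptables search returns etc/rc.local. Against / the same functions take a while because of the full-filesystem find, which is why errors are sent to /dev/null rather than aborting the run.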

**automated enumeration**

**windows:** \
windows-privesc-check2.exe --dump -G

**linux:** \
unix-privesc-check standard > output.txt

**windows privilege escalation examples**

log in via RDP, then check which groups the account belongs to: \
rdesktop x.x.x.x -u admin -p password -g 1024x768 -x 0x80 \
whoami /groups

port scan the target: \
nmap -T4 -p- -A x.x.x.x
