# Enumeration ```powerquery PS C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup> whoami /all USER INFORMATION ---------------- User Name SID ================== ============================================== steelmountain\bill S-1-5-21-3029548963-3893655183-1231094572-1001 GROUP INFORMATION ----------------- Group Name Type SID Attributes ====================================== ================ ============ ================================================== Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group Mandatory Label\Medium Mandatory Level Label S-1-16-8192 PRIVILEGES INFORMATION ---------------------- Privilege Name Description State ============================= ============================== ======== SeChangeNotifyPrivilege Bypass traverse checking Enabled SeIncreaseWorkingSetPrivilege Increase a process working set Disabled ``` ``` PS C:\Users\Bill\Desktop> systeminfo Host Name: STEELMOUNTAIN OS Name: Microsoft Windows Server 2012 R2 Datacenter OS Version: 6.3.9600 N/A Build 9600 OS Manufacturer: Microsoft Corporation OS Configuration: Standalone Server OS Build Type: Multiprocessor Free Registered Owner: Windows User Registered Organization: Product ID: 00253-50000-00000-AA656 Original Install Date: 9/26/2019, 7:11:06 AM System Boot Time: 3/22/2024, 3:32:47 AM System Manufacturer: Xen System Model: HVM domU System Type: x64-based PC Processor(s): 1 Processor(s) Installed. [01]: Intel64 Family 6 Model 63 Stepping 2 GenuineIntel ~2400 Mhz BIOS Version: Xen 4.11.amazon, 8/24/2006 Windows Directory: C:\Windows System Directory: C:\Windows\system32 Boot Device: \Device\HarddiskVolume1 System Locale: en-us;English (United States) Input Locale: en-us;English (United States) Time Zone: (UTC-08:00) Pacific Time (US & Canada) Total Physical Memory: 2,048 MB Available Physical Memory: 1,433 MB Virtual Memory: Max Size: 2,432 MB Virtual Memory: Available: 1,574 MB Virtual Memory: In Use: 858 MB Page File Location(s): C:\pagefile.sys Domain: WORKGROUP Logon Server: \\STEELMOUNTAIN Hotfix(s): 6 Hotfix(s) Installed. [01]: KB2919355 [02]: KB2919442 [03]: KB2937220 [04]: KB2938772 [05]: KB2939471 [06]: KB2949621 Network Card(s): 1 NIC(s) Installed. [01]: AWS PV Network Device Connection Name: Ethernet 2 DHCP Enabled: Yes DHCP Server: 10.10.0.1 IP address(es) [01]: 10.10.114.58 [02]: fe80::5101:5b83:7dcf:df2a Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed. ``` {% hint style="danger" %} Kernel Exploits can result in a BSOD so I will avoid them {% endhint %} ``` adot@kali:~/opt/wpe/Windows-Exploit-Suggester$ python2.7 windows-exploit-suggester.py -i ~/thm/steelmountain/sysinfo.txt -d 2024-03-02-mssb.xls [*] initiating winsploit version 3.3... [*] database file detected as xls or xlsx based on extension [*] attempting to read from the systeminfo input file [+] systeminfo input file read successfully (ascii) [*] querying database file for potential vulnerabilities [*] comparing the 6 hotfix(es) against the 266 potential bulletins(s) with a database of 137 known exploits [*] there are now 266 remaining vulns [+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin [+] windows version identified as 'Windows 2012 R2 64-bit' [*] [E] MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135) - Important [*] https://www.exploit-db.com/exploits/40745/ -- Microsoft Windows Kernel - win32k Denial of Service (MS16-135) [*] https://www.exploit-db.com/exploits/41015/ -- Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2) [*] https://github.com/tinysec/public/tree/master/CVE-2016-7255 [*] [E] MS16-098: Security Update for Windows Kernel-Mode Drivers (3178466) - Important [*] https://www.exploit-db.com/exploits/41020/ -- Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098) [*] [M] MS16-075: Security Update for Windows SMB Server (3164038) - Important [*] https://github.com/foxglovesec/RottenPotato [*] https://github.com/Kevin-Robertson/Tater [*] https://bugs.chromium.org/p/project-zero/issues/detail?id=222 -- Windows: Local WebDAV NTLM Reflection Elevation of Privilege [*] https://foxglovesecurity.com/2016/01/16/hot-potato/ -- Hot Potato - Windows Privilege Escalation [*] [E] MS16-074: Security Update for Microsoft Graphics Component (3164036) - Important [*] https://www.exploit-db.com/exploits/39990/ -- Windows - gdi32.dll Multiple DIB-Related EMF Record Handlers Heap-Based Out-of-Bounds Reads/Memory Disclosure (MS16-074), PoC [*] https://www.exploit-db.com/exploits/39991/ -- Windows Kernel - ATMFD.DLL NamedEscape 0x250C Pool Corruption (MS16-074), PoC [*] [E] MS16-063: Cumulative Security Update for Internet Explorer (3163649) - Critical [*] https://www.exploit-db.com/exploits/39994/ -- Internet Explorer 11 - Garbage Collector Attribute Type Confusion (MS16-063), PoC [*] [E] MS16-032: Security Update for Secondary Logon to Address Elevation of Privile (3143141) - Important [*] https://www.exploit-db.com/exploits/40107/ -- MS16-032 Secondary Logon Handle Privilege Escalation, MSF [*] https://www.exploit-db.com/exploits/39574/ -- Microsoft Windows 8.1/10 - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032), PoC [*] https://www.exploit-db.com/exploits/39719/ -- Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (PowerShell), PoC [*] https://www.exploit-db.com/exploits/39809/ -- Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (C#) [*] [M] MS16-016: Security Update for WebDAV to Address Elevation of Privilege (3136041) - Important [*] https://www.exploit-db.com/exploits/40085/ -- MS16-016 mrxdav.sys WebDav Local Privilege Escalation, MSF [*] https://www.exploit-db.com/exploits/39788/ -- Microsoft Windows 7 - WebDAV Privilege Escalation Exploit (MS16-016) (2), PoC [*] https://www.exploit-db.com/exploits/39432/ -- Microsoft Windows 7 SP1 x86 - WebDAV Privilege Escalation (MS16-016) (1), PoC [*] [E] MS16-014: Security Update for Microsoft Windows to Address Remote Code Execution (3134228) - Important [*] Windows 7 SP1 x86 - Privilege Escalation (MS16-014), https://www.exploit-db.com/exploits/40039/, PoC [*] [E] MS16-007: Security Update for Microsoft Windows to Address Remote Code Execution (3124901) - Important [*] https://www.exploit-db.com/exploits/39232/ -- Microsoft Windows devenum.dll!DeviceMoniker::Load() - Heap Corruption Buffer Underflow (MS16-007), PoC [*] https://www.exploit-db.com/exploits/39233/ -- Microsoft Office / COM Object DLL Planting with WMALFXGFXDSP.dll (MS-16-007), PoC [*] [E] MS15-132: Security Update for Microsoft Windows to Address Remote Code Execution (3116162) - Important [*] https://www.exploit-db.com/exploits/38968/ -- Microsoft Office / COM Object DLL Planting with comsvcs.dll Delay Load of mqrt.dll (MS15-132), PoC [*] https://www.exploit-db.com/exploits/38918/ -- Microsoft Office / COM Object els.dll DLL Planting (MS15-134), PoC [*] [E] MS15-112: Cumulative Security Update for Internet Explorer (3104517) - Critical [*] https://www.exploit-db.com/exploits/39698/ -- Internet Explorer 9/10/11 - CDOMStringDataList::InitFromString Out-of-Bounds Read (MS15-112) [*] [E] MS15-111: Security Update for Windows Kernel to Address Elevation of Privilege (3096447) - Important [*] https://www.exploit-db.com/exploits/38474/ -- Windows 10 Sandboxed Mount Reparse Point Creation Mitigation Bypass (MS15-111), PoC [*] [E] MS15-102: Vulnerabilities in Windows Task Management Could Allow Elevation of Privilege (3089657) - Important [*] https://www.exploit-db.com/exploits/38202/ -- Windows CreateObjectTask SettingsSyncDiagnostics Privilege Escalation, PoC [*] https://www.exploit-db.com/exploits/38200/ -- Windows Task Scheduler DeleteExpiredTaskAfter File Deletion Privilege Escalation, PoC [*] https://www.exploit-db.com/exploits/38201/ -- Windows CreateObjectTask TileUserBroker Privilege Escalation, PoC [*] [E] MS15-097: Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (3089656) - Critical [*] https://www.exploit-db.com/exploits/38198/ -- Windows 10 Build 10130 - User Mode Font Driver Thread Permissions Privilege Escalation, PoC [*] https://www.exploit-db.com/exploits/38199/ -- Windows NtUserGetClipboardAccessToken Token Leak, PoC [*] [M] MS15-078: Vulnerability in Microsoft Font Driver Could Allow Remote Code Execution (3079904) - Critical [*] https://www.exploit-db.com/exploits/38222/ -- MS15-078 Microsoft Windows Font Driver Buffer Overflow [*] [E] MS15-052: Vulnerability in Windows Kernel Could Allow Security Feature Bypass (3050514) - Important [*] https://www.exploit-db.com/exploits/37052/ -- Windows - CNG.SYS Kernel Security Feature Bypass PoC (MS15-052), PoC [*] [M] MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important [*] https://github.com/hfiref0x/CVE-2015-1701, Win32k Elevation of Privilege Vulnerability, PoC [*] https://www.exploit-db.com/exploits/37367/ -- Windows ClientCopyImage Win32k Exploit, MSF [*] [E] MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220) - Critical [*] https://www.exploit-db.com/exploits/39035/ -- Microsoft Windows 8.1 - win32k Local Privilege Escalation (MS15-010), PoC [*] https://www.exploit-db.com/exploits/37098/ -- Microsoft Windows - Local Privilege Escalation (MS15-010), PoC [*] https://www.exploit-db.com/exploits/39035/ -- Microsoft Windows win32k Local Privilege Escalation (MS15-010), PoC [*] [E] MS15-001: Vulnerability in Windows Application Compatibility Cache Could Allow Elevation of Privilege (3023266) - Important [*] http://www.exploit-db.com/exploits/35661/ -- Windows 8.1 (32/64 bit) - Privilege Escalation (ahcache.sys/NtApphelpCacheControl), PoC [*] [E] MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - Critical [*] http://www.exploit-db.com/exploits/35474/ -- Windows Kerberos - Elevation of Privilege (MS14-068), PoC [*] [M] MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443) - Critical [*] https://www.exploit-db.com/exploits/37800// -- Microsoft Windows HTA (HTML Application) - Remote Code Execution (MS14-064), PoC [*] http://www.exploit-db.com/exploits/35308/ -- Internet Explorer OLE Pre-IE11 - Automation Array Remote Code Execution / Powershell VirtualAlloc (MS14-064), PoC [*] http://www.exploit-db.com/exploits/35229/ -- Internet Explorer <= 11 - OLE Automation Array Remote Code Execution (#1), PoC [*] http://www.exploit-db.com/exploits/35230/ -- Internet Explorer < 11 - OLE Automation Array Remote Code Execution (MSF), MSF [*] http://www.exploit-db.com/exploits/35235/ -- MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python, MSF [*] http://www.exploit-db.com/exploits/35236/ -- MS14-064 Microsoft Windows OLE Package Manager Code Execution, MSF [*] [M] MS14-060: Vulnerability in Windows OLE Could Allow Remote Code Execution (3000869) - Important [*] http://www.exploit-db.com/exploits/35055/ -- Windows OLE - Remote Code Execution 'Sandworm' Exploit (MS14-060), PoC [*] http://www.exploit-db.com/exploits/35020/ -- MS14-060 Microsoft Windows OLE Package Manager Code Execution, MSF [*] [M] MS14-058: Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution (3000061) - Critical [*] http://www.exploit-db.com/exploits/35101/ -- Windows TrackPopupMenu Win32k NULL Pointer Dereference, MSF [*] [E] MS14-040: Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege (2975684) - Important [*] https://www.exploit-db.com/exploits/39525/ -- Microsoft Windows 7 x64 - afd.sys Privilege Escalation (MS14-040), PoC [*] https://www.exploit-db.com/exploits/39446/ -- Microsoft Windows - afd.sys Dangling Pointer Privilege Escalation (MS14-040), PoC [*] [E] MS14-035: Cumulative Security Update for Internet Explorer (2969262) - Critical [E] MS14-029: Security Update for Internet Explorer (2962482) - Critical [*] http://www.exploit-db.com/exploits/34458/ [*] [E] MS14-026: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732) - Important [*] http://www.exploit-db.com/exploits/35280/, -- .NET Remoting Services Remote Command Execution, PoC [*] [M] MS14-012: Cumulative Security Update for Internet Explorer (2925418) - Critical [M] MS14-009: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2916607) - Important [E] MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430) - Important [M] MS13-097: Cumulative Security Update for Internet Explorer (2898785) - Critical [M] MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) - Critical [M] MS13-080: Cumulative Security Update for Internet Explorer (2879017) - Critical [*] done ``` ``` PS C:\Users\Bill\Desktop> . .\powerup.ps1 PS C:\Users\Bill\Desktop> Invoke-AllChecks ServiceName : AdvancedSystemCareService9 Path : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory} StartName : LocalSystem AbuseFunction : Write-ServiceBinary -Name 'AdvancedSystemCareService9' -Path CanRestart : True Name : AdvancedSystemCareService9 Check : Unquoted Service Paths ServiceName : AdvancedSystemCareService9 Path : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile} StartName : LocalSystem AbuseFunction : Write-ServiceBinary -Name 'AdvancedSystemCareService9' -Path CanRestart : True Name : AdvancedSystemCareService9 Check : Unquoted Service Paths ServiceName : AdvancedSystemCareService9 Path : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe ModifiablePath : @{ModifiablePath=C:\Program Files (x86)\IObit; IdentityReference=STEELMOUNTAIN\bill; Permissions=System.Object[]} StartName : LocalSystem AbuseFunction : Write-ServiceBinary -Name 'AdvancedSystemCareService9' -Path CanRestart : True Name : AdvancedSystemCareService9 Check : Unquoted Service Paths ServiceName : AdvancedSystemCareService9 Path : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe ModifiablePath : @{ModifiablePath=C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe; IdentityReference=STEELMOUNTAIN\bill; Permissions=System.Object[]} StartName : LocalSystem AbuseFunction : Write-ServiceBinary -Name 'AdvancedSystemCareService9' -Path CanRestart : True Name : AdvancedSystemCareService9 Check : Unquoted Service Paths ServiceName : AWSLiteAgent Path : C:\Program Files\Amazon\XenTools\LiteAgent.exe ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory} StartName : LocalSystem AbuseFunction : Write-ServiceBinary -Name 'AWSLiteAgent' -Path CanRestart : False Name : AWSLiteAgent Check : Unquoted Service Paths ServiceName : AWSLiteAgent Path : C:\Program Files\Amazon\XenTools\LiteAgent.exe ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile} StartName : LocalSystem AbuseFunction : Write-ServiceBinary -Name 'AWSLiteAgent' -Path CanRestart : False Name : AWSLiteAgent Check : Unquoted Service Paths ServiceName : IObitUnSvr Path : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory} StartName : LocalSystem AbuseFunction : Write-ServiceBinary -Name 'IObitUnSvr' -Path CanRestart : False Name : IObitUnSvr Check : Unquoted Service Paths ServiceName : IObitUnSvr Path : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile} StartName : LocalSystem AbuseFunction : Write-ServiceBinary -Name 'IObitUnSvr' -Path CanRestart : False Name : IObitUnSvr Check : Unquoted Service Paths ServiceName : IObitUnSvr Path : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe ModifiablePath : @{ModifiablePath=C:\Program Files (x86)\IObit; IdentityReference=STEELMOUNTAIN\bill; Permissions=System.Object[]} StartName : LocalSystem AbuseFunction : Write-ServiceBinary -Name 'IObitUnSvr' -Path CanRestart : False Name : IObitUnSvr Check : Unquoted Service Paths ServiceName : IObitUnSvr Path : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe ModifiablePath : @{ModifiablePath=C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe; IdentityReference=STEELMOUNTAIN\bill; Permissions=System.Object[]} StartName : LocalSystem AbuseFunction : Write-ServiceBinary -Name 'IObitUnSvr' -Path CanRestart : False Name : IObitUnSvr Check : Unquoted Service Paths ServiceName : LiveUpdateSvc Path : C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory} StartName : LocalSystem AbuseFunction : Write-ServiceBinary -Name 'LiveUpdateSvc' -Path CanRestart : False Name : LiveUpdateSvc Check : Unquoted Service Paths ServiceName : LiveUpdateSvc Path : C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile} StartName : LocalSystem AbuseFunction : Write-ServiceBinary -Name 'LiveUpdateSvc' -Path CanRestart : False Name : LiveUpdateSvc Check : Unquoted Service Paths ServiceName : LiveUpdateSvc Path : C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe ModifiablePath : @{ModifiablePath=C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe; IdentityReference=STEELMOUNTAIN\bill; Permissions=System.Object[]} StartName : LocalSystem AbuseFunction : Write-ServiceBinary -Name 'LiveUpdateSvc' -Path CanRestart : False Name : LiveUpdateSvc Check : Unquoted Service Paths ServiceName : AdvancedSystemCareService9 Path : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe ModifiableFile : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe ModifiableFilePermissions : {WriteAttributes, Synchronize, ReadControl, ReadData/ListDirectory...} ModifiableFileIdentityReference : STEELMOUNTAIN\bill StartName : LocalSystem AbuseFunction : Install-ServiceBinary -Name 'AdvancedSystemCareService9' CanRestart : True Name : AdvancedSystemCareService9 Check : Modifiable Service Files ServiceName : IObitUnSvr Path : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe ModifiableFile : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe ModifiableFilePermissions : {WriteAttributes, Synchronize, ReadControl, ReadData/ListDirectory...} ModifiableFileIdentityReference : STEELMOUNTAIN\bill StartName : LocalSystem AbuseFunction : Install-ServiceBinary -Name 'IObitUnSvr' CanRestart : False Name : IObitUnSvr Check : Modifiable Service Files ServiceName : LiveUpdateSvc Path : C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe ModifiableFile : C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe ModifiableFilePermissions : {WriteAttributes, Synchronize, ReadControl, ReadData/ListDirectory...} ModifiableFileIdentityReference : STEELMOUNTAIN\bill StartName : LocalSystem AbuseFunction : Install-ServiceBinary -Name 'LiveUpdateSvc' CanRestart : False Name : LiveUpdateSvc Check : Modifiable Service Files DefaultDomainName : DefaultUserName : bill DefaultPassword : PMBAf5KhZAxVhvqb AltDefaultDomainName : AltDefaultUserName : AltDefaultPassword : Check : Registry Autologons ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://thm.adot8.com/try-hack-me/machines/steel-mountain/enumeration-1.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.