12. Enumerate Local Privileges and AutoLogon

We're now in the post-exploitation phase with access to the system as sysadmin. Our goal is privilege escalation β€” gaining full control (Administrator or SYSTEM access).

πŸ”§ Step-by-Step: Run winPEASx64.exe to Find PrivEsc Vectors:

1. πŸ“ Upload winPEASx64.exe to the target via evil-winrm

From your Kali machine, in the same folder where winPEASx64.exe is saved:

evil-winrm -i 192.168.10.4 -u 'sysadmin' -p 'NewPassword123'

Once inside the shell:

upload winPEASx64.exe

It will upload the file to the current directory (usually C:\Users\sysadmin\).

2. 🧠 Run winPEASx64.exe inside the shell

After upload completes, run:

Let it run fully β€” it will check:

  • πŸ” Stored credentials (AutoLogon, saved RDP passwords, etc.)

  • βš™οΈ Misconfigured services (e.g., unquoted paths)

  • πŸ“¦ Files with weak permissions

  • πŸ”Ό PrivEsc misconfigs (AlwaysInstallElevated, etc.)

3. πŸ” Look for These in Output

Pay attention to:

  • AutoLogon credentials ➜ cleartext passwords

  • AlwaysInstallElevated ➜ lets any user install MSI as SYSTEM

  • Unquoted service paths ➜ exploitable services

  • Writable services ➜ can hijack a service

  • Credential files in registry or config folders

To get AutoLogon Credentials (manually via WinRM)

Once you're inside using evil-winrm:

Look for these keys in the output:

  • DefaultUserName

  • DefaultPassword ← this is what you want!

  • AutoAdminLogon (should be set to 1 if enabled)

The AutoLogon password configured for the administrator user is:

πŸ“Œ Found in this registry value:

So the full AutoLogon credentials are:

  • Username: administrator

  • Password: d0m@in_c0ntr0ll3r

We can now try using these credentials for SMB, WinRM, or any service that accepts domain login.

Previous11. Validate New Credentials via WinRMNext13. Reuse Administrator Credentials

Last updated