Methodology

Once you have gained access to a system, it is paramount to look for other credentials which may be stored on it. These may be hidden in the Windows Registry, in log or configuration files, and elsewhere. Moreover, you should check whether any credentials you have previously found work with anything else.
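As an added example (not part of the original page), the following Python script shows the defensive side of the "credentials in configuration or log files" point: a small keyword-based scanner that an administrator can run over config and log files to find leaked secrets so they can be scrubbed and rotated before anyone else finds them. The sample lines and the key names in the patterns are constructed for illustration; findings are redacted so the report itself does not become a new credential store.

```python
import re
from typing import Dict, List

# Constructed sample lines (not from the original page) resembling the
# contents of an INI-style config file and an application log.
SAMPLE_LINES = [
    "db_host=db01.internal",
    "db_password=Sup3rS3cret!",
    "2024-01-05 10:22:13 INFO user=svc_backup login ok",
    "2024-01-05 10:22:14 DEBUG Authorization: Basic dXNlcjpwYXNz",
    "api_key: k3yvalue-constructed-0001",
    "# password = Winter2023",
    "timeout=30",
]

# Heuristic: key names that commonly carry secrets, followed by '=' or ':'
# and a value. Deliberately has no leading word boundary so prefixed keys
# such as db_password still match; expect some false positives to triage.
KEY_PATTERN = re.compile(
    r"(?i)(pass(word|wd)?|pwd|secret|api[_-]?key|token|connectionstring)"
    r"\s*[:=]\s*(?P<value>\S+)"
)
# HTTP Basic credentials echoed into a log by an over-verbose client.
BASIC_AUTH_PATTERN = re.compile(r"(?i)Authorization:\s*Basic\s+(?P<value>[A-Za-z0-9+/=]+)")


def redact(value: str) -> str:
    """Keep only the first two characters: enough to identify the finding,
    not enough to reuse the credential."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def scan_lines(lines: List[str], source: str = "constructed") -> List[Dict[str, object]]:
    """Return one finding per line that looks like it contains a credential."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        for kind, pattern in (("keyvalue", KEY_PATTERN), ("basic_auth", BASIC_AUTH_PATTERN)):
            match = pattern.search(line)
            if match:
                findings.append({
                    "source": source,
                    "line": lineno,
                    "kind": kind,
                    "redacted": redact(match.group("value")),
                })
                break  # one finding per line is enough for triage
    return findings


if __name__ == "__main__":
    # Real use: read each file under review with open(path, errors="replace")
    # and pass its lines with source=path.
    for finding in scan_lines(SAMPLE_LINES):
        print(f"{finding['source']}:{finding['line']} [{finding['kind']}] {finding['redacted']}")
```

Each hit is a file and line to clean up and a credential to rotate; the commented-out password on the sixth sample line is reported on purpose, since a comment is still readable by anyone who can open the file.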

You should also check if you have access to the Windows SYSTEM or SAM files or any of their backups, since those will contain the hashes for users on the system. If so, you might be able to perform a pass-the-hash attack or simply crack them.

If the compromised system is a Windows Server, you should look for any stored credentials which can be used with RunAs.

You should check the Windows build and version and see whether any kernel exploits are available for it. You should then move on to enumerating misconfigurations in services and other Windows-specific vectors.

If none of these bear any fruit, you should look at the programmes installed on the system, enumerate them for misconfigurations, and check their versions for any known exploits. If none are found, you might consider reverse engineering and binary exploitation as a last resort.

Finally, if you have gained access as a local administrator, you should proceed to looking for ways to bypass UAC.

In essence:

  1. Credentials
    • Reused Credentials
    • Credentials in Configuration or Log files
    • Credentials in the Windows Registry
    • Credentials from the Windows SAM and SYSTEM files
    • Pass-the-hash attacks
    • Stored Credentials (Windows Servers)
  2. Kernel Exploits
  3. Misconfigurations
  4. Bypassing UAC