Quick Wins

whoami /priv # Printspoofer
whoami /groups # UAC Bypass
findstr /si password *.txt *.ini *.config # passwords # BREAKS THE SHELL A LOT # AVOID
# Powershell history passwords
type C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

# Is value 1? If yes, AlwaysInstallElevated
reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer

icacls "test.exe" # Insecure file permission
Get-Acl C:\xampp\htdocs\logs | fl # Same as icacls but better
wsl whoami # Windows subsystem
cmdkey /list # Stored creds so do Runas
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" # Autologon creds

# unquoted
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\"
wmic service list brief | findstr  "Running" # Scheduled tasks
netstat -ano # Chisel?

# Low-level findings
Look in temp, Look in system 32 for SAM and SYSTEM, Look for ssh keys
Look at PowerShell history and appcmd.exe on winpeas