TryHackMe — Windows PrivEsc WalkThrough

Aniket Badami
24 min readJan 13, 2021

--

This is a practical walkthrough of “Windows PrivEsc v 1.0” on TryHackMe. This room is created by Tib3rius aimed at understanding Windows Privilege Escalation techniques. There are no any Flags in this room tho, however the goal of this room is to gain system/admin level privileges on windows OS.

First Things First
Deploy the target machine (this machine might take upto 3–5 minutes to load and accessible)
There are two ways to access the deployed target machine.
1) Use attacker box — Provided by TryHackMe, it consist of all the required tools available for attacking.
2) Use OpenVpn configuration file to connect your machine (kali linux) to their network.
For the sake of demonstration I am using OpenVPN connection on my machine.

We won’t be using Metasploit for this challenge

All of my further commands will be executed as normal user not as root. So, if you’re also not executing all the commands as root then make sure to use sudo, as it can give you permission to run elevated programs.

On attacker machine (Kali Linux) we have to setup a samba server to share tools or shells between both OS. Before we setup I created a specific folder named “priv_tools” on my attacker machine. From that newly created folder, we have to run “ sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py tools .” to start samba service on local port 445.

Samba Service

As you can see from above screenshot, we have started samba service with share name “tools” and running in $pwd. Do not close this tab/window, let it run indefinitely and open a new tab or window for further commands and make sure you are in same directory.

We have to create a reverse shell using msfvenom with respective variables set. Make sure to change lhost (IP address) to your kali machines IP

Msfvenom

Note: I know I said we won’t need Metasploit to complete room, using this reverse shell we can receive remote connection using netcat (nc) from target.

Now set up a listener on Kali Machine to receive reverse connections when we execute previously created .exe file on target machine.

NetCat Listener

Now we need to access target machine using its RDP. They have already given us the local user (less privileged) credentials. Run the below command to access RDP from Kali Machine.

RDP Access

Once we access target windows OS successfully, open command prompt, change directory to C:\PrivEsc. This directory has all the tools required for this room to complete.

CMD

Now we need to download our rev.exe (reverse shell) from Kali to Windows using below command.

Copy Reverse Shell

As this room is all about Privilege Escalation, so we need some kind of initial access on target OS with lower privileges. Now we need to run the reverse shell on target to connect our netcat on kali machine.

Initial Access

Once we execute that exe file, we receive connection on netcat and run ‘whoami /priv’ to find the available privileges to current user.

Whoami /priv

Our first challenge is based on “Service Exploits”.

“Services are simply programs that run in the background, accepting input or performing regular tasks. If services run with SYSTEM privileges and are misconfigured, exploiting them may lead to command execution with SYSTEM privileges as well”.

Service Misconfiguration

1. Insecure Service Properties
2. Unquoted Service Path
3. Weak Registry Permissions
4. Insecure Service Executables
5. DLL Hijacking

Task is Service Exploits — Insecure Service Permissions

If our user has permission to change the configuration of a service which runs with SYSTEM privileges, we can change the executable the service uses to one of our own.

“Potential Rabbit Hole: If you can change a service configuration but cannot stop/start the service, you may not be able to escalate privileges!”

We are going to use some tools which will allow us to automate the reconnaissance that can identify potential privilege escalations.

winPEAS is a very powerful tool that not only actively hunts for privilege escalation misconfigurations, but highlights them for the user in the results.

AccessChk is an old but still trustworthy tool for checking user access control rights.You can use it to check whether a user or group has access to files, directories, services, and registry keys.

Will start our recon with winPEAS application which is already on the target machine. winPEAS can scrape a lot of information, so we restrict with some parameters. The below command will only search for services related misconfigurations on target machine.

winPEAS

Note: We have to run these commands from netcat session on Kali Linux.

Upon execution, it gives you a a lot of information and it is color coded and every color has a meaning. See below

Color Code

Let’s concentrate on red color to find first service related misconfiguration.

daclsvc misconfig

As you can see, there is a service called DACL which is misconfigured and we can take advantage of this to elevate our privileges. To do that, we need to switch the daclservice.exe with our reverse shell (rev.exe) and need to start the service manually. Before we switch the exe file, we need to find whether we have to permission to start the service or not. If we don’t have the permission then its a dead end.

To check available permission, we use accesschk application.

accesschk

Run above command to get the permission list. As you can see, we have permission to start and stop the service. So, we can definitely exploit this to gain elevated privileges.

-v verbose

-w write access

-q quite/omit banner

-e Only show explicitly set Integrity Levels

-c Windows service name

So, if we exploit this misconfiguration, then what kind of privilege we gain? To check that we can run below command.

service control manager

Using sc (service control manager) we can query the configuration information for a service. As you can see from the result, “SERVICE_START_NAME : LocalSystem”, we would get local system privileges upon successful exploit.

We also need to make sure whether the service is running or stopped at the moment. To do that run below command.

SC Query

As you can see, the service is stopped for time being. But, we have to permission to start it back.

So, now we switch the binary file with our own. To do that, run below command.

sc config

Make sure to use exact name of your binary file and give space after = . Now we switched the binary file with ours. Now we need to start another netcat listener on kali machine. To do that open a new tab/window and run bellow command.

netcat listener

We are using the same reverse shell (rev.exe) file so, we have to use same port#.

Our listener is set, now from remote command prompt, run below command to start the daclsvc service.

start daclsvc

The moment you run that command, you’d get a reverse connection from target OS on second netcat listener.

elevated privilege

As you can see, we now have system level access on target machine. We got this successfully by exploiting a service misconfiguration.

What is the original BINARY_PATH_NAME of the daclsvc service?
Find the answer from service control manager

Exit the second netcat session (system).

exit second netcat

Task is Service Exploits — Unquoted Service Path

“Executables in Windows can be run without using their extension (e.g. “whoami.exe” can be run by just typing “whoami”).
Some executables take arguments, separated by spaces, e.g. someprog.exe arg1 arg2 arg3…
This behavior leads to ambiguity when using absolute paths that are unquoted and contain spaces”

Consider the following unquoted path: C:\Program Files\Some Dir\SomeProgram.exe
To us, this obviously runs SomeProgram.exe. To Windows, C:\Program could be the executable, with two arguments: “Files\Some” and “Dir\ SomeProgram.exe”
Windows resolves this ambiguity by checking each of the possibilities in turn. If we can write to a location Windows checks before the actual executable, we can trick the service into executing it instead.

Check our previous winPEAS result for unquoted path service section.

winPEAS result

As you can see the above result, there is a service running on target machine named as “unquotedsvc” which also contain spaces.

If we query the service using sc, then we get the below result.

service query

If we exploit it then we’d get local system privileges and as you can see the binary path name has spaces.

What that really means?
In Windows, if the service is not enclosed within quotes and is having spaces, it would handle the space as a break and pass the rest of the service path as an argument.

If we have permission to write a custom file to wither c:\ or c:\Program Files or c:\Program Files\Unquoted Path Service, then we can exploit this vulnerability to gain elevated privileges.

Let’s check for permissions in above mentioned path.

accesschk on c:\
accesschk on c:\ sub dir

As you can see in the first result of accesschk under builtin\user, we dont have any write permission, but in in second image we have file all access, it simply means we can add our custom files.

Now we need to copy our reverse shell (rev.exe) to following path “c:\program files\unquoted path service\” and name the file as Common.exe

copy reverse shell

On kali machine, start another netcat listener from different tab/window.

netcat listener

Now start the service to run our reverse shell

start service

We get the reverse shell from target with system privileges

reverse shell

What is the BINARY_PATH_NAME of the unquotedsvc service?
Check service control manager

Note: Make sure to exit this new netcat session.

Task is Service Exploits — Weak Registry Permissions

“The Windows registry stores entries for each service.
Since registry entries can have ACLs, if the ACL is misconfigured, it may be possible to modify a service’s configuration even if we cannot modify the service directly.”

Run winPEAS again with same servicesinfo arguments. This time look for registry related section.

registry

There is a service running named “regsvc”, which is misconfigured in registry.

regsvc binary path

Its binary path is as shown in above image. To exploit this we have two possible ways, one we can remove the existing exe file and replace with our rev.exe to get reverse shell and two we have to modify the registry path itself to our rev.exe file.

If we have permission to read/write to c:\program files\insecure registry service directory then we can go with first option. We can check the permission with accesschk program.

accesschk

Unfortunately we don’t have any kind of permission on that directory.

Now we have to modify the registry path itself to work. Run below command to find the permission to modify the Registry.

accesschk registry

As you can see, NT Authority\Interactive has read/write access, our intial user is part of that group thus we have full control of the registry key for that service.

If the permissions for users and groups are not properly set and allow access to the Registry keys for a service, then we can change the service binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, then our program will execute, allowing the us to gain persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).

Run below command to modify the registry and set imagepath to our rev.exe path.

registry modify

Start another netcat listener on kali linux

netcat listener

From remote command prompt run below command to start the service.

start service

We’d get the system level access after successful execution.

system access

Note: Make sure to exit this new netcat session

Task is Service Exploits — Insecure Service Executables

“If the original service executable is modifiable by our user, we can simply replace it with our reverse shell executable.
Remember to create a backup of the original executable if you are exploiting this in a real system!”

Run winPEAS again with the same servicesinfo arguments.

File Permission

As you can see in the above result of winPEAS, there’s a service named ‘filepermsvc’ running with all types of access for everyone, that means we can modify service executable with our own reverse shell executable (rev.exe).

If we exploit this vulnerability the we’d get local system privileges, you can check it by executing below command.

service query

Let’s check the permission with accesschk application to find whether we have power to modify the file or not.

accesschk

As you can see the result, all users have full access to read/write on the file. Now we need to copy our rev.exe to that specific folder and need to overwrite the file with same service executable name. To do that run below command.

copy reverse shell

The file is copied successfully, now we need to start the service, before we start the service, we need to set a new netcat listener in another tab.

net cat listener

To start the service, run below command,

sercice start

Now we have local system privileges.

system privileges

Note: Make sure to exit this new netcat session

Task is Registry — AutoRuns

“Windows can be configured to run commands at startup, with elevated privileges. These “AutoRuns” are configured in the Registry. If you are able to write to an AutoRun executable, and are able to restart the system (or wait for it to be restarted) you may be able to escalate privileges.“

Run winPEAS again with applicationsinfo arguments.

winpeas autorun

As you can see the result, there’s an application running as autorun when system restarts with folder/file and registry path. Let’s run accesschk to find permissions for that file.

accesschk

As you can see, every builtin user has full access to file. Now we need to copy our rev.exe to autorun program folder. Run below command to copy.

Copy reverse shell

Start a new netcat listener from another tab.

net cat listener

Note: on Windows 10, the exploit appears to run with the privileges of the last logged on user, so log out of the “user” account and log in as the “admin” account first.

Admin access

We would not get local system access by exploiting this, the reason behind this is a user must login to run our autorun program, as local system is not a user. So, in real world environments, we have to wait for admin to login to get administrator level privileges.

Note: Make sure to exit this new netcat session

Task is Registry — AlwaysInstallElevated

“MSI files are package files used to install applications. These files run with the permissions of the user trying to install them. Windows allows for these installers to be run with elevated (i.e. admin) privileges. If this is the case, we can generate a malicious MSI file which contains a reverse shell.”

“The catch is that two Registry settings must be enabled for this to work.
The “AlwaysInstallElevated” value must be set to 1 for both the local machine:
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
and the current user: HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
If either of these are missing or disabled, the exploit will not work.”

Run winPEAS with windowscreds arguments.

winpeas always install elevated

We need to generate a new reverse shell with msi extension using msfvenom. Our previous rev.exe would not work as it is an executable not package (msi).

msfvenom msi reverse shell

As we have generated this in home folder of Kali Linux, so we need to move this file to priv_tools. Because, on priv_tools we are already running samba service, so it’d be easy to copy this msi file to target machine easily.

copy msi to priv_tools

Now we need to download rev.msi file from kali to target using our initial net cat session.

copy msi reverse shell

Start a new net cat listener in another tab.

net cat listener

Now we need to install the msi reverse shell.

msiexec installation

/quiet -Specifies quiet mode, which means there’s no user interaction required.
/qn -Specifies there’s no UI during the installation process.
/i -Specifies normal installation.

After installation, we get the our reverse shell with system level privileges.

system privileges

Note: Make sure to exit this new netcat session

Task is Passwords — Registry

“Even administrators re-use their passwords, or leave their passwords on systems in readable locations. Windows can be especially vulnerable to this, as several features of Windows store passwords insecurely.”

Registry — “Plenty of programs store configuration options in the Windows Registry. Windows itself sometimes will store passwords in plaintext in the Registry. It is always worth searching the Registry for passwords.”

Run winPEAS with filesinfo (Search files that can contains credentials) and userinfo (Search user information) arguments.

winpeas user information
admin creds

Note: We manually query them, but it would take much time and generate a lot of data to filter.

WinPEAS found admin credentials saved by putty application in its registry. Alternatively you can query the registry to verify.

admin creds

Now we have admin password. So, we can gain elevated privileges by logging in directly using those credentials. We don’t need to setup a net cat listener, as this is not a reverse shell.

winexe

Note: Make sure to exit this new netcat session

Task is Passwords — Saved Creds

“Windows has a runas command which allows users to run commands with the privileges of other users. This usually requires the knowledge of the other user’s password. However, Windows also allows users to save their credentials to the system, and these saved credentials can be used to bypass this requirement.”

Run winPEAS with cmd (Obtain wifi, cred manager and clipboard information executing CMD commands) and windowscreds (Search windows credentials) arguments.

winpeas command
winpeas creds result

Alternatively, we can run below command too.

cmdkey

Now we know that admin credentials are stored in windows credentials manager vault. We can use to get the reverse shell with admin privileges. Setup a new netcat listener in another tab and run below command.

runas command
admin privileges

Note: Make sure to exit this new netcat session

Task is Passwords — Security Account Manager (SAM)

“Windows stores password hashes in the Security Account Manager (SAM). The hashes are encrypted with a key which can be found in a file named SYSTEM. If you have the ability to read the SAM and SYSTEM files, you can extract the hashes.”

The SAM and SYSTEM files are located in the C:\Windows\System32\config directory.
The files are locked while Windows is running.
Backups of the files may exist in the C:\Windows\Repair or C:\Windows\System32\config\RegBack directories.

Now we need to find SAM & SYSTEM files and copy to Kali Linux using samba service.

SAM
SYSTEM

We successfully copied SAM and SYSTEM to our Kali Linux machine. Now we need to extract the hash using another tool called ‘CredDump’.

On our Kali Linux, we have to clone this repository from github.

clone cred dump

Note: Due to some weird reason, my Kali Linux couldn't able to run cred dump script. So, I ran this on my macOS using below command.

cred dump

Now we have hashes of admin, user and administrator accounts. Let’s use another application called ‘hashcat’ to crack admin hash.

hashcat

-m -hash type (1000 is NTLM)

-force -ignore warnings

rockyou.txt -wordlist

Once hashcat cracks the password, it’d give result like below.

cracked hash

Note: We can use these cracked password to login using winexe or rdp

Task is Passwords — Passing the Hash

“Windows accepts hashes instead of passwords to authenticate to a number of services. We can use a modified version of winexe, pth-winexe to spawn a command prompt using the admin user’s hash.”

We already have the hash from previous task, so we use them to pass it through pth-winexe to get a shell with admin privileges.

pass the hash to gain admin shell

If you want system level shell, then you have to run below command. This only works, if you already have administrator credentials.

pass the hash system shell

Note: Make sure to exit this session

Task is Scheduled Tasks

“Windows can be configured to run tasks at specific times, periodically (e.g. every 5 mins) or when triggered by some event (e.g. a user logon). Tasks usually run with the privileges of the user who created them, however administrators can configure tasks to run as other users, including SYSTEM.”

Note: There’s no easy way to enumerate custom tasks that belong to other users as a low privileged user account.

Run below command to list all scheduled tasks our user can see.

schtasks /query /fo LIST /v

PS> Get-ScheduledTask | where {$_.TaskPath -notlike “\Microsoft*”} | ft TaskName,TaskPath,State

These above two commands can give a list of available Scheduled tasks, but in this challenge they are no use. Most of the times we have to rely on other clues, such as finding a script or log file that indicates a scheduled task is being run.

According to the task, there’s a script in C drive called cleanup.ps1.

devtools

Switch to devtools directory and read the content of the file. As you can see the script, it’s been running every minute to clear the log files with system level privileges. Let’s check the permissions on this file using accesschk application. Change the directory to PrivEsc and run below command.

accesschk

As you can see we can able to append data and write data to this script. So, let’s append our rev.exe to this script to get back reverse shell on our machine. Setup a new netcat listener first from another tab, then run below commands.

append reverse shell to cleanup script

Wait for the scheduled task to run (it should run every minute) to get the reverse shell.

system level access

Note: Make sure to exit this new netcat session

Task is Insecure GUI Apps

“On some (older) versions of Windows, users could be granted the permission to run certain GUI apps with administrator privileges. There are often numerous ways to spawn command prompts from within GUI apps, including using native Windows functionality. Since the parent process is running with administrator privileges, the spawned command prompt will also run with these privileges.
We call this the “Citrix Method” because it uses many of the same techniques used to break out of Citrix environments.”

For this challenge we need GUI access of the user, we can get that using rdp or rdesktop. Run below command to access GUI (if it’s already not running).

xfreerdp /u:user /p:password321 /cert:ignore /v:10.10.125.156

Once you are on windows GUI, from desktop open “adminpaint” application. Then, open cmd prompt and run below command.

task list

tasklist /V command gives us all the process/services information which are running on the system with under which user it’s running. As you can see from the above result, mspaint.exe is executed by low privileged user but task is being run with admin level privileges. We can abuse to gain admin/system level shell on the system.

From mspaint, click file and open, and from navigation bar, run the following

mspaint

It open command prompt with administrator level privileges.

admin level access

Task is Startup Apps

“Each user can define apps that start when they log in, by placing shortcuts to them in a specific directory. Windows also has a startup directory for apps that should start for all users: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp If we can create files in this directory, we can use our reverse shell executable and escalate privileges when an admin logs in.”

Let’s do a permission check on that folder using accesschk

accesschk

As you can see, our builtin user (\Users) has access to read/write on this directory. So, we can add a startup script to this directory upon script execution we would get a admin privileges.

They have already given us the script in “PrivEsc” directory.

vb script

As you can see, if we invoke this script, then it’d create a link (lnk) file in startup folder with specified path of our reverse shelll executable. We have to change one thing and that is our reverse shell file name (rev.exe).

If this was Linux box we could have edited the script file directly using VIM, this dumb windows machine can’t do stuff like that.

rename

Let’s run this script.

run script

Now we need to setup a new netcat listener from another terminal tab and need to restart the windows to work. Once restarted, we need to login using admin credentials which we gathered earlier.

admin level access

Upon login with admin creds, we get reverse shell access on new netcat.

Note: Make sure to exit this new netcat session

Task is Token Impersonation — Rogue Potato

History of Potato Attack

There are a lot of different potatoes used to escalate privileges from Windows Service Accounts to NT AUTHORITY/SYSTEM.

Hot, Rotten, Lonely, Juicy and Rogue are family of potato exploits. To understand more about these attacks click on the type of attack and read the blog from the exploit devs.

TL;DR — Every potato attack has it’s own limitations
If the machine is >= Windows 10 1809 & Windows Server 2019 — Try Rogue Potato
If the machine is < Windows 10 1809 < Windows Server 2019 — Try Juicy Potato

This can only be done if current account has the privilege to impersonate security tokens. This is usually true of most service accounts and not true of most user-level accounts. In our case, we don’t have Privilege to impersonate security tokens.

Privileges

As you can see in the above result, even though we are admin we don’t have “SeImpersonatePrivilege” available. Although we can gain system privileges using different methods, as we have already gone through some of them above. But, what if we land on a local service account in real world pentesting or any CTF?

This challenge is about gaining a local service account access and using it to elevate privileges to system. So, first we need to get a reverse shell of local service on our kali linux. To do that we need to start a net cat listener and run below command from RDP session command prompt. (note: to run this below command we need administrator privileges).

PsExec

PsExec is a command-line tool that lets you execute processes on remote systems and redirect console applications’ output to the local system so that these applications appear to be running locally.

So, basically what we are doing is, running PsExec on target machine with -i and -u arguments to get a reverse shell with “local service” privileges.

whoami

As you can see from the above result, we spawned a reverse shell with local service privileges. if we run whoami /priv on this, we get below result.

whoami /priv

As you can see this service has “SeImpersonatePrivilege” enabled, we can abuse this to spawn system privileges using “Rogue Potato” exploit.

“If you have SeAssignPrimaryToken or SeImpersonateprivilege, you are SYSTEM”. @decoder_it

These two privileges are very powerful indeed. They allow you to run code or even create a new process in the context of another user.

How does this work?

Credit

We have a local service access, now we need to setup a network redirector/port forwarder on our kali linux machine (must use 135 as source port) and redirecting back to Remote on any tcp port.

Socat

What’s happening in above command is we are opening a port #135 on kali machine, accepting connections, and forwarding the connections to port 4444 on the remote host (target).

Now we need to run rogue potato binary file on target with arguments. Before we do that, we need to start another netcat listener on kali machine.

RoguePotato

We are running the binary with -r (remote IP — Kali IP), -e (reverse shell executable path) and -l listening port. After successful execution, you would get reverse shell on netcat listener.

System Level Access

Note: Make sure to exit netcat session which has system level access. Please do not exit “local service” net cat session. As we need it in next task.

Task is Token Impersonation — PrintSpoofer

The goal of PrintSpoofer and RoguePotato is same to elevate privileges using same technique “SeImpersonatePrivilege”. However, RoguePotato came later after understanding two interesting exploits. Blog information is in credits.

Credit

Exploit tools of the Potato family are all based on the same idea: relaying a network authentication from a loopback TCP endpoint to an NTLM negotiator. To do so, they trick the NT AUTHORITY\SYSTEM account into connecting and authenticating to an RPC server they control by leveraging some peculiarities of the IStorage COM interface. This blog explains more technically than I ever could. Read

So, this exploit to work, we need local service or network service access and with “SeImpersonatePrivilege” or “SeAssignPrimaryTokenPrivilege” enabled.

local service
whoami /priv

Run “PrintSpoofer.exe” on local service shell with -c <Execute the command or executable> and -i <Interact with the new process in the current command prompt>. Before you do that, setup a new net cat listener on kali linux.

printspoofer

Upon execution, you would get a reverse connection on new net cat listener.

System Level Access

Privilege Escalation Strategy

This section is coming straight from Tib3rius Udemy Course.

Spend some time and read over the results of your enumeration.
If WinPEAS or another tool finds something interesting, make a note of it.
Avoid rabbit holes by creating a checklist of things you need for the privilege escalation method to work.

Have a quick look around for files in your user’s desktop and other common locations (e.g. C:\ and C:\Program Files).
Read through interesting files that you find, as they may contain useful information that could help escalate privileges.

Try things that don’t have many steps first, e.g. registry exploits, services, etc.
Have a good look at admin processes, enumerate their versions and search for exploits.
Check for internal ports that you might be able to forward to your attacking machine.

If you still don’t have an admin shell, re-read your full enumeration dumps and highlight anything that seems odd.
This might be a process or file name you aren’t familiar with or even a username.
At this stage you can also start to think about Kernel Exploits.

--

--