In this room you will enumerate a Windows machine, gain initial access with Metasploit, use Powershell to further enumerate the machine and escalate your privileges to Administrator.
If you don't have the right security tools and environment, deploy your own Kali Linux machine and control it in your browser, with our Kali Room.
Please note that this machine does not respond to ping (ICMP) and may take a few minutes to boot up.
Deploy the machine.
Who is the employee of the month?
Now you have deployed the machine, lets get an initial shell!
Scan the machine with nmap. What is the other port running a web server on?
Take a look at the other web server. What file server is running?
What is the CVE number to exploit this file server?
Use Metasploit to get an initial shell. What is the user flag?
Now that you have an initial shell on this Windows machine as Bill, we can further enumerate the machine and escalate our privileges to root!
To enumerate this machine, we will use a PowerShell script called PowerUp, whose purpose is to evaluate a Windows machine and determine any abnormalities: "PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations."
You can download the script here. Now you can use the upload command in Metasploit to upload the script.
To execute this using Meterpreter, I will type load powershell into meterpreter. Then I will enter powershell by entering powershell_shell:
Pay close attention to the CanRestart option that is set to true. What is the name of the service which shows up as an unquoted service path vulnerability?
With CanRestart set to true we are allowed to restart that service on the system, and the directory containing the application is also writable. This means we can replace the legitimate application with our malicious one and restart the service, which will then run our infected program!
Use msfvenom to generate a reverse shell as a Windows executable.
Upload your binary and replace the legitimate one. Then restart the program to get a shell as root.
Note: The service showed up as being unquoted (and could be exploited using this technique), however, in this case we have exploited weak file permissions on the service files instead.
What is the root flag?
Now let's complete the room without the use of Metasploit.
For this we will utilise powershell and winPEAS to enumerate the system and collect the relevant information to escalate to
To begin we shall be using the same CVE. However, this time let's use this exploit.
*Note that you will need to have a web server and a netcat listener active at the same time in order for this to work!*
To begin, you will need a netcat static binary on your web server. If you do not have one, you can download it from GitHub!
You will need to run the exploit twice. The first time will pull our netcat binary to the system and the second will execute our payload to gain a callback!
Congratulations, we're now on the system. Now we can pull winPEAS to the system using powershell -c.
Once we run winPEAS, we see that it points us towards unquoted paths. It also gives us the name of the service that is running from that path.
What powershell -c command could we run to manually find out the service name?
*Format is powershell -c "command here"*
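The misconfiguration this room walks through (an unquoted service path containing spaces, plus a directory on that path that non-administrators can write to) can be audited with one PowerShell script. The script below is an added example, not code from the room, PowerUp or winPEAS; the function names are my own, it uses only Get-CimInstance Win32_Service and Get-Acl, and it checks the file-system side only, not the service's own ACL (the CanRestart condition).

```powershell
# Added audit example (not the room's own code): list services whose binary path
# is unquoted and contains spaces, and flag path directories that grant write
# access to broad groups. Run from a PowerShell session on the Windows host.

function Test-WritableByNonAdmin {
    param([string]$Path)
    # A service directory should not grant write access to these principals.
    $broad = @('Everyone', 'BUILTIN\Users',
               'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    try { $acl = Get-Acl -Path $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broad -notcontains $ace.IdentityReference.Value) { continue }
        if ("$($ace.FileSystemRights)" -match 'Write|Modify|FullControl|CreateFiles') { return $true }
    }
    return $false
}

function Get-UnquotedServicePath {
    # Win32_Service exposes the raw command line (PathName), the account the
    # service runs as (StartName) and its start mode.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc  = $_
        $path = $svc.PathName
        if ([string]::IsNullOrWhiteSpace($path) -or $path.StartsWith('"')) { return }
        # Keep only the executable, dropping any arguments after ".exe".
        $exe = if ($path -match '^(.*?\.exe)') { $Matches[1] } else { $path }
        if ($exe -notmatch ' ') { return }   # no space: the path is harmless
        # Each space yields a candidate the service control manager tries first,
        # e.g. C:\Program.exe, then C:\Program Files\Vendor\App.exe, and so on.
        $parts = $exe -split ' '
        $dirs  = @()
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $dirs += Split-Path -Parent ($parts[0..($i - 1)] -join ' ')
        }
        $dirs += Split-Path -Parent $exe   # real binary directory (weak-ACL case)
        $writable = $dirs | Sort-Object -Unique |
            Where-Object { (Test-Path $_) -and (Test-WritableByNonAdmin $_) }
        [pscustomobject]@{
            Service      = $svc.Name
            RunsAs       = $svc.StartName
            StartMode    = $svc.StartMode
            Path         = $path
            WritableDirs = ($writable -join '; ')
        }
    }
}

# Fix for each finding: quote the path (sc.exe config <name> binPath= "\"<full path>\"")
# and remove write access for non-administrators on the listed directories.
Get-UnquotedServicePath | Format-Table -AutoSize
```

A service that shows up with a non-empty WritableDirs column and runs as LocalSystem is the case this room exploits; an unquoted path with no writable directory is still worth quoting, but is not directly abusable.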
Now let's escalate to Administrator with our newfound knowledge.
Generate your payload using msfvenom and pull it to the system using powershell.
Now we can move our payload to the unquoted directory winPEAS alerted us to and restart the service with two commands.
First we need to stop the service, which we can do like so:
sc stop AdvancedSystemCareService9
Shortly followed by:
sc start AdvancedSystemCareService9
Once this command runs, you will see you gain a shell as Administrator on our listener!