[Day 13] Networking They Lost The Plan! | Advent of Cyber 3 (2021)
Yeah, we will get the Administrator back. Today is about Privilege Escalation. If you don’t know about privilege escalation, it’s about how to get high privileges (administrator/root) starting from lower privileges.
Learning Objectives
- Understanding different types of user privileges in Windows
- Different privilege escalation techniques
- Exploiting a privilege escalation vulnerability
Let’s get to Escalate…
# Complete the username: p…..
pepper
# What is the OS version?
10.0.17763 N/A Build 17763
# What backup service did you find running on the system?
IperiusSvc
# What is the path of the executable for the backup service you have identified?
C:\Program Files (x86)\Iperius Backup\IperiusService.exe
# Run the whoami command on the connection you have received on your attacking machine. What user do you have?
the-grinch-hack\thegrinch
Open the Iperius Backup app and create a backup schedule.
Make sure you have nc.exe; on my AttackBox it is in the Downloads folder. Then make the connection with a bat file.
Check “run a program or open external file” and select our bat file.
Listen on your AttackBox on port 1337, or whichever port you wrote in your bat file. Then select Run backup as service (/the-grinch-hack\thegrinch). This means the backup schedule runs as another user, thegrinch (as Administrator).
Wait a second, and it’s pwned.
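Seen from the defender's side, what made this work is a third-party service that runs under an administrator account and will launch a program chosen in a backup job. The Python below is an added example, not part of the original write-up: it parses `sc qc` output and flags services outside `C:\Windows` that run as SYSTEM or as a listed administrator. The sample output, the `.\thegrinch` start account and all function names are constructed for illustration.

```python
import re

# Constructed `sc qc` output for two services, trimmed to a few fields (not
# captured from a real host; the IperiusSvc start account is an assumption).
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: IperiusSvc
        BINARY_PATH_NAME   : C:\Program Files (x86)\Iperius Backup\IperiusService.exe
        SERVICE_START_NAME : .\thegrinch

[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Spooler
        BINARY_PATH_NAME   : C:\Windows\System32\spoolsv.exe
        SERVICE_START_NAME : LocalSystem
"""

FIELD = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*$")

def parse_sc_qc(text):
    """Split concatenated `sc qc` output into one dict per service."""
    services, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "SERVICE_NAME":
            current = {key: value}
            services.append(current)
        elif current is not None:
            current[key] = value
    return services

def account_name(start_name):
    """Reduce a HOST-qualified or UPN-style account to a bare lowercase name."""
    return start_name.split("\\")[-1].split("@")[0].lower()

def risky_services(text, admin_accounts):
    """Names of services outside C:\\Windows that run as SYSTEM or a listed admin."""
    privileged = {"localsystem"} | {a.lower() for a in admin_accounts}
    findings = []
    for svc in parse_sc_qc(text):
        path = svc.get("BINARY_PATH_NAME", "").strip('"').lower()
        third_party = not path.startswith("c:\\windows\\")  # assumes system drive C:
        if third_party and account_name(svc.get("SERVICE_START_NAME", "")) in privileged:
            findings.append(svc["SERVICE_NAME"])
    return findings

if __name__ == "__main__":
    print(risky_services(SAMPLE_SC_QC, {"thegrinch"}))
```

The administrator list is supplied by the caller, for example from the members of the local Administrators group, because `sc qc` alone does not say how privileged a start account is.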
# What is the content of the flag.txt file?
THM-736635221
The important file is always in the Documents folder, so just go there.
# The Grinch forgot to delete a file where he kept notes about his schedule! Where can we find him at 5:30?
jazzercize
Conclusion
Privilege escalation is part of the exploitation phase in penetration testing. Besides what we did above, there are many other methods of privilege escalation. Practicing more methods and becoming familiar with them is the better way.
Thanks