Privilege Escalation

The Privilege Escalation on this machine was rather easy to identify and easy to exploit as well. This was actually an exploit path that I have encountered multiple times during my journey to the OSCP.

So right off the bat, we spot an unusual directory that could possibly lead us somewhere interesting.

Inside this folder we see multiple notes, and upon reading this note, we now understand that TFTP.exe is executed every 5 minutes. Although this is not necessarily a guaranteed privilege escalation path, it usually is.

So how do we exploit this? We basically generate a payload with the same name and put it in that folder in place of the original. Wait 5 minutes and we should get a reverse shell with the same permissions the binary runs with. In our case, hopefully that is Administrator.

We rename TFTP.EXE to TFTP_old.exe.

Transferred the binary to that Backup folder and after waiting 5 minutes.
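From the defender's side, the condition that makes this path work is a periodically executed binary sitting in a folder that low-privileged users can write to. The following audit script is an added example, not part of the original write-up: it lists scheduled-task binaries whose file or parent folder grants write-type rights to common low-privileged groups. It assumes the 5-minute job is a Windows scheduled task (the page does not say how it is launched), and the `$lowPriv` list and the `Get-WeakAce` helper are illustrative names.

```powershell
# Added audit example. Assumes the periodic job is a Windows scheduled task.
# Run from an elevated prompt so every task and ACL is readable.

# Low-privileged principals to look for (assumed list; extend with your own groups).
$lowPriv = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'

# Only the bits that allow changing, replacing or re-permissioning an object.
# Modify and FullControl are not listed because they include read bits and would
# match read-only ACEs; they are still caught through the write bits they contain.
$writeBits = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherit-only ACEs can carry raw generic rights: GENERIC_ALL and GENERIC_WRITE.
$mask = [int]$writeBits -bor 0x10000000 -bor 0x40000000

function Get-WeakAce {
    param([string]$Path)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPriv -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights -band $mask) -ne 0)
    }
}

foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Only exec actions have an Execute property; COM handler actions do not.
        if (-not $action.Execute) { continue }
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
        # Bare names such as "cmd.exe" resolve through PATH and are skipped here.
        if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }

        # Check the binary and its folder: write access to the folder alone is
        # enough to rename the original and place a different file under its name.
        foreach ($target in $exe, (Split-Path -Parent $exe)) {
            foreach ($ace in Get-WeakAce -Path $target) {
                [pscustomobject]@{
                    Task      = $task.TaskPath + $task.TaskName
                    RunAs     = $task.Principal.UserId
                    Target    = $target
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}
```

Any row where `RunAs` is a privileged account is a finding; the fix is to move the binary to a folder only administrators can modify or to remove the write ACE from the reported `Target`.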
