Introduction
In this post, we cover the most common Windows privilege escalation techniques as part of the TryHackMe Windows Privesc room. Common Windows privilege escalation techniques include abusing Windows services, credential harvesting and exploiting out-of-date or unpatched software.
During a penetration test, you will often have access to some Windows hosts with an unprivileged user. Unprivileged users will hold limited access, including their files and folders only, and have no means to perform administrative tasks on the host, preventing you from having complete control over your target.
This room covers fundamental techniques that attackers can use to elevate privileges in a Windows environment, allowing you to use any initial unprivileged foothold on a host to escalate to an administrator account, where possible.
Overview of Junior Penetration Tester Pathway
The pathway is designed to equip learners with the knowledge required for junior penetration tester roles.
It covers essential modules like an introduction to penetration testing, web application pentesting, network security, vulnerability research, Metasploit, and privilege escalation for both Windows and Linux. Completing the pathway involves working through several rooms in TryHackMe and earning certificates, which are valuable for starting a career in cybersecurity.
Windows Privilege Escalation | Methodology
Simply put, privilege escalation consists of using given access to a host with “user A” and leveraging it to gain access to “user B” by abusing a weakness in the target system. While we will usually want “user B” to have administrative rights, there might be situations where we’ll need to escalate into other unprivileged accounts before actually getting administrative privileges.
Gaining access to different accounts can be as simple as finding credentials in text files or spreadsheets left unsecured by some careless user, but that won’t always be the case. Depending on the situation, we might need to abuse some of the following weaknesses:
- Misconfigurations on Windows services or scheduled tasks
- Excessive privileges assigned to our account
- Vulnerable software
- Missing Windows security patches
Initial Enumeration:
- The instructor starts by demonstrating how to conduct basic enumeration tasks after gaining access to a system. Commands like net users, systeminfo and sc query are used to list users, find the OS version, check installed updates, and query the status of Windows Defender.
- These steps are crucial for identifying potential vulnerabilities and determining whether a system is patched.
DLL Hijacking:
- The video walks through the DLL Hijacking process. The instructor demonstrates how to create a malicious DLL using C code or MSFVenom, cross-compile it to a Windows-compatible DLL, and place it in a target directory.
- By exploiting a vulnerable service that looks for a DLL which is missing from the system, the attacker supplies the malicious DLL in its place, allowing them to gain elevated privileges.
- After transferring the malicious DLL to the system and restarting the service, the attacker successfully gains access to the target system as another user.
Unquoted Service Path:
- Another privilege escalation method covered is the Unquoted Service Path vulnerability. This occurs when a service executable path lacks quotation marks, allowing an attacker to place a malicious executable in a directory within the service path.
- The instructor demonstrates how to find vulnerable services using commands like sc qc and then creates a malicious executable to exploit the vulnerability.
- The payload is placed in the vulnerable directory, and after starting the service, the attacker successfully gains elevated privileges.
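The following is an added audit script, not part of the original post or the room: it parses sc qc output for the BINARY_PATH_NAME value, flags services whose executable path is unquoted and contains a space, lists the lookup paths Windows would try before the real binary (the directories whose ACLs a defender must check with icacls), and builds the quoted binPath value that fixes the service. The three services and their paths are constructed samples.

```python
import re

# Constructed `sc qc` output lines for three hypothetical services (only the
# BINARY_PATH_NAME line kept; not captured from the room's machine).
SAMPLE_SC_QC = {
    "ExampleScheduler": r"BINARY_PATH_NAME   : C:\Program Files\Example Vendor\Scheduler Service\svc.exe",
    "SafeAgent": r'BINARY_PATH_NAME   : "C:\Program Files\Safe Vendor\agent.exe" --service',
    "NetSvcs": r"BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k netsvcs",
}

def parse_binary_path(sc_qc_output):
    # Pull the BINARY_PATH_NAME value out of `sc qc <service>` output.
    m = re.search(r"BINARY_PATH_NAME\s*:\s*(.+)", sc_qc_output)
    return m.group(1).strip() if m else None

def executable_part(binary_path):
    # Drop trailing arguments: keep everything up to the first ".exe".
    idx = binary_path.lower().find(".exe")
    return binary_path if idx == -1 else binary_path[: idx + 4]

def is_unquoted_vulnerable(binary_path):
    # Vulnerable pattern: path is not quoted AND the executable path itself
    # contains a space (spaces only in the arguments are harmless).
    bp = binary_path.strip()
    return not bp.startswith('"') and " " in executable_part(bp)

def candidate_paths(binary_path):
    # Every file Windows would try before the real binary: each space-delimited
    # prefix with ".exe" appended. The directories holding these are the ones
    # whose ACLs must deny write access to unprivileged users.
    exe = executable_part(binary_path.strip())
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))] + [exe]

def quoted_path(binary_path):
    # Remediation value for `sc config <svc> binPath=`: quote the executable,
    # keep any arguments outside the quotes.
    bp = binary_path.strip()
    if bp.startswith('"'):
        return bp
    exe = executable_part(bp)
    return '"' + exe + '"' + bp[len(exe):]

def audit_services(sc_qc_by_service):
    # One finding per service whose path is unquoted and contains a space.
    findings = []
    for name, output in sc_qc_by_service.items():
        path = parse_binary_path(output)
        if path and is_unquoted_vulnerable(path):
            findings.append({"service": name, "path": path,
                             "check_acl_on": candidate_paths(path),
                             "fix": quoted_path(path)})
    return findings
```

The check says nothing about whether those directories are actually writable; that still has to be confirmed per directory with icacls on the host.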
Using Process Monitor:
- Process Monitor is mentioned as a tool for identifying services that are vulnerable to DLL hijacking. However, due to limitations in this particular challenge, the instructor uses predefined paths to demonstrate the attack.
Key Takeaways
The video emphasizes the importance of enumeration during the privilege escalation process, using various Windows commands to gather information about users, installed software, and service configurations.
Techniques like DLL Hijacking and Unquoted Service Path are effective methods of exploiting misconfigurations in Windows services to gain higher privileges on a compromised system.
Cross-compiling payloads using tools like MinGW and MSFVenom allows attackers to create Windows-compatible executables from Linux.
Room Answers | TryHackMe Windows Privesc
The SYSTEM account has more privileges than the Administrator user (aye/nay)
A web server is running on the remote host. Find any interesting password on web.config files associated with IIS. What is the password of the db_admin user?
There is a saved password on your Windows credentials. Using cmdkey and runas, spawn a shell for mike.katz and retrieve the flag from his desktop.
Retrieve the saved password stored in the saved PuTTY session under your profile. What is the password for the thom.smith user?
Get the flag on svcusr2’s desktop.
Get the flag on the Administrator’s desktop.