PrivescCheck.ps1

Step 2: Open the powershell.exe terminal to check the current user.

We are running as a student user. We will run the PrivescCheck PowerShell script to find possible misconfiguration issues that can be leveraged for local privilege escalation.

Step 3: Change the current directory to the PrivescCheck folder.

Commands:

Step 4: Run the PrivescCheck.ps1 script.

Commands:

The scan starts and takes 1-2 minutes to finish.

The report shows that WinLogon credentials were found. Investigate the WinLogon output.

We have found an administrator user credential, i.e. administrator:hello_123321.

Step 5: Run a command prompt (cmd.exe) as the administrator user, using the discovered credential and runas.exe.

Commands:

cmd.exe is now running as the administrator user.
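The finding above is a stored automatic-logon credential in the Winlogon registry key. The following audit is an added example for this page, not code from the lab or from the PrivescCheck project: it reports whether such a credential is present on the host without revealing the password value. The registry path is the standard Winlogon key; the function name Test-WinlogonAutoLogon is my own.

```powershell
# Audit a host for Winlogon automatic-logon credentials kept in the registry.
# Added example: the key path is the standard Winlogon location; the function
# name is an assumption of this example. The password value is never printed.
function Test-WinlogonAutoLogon {
    [CmdletBinding()]
    param()

    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $props = Get-ItemProperty -Path $key -ErrorAction Stop

    # Collect presence information only; DefaultPassword is reduced to a boolean.
    $result = [PSCustomObject]@{
        ComputerName      = $env:COMPUTERNAME
        AutoAdminLogon    = ("$($props.AutoAdminLogon)" -eq '1')
        DefaultUserName   = $props.DefaultUserName
        DefaultDomainName = $props.DefaultDomainName
        PlaintextPassword = -not [string]::IsNullOrEmpty($props.DefaultPassword)
        Finding           = 'None'
    }

    if ($result.PlaintextPassword) {
        # The Winlogon key is readable by ordinary local users, so a plaintext
        # DefaultPassword is exactly the condition the scan above reported.
        $result.Finding = 'DefaultPassword is stored in plaintext in the registry; ' +
                          'remove the value (Remove-ItemProperty) and, if autologon ' +
                          'is required, store the secret via Sysinternals Autologon ' +
                          'so it lives in the LSA secret store instead.'
    }
    elseif ($result.AutoAdminLogon) {
        $result.Finding = 'AutoAdminLogon is enabled without a registry DefaultPassword; ' +
                          'confirm the credential is held as an LSA secret and that ' +
                          'the account has the least privilege needed.'
    }

    return $result
}

Test-WinlogonAutoLogon | Format-List
```

Run it from an elevated or standard PowerShell session on each host you manage; a PlaintextPassword value of True is the condition to remediate.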

Switch to the Kali Machine

Step 6: Run the hta_server module to gain a meterpreter shell. Start msfconsole.

Commands:

“This module hosts an HTML Application (HTA) that when opened will run a payload via Powershell.”

Copy the generated payload URL, i.e. “http://10.10.31.2:8080/Rv4eiCTge85UJ15.hta”, and run it in cmd.exe with the mshta command to gain the meterpreter shell.

Note: You need to execute the payload below in cmd.exe.

Switch to Victim Machine

Step 7: Gain a meterpreter shell.

Commands:

Note: You need to use your own Metasploit HTA server link.

We can expect a meterpreter shell.

Step 8: Read the flag.

Commands:

This reveals the flag to us.

Flag: 2b070a650a92129c2462deae7707b0c5

Conclusion

In this lab, we explored the usage of the PrivescCheck.ps1 script to find a common Windows privilege escalation flaw (plaintext WinLogon credentials) and used it to gain a meterpreter session with high privileges.
