Posts

Showing posts from November, 2021

Windows Privilege Escalation (Unquoted Service Paths)

Image
One way to elevate privileges on a Windows host is to look for services whose binary path is unquoted and contains spaces. When the Service Control Manager starts such a service, Windows tries each space-delimited prefix of the path as an executable (C:\Program.exe, then C:\Program Files\Some.exe, and so on) before it reaches the real binary. If we have a shell as a user who can write to one of those directories, we can plant a binary of our own there and have the service, which typically runs as SYSTEM, execute it the next time it starts.

To start this lab, I was given a bind shell to a Windows machine as a low-privileged user. Before running the exploit, I used set AutoRunScript migrate -f so the shell would migrate to a different process as soon as it had been established. This is useful because it prevents the shell being lost if a user closes the process it was originally running in. As can be seen from the above screenshot, the initial shell belonged to a low-level user. My goal was to elevate privileges to SYSTEM by finding and exploiting an unquoted service path.

I started by opening an interactive shell so that I could use a wmic command to list services and look for unquoted paths that contain spaces: wmic service get name,displayname,pathname,start...
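The following is an added example written for this page; it is not code from the original post. It parses the fixed-width output of wmic service get name,displayname,pathname,startmode (the sample rows here are constructed, not taken from a real host) and, for every unquoted path with a space in it, lists the executables Windows would try before the real one. The Auto-start and C:\Windows filters are my own choices and can be switched off.

```python
"""Parse the output of `wmic service get name,displayname,pathname,startmode`
and flag unquoted service binary paths that contain spaces, listing the
executables Windows would try (and that an attacker could plant) before
reaching the real one."""
import re
from dataclasses import dataclass

# Constructed sample rows in the fixed-width layout wmic prints. These are
# made up for this example; they are not from any real host.
_SAMPLE_ROWS = [
    ("Vulnerable Service", "VulnSvc",
     r"C:\Program Files\Vuln Corp\Vuln Service\service.exe -k", "Auto"),
    ("Safe Service", "SafeSvc",
     r'"C:\Program Files\Safe Corp\Safe Service\service.exe" -k', "Auto"),
    ("Windows Update", "wuauserv",
     r"C:\Windows\system32\svchost.exe -k netsvcs", "Manual"),
    ("No Spaces", "NoSpaces", r"C:\Tools\agent.exe", "Auto"),
]
_HEADER = ("DisplayName", "Name", "PathName", "StartMode")
WMIC_OUTPUT = "\n".join(
    f"{d:<20}{n:<10}{p:<62}{s}" for d, n, p, s in (_HEADER, *_SAMPLE_ROWS)
) + "\n"


def parse_wmic(text: str) -> list[dict[str, str]]:
    """Split wmic's fixed-width table into dicts keyed by column name.

    Column boundaries are taken from the header line, so path names that
    themselves contain runs of spaces are sliced correctly."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    cols = [(m.group(), m.start()) for m in re.finditer(r"\S+", lines[0])]
    rows = []
    for line in lines[1:]:
        row = {}
        for i, (name, start) in enumerate(cols):
            end = cols[i + 1][1] if i + 1 < len(cols) else None
            row[name] = line[start:end].strip()
        rows.append(row)
    return rows


def hijack_candidates(path_name: str) -> list[str]:
    """Return, in the order Windows tries them, the executables that would be
    run instead of the real service binary if they existed.

    A quoted path is safe. For an unquoted path the executable portion runs
    up to the first token ending in .exe; every space inside it is a point
    where CreateProcess first tries the prefix (with .exe appended)."""
    if path_name.startswith('"'):
        return []
    m = re.match(r"(.*?\.exe)(?:\s|$)", path_name, re.IGNORECASE)
    exe = m.group(1) if m else path_name
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


@dataclass
class Finding:
    name: str
    path_name: str
    start_mode: str
    candidates: list[str]


def find_unquoted_service_paths(text: str, auto_only: bool = True,
                                skip_windows_dir: bool = True) -> list[Finding]:
    """Flag services whose unquoted binary path has a space in it.

    auto_only keeps services that start at boot (exploitable via a reboot
    when we cannot restart the service ourselves); skip_windows_dir drops
    binaries under C:\\Windows, whose directories are not user-writable."""
    findings = []
    for row in parse_wmic(text):
        if auto_only and row["StartMode"].lower() != "auto":
            continue
        if skip_windows_dir and row["PathName"].lower().startswith("c:\\windows\\"):
            continue
        cands = hijack_candidates(row["PathName"])
        if cands:
            findings.append(Finding(row["Name"], row["PathName"],
                                    row["StartMode"], cands))
    return findings


if __name__ == "__main__":
    for f in find_unquoted_service_paths(WMIC_OUTPUT):
        print(f"{f.name} ({f.start_mode}): {f.path_name}")
        for c in f.candidates:
            print(f"    would run first if present: {c}")
```

A candidate path is only useful if the current user can create a file in its parent directory (check with icacls) and the service runs with higher privileges than we have; the planted binary then executes when the service is restarted, either with sc stop and sc start if our user is allowed to, or on the next reboot for an Auto-start service.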

Windows Privilege Escalation (Bypassing User Account Control)

Image
For this lab, I was given a meterpreter bind shell on a remote machine with low-level user privileges. I discovered a little more about it using run post/windows/gather/win_privs, which showed me that the user eLS was in the local Administrators group but did not have admin or SYSTEM-level privileges. I also saw that UAC was enabled. This meant that I would need to bypass UAC before the getsystem meterpreter command could work: with UAC enabled, an administrator's processes normally run with a filtered, medium-integrity token, which is why getsystem fails until the session has been elevated. In order to bypass User Account Control we could download code and manually compile and run it, but msfconsole has a built-in module we can use instead. I first backgrounded the session and then ran use exploit/windows/local/bypassuac. Once I executed this module, a new meterpreter session was created. eLS now had admin rights but still was not SYSTEM. I could now try the getsystem command from within meterpreter. This worked, and I had successfully elevated privileges from a low-level user to SYSTEM. This i...