
Training Update v0.81

Wednesday is here and we are back at it again on THM, not Krispy Kreme!

Today we continue with the Windows Privilege Escalation on Task 6.

“The SeBackup and SeRestore privileges allow users to read and write to any file in the system, ignoring any DACL in place. The idea behind this privilege is to allow certain users to perform backups from a system without requiring full administrative privileges. Having this power, an attacker can trivially escalate privileges on the system by using many techniques. The one we will look at consists of copying the SAM and SYSTEM registry hives to extract the local Administrator’s password hash.”

“To back up the SAM and SYSTEM hashes, we can use the following commands.”

“This will create a share named public pointing to the share directory, which requires the username and password of our current Windows session. After this, we can use the copy command in our Windows machine to transfer both files to our AttackBox.”

“We use impacket to retrieve the users’ password hashes.”

“We can finally use the Administrator’s hash to perform a Pass-the-Hash attack and gain access to the target machine with SYSTEM privileges.”

Flag – THM{SEFLAGPRIVILEGE}
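As an added example from the defender's side (not from the room or this post), a small Python check that scans constructed Security-log records in the shape of Event ID 4672 (“Special privileges assigned to new logon”) and reports any account outside an assumed allowlist that was granted SeBackupPrivilege or SeRestorePrivilege, the two rights the quoted text says ignore file DACLs. The record layout, the allowlist and the account names are all constructed assumptions.

```python
"""Flag logons that received the DACL-bypassing backup/restore privileges.

Added example, not part of the THM room or this post. The input mimics
Event ID 4672 records flattened to "event_id|account|privileges"; a real
deployment would read these from the Security log instead.
"""

# The two rights discussed in the room: both let a caller ignore file DACLs.
DACL_BYPASS = {"SeBackupPrivilege", "SeRestorePrivilege"}

# Assumed baseline of accounts expected to hold these rights.
ALLOWLIST = {"NT AUTHORITY\\SYSTEM", "WORKGROUP\\Administrator"}

# Constructed sample records (one per line, fields separated by "|").
SAMPLE_EVENTS = """\
4672|NT AUTHORITY\\SYSTEM|SeTcbPrivilege SeBackupPrivilege SeRestorePrivilege
4672|WORKGROUP\\Administrator|SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege
4672|WORKGROUP\\backupsvc|SeBackupPrivilege SeRestorePrivilege
4624|WORKGROUP\\backupsvc|
4672|WORKGROUP\\alice|SeChangeNotifyPrivilege
"""


def parse_event(line):
    """Split one flattened record into (event_id, account, set_of_privileges)."""
    event_id, account, privs = line.split("|", 2)
    return int(event_id), account, set(privs.split())


def find_backup_operators(text, allowlist=ALLOWLIST):
    """Return [(account, sorted_privileges)] for every 4672 record in which a
    non-allowlisted account was granted SeBackupPrivilege or SeRestorePrivilege."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event_id, account, privs = parse_event(line)
        if event_id != 4672:  # only "special privileges assigned" records matter
            continue
        hit = privs & DACL_BYPASS
        if hit and account not in allowlist:
            findings.append((account, sorted(hit)))
    return findings


if __name__ == "__main__":
    for account, privs in find_backup_operators(SAMPLE_EVENTS):
        print(f"{account}: granted {', '.join(privs)} (can read SAM/SYSTEM regardless of DACLs)")
```

Any account the check reports should be reviewed against the same “copy the SAM and SYSTEM hives” path the room demonstrates, since that is exactly what the privilege permits.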

“The target server is running Druva inSync 6.6.3, which is vulnerable to privilege escalation as reported by Matteo Malvica. The vulnerability results from a bad patch applied over another vulnerability reported initially for version 6.5.0 by Chris Lyne.”

“In the case of Druva inSync, one of the procedures exposed (specifically procedure number 5) on port 6064 allowed anyone to request the execution of any command. Since the RPC server runs as SYSTEM, any command gets executed with SYSTEM privileges.”

“We pop a PowerShell console and paste the exploit directly to execute it. The payload, specified in the $cmd variable, will create a user named pwnd in the system, but won’t assign him administrative privileges, so we will probably want to change the payload for something more useful. For this room, we will change the payload to run the following command.”

net user pwnd SimplePass123 /add & net localgroup administrators pwnd /add
“This will create user pwnd with a password of SimplePass123 and add it to the administrators’ group. If the exploit was successful, you should be able to run the following command to verify that the user pwnd exists and is part of the administrators’ group.”

“As a last step, you can run a command prompt as administrator.”

Flag – THM{EZ_DLL_PROXY_4ME}

Overall, a very good path, and I would recommend it for anyone wanting to brush up on their skills or learn some new cyber security topics. The Priv Esc rooms were also very good, and I feel that I have learnt a lot from this!

THM Update –

THM Yearly Activity To Date –

THM Stats –

THM Rank –

Until next time & don’t sleepwalk through life!

Adiaŭ