Quotient
https://tryhackme.com/room/quotient
Nmap
RDP Login
Starting out we connect via RDP with the credentials provided by the room.
Powerup
Now connected to the target system as the user sage we execute Invoke-AllChecks with Powerup and identify a binary service with an unquoted path that executes in the context of SYSTEM.
Unquoted Service Path
Viewing the file permissions in the path C:\Program Files\Development Files\Devservice Files\Service.exe we see that we do not have permission over service.exe, but the Users principal does have the ability to create files within C:\Program Files\Development Files.
This is enough for us to perform the unquoted service path privilege escalation vector.
Due to the way Windows searches for binaries that are not wrapped in quotes with spaces, the system will search for an executable in the following order when the service is started.
C:\Program.exe
C:\Program Files\Development.exe
C:\Program Files\Development Files\Devservice.exe
C:\Program Files\Development Files\Devservice Files\Service.exe
As we have write access to C:\Program Files\Development Files we will be targeting option number 3.
Building the attack
Firstly to perform the attack we create a meterpreter reverse shell called Devservice.exe
After the payload is built we then upload it to the target system and place the executable in C:\Program Files\Development Files\Devservice.exe . We do not have permission to restart the service, we do however have the ability to restart the target system.
Start a listener with Metasploit.
Triggering the payload
Then reboot the target system. After a minute or two we should receive a shell back.
For some reason my meterpreter shell would soon die after connecting. As such I migrated to an alternative process (lsass.exe).
Root flag
With confirmed SYSTEM level access I was then able to retrieve the administrator's flag.
Last updated
