There doesn’t seem to be a Topic for the [ACADEMY] Windows Privilege Escalation Skills Assessment - Part II. I just finished part I, so I’m starting this page for part II, which I plan on starting tomorrow.
If you run winPEAS you will notice that it is vulnerable to CVE-2020-0668. In the section “Kernel exploits” of module HTB Academy it is explained how to exploit this vulnerability.
Hello,
Would you have clues on how to escalate privileges? I have tried to exploit the vulnerability “CVE-2020-0668.” but i have no success.
Hello,
Would you have clues on how to escalate privileges? I have tried to exploit the vulnerability “CVE-2020-0668.” but i have no success.
I followed the steps explained inside the “Kernel Explois - CVE-2020-0668 Example” section. I used the exploit inside the machines provided during the module (C:\Tools\CVE-2020-0668). I passed that exploit to my Kali virtual machine and then to the target I wanted to attack.
1 Like
Hi Ezi0,
Could you give me a help in this skill?
As you said I have followed the steps explained in “Kernel Exploits” to get privilege escalation using CVE-2020-068 like this:
C:\Users\htb-student\Desktop\maintenanceservice.exe “C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe”
[+] Moving C:\Users\htb-student\Desktop\maintenanceservice.exe to C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
[+] Mounting \RPC Control onto C:\Users\htb-student\AppData\Local\Temp\jcdcq4zw.123
[+] Creating symbol links
[+] Updating the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASPLAP configuration.
[+] Sleeping for 5 seconds so the changes take effect
[+] Writing phonebook file to C:\Users\htb-student\AppData\Local\Temp\805f9e56-5fb5-4916-80bb-d4e7e11b3b17.pbk
[+] Cleaning up
[+] Done!
Everything looks good, but after running the msf handler:
sudo msfconsole -r handler.rc
and in the target station:
net start MozillaMaintenance
Nothing happens!
I have tried other ways without results.
Have you some hints please?
@jamestar I have retested the exploit and the steps listed in the “Kernel Exploits > CVE-2020-0668 Example” section and it works perfectly. You are skipping some step.
1 Like
Thanks. This is way easier than trying to compile with a specific .NET version package.
Got stuck on finding the account password for some time…winpeas is all you need to find what you’re looking for this module. Look through all output…or just CTRL+F.
2 Likes
Is the anyone who can give me a hand with this one? For question #2 I can get everything to work, but using metasploit I can only run a single command and then it disconnects me… It will just give me an error that says Rex::TimeoutError Send Time out
1 Like
someone can give me a hint where I can find the “iamtheadministrator” credentials because I search in every directory and I cant find it also I search it with system access and cant yet
hx1 try running winpeas
1 Like
thanks dont know how I missed it
did you figure this out? i’m having same issue.
Wow! What a cool exercise!
If it’s of any help to others - my Meterpreter session (established after running the service executable we replaced to take advantage of the CVE) kept dying after some seconds, so to open a stable connection I ran hashdump and just logged in as the admin using impacket-psexec and the admin’s hash.
You can consult the Passsword Attacks module > Pass the Hash (PtH) > Pass the Hash with Impacket (Linux) section for more information. Login To HTB Academy & Continue Learning | HTB Academy
This is also convenient, because you need to get the hash of one other user to answer the last question anyways.
Hi, did you get the iamtheadministrator password with winpeas? I have launched both the exe and the bat while being administrator but I can’t find any password for this
I managed to escalate via NON-CVE vector. Certainly more than 1 way to dominate this machine.
Try WinP…exe
type Ctrl “r” and search for what you are looking for
I also had this one, I think it’s a bag or something
But when you get your reverse shell you have like 10 seconds, till you loose the connections, but it’s enoth, you just need to read the flag and do hashdump 
Can you tell how?