[ACADEMY] Windows Privilege Escalation Skills Assessment - Part II

Would you have clues on how to escalate privileges? I have tried to exploit the vulnerability “CVE-2020-0668.” but i have no success.

I followed the steps explained inside the “Kernel Explois - CVE-2020-0668 Example” section. I used the exploit inside the machines provided during the module (C:\Tools\CVE-2020-0668). I passed that exploit to my Kali virtual machine and then to the target I wanted to attack.

1 Like

Hi Ezi0,

Could you give me a help in this skill?
As you said I have followed the steps explained in “Kernel Exploits” to get privilege escalation using CVE-2020-068 like this:

C:\Users\htb-student\Desktop\maintenanceservice.exe “C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe”

[+] Moving C:\Users\htb-student\Desktop\maintenanceservice.exe to C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

[+] Mounting \RPC Control onto C:\Users\htb-student\AppData\Local\Temp\jcdcq4zw.123

[+] Creating symbol links

[+] Updating the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASPLAP configuration.

[+] Sleeping for 5 seconds so the changes take effect

[+] Writing phonebook file to C:\Users\htb-student\AppData\Local\Temp\805f9e56-5fb5-4916-80bb-d4e7e11b3b17.pbk

[+] Cleaning up

[+] Done!

Everything looks good, but after running the msf handler:
sudo msfconsole -r handler.rc

and in the target station:
net start MozillaMaintenance

Nothing happens!

I have tried other ways without results.

Have you some hints please?

@jamestar I have retested the exploit and the steps listed in the “Kernel Exploits > CVE-2020-0668 Example” section and it works perfectly. You are skipping some step.

1 Like

Thanks. This is way easier than trying to compile with a specific .NET version package.

Got stuck on finding the account password for some time…winpeas is all you need to find what you’re looking for this module. Look through all output…or just CTRL+F.


Is the anyone who can give me a hand with this one? For question #2 I can get everything to work, but using metasploit I can only run a single command and then it disconnects me… It will just give me an error that says Rex::TimeoutError Send Time out

1 Like

someone can give me a hint where I can find the “iamtheadministrator” credentials because I search in every directory and I cant find it also I search it with system access and cant yet

hx1 try running winpeas

1 Like

thanks dont know how I missed it

did you figure this out? i’m having same issue.

Wow! What a cool exercise!

If it’s of any help to others - my Meterpreter session (established after running the service executable we replaced to take advantage of the CVE) kept dying after some seconds, so to open a stable connection I ran hashdump and just logged in as the admin using impacket-psexec and the admin’s hash.

You can consult the Passsword Attacks module > Pass the Hash (PtH) > Pass the Hash with Impacket (Linux) section for more information. Login To HTB Academy & Continue Learning | HTB Academy

This is also convenient, because you need to get the hash of one other user to answer the last question anyways.

Hi, did you get the iamtheadministrator password with winpeas? I have launched both the exe and the bat while being administrator but I can’t find any password for this

I managed to escalate via NON-CVE vector. Certainly more than 1 way to dominate this machine.

Try WinP…exe
type Ctrl “r” and search for what you are looking for

I also had this one, I think it’s a bag or something
But when you get your reverse shell you have like 10 seconds, till you loose the connections, but it’s enoth, you just need to read the flag and do hashdump :slight_smile:

Can you tell how?

the password will give you a hint xD

Actually, going through the WinPEAS detailed report is pretty exhausting! :crazy_face:

Fortunately, I started with a smaller automatic tool which helps enumerating things:
SharpUp.exe audit and I got all it needs to find 2 first answers at once…

The most impactful to me was that these 2 discoveries just rely on one contextual fact about the pentest itself: we are actually auditing a Gold Image, which means there probably are administrative shortcuts in order to do things faster… tehy forgot to get rid of! :upside_down_face:

First one is the ‘Unattend.xml’ file which contains sensitive info (a basic search with the pattern ‘iamtheadministrator’ yields teh same results: it’s teh only readable file with mention of this ppowerful user! :sweat_smile:).

Second, some registry keys useful to install things in some “high privs” way! :stuck_out_tongue_winking_eye: