
AoC3 Day 13: Windows Privilege Escalation

    If you are new to TryHackMe, I recommend checking out their Tutorial room to see how the platform works and how you can access the target machine(s). I also highly recommend using your own “attack box”, be it Kali, Parrot, or some other pentesting-oriented Linux distro (in the form of a VM), as opposed to the browser-based solution TryHackMe provides. I’ve found that the browser-based VM is a lot slower, though others seem to have no issues with it. The only thing using your own attack VM entails is connecting it to THM’s network through VPN, but this is incredibly easy, as TryHackMe will supply you with your own OpenVPN configuration file; the process is outlined below.

    Types of Challenges

    The TryHackMe platform has multiple types of challenges, each potentially having its own requirements for accessing and completing it. You can identify the type of challenge by looking at the icon on the right-hand side of the collapsible bar for that particular challenge:

    Challenges using the “server rack” icon include the use of a deployable machine, and are the most common. Pressing the “Start Machine” button will launch a virtual machine that you have two ways of accessing: using THM’s “attack box”, found at the top of your browser window:

    Or, you can instead opt to use your own virtual machine connected to the THM network, which is done (on Linux) by clicking your user icon, “Access”, and then “Download My Configuration File”.

    Clicking “Save File”

    And by running the following command in a terminal (I might suggest you move the download to another folder, such as “Documents”):

    Once you see “Initialization Sequence Completed”, you’ll know you’ve successfully connected to THM’s network. Keep this terminal window open (you can minimize it, however). Return to it and press “Ctrl” + “C” twice once you are ready to disconnect.

    After you’ve chosen between THM’s attack box or your own virtual machine, you’ll need the IP address of the target machine, which is what was deployed earlier with the green “Start Machine” button. That information can be seen in a banner at the top of your browser window, or in more detail at the top of the page:

    In many cases you’ll be copying that IP address into your attack box/VM’s browser’s address bar, but in other cases you might be accessing it through SSH, RDP, etc. You’ll notice that you can add time to it if needed, or terminate it if you finish early – opening up more resources for other THM users.

    Challenges using the “browser” icon will require interaction with a simulated website that can be accessed by pressing the “View Site” seen after expanding the challenge. These challenges will need to be completed from within your browser, and cannot be accessed through a VPN on your own machine due to the fact that they are not true websites.

    Challenges with the “download” icon include files – in many cases packet captures (pcaps) or log files to be parsed with a specific type of software. Where you do this examination is up to you, but you will not be able to use one of TryHackMe’s machines. For examining something like a .pcap file, you will want to install Wireshark on one of your own computers or VMs.

    Challenges without an icon focus on either reading material and answering questions, or will include a link to a publicly accessible website that doesn’t require connection to THM’s network, and therefore can be completed from any computer you choose.

    TryHackMe; Advent of Cyber 3; Day 12 Walkthrough

    Day 12’s challenge follows the exploitation of backup software and its inherent privileges in order to gain remote code execution (RCE) on a Windows machine.

    Due to occasional difficulties accessing TryHackMe’s target machine through RDP, I recommend using the in-browser access for this particular challenge. This can be done by starting the target machine, and then launching the “AttackBox” near the top of the TryHackMe page:

    And then switching over to the “AOC_WinPriv…” instance. You can then click the icon in the bottom-left corner to expand the machine into its own window.

    Start off by launching “Iperius Backup” from the Windows search bar.

    Click “Create new backup” to begin creation of a backup job.

    Click the new folder icon on the left-hand side, and choose an arbitrary folder to back up. In my case, I went with C:\Users\McSkidy\Documents. Click “OK”.

    Switch over to the “Destinations” tab to determine where our backup will be stored. This is also arbitrary for the purposes of this challenge, so a location like C:\Users\McSkidy\Desktop is just fine. Click “OK”.

    We’re then going to create a Windows batch file to be executed when our backup process runs. Open a Notepad window and type in the pictured text:

    Choose “All Files” from the dropdown so that it can be saved with the “.bat” file extension.

    Return to Iperius and switch to the “Other processes” tab. Check “Run a program or open external file:” and select our newly created batch file. Click “OK”.

    You may be given an error message stating that the backup job first needs to be named, where you can choose any name you’d like. After doing so, click “OK”.

    Start a Netcat listener on your attack box by running the following terminal command:

    nc -nlvp 1337

    Return to Iperius once more, and run our new backup job “as service”:

    Click “Yes” if presented with the following prompt:

    Switch over to your attack box, where you should see that an interactive shell has been opened with the target machine.

    Run the “net users” command to find the username beginning with the letter “p”.

    Run “systeminfo” to find the OS version of the target machine.

    To find a list of services running on the system, we can use a Windows Management Instrumentation command. This will reveal a backup service running on the system.

    wmic service list brief

    We can also use a “where” statement to limit the output of a WMI command, which will help us find the path of the executable for our backup service.
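    As an added example (not part of the walkthrough), here is how a defender would run the same service lookup from PowerShell, where the WQL filter plays the role of the wmic “where” clause and any matching service running as LocalSystem is flagged; the “%backup%” name pattern and the function name are assumptions:

```powershell
# Added example, not from the walkthrough. wmic is deprecated, so the supported
# way to query Win32_Service is Get-CimInstance; the -Filter argument is WQL and
# does exactly what the wmic "where" clause does.
function Get-PrivilegedService {
    param(
        # Assumed default: match services whose name or display name contains "backup".
        [string]$NamePattern = '%backup%'
    )

    $filter = "Name LIKE '$NamePattern' OR DisplayName LIKE '$NamePattern'"
    $services = Get-CimInstance -ClassName Win32_Service -Filter $filter

    foreach ($svc in $services) {
        # A service running as LocalSystem that lets ordinary users configure
        # "run a program" hooks (as the backup job above does) hands those users
        # SYSTEM-level execution. Flag it so the service account or the hook
        # setting can be reviewed.
        $runsAsSystem = ($svc.StartName -eq 'LocalSystem') -or ($svc.StartName -like 'NT AUTHORITY\SYSTEM*')

        [pscustomobject]@{
            Name         = $svc.Name
            DisplayName  = $svc.DisplayName
            State        = $svc.State
            StartMode    = $svc.StartMode
            RunsAs       = $svc.StartName
            BinaryPath   = $svc.PathName   # same value the wmic "where" query reveals
            HighPrivRisk = $runsAsSystem
        }
    }
}

# Review every matching service; widen the pattern ('%') to audit all services.
Get-PrivilegedService | Sort-Object HighPrivRisk -Descending | Format-Table -AutoSize
```

    Running it with the pattern '%' lists every service on the host, which is the quicker way to spot any other SYSTEM-level service whose configuration is writable by standard users.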

    Running the “whoami” command will reveal which user we are currently issuing commands as.

    Based on the tasks of Day 12, we can assume the “flag.txt” mentioned for our next task is stored in our user’s Documents folder. We can navigate there and print the contents of flag.txt using the “type” command once again.

    Using the same method will reveal where the “Grinch” can be found at 5:30.