SeRestorePrivilege
It has been identified that the compromised svc_apache$ account has SeRestorePrivilege ENABLED on the dc01.heist.offsec (192.168.198.165) host.
SeRestorePrivilege grants write access to any object on the system regardless of the object's ACL, which is what makes the trick below possible.
utilman.exe Trick
One common method to escalate privilege with it is to:
- replace the utilman.exe binary with a copy of cmd.exe
- launch the modified utilman.exe from the logon screen by pressing Windows key + U; this launches cmd.exe instead
- the resulting shell runs as SYSTEM
utilman.exe is present in the C:\Windows\System32 directory, which is a restricted directory.
However, SeRestorePrivilege grants write access to the utilman.exe binary there, bypassing the directory's ACL.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/heist]
└─$ rdesktop dc01.heist.offsec
I can then launch the GUI session over RDP.
The Ease of Access button on the logon screen launches utilman.exe, which was replaced by cmd.exe.
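From the defender's side, two things to audit on a host like this are which principals hold SeRestorePrivilege and whether utilman.exe is still the genuine binary. The PowerShell below is an added example, not part of this writeup; it assumes an elevated PowerShell 5.1+ session on the Windows host and that the secedit export carries the standard "SeRestorePrivilege = *SID,*SID" line.

```powershell
# Added defensive check, not part of the original writeup. Assumes an elevated
# PowerShell 5.1+ session on the Windows host being audited.

# Which principals hold SeRestorePrivilege? Parses the user-rights section that
# secedit exports (principals appear as *S-1-5-... SIDs).
function Get-SeRestorePrivilegeHolders {
    $cfg = Join-Path $env:TEMP 'ur-audit.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeRestorePrivilege\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $id = $_.Trim().TrimStart('*')
        try   { (New-Object Security.Principal.SecurityIdentifier $id).Translate([Security.Principal.NTAccount]).Value }
        catch { $id }   # not a SID (or unresolvable): report the raw entry
    }
}

# Is utilman.exe still utilman.exe? Flags the swap described above.
function Test-UtilmanIntegrity {
    param([string]$Path = "$env:SystemRoot\System32\utilman.exe")
    $findings = @()
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    # A copy of cmd.exe carries cmd.exe's embedded version resource, so the
    # OriginalFilename / InternalName no longer name utilman.
    foreach ($f in 'OriginalFilename', 'InternalName') {
        if ($vi.$f -and $vi.$f -notlike 'utilman*') { $findings += "$f is '$($vi.$f)'" }
    }
    # Direct hash comparison catches the exact cmd.exe swap.
    $cmd = Get-FileHash -LiteralPath "$env:SystemRoot\System32\cmd.exe" -Algorithm SHA256
    if ((Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash -eq $cmd.Hash) { $findings += 'SHA256 equals cmd.exe' }
    # Signature check alone is not enough: cmd.exe is Microsoft-signed too, so a
    # swapped binary still reports Valid. Kept to catch unsigned replacements.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') { $findings += "Authenticode: $($sig.Status)" }
    # Timestamps are not checked: copy preserves the source LastWriteTime.
    [pscustomobject]@{ Path = $Path; Suspicious = ($findings.Count -gt 0); Findings = $findings }
}

Get-SeRestorePrivilegeHolders
Test-UtilmanIntegrity | Format-List
```

On a domain controller the exported rights reflect the effective policy (Default Domain Controllers Policy), so a service account appearing in the holder list is the finding to act on.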
System level compromise
Dumping credentials..