![]() So if you have a metasploit meterpreter session going you can run getsystem. Upload both files and execute vdmaillowed.exe. It never works on Windows 2003 for example. On some machines the at 20:20 trick does not work. ![]() You first need to upload PsExec.exe and then you run: psexec -i -s cmd.exe at 01:23 /interactive cmd.exeĪnd then the cmd with SYSTEM privs pops up. Now we set the time we want the system CMD to start. To do this we run:įirst we check what time it is on the local machine: time This will give you a cmd with Administrators rights.įrom here we want to become SYSTEM user. So instead you open up the cmd from c:\windows\system32\cmd.exe. And if you rightclick and do Run as Administrator you might need to know the Administrators password. If you open up the cmd that is in Accessories it will be opened up as a normal user. If you have a GUI with a user that is included in Administrators group you first need to open up cmd.exe for the administrator. If we find the file with a password in it, we can decrypt it like this in Kali gpp-decrypt encryptedpassword Now we mount it net use z: \\.x\SYSVOLĪnd enter it z: Now we search for the groups.xml file It will output something like this Address: .x Look for the following: LOGONSERVER=\\NAMEOFSERVER USERDNSDOMAIN=WHATEVER.LOCAL We can just look in the environment-variables In order to do that we need to know the IP-address of the domain controller. If the machine belongs to a domain and your user has access to System Volume Information there might be some sensitive files there.įirst we need to map/mount that drive. Reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated Reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated We need to know what users have privileges. – It’s just a compilation of other peoples work and I have used the links from which I made my notes.īefore we start looking for privilege escalation opportunities we need to understand a bit about the machine. – The following guide is based on the numerous resources I found from other OSCP reviews and just googling it.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |