Privilege escalation [Worked]
In the C drive, I found one folder named "Log-Management". Inside that, I found that there is a file with the name "job.bat". When I opened it, I found that there was a script. This batch script is designed to clear all Windows event logs, but only if it is run with administrator privileges.

In the script, I saw that there is a .exe binary that is being run. When I listed the help for that binary file, I got the output below.

Nothing seems interesting in this.
Checking the current user's permissions on the file.
We checked that Daniel is a member of the "Users" group and that, on this file, members of the "Users" group have full access.
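
From the defender's side, a script that runs with administrator privileges but is writable by "Users" is the finding to catch in an audit. The following is an added example, not part of the original write-up: it parses `icacls` output and flags access entries that let low-privileged groups modify a file. The use of `icacls` is an assumption (the page does not show the command used), and the sample ACL text is constructed.

```python
import re

# Principals every ordinary local or domain user belongs to.
LOW_PRIV = {"everyone", "builtin\\users",
            "nt authority\\authenticated users", "nt authority\\interactive"}
# icacls rights that allow changing the file's content, ACL or owner.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "GW", "GA", "WDAC", "WO"}
# Flags that describe inheritance, not access.
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}

ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(\([A-Za-z,]+\))+)$")

def parse_icacls(path, output):
    """Return [(principal, rights, is_deny), ...] from icacls output for one file."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        # The first line is "<path> <principal>:(flags)"; drop the path prefix.
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue  # blank lines and the "Successfully processed" summary
        groups = [g.upper() for g in re.findall(r"\(([A-Za-z,]+)\)", m["flags"])]
        deny = "DENY" in groups
        rights = {r for g in groups for r in g.split(",")} - INHERIT_FLAGS - {"DENY"}
        aces.append((m["who"], rights, deny))
    return aces

def risky_aces(path, output):
    """Allow-entries that let a low-privileged principal modify the file."""
    return [(who, sorted(rights & WRITE_RIGHTS))
            for who, rights, deny in parse_icacls(path, output)
            if not deny and who.lower() in LOW_PRIV and rights & WRITE_RIGHTS]

# Constructed sample: only the "Users has full access" entry comes from the write-up.
SAMPLE_PATH = r"C:\Log-Management\job.bat"
SAMPLE = r"""C:\Log-Management\job.bat BUILTIN\Users:(F)
                          NT AUTHORITY\SYSTEM:(I)(F)
                          BUILTIN\Administrators:(I)(F)
                          NT AUTHORITY\Authenticated Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for who, rights in risky_aces(SAMPLE_PATH, SAMPLE):
        print(f"{SAMPLE_PATH}: {who} can modify the file ({','.join(rights)})")
```

Any hit on a script that a privileged job executes should be remediated by restricting write access to administrators and SYSTEM.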

Getting Reverse shell [Try 1 - failed]
Making reverse shell for .bat file type.
We will set up things that will be needed for the reverse shell.
We will need an SMB server. I set it up and also tested that it is accessible.

Start the listener.
Adding content to the file.
Please note that this process is executed by another process that adds the content. Running it immediately might result in an error; however, running it again after the error should succeed.

Got the shell as the same user. 😢
Getting Reverse shell [Try 2 - worked]
I will try to send the nc.exe file to the victim machine.


Now run the command below to capture the reverse shell. Make sure you start the listener before doing that.

You will see the shell after some time.
