In this guide, I’ll walk you through essential Windows privilege escalation techniques, covering various methods from kernel exploits to application misconfigurations. We’ll start by setting up our lab environment and tools, then dive into specific methods for escalation.
Table of Contents
- Registry
- Insecure GUI Applications
- Scheduled Tasks
- Installed Applications
- Port Forwarding
- Startup Applications
- Conclusion
Lab Setup
For this guide, I’m using a virtual environment with Kali Linux as the attack machine and Windows 10 as the target machine. The environment is configured with default security settings, and Windows Defender was disabled to focus on learning the techniques.
![Image Placeholder: Lab Setup]
List of tools used:
| Info | |
|---|---|
| CTF name | SolarLab |
| Operating system | Windows |
| Difficulty | Medium |
| Retire date | 21 Sep 2024 |
| Points | 35 |
Description
SolarLab begins with an SMB share containing a spreadsheet of usernames and passwords. By exploiting a website that displays distinct error messages for incorrect usernames versus wrong passwords, combined with analyzing the username format, I was able to identify valid credentials.
Once logged in, I leveraged CVE-2023-33733 in the reportlab PDF generation process to achieve Remote Code Execution (RCE) and obtain a shell.
For lateral movement, to escalate privileges to the openfire user, the method takes advantage of CVE-2023-32315 in OpenFire to create a user and upload a malicious plugin for RCE.
With this access, I decrypted a password from the OpenFire configuration, which served as the administrator’s password.