TryHackMe — Jr Penetration Tester | Privilege Escalation | Windows Privesc | Part 1

Aditya Sharma
3 min read · Oct 26, 2021


This is the thirteenth write-up in our series on the TryHackMe learning path Jr Penetration Tester. This chapter is Privilege Escalation: learn the fundamental techniques that will allow you to elevate account privileges on Linux and Windows systems.

The chapter contains two rooms; this write-up covers the first of them, Windows Privesc.

We will start with the room Windows Privesc: learn the fundamentals of Windows privilege escalation. From enumeration to exploitation, get hands-on with privilege escalation techniques seen in the industry today.

Task-1 Introduction

Q. Read Only

Task-2 Information Gathering

Q. Launch the target machine.

A. Read Only

Q. List users on the target system. One of them resembles a flag.

A. THM-17213

Q. What is the OS version of the target machine?

A. 10.0.17763 N/A Build 17763

Q. When was security update KB4562562 installed?

A. 6/10/2020

Q. What is the state of Windows Defender?

A. STOPPED
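The four answers above come from the usual cmd.exe one-liners (net user, systeminfo, wmic qfe, sc query). Below is an added PowerShell example, not part of the original write-up or the room, that collects the same information in one function so it can be re-run on any target. It assumes Windows PowerShell 5.1 on 64-bit Windows (for Get-LocalUser); the KB number is the one asked about in this task, and the Defender service name WinDefend is the standard one.

```powershell
# Added example (not from the original write-up): PowerShell equivalents of the
# room's Task-2 enumeration. Assumes Windows PowerShell 5.1 on 64-bit Windows.
# The KB number is the one from the task; everything else is queried live.

function Get-PrivescHostInfo {
    param(
        [string]$HotFixId = 'KB4562562',
        [string]$DefenderService = 'WinDefend'
    )

    # 1. Local users (the "net user" equivalent). A name that looks like a flag
    #    stands out here.
    $users = Get-LocalUser | Select-Object Name, Enabled, LastLogon

    # 2. OS version and build (what "systeminfo" / "ver" report).
    $os = Get-CimInstance Win32_OperatingSystem
    $osVersion = "$($os.Version) Build $($os.BuildNumber)"

    # 3. When a specific security update was installed ("wmic qfe" equivalent).
    #    Get-HotFix returns nothing rather than throwing if the KB is absent.
    $hotfix = Get-HotFix -Id $HotFixId -ErrorAction SilentlyContinue
    $hotfixInstalled = if ($hotfix) { $hotfix.InstalledOn } else { 'not installed' }

    # 4. Service state of Windows Defender ("sc query windefend" equivalent).
    $defender = Get-Service -Name $DefenderService -ErrorAction SilentlyContinue
    $defenderState = if ($defender) { $defender.Status.ToString().ToUpper() } else { 'not present' }

    [pscustomobject]@{
        Users         = $users
        OSVersion     = $osVersion
        HotFix        = $HotFixId
        HotFixDate    = $hotfixInstalled
        DefenderState = $defenderState
    }
}

# Usage: run in a shell on the target and read the fields the room asks about.
$info = Get-PrivescHostInfo
$info.Users | Format-Table -AutoSize
"OS version: $($info.OSVersion)"
"$($info.HotFix) installed on: $($info.HotFixDate)"
"Windows Defender ($($info.DefenderService)): $($info.DefenderState)"
```

A stopped Defender service matters for the later tasks: the DLL and executable you drop in Task-5 and Task-6 would otherwise be a candidate for quarantine, so check this before building a payload.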

Task-3 Tools of the trade

Q. Read Only

Task-4 Vulnerable Software

Q. What version of a Fitbit application can you see installed?

A. 2.0.1.6782

Q. What kind of vulnerability seems to affect the Fitbit application?

A. Unquoted Service Path

Q. What version of FoxitReader is installed on the target system?

A. 9.0.1.1049
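The versions above are what you then search for in exploit-db or searchsploit. As an added example (not from the original write-up or the room), the following PowerShell reads the installed-software list from the Uninstall registry keys, which is the same data "wmic product get name,version" and "Apps & features" show but faster and without triggering an MSI consistency check. The name filter for Fitbit and Foxit is an assumption matching this task; the second query cross-references installed software with running services, since an application that installs a service is the more useful target.

```powershell
# Added example (not from the original write-up): list installed software with
# versions from the Uninstall registry keys (64-bit, 32-bit and per-user views),
# then filter to names worth checking for known vulnerabilities.

function Get-InstalledSoftware {
    param([string[]]$NameFilter = @('Fitbit', 'Foxit'))   # filter assumed for this room

    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',             # 64-bit apps
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*', # 32-bit apps on 64-bit Windows
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'              # per-user installs
    )

    $apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, InstallLocation |
        Sort-Object DisplayName -Unique

    if ($NameFilter) {
        $pattern = ($NameFilter | ForEach-Object { [regex]::Escape($_) }) -join '|'
        $apps = $apps | Where-Object { $_.DisplayName -match $pattern }
    }
    $apps
}

Get-InstalledSoftware | Format-Table -AutoSize

# Cross-check against services: an application that installs a service that
# runs as LocalSystem is a better privesc target than one that only runs on
# user logon. Note the unquoted PathName of any match.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match 'Fitbit|Foxit' } |
    Select-Object Name, State, StartMode, StartName, PathName |
    Format-Table -AutoSize
```

Call Get-InstalledSoftware with no filter (pass an empty array) to dump everything when you have no hint which product to look at.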

Task-5 DLL Hijacking

Q. Replicate the example explained above on the target machine.

A. Read Only

Q. Modify the payload to change the password of the user jack

A. Read Only

Q. Login with Jack’s account (the new password you have set). What is the content of the flagdll.txt file?

A. THM-8377492093
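The hijack works because the service binary asks for a DLL by name and Windows walks a fixed search order to find it: the binary's own directory, System32, System, the Windows directory, the current directory, then each PATH entry. If the DLL is missing and you can write to a directory earlier in that list than wherever Windows would eventually find it (or nowhere at all), your DLL is the one loaded, under the service's account. As an added example (not from the original write-up or the room), the PowerShell below prints that search order for a given service and tests each directory for write access by actually creating and deleting a probe file, which is more reliable than reading icacls output. The service name dllsvc and the DLL name hijackme.dll are assumptions for this room; the "net user jack <newpassword>" command in the usage comment is the generic way to change a local user's password from a SYSTEM payload, which is what the task asks for.

```powershell
# Added example (not from the original write-up): list the DLL search order for
# a service's executable and report which directories the current user can
# write to. Service name 'dllsvc' and DLL name 'hijackme.dll' are assumptions.

function Test-WritableDirectory {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path $Path ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllText($probe, '')   # really try to create a file
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false                                # access denied (or similar)
    }
}

function Get-DllSearchOrder {
    param([Parameter(Mandatory)][string]$ServiceName)

    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found" }

    # Reduce the PathName to the executable: strip surrounding quotes and any
    # arguments after ".exe", then take its directory.
    $exe = $svc.PathName -replace '^"([^"]+)".*$', '$1'   # quoted path: keep the quoted part
    $exe = $exe -replace '^(.*?\.exe).*$', '$1'           # unquoted path: keep up to .exe
    $appDir = Split-Path -Parent $exe

    # Standard DLL search order (SafeDllSearchMode enabled, the default).
    $order = @(
        $appDir,
        "$env:SystemRoot\System32",
        "$env:SystemRoot\System",
        $env:SystemRoot,
        (Get-Location).Path
    ) + ($env:Path -split ';' | Where-Object { $_ })

    $order | Select-Object -Unique | ForEach-Object {
        [pscustomobject]@{
            Directory = $_
            Writable  = Test-WritableDirectory -Path $_
        }
    }
}

# Usage: the first writable directory in this list is where the malicious
# hijackme.dll goes (payload e.g. "net user jack <newpassword>") before the
# service is restarted. Directories are shown in the order Windows tries them.
Get-DllSearchOrder -ServiceName 'dllsvc' | Format-Table -AutoSize
```

Two caveats a practitioner will want: a writable directory only helps if it comes before the one where the real DLL lives (or the DLL is genuinely missing), and the user who drops the DLL also needs the right to restart the service (sc stop / sc start) or to wait for a reboot, otherwise the new DLL is never loaded.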

Task-6 Unquoted Service Path

Q. What is the full unquoted path of unquotedsvc?

A. C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe

Q. Go through subfolders in the unquotedsvc binary path. Which folder does the user have read and write privileges on? (Please write the whole path)

A. C:\Program Files\Unquoted Path Service\

Q. What would be the name of the executable you would place in that folder?

A. common.exe

Q. Obtain Administrator privileges on the target machine. What is the content of the flagUSP.txt file?

A. THM-636729273483
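Why "common.exe" in that folder: when a service's binary path is unquoted and contains spaces, the Service Control Manager tries each space-delimited prefix as an executable before reaching the real one. For the path in this task that means C:\Program.exe, then C:\Program Files\Unquoted.exe, then C:\Program Files\Unquoted Path.exe, then C:\Program Files\Unquoted Path Service\Common.exe, and the last of those sits in the only directory the user can write to. As an added example (not from the original write-up or the room), the PowerShell below computes that candidate list for any unquoted path, then enumerates every service on the box and runs icacls on each candidate directory, using the same heuristic the room's manual check does (Full, Modify or Write granted to the current user or a broad group). The path passed at the end is the one from this task; service names on a real target will differ.

```powershell
# Added example (not from the original write-up): find services with unquoted
# binary paths containing spaces, list the executables the Service Control
# Manager tries before reaching the real one, and check each parent directory
# with icacls for write access. The sample path at the bottom is the one from
# the write-up; everything else is queried live.

function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$PathName)

    # Keep only the executable (drop arguments after ".exe").
    $exe = $PathName -replace '^(.*?\.exe).*$', '$1'
    if ($exe -match '^"' -or $exe -notmatch ' ') { return @() }   # quoted, or no spaces: not vulnerable

    # For "C:\Program Files\A B\C D\svc.exe" the SCM tries, in order:
    #   C:\Program.exe, C:\Program Files\A.exe, C:\Program Files\A B\C.exe, ...
    $parts = $exe -split ' '
    $candidates = @()
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $prefix = $parts[0..($i - 1)] -join ' '
        $candidates += [pscustomobject]@{
            Directory  = Split-Path -Parent $prefix
            Executable = (Split-Path -Leaf $prefix) + '.exe'
            FullPath   = "$prefix.exe"
        }
    }
    $candidates
}

function Get-WritableUnquotedServices {
    # Every service whose PathName is unquoted and has a space before ".exe".
    Get-CimInstance Win32_Service |
        Where-Object {
            $_.PathName -and $_.PathName -notmatch '^"' -and
            ($_.PathName -replace '^(.*?\.exe).*$', '$1') -match ' '
        } |
        ForEach-Object {
            $svc = $_
            Get-UnquotedPathCandidates -PathName $svc.PathName | ForEach-Object {
                # icacls heuristic: Full (F), Modify (M) or Write (W) granted to
                # the current user, Everyone, Authenticated Users or BUILTIN\Users.
                $acl = & icacls $_.Directory 2>$null
                $me = [regex]::Escape($env:USERNAME)
                $writable = [bool]($acl | Select-String -Pattern "(Everyone|Authenticated Users|BUILTIN\\Users|$me).*\((F|M|W)\)")
                [pscustomobject]@{
                    Service   = $svc.Name
                    StartName = $svc.StartName     # LocalSystem is the prize
                    StartMode = $svc.StartMode
                    Directory = $_.Directory
                    DropAs    = $_.Executable
                    Writable  = $writable
                }
            }
        }
}

# The write-up's unquoted path, walked through the candidate list:
Get-UnquotedPathCandidates -PathName 'C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe' |
    Format-Table -AutoSize

# Live enumeration of every service on the target, keeping only writable drop points:
Get-WritableUnquotedServices | Where-Object Writable | Format-Table -AutoSize
```

For the path from this task the last candidate row is Common.exe under C:\Program Files\Unquoted Path Service, matching the answers above. Before dropping a payload there, confirm with sc qc unquotedsvc that the service runs as LocalSystem and check whether your user can restart it (sc stop / sc start); if not, the executable only runs after a reboot, and an auto-start service is what makes that useful. The icacls match is a heuristic: a permission granted to a group you are not a member of will show as a false positive, so fall back to simply trying to copy a file into the directory when in doubt.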

Task-7 Token Impersonation

Q. Read Only

Task-8 Quick Wins

Q. Read Only
