Thought I would do another write-up for one of the boxes that recently retired. This was a really good Windows box to learn from. There were many ways to get a reverse shell (I found 2). What's interesting about this machine is that Windows Defender is running, which blocks executables.
The initial foothold was a tricky one. I was able to inject SQL commands from everywhere. Further to this, I was able to obtain the password by dumping NTLM hashes through the use of the xp_dirtree vulnerability. I first had to set up a fake SMB share using an impacket module, then used xp_dirtree to make the SQL server connect to that share, thus dumping the hashes.
There are many ways to evade Windows Defender; I chose a Metasploit module. The priv esc was based on starting and stopping a service called unifivideoservice: when the service is started or stopped, it runs an application called taskkill.exe from within the unifivideo directory to kill its task.
Firstly, I could see with the tool icacls that I was able to write to that directory. This is where I uploaded an executable that evaded Windows Defender. You could use things like Phantom Evasion as well, which is in the link below. I hope you guys like the video (no sound and I blazed right through it).
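As an added example (not part of the original write-up or the box's own tooling), here is a PowerShell audit for the misconfiguration behind this priv esc: services whose executable lives in a directory that low-privileged principals can write to. It assumes English group names and an elevated prompt so every service directory's ACL can be read.

```powershell
# Added example: list services whose binary directory grants write access to
# low-privileged principals. This is the condition that lets a user drop a
# replacement binary (like taskkill.exe above) that the service later runs.
# Assumes English localized group names; run from an elevated prompt.

$lowPrivPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
# Rights that allow creating or replacing files inside the directory.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, WriteData'

Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $svc = $_
    if (-not $svc.PathName) { return }

    # PathName may be quoted and carry arguments, e.g. "C:\x\y.exe" -arg or
    # C:\Windows\system32\svchost.exe -k netsvcs; recover the executable only.
    if ($svc.PathName -notmatch '^"?([^"]+?\.exe)"?') { return }
    $exe = $Matches[1]
    $dir = Split-Path -Path $exe -Parent
    if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { return }

    $acl = Get-Acl -LiteralPath $dir
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }

        # One finding per (service, principal) pair; inherited ACEs count too,
        # since they are what usually makes an application directory writable.
        [PSCustomObject]@{
            Service   = $svc.Name
            RunsAs    = $svc.StartName
            Directory = $dir
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
} | Sort-Object Service | Format-Table -AutoSize
```

Any row where RunsAs is LocalSystem is the case described above; fixing it means removing the write ACE from the directory (icacls can do that) rather than relying on Defender to catch the dropped binary.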
Click here to view my walkthrough