Friday, 10 January 2020

Shared Windows - quick pentest notes


Today I tried to prepare a short list of a few ‘quick paths’ to escalate in Windows - from a low-privileged user to Admin (or NT AUTHORITY\SYSTEM). Below you will find the details. Here we go...
This time I started from a quick scan of a Windows 7 VM:

As you can see, there are a few ports we can start from.

Because I wasn’t able to enumerate anything useful (without logging in first) I used the smb_login module from Metasploit to brute-force usernames and/or passwords:

My configuration looks like this:

So... after a (really long ;)) while we should be somewhere here:

As you can see it was a hard way, but we obtained a valid username as well as the password. Now we can try to (re)use it during the next step(s) of our attack.
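
The brute-force step above is exactly what a defender wants to spot in the logs. As an added example (not from the original post), the following Python flags any source that produces a burst of failed network logons; the log line format, threshold and addresses are constructed assumptions:

```python
# Added example, not from the original post. Event ID 4625 = failed logon,
# Logon Type 3 = network (SMB) logon. Log line format is a constructed assumption.
import re
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                    # failures per source before alerting (assumed)
WINDOW = timedelta(seconds=60)   # sliding window length (assumed)
LINE_RE = re.compile(r"^(\S+ \S+) EventID=(\d+) LogonType=(\d+) "
                     r"User=(\S+) Src=(\S+)$")

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, eid, lt, user, src = m.groups()
    return (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid),
            int(lt), user, src)

def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {src: (max failures seen in one window, sorted users tried)}."""
    per_src = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev and ev[1] == 4625 and ev[2] == 3:   # failed network logons only
            per_src[ev[4]].append(ev)
    alerts = {}
    for src, evs in per_src.items():
        evs.sort()                                # tuples sort by timestamp first
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1                        # slide window start forward
            count = end - start + 1
            if count >= threshold and count > alerts.get(src, (0,))[0]:
                users = sorted({e[3] for e in evs[start:end + 1]})
                alerts[src] = (count, users)
    return alerts

# Constructed sample: 10.0.0.5 guesses three accounts, 10.0.0.9 is benign noise.
SAMPLE_LOG = """\
2020-01-10 10:00:01 EventID=4625 LogonType=3 User=admin Src=10.0.0.5
2020-01-10 10:00:02 EventID=4625 LogonType=3 User=bob Src=10.0.0.5
2020-01-10 10:00:03 EventID=4625 LogonType=3 User=alice Src=10.0.0.5
2020-01-10 10:00:04 EventID=4625 LogonType=3 User=admin Src=10.0.0.5
2020-01-10 10:00:05 EventID=4625 LogonType=3 User=bob Src=10.0.0.5
2020-01-10 10:00:07 EventID=4624 LogonType=3 User=bob Src=10.0.0.5
2020-01-10 10:05:00 EventID=4625 LogonType=2 User=carol Src=10.0.0.9
2020-01-10 10:05:30 EventID=4625 LogonType=3 User=carol Src=10.0.0.9
""".splitlines()
```

Successful logons (4624) and interactive failures (Logon Type 2) are ignored, so a single alert names the guessing source and the accounts it tried.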

For example: we can now use those credentials with smbclient:

We found a few shared resources. Good. Checking:

Great, so we are able to log in as a normal (low-priv) user. Can we also find some writeable location(s)?

Sure. Any place our user is able to write to, we are able to write to as well (we are ‘the user’ ;))

So now my goal was to get a working shell. To do that I used another module from Metasploit, this time it was admin/smb/ms17_010_command:

As we can see there is an interesting parameter, called COMMAND (with a pre-defined command to use on the remote host). I changed COMMAND to something else (you’ll see the output below). Let’s try it:

Looks good. Let’s try to get an interactive shell. My first guess was to upload rottenpotato.exe ;)

At this stage I decided to:
* Upload rottenpotato.exe
* Set up smb_delivery
* Start rundll32 command via admin/smb/ms17_010_command module

Let's see:

RottenPotato.exe is uploaded; we can now prepare the smb_delivery module:

Let’s prepare another MSF window with the admin/smb/ms17_010_command module. Our new COMMAND value will be the rundll32 command prepared by smb_delivery:

I think we are ready to check it ;)

Looks like it’s done ;) And it looks like our rottenpotato is not needed this time. Well.

Let’s try a similar scenario on Windows 10 (x64):

OK, now we need a writable location. Drive C: looks good. Let’s go to the tests directory to prepare a potato...

OK, checking:

Looks like, again, there is no need to use a potato. ;)

Last verification:

So it looks like this is it ;) Maybe you'll find it useful.

See you next time!

Cheers