Category Archives: Privilege Escalation

Privilege Escalation in windows xp using metasploit
03 Jan

In my last post I explained how to get admin privileges in Windows 7 after a successful hack; compared to that, it is even easier in Windows XP. The picture below was taken when I successfully gained access using a payload created by me. To create your own payload, visit my previous post, create a payload in […]

30 Dec

Changing a normal user's privileges to administrator on Linux

How can a newly created user (for example aaa) have their privileges changed to administrator privileges?

1. Add the user. First add a normal user with the adduser command, as follows:
#adduser tommy //add a user named tommy
#passwd tommy //set the password
Changing password for user tommy.
New UNIX password: //enter the new password here
Retype new UNIX password: //enter the new password again
passwd: all authentication tokens updated successfully.

2. Edit the /etc/sudoers file, find the following line, and add a line below the root entry, as shown:
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
tommy ALL=(ALL) ALL
Once the change is made, you can log in with the tommy account and then use the command su - to obtain root privileges.

Other answers:
Change the ID of user aaa in the /etc/passwd file to 0, for example 0:0

30 Dec

Windows Privilege Escalation

Automation
windows-privesc-check – Windows Privilege Escalation Scanner

Remote
MS08-067/CVE-2008-4250 2K/XP/2K3 MS08-067 NetAPI bindshell
MS15-134/CVE-2015-6131 Microsoft Windows Media Center Library Parsing RCE Vulnerability aka "self-executing" MCL File
MS16-059/CVE-2016-0185 Microsoft Windows Media Center .MCL File Processing Remote Code Execution (MS16-059)

Local
MS10-015/CVE-2010-0232 Windows NT/2K/XP/2K3/VISTA/2K8/7 x32 ONLY – NtVdmControl()->KiTrap0d local ring0 exploit
MS11-046/CVE-2011-1249 – Windows x86 (all versions) Afd.sys Privilege Escalation Exploit. MS11-046 – the SYSTEM shell will […]

MS11-080: Privilege Escalation (Windows)
30 Dec

So, I’ve been neglecting this blog lately, while attending the Pentesting with BackTrack course and now studying for my Offensive Security Certified Professional exam. In preparation for the exam, I figured I would start looking for some local privilege escalation exploits. So, I went to the old faithful exploit-db.com and found MS11-080 Afd.sys Privilege Escalation Exploit, which exploits MS11-080. […]

30 Dec

Windows Privilege Escalation – a cheatsheet

This is a work in progress. Additions, suggestions and constructive feedback are welcome. The purpose of these cheatsheets is, essentially, to save time during an attack and study session.

Stored credentials
Search for credentials within:
c:\unattend.xml
Unattend credentials are stored in base64 and can be decoded manually with base64 (the string must be piped in, since base64 -d otherwise treats its argument as a filename):
user@host $ echo cABhAHMAcwB3AG8AcgBkAFAAYQBzAHMAdwBvAHIAZAA= | base64 -d
Metasploit Framework […]

30 Dec

Privilege Escalation – Metasploit

Frequently, especially with client side exploits, you will find that your session only has limited user rights. This can severely limit actions you can perform on the remote system such as dumping passwords, manipulating the registry, installing backdoors, etc. Fortunately, Metasploit has a Meterpreter script, ‘getsystem’, that will use a number of different techniques to attempt […]

30 Dec

Windows privilege escalation exploit

Hi, I'm having trouble with exploit/windows/local/ms14_058_track_popup_menu. Here is some info:
meterpreter > sysinfo
Computer : WORKSTATION1
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Meterpreter : x64/win64
meterpreter > getuid
Server username: CONTOSO\allenbrewer
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect.
msf > use […]

29 Dec

LinEnum.sh

#!/bin/bash
#A script to enumerate local information from a Linux host
v="version 0.6" #@rebootuser

#help function
usage () {
echo -e "\n\e[00;31m#########################################################\e[00m"
echo -e "\e[00;31m#\e[00m" "\e[00;33mLocal Linux Enumeration & Privilege Escalation Script\e[00m" "\e[00;31m#\e[00m"
echo -e "\e[00;31m#########################################################\e[00m"
echo -e "\e[00;33m# www.rebootuser.com | @rebootuser \e[00m"
echo -e "\e[00;33m# $v\e[00m\n"
echo -e "\e[00;33m# Example: ./LinEnum.sh -k keyword -r […]

29 Dec

MS11-080 AfdJoinLeaf Privilege Escalation

This module exploits a flaw in the AfdJoinLeaf function of the afd.sys driver to overwrite data in kernel space. An address within the HalDispatchTable is overwritten and when triggered with a call to NtQueryIntervalProfile will execute shellcode. This module will elevate itself to SYSTEM, then inject the payload into another SYSTEM process before restoring its […]
