Vulnerable OS
Checking for OS-level vulnerabilities on the ws-3.university.htb host after the lateral movement to the martin.t user.
meterpreter > run post/multi/recon/local_exploit_suggester
[*] fe80::349:6988:18c6:65c6 - Collecting local exploits for x64/windows...
[*] fe80::349:6988:18c6:65c6 - 198 exploit checks are being tried...
[+] fe80::349:6988:18c6:65c6 - exploit/windows/local/bypassuac_comhijack: The target appears to be vulnerable.
[+] fe80::349:6988:18c6:65c6 - exploit/windows/local/bypassuac_dotnet_profiler: The target appears to be vulnerable.
[+] fe80::349:6988:18c6:65c6 - exploit/windows/local/bypassuac_sdclt: The target appears to be vulnerable.
[+] fe80::349:6988:18c6:65c6 - exploit/windows/local/bypassuac_sluihijack: The target appears to be vulnerable.
[+] fe80::349:6988:18c6:65c6 - exploit/windows/local/cve_2020_1048_printerdemon: The target appears to be vulnerable.
[+] fe80::349:6988:18c6:65c6 - exploit/windows/local/cve_2020_1337_printerdemon: The target appears to be vulnerable.
[+] fe80::349:6988:18c6:65c6 - exploit/windows/local/cve_2022_21882_win32k: The target appears to be vulnerable.
[+] fe80::349:6988:18c6:65c6 - exploit/windows/local/cve_2022_21999_spoolfool_privesc: The target appears to be vulnerable.
[+] fe80::349:6988:18c6:65c6 - exploit/windows/local/cve_2024_30088_authz_basep: The target appears to be vulnerable. Version detected: Windows Server 2016+ Build 17763
[*] Running check method for exploit 47 / 47
[*] fe80::349:6988:18c6:65c6 - Valid modules for session 2:
============================
[...REDACTED...]
Given that a meterpreter session is established, I can check for vulnerabilities using Metasploit's local exploit suggester, which reveals a handful of candidate exploits. Unfortunately, none of them turned out to be valid.
Updates
meterpreter > cat /Users/martin.t/Desktop/README.txt
Hello Professors.
We have created this note for all the users on the domain computers: WS-1, WS-2 and WS-3.
These computers have not been updated since 10/29/2023.
Since these devices are used for content evaluation purposes, they should always have the latest security updates.
So please be sure to complete your current assessments and move on to the computers "WS-4" and "WS-5".
The security team will begin working on the updates and applying new security policies early next month.
Best regards.
Help Desk team - Rose Lanosta.
The same README.txt file is present in the Desktop directory of the martin.t user, with a mention of the current system not having been updated since 10/29/2023.
PS C:\Windows\system32> wmic qfe get Caption,Description,HotFixID,InstalledOn
wmic qfe get Caption,Description,HotFixID,InstalledOn
Caption Description HotFixID InstalledOn
http://support.microsoft.com/?kbid=5020627 Update KB5020627 11/5/2022
https://support.microsoft.com/help/5019966 Security Update KB5019966 11/5/2022
Security Update KB5020374 11/5/2022
Contrary to the claim in the README.txt file, checking the hotfixes via wmic reveals that the ws-3.university.htb host has not been updated since 11/5/2022.
This gives many options to escalate privileges on the ws-3.university.htb host, as the system is two years behind the latest update.
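The manual wmic qfe check above can be turned into a repeatable patch-staleness audit for the workstations the README names. This is an added example, not code from the original writeup; it assumes Get-HotFix (a wrapper over the same Win32_QuickFixEngineering class that wmic qfe reads) is available and that the account can query each host.

```powershell
# Added example, not part of the original writeup: audit how old the newest
# installed hotfix is on each host, the check wmic qfe performed by hand above.
# Assumptions: Get-HotFix is available and the account can query the listed hosts.
# Caveat: QFE only records updates applied through component-based servicing,
# so a host can be stale in ways this check does not see (e.g. MSI-installed updates).

function Get-PatchStaleness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [int] $MaxAgeDays = 90          # flag hosts whose newest update is older than this
    )

    foreach ($computer in $ComputerName) {
        try {
            # Keep only entries with a populated InstalledOn; some rows come back null.
            $fixes = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                     Where-Object { $_.InstalledOn }
        }
        catch {
            [pscustomobject]@{
                Computer = $computer; LatestHotFix = $null; InstalledOn = $null
                AgeDays = $null; Status = "ERROR: $($_.Exception.Message)"
            }
            continue
        }

        $latest = $fixes | Sort-Object InstalledOn -Descending | Select-Object -First 1
        if (-not $latest) {
            $age = $null; $status = 'NO DATED HOTFIXES'
        }
        else {
            $age    = [int]((Get-Date) - $latest.InstalledOn).TotalDays
            $status = if ($age -gt $MaxAgeDays) { 'STALE' } else { 'OK' }
        }

        [pscustomobject]@{
            Computer     = $computer
            LatestHotFix = $latest.HotFixID
            InstalledOn  = $latest.InstalledOn
            AgeDays      = $age
            Status       = $status
        }
    }
}

# Constructed sample run against the workstations named in the README above.
Get-PatchStaleness -ComputerName 'WS-1', 'WS-2', 'ws-3.university.htb' |
    Format-Table -AutoSize
```

A host whose newest hotfix is dated 11/5/2022, as ws-3 is above, reports STALE with an AgeDays value well past any sane threshold, which is the signal a patch-compliance check should raise long before an attacker does.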