Optimum Video by IppSec

Fun box, do it both with and without Metasploit. Doing it without Metasploit I use Nishang to get a Powershell Reverse Shell, Sherlock to find suitable exploits, then steal a module from Empire to privesc.

Most people were having issue's on this box with the PrivEsc. The issue is with Meterpreter not being started as 64bit. If you use a 32 bit meterpreter, migrate to switch to x64, then launch MS16-032 you will have issues. This is shown in the video.

1:38 - Go to HTTPFileServer
2:56 - Explanation of Vulnerability
4:49 - Testing the Exploit
6:25 - Getting rev tcp shell with Nishang
11:54 - Shell returned
13:15 - Finding exploits with Sherlock
15:15 - Using Empire Module without Empire for Privesc
21:00 - Start of doing the box with Metasploit
22:36 - Reverse Shell Returned (x32)
24:45 - MSF Error during PrivEsc
25:35 - Reverse Shell Returned (x64)
26:19 - Same PrivEsc as earlier, different result
28:47 - Examining how Rejetto MSF Module works with Burp

Comments

  • edited October 2017

    I think the error "Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: Access is denied" is due to not having writing privileges in the current working directory. One possibility is that the migration changed the working directory to c:\windows\system32. If you cd to another folder that error will probably go away.

  • I just used a 64 bit meterpreter payload for my initial Rejetto exploit, and that seemed to have been enough to solve the architecture problems.. Either that, or mess with injecting a different payload into an already running session. That works too, just more steps.

    likwidsec

  • Thanks @alamot that makes total sense. Didn't realize the CWD changed upon migrating.

  • edited May 2018

    I am really confused on this one.. I exploited using the 64 bit meterpreter payload but I can't seem to escalate priv with ms16_032. This one really has me scratching my head... The box has been reset over 30 times in the last couple days so maybe others are having the same issues I am.

  • Saw this at the top of the thread and thought it was new, didn't realize it was from last year. Still a great video as always, the Nishang repository was a good find I hadn't seen before (yes I live under a rock). FYI, the reason your first ping attempts appeared to work even without url-encoding was because your tcpdump command was missing ICMP, all of the messages I saw in there (feel free to correct me if I am wrong) were http messages from your burp session....just In case that was keeping you up at night :)

    Feel free to follow me on Twitter @BenGrewell for tutorials, videos and other infosec related posts.

  • I ran the both x64 and default payload type but it fails, also i tried to migrate in many process has x64 arch, its still i can't ran the module of priv. esc,
    at the final step i modified the manual exploit but also can't run it and the power Shell doesn't invoke the system.

  • Type your comment> @alamot said:

    I think the error "Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: Access is denied" is due to not having writing privileges in the current working directory. One possibility is that the migration changed the working directory to c:\windows\system32. If you cd to another folder that error will probably go away.

    thanks

    Hack The Box

Sign In to comment.