Granny privesc (MS14-070) WITHOUT meterpreter
Hi,
I try to pwn Granny again, without meterpreter. I'm stuck with privesc (MS14-070 : https://www.exploit-db.com/exploits/37755/).
I modify the exploit like this :
BOOL WINAPI CreateNewCmdProcess (STARTUPINFO *startupInformation, PROCESS_INFORMATION *processInformation)
{
ZeroMemory (&startupInformation[0], sizeof (STARTUPINFO));
startupInformation->cb = sizeof (STARTUPINFO);
ZeroMemory (&processInformation[0], sizeof (PROCESS_INFORMATION));
// Start the child process.
return CreateProcess (
NULL, // No module name (use command line)
//"c:\\windows\\system32\\cmd.exe /K cd c:\\windows\\system32", // Start cmd.exe
"c:\\Inetpub\\wwwroot\\revshell.exe", // Start reverse shell
NULL, // Process handle not inheritable
NULL, // Thread handle not inheritable
TRUE, // Set handle inheritance to TRUE
0, // No creation flags
NULL, // Use parent's environment block
NULL, // Use parent's starting directory
&startupInformation[0], // Pointer to STARTUPINFO structure
&processInformation[0] // Pointer to PROCESS_INFORMATION structure
);
}
When I execute this exploit from cmd.exe (or command shell from meterpreter), it spawns a reverse shell but dies just after. No matter what payload I use (meterpreter, windows_reverse_shell, ncat.exe, etc).
But, when I execute -f MS14-070.exe from meterpreter, it opens just fine.
How can I have the same behaviour than meterpreter's execute -f for cmd.exe ?
In this video, the user has the exact same problem (he finally managed to have reverse shell, but used meterpreter's execute -f command) :
Tagged:
Sign In to comment.
Quick Links
Categories
- 3.4K All Categories
- 2.4K Discussion
- 1.2K Machines
- 462 Challenges
- 20 RastaLabs
- 117 Exploits
- 34 Programming
- 547 Off-topic
- 996 Tutorials
- 553 Writeups
- 94 Video Tutorials
- 159 Tools
- 188 Other
- 27 Links
- 27 News
Comments
Hey man, I'm stucked at the same point. Did you find a way to solve it?
Message me with 1) Problem description 2) What did you try so far? 3) Your ideas about next steps
If you appreciate my help, please give me +1 respect
https://www.hackthebox.eu/home/users/profile/57582
Hi,
try this:
The issue is the /C, which closes the console as soon as the command has run, terminating any threads living in the background. /K will keep it open, along with any children it's started.
@scud78 I tried it now and it worked for me. The EoP was made in the same reverse shell.
@hackerintshell I just logged in to thank you, it works!
could you upload the binary ?
I've spent around 3 hours today fighting with this box without MSF. Like others, I'm heading toward the OSCP and am doing my best to avoid Metasploit.
It can be done. My experience was buggy, the reverse shell would time out each time in under a minute. You need the churrasco exploit. The forum keeps blocking me if I try to give any more detail.
If I've helped get you in the right direction, please give a little respect. Thanks!
Or, hodor hodor hodor hodor hodor hodor hodor hodor hodor, hodor hodor hodor hodor hodor. Hodor!
It would be really nice if you can explain the details of this change, why this is needed. It seams like it needs some kind of desktop env session?
I will give you my respect! Thanks