📑
Security Notes
  • Readme
  • Resources
    • Useful sites
    • Metasploit
      • Searchsploit
      • Msfvenom
      • Meterpreter
    • Shells
    • Linux
      • Cron
      • Connection
      • Compilers
    • Windows
      • Kernel exploits table
    • Bruteforce
      • Checklist
      • John the Ripper
      • Hashcat
    • BOF
      • Assembly
    • Gaining access checklist
  • Cloud - AWS
    • Enumeration
    • References
    • Bucket S3
      • Public Bucket
      • AMI Files
      • File upload to RCE
    • EC2
      • cloud-init Exploits
      • SSRF To AWS Role compromise
      • Unencrypted EBS
    • IAM
      • Account Disclosure by resource policy
    • Lambda Function
      • Code Injection
      • Attacking APIs
    • VPC
      • Expose Resources
  • Networking
    • Nmap
      • Scan types
    • TCPDump
    • Port forwarding
    • Ports
      • 21 - FTP
      • 22 - SSH
      • 25 465 587 - SMTP
      • 53 - DNS
      • 110 995 - POP3
      • 111 - NFS
      • 113 - Ident
      • 123 - NTP
      • 135 137 139 - RPC
      • 143 993 - IMAP
      • 161 - SNMP
      • 389 - LDAP
      • 139 445 - SMB
      • 873 - Rsync
      • 6379 - Redis
      • 6667 - IRC
  • Linux PrivEsc
    • Checklist
    • Enumeration
      • Important files
      • Memory Dump
    • Privileges Exploitation
    • Wildcard Exploits
    • Sudo Exploits
    • Docker Container
    • Docker Groups
    • Common Exploits
  • Windows PrivEsc
    • Checklist
    • Enumeration
      • Important Files
    • Antivirus evasion tools
    • Unquoted paths
    • Always install elevated
    • Vulnerable services
    • Client side
    • Exploitable privileges
      • Juicy Potato
    • UAC bypass
    • Common Exploits
  • Active Directory
    • Introduction
    • Checklist
    • Enumeration
    • Enable RDP
    • Kerberos
    • Rubeus
    • Credentials harvesting
      • Domain Controller specific
    • Connection
    • Pass The Hash
    • Kerberoast
    • ASREProast
    • Tickets
  • Web Attacks
    • Checklist
    • Enumeration
      • URL bruteforcing
    • APIs and Fields
    • Authentication
    • Filter Evasion
      • Fuzzying and encoding
    • File Vulnerabilities
      • LFI List
      • PHP shells
    • RCE
    • Code Injection
    • Dependency Injection
    • Joomla
    • Wordpress
    • WebDAV
    • HTTP
    • XSS
      • DOM Based
      • Reflected
      • Filter Evasion
    • SSI
    • SSTI
    • RCE
    • CSRF
    • SQL injection
      • sqlmap
      • PostgreSQL
      • Oracle
      • MSSQL
      • MySQL
      • Login
    • XPath injection
    • XXE
    • CORS
  • MOBILE PENTESTING
    • Static Code Analysis
    • Dynamic Code Analysis
    • Network Traffic Analysis
Powered by GitBook
On this page
  • Privilege escalation
  • KiTrap0D
  • afd.sys exploit
  • Client Copy Image (MS15-51)
  • MS16-032
  • PrintSpoofer
  • Remote code execution
  • Net Api exploit
  • Eternal Blue
  1. Windows PrivEsc

Common Exploits

Privilege escalation

KiTrap0D

Allows escalation of privileges on Windows NT/2000/2003/2008/XP/Vista/7

msf modules

exploit/windows/local/ms10_015_kitrap0d

Source code

https://www.exploit-db.com/exploits/11199

afd.sys exploit

Allows escalation of privilege on Microsoft Windows XP/2003

msf module

exploit/windows/local/ms11_080_afdjoinleaf

Source code

https://www.exploit-db.com/exploits/18176

Client Copy Image (MS15-51)

Source code

https://github.com/hfiref0x/CVE-2015-1701/archive/master.zip

Compiled executables

 #x86 exec
 https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/37049-32.exe
 #x64 exec
 https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/37049-64.exe

MS16-032

msf modules

 exploit/windows/local/ms16_032_secondary_logon_handle_privesc

Source code

https://www.exploit-db.com/exploits/39574/
#powershell
https://www.exploit-db.com/exploits/39719/
https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-MS16-032.ps1

Compiled exe

https://github.com/Meatballs1/ms16-032

PrintSpoofer

Can escalate privileges on Windows Server 2016, Windows Server 2019 and Windows 10. SeImpersonate user token is required for this exploit. Can be executed remotely by downloading the executable from here:

https://github.com/dievus/printspoofer

PrintSpoofer.exe -i -c cmd

Remote code execution

Net Api exploit

Allows remote code execution on Windows 2000 to XP SP3. Requires an open share

msf modules

exploit/windows/smb/ms08_067_netapi

Source code

https://www.exploit-db.com/exploits/40279
https://raw.githubusercontent.com/jivoi/pentest/master/exploit_win/ms08-067.py

Eternal Blue

Grants remote code execution on almost any Windows version older than 2000. Requires an open share

msf modules

auxiliary/admin/smb/ms17_010_command          MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
auxiliary/scanner/smb/smb_ms17_010            MS17-010 SMB RCE Detection
exploit/windows/smb/ms17_010_eternalblue      MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
exploit/windows/smb/ms17_010_eternalblue_win8 MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
exploit/windows/smb/ms17_010_psexec           MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

Source code

Edit the smb_pwn function in the exploit's source code to alter its execution. By default creates a file named pwned.txt in C:\ folder

https://www.exploit-db.com/exploits/42315
#mysmb.py library
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/42315.py
PreviousUAC bypassNextIntroduction

Last updated 3 years ago