Local privilege escalation with a standalone tool

As discussed earlier, Exploit-db is a great place to get standalone tools for various vulnerabilities. The most important point about using Exploit-db is that it is a trusted source for these tools. Exploit-db is run by our friends at Offensive Security, who bring you Kali Linux. All exploits found there have been vetted to perform as expected and not to do any damage beyond what is described. The database is also included locally in Kali, with all exploits stored under /usr/share/exploitdb. Kali also includes a search tool, searchsploit, to find the locally-stored tool you need, and there is a built-in link to the Exploit-db website in IceWeasel.

To use the information locally on Kali to find a local privilege escalation tool, run the following command:

searchsploit "local privilege escalation"

We get a list, as seen here:

[Figure: searchsploit results for "local privilege escalation"]

In this demonstration, we are going to use an exploit that has been used as a zero-day attack against a nation state in the past. This tool was part of a package to exploit systems through an infected PDF file. The PDF exploited an Adobe vulnerability, which then allowed this code to run and gain privilege escalation on the machine. It exploits the Windows vulnerability MS15-051, which allows local privilege escalation through the kernel-mode drivers. To find this using searchsploit, run the following command:

searchsploit ms15-051
[Figure: searchsploit results for ms15-051]

Let's look at the file:

cat /usr/share/exploitdb/platforms/windows/local/37049.txt
[Figure: contents of 37049.txt]
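The searchsploit lookups above work by matching your terms against the local Exploit-DB index and resolving each hit to a file under /usr/share/exploitdb. The following Python is an added illustration of that lookup (it is not searchsploit's own code). It assumes the classic files.csv layout with the header `id,file,description,date,author,platform,type,port`; the three-row index embedded here is constructed for the example, with only the path for entry 37049 taken from this section.

```python
"""Search a local Exploit-DB style index the way searchsploit does:
every search term must appear in the title (case-insensitive), and
optional platform/type filters narrow the list. Added illustration,
not searchsploit's own implementation."""
import csv
import io
import posixpath

# Location of the Kali copy of the database (as described in the text).
EXPLOITDB_ROOT = "/usr/share/exploitdb"

# Constructed sample index in the assumed classic files.csv layout.
# Dates and authors are placeholders, not real Exploit-DB metadata.
SAMPLE_INDEX = """id,file,description,date,author,platform,type,port
37049,platforms/windows/local/37049.txt,"Microsoft Windows - Local Privilege Escalation (MS15-051)",sample-date,sample-author,windows,local,0
11111,platforms/linux/local/11111.c,"Sample Linux Kernel - Local Privilege Escalation (constructed)",sample-date,sample-author,linux,local,0
22222,platforms/windows/remote/22222.py,"Sample Service - Remote Code Execution (constructed)",sample-date,sample-author,windows,remote,80
"""


def load_index(path):
    """Read a real index file from disk (e.g. EXPLOITDB_ROOT + '/files.csv')."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def search_index(index_text, *terms, platform=None, exploit_type=None,
                 root=EXPLOITDB_ROOT):
    """Return matching entries as dicts with id, title and resolved path.

    All terms must occur in the description (AND-match, like searchsploit);
    platform and exploit_type, when given, must match the CSV columns exactly.
    """
    wanted = [t.lower() for t in terms]
    hits = []
    for row in csv.DictReader(io.StringIO(index_text)):
        title = row["description"].lower()
        if not all(t in title for t in wanted):
            continue
        if platform is not None and row["platform"] != platform:
            continue
        if exploit_type is not None and row["type"] != exploit_type:
            continue
        hits.append({
            "id": row["id"],
            "title": row["description"],
            "platform": row["platform"],
            "type": row["type"],
            "path": posixpath.join(root, row["file"]),
        })
    return hits


if __name__ == "__main__":
    # Mirrors: searchsploit "local privilege escalation"
    for hit in search_index(SAMPLE_INDEX, "local privilege escalation"):
        print(f'{hit["id"]:>6}  {hit["title"]}\n        {hit["path"]}')
    # Mirrors: searchsploit ms15-051
    for hit in search_index(SAMPLE_INDEX, "ms15-051"):
        print(f'{hit["id"]:>6}  {hit["title"]}\n        {hit["path"]}')
```

The resolved path for entry 37049 is exactly the one passed to `cat` above, which is how you go from a searchsploit hit to the file to read.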

For this exploit, there is a pre-built executable to download. Note that there are two builds: one for 32-bit and one for 64-bit. Choose accordingly and download the file. For our use here, we are going to use the 32-bit file. Once downloaded, move the file to /var/www and start Apache with the following command:

service apache2 start

Be sure to shut down the service when you complete the transfer by using the following command:

service apache2 stop

Using the normal user account that we compromised earlier, we log in as rred. Then we connect to the web service on our attacking machine and download our file:

[Figure: downloading the exploit from the attacking machine's web server]

Once the file is downloaded, open a PowerShell window. When we run the command whoami, we see the user is lab1\red:

[Figure: whoami output showing the low-privilege user]

Move into the directory where the file was downloaded; here, it is the Downloads directory. Once in the directory, run the following command:

Taihou32.exe
[Figure: running Taihou32.exe from the Downloads directory]

When the exploit runs, we get a command-line window with a running prompt. By running the whoami command again in this window, we can see we are running as nt authority\system, the highest level of privilege, even higher than the Administrator account. From this window, we have full control over the system to do as we like.
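From the defender's side, the telltale shape of what just happened is a process launched from a user's Downloads folder, running as a normal user, whose child (the new command window) runs as NT AUTHORITY\SYSTEM. The following Python is an added detection illustration, not part of this book or the exploit package: it walks a small set of process-creation records and flags exactly that parent/child privilege jump. The records are constructed here in a simplified Sysmon-like shape (pid, parent pid, image, user) and the usernames and paths mirror this section's lab; the field names and the `USER_WRITABLE` pattern are assumptions of the example.

```python
"""Flag process-creation events where a SYSTEM-level child is spawned by a
parent that ran as an ordinary user, which is what a successful local
privilege escalation like the one above looks like in endpoint telemetry.
Added detection example; the events below are constructed, not real logs."""
import re

# Constructed process-creation records (simplified Sysmon Event ID 1 fields).
EVENTS = [
    {"pid": 4012, "ppid": 3300, "image": r"C:\Windows\explorer.exe",
     "user": r"lab1\red"},
    {"pid": 4100, "ppid": 4012, "image": r"C:\Users\red\Downloads\Taihou32.exe",
     "user": r"lab1\red"},
    {"pid": 4180, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "user": r"NT AUTHORITY\SYSTEM"},
    # Normal service activity: SYSTEM spawning SYSTEM is expected and must not fire.
    {"pid": 5000, "ppid": 800, "image": r"C:\Windows\System32\svchost.exe",
     "user": r"NT AUTHORITY\SYSTEM"},
]

# Accounts treated as fully privileged (compared case-insensitively).
HIGH_PRIV = {r"nt authority\system"}

# Assumed heuristic: binaries living in a user's Downloads or AppData tree.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(downloads|appdata)\\", re.I)


def find_escalations(events):
    """Return one finding per SYSTEM child whose parent ran as a non-SYSTEM user.

    Each finding records the child, the parent, and a list of indicators that
    raise confidence (currently: parent image in a user-writable location).
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for child in events:
        if child["user"].lower() not in HIGH_PRIV:
            continue
        parent = by_pid.get(child["ppid"])
        if parent is None or parent["user"].lower() in HIGH_PRIV:
            # No parent record, or SYSTEM -> SYSTEM: not a privilege jump.
            continue
        indicators = []
        if USER_WRITABLE.match(parent["image"]):
            indicators.append("parent image in user-writable directory")
        findings.append({
            "child_pid": child["pid"],
            "child_image": child["image"],
            "child_user": child["user"],
            "parent_pid": parent["pid"],
            "parent_image": parent["image"],
            "parent_user": parent["user"],
            "indicators": indicators,
        })
    return findings


if __name__ == "__main__":
    for f in find_escalations(EVENTS):
        print(f'[!] pid {f["parent_pid"]} ({f["parent_user"]}) {f["parent_image"]}')
        print(f'    -> pid {f["child_pid"]} ({f["child_user"]}) {f["child_image"]}')
        for ind in f["indicators"]:
            print(f"    indicator: {ind}")
```

The key design choice is to key on the token change between parent and child rather than on any file name: a patched host never produces a SYSTEM child from a user-context parent in this way, so the rule stays useful whatever the exploit binary is called. Real Sysmon data only carries the parent's user in newer versions, so on older collectors you would join the parent's own creation event to get its user, as the `by_pid` lookup does here.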
