Privilege Escalation on Windows using CVE-2017-0213

SOURCE:
You can gain admin privileges using the CVE-2017-0213 utility, downloaded from:
x86
x64
CVE-2017-0213 is a Windows COM elevation-of-privilege bug that Microsoft fixed in the May 2017 security updates, so the utility only works on hosts that are missing that update; check the host's installed updates before trying it.

Affected Products (product and version)
-Windows 10
-Windows 10 1511
-Windows 10 1607
-Windows 10 1703
-Windows 7 SP1
-Windows 8.1
-Windows RT 8.1
-Windows Server 2008 SP2
-Windows Server 2008 R2 SP1
-Windows Server 2012
-Windows Server 2012 R2
-Windows Server 2016
STEPS
-log in as a standard user
-run cmd
> net user
at this point you still have standard privileges
-try to change the local administrator password
> net user administrator 1qaz)OKM
Access is denied
-download the CVE-2017-0213 utility above, unzip it and run it
The moment you double-click it, it opens a new command prompt running with administrator privileges
-change the local administrator password again from that prompt
> net user administrator 1qaz)OKM
The command completed successfully
Tested by me on Windows 7 SP1

Upgrade ESXi 6.0 to 6.5

METHOD1 via CLI Offline
SOURCE:
-download VMware-ESXi-6.5.0-4564106-depot.zip from https://my.vmware.com/group/vmware/get-download?downloadGroup=ESXI650 and compare its checksum with the one published on the download page before copying it anywhere
-enable SSH on the ESXi host
-scp VMware-ESXi-6.5.0-4564106-depot.zip into /tmp on the host
-shut down all VMs running on the host, put the host into maintenance mode, then connect to it via SSH
# cd /tmp
# esxcli software profile update -p ESXi-6.5.0-4564106-standard -d /tmp/VMware-ESXi-6.5.0-4564106-depot.zip

# reboot

METHOD2 via CLI Online
SOURCE:
https://www.vladan.fr/how-to-upgrade-esxi-6-0-to-6-5-via-cli-on-line/
-enable SSH on the ESXi host
-shut down all VMs running on the host, put the host into maintenance mode, then connect to it via SSH
# cd /tmp
# esxcli network firewall ruleset set -e true -r httpClient
# esxcli software sources profile list -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml | grep -i ESXi-6.5
# esxcli software profile update -p ESXi-6.5.0-4564106-no-tools -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
# reboot
NOTE: the httpClient ruleset opens outbound HTTP/HTTPS from the host; disable it again after the reboot (same command with -e false) unless you need it. profile update verifies the VIB signatures from the depot by default, so do not add --no-sig-check. The -no-tools profile omits the bundled VMware Tools ISOs; pick the -standard profile from the list if you want them.
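The two CLI methods above, wrapped with the checks a practitioner wants before touching a hypervisor: an integrity check of the offline bundle against the checksum VMware publishes, a refusal to run unless the host is in maintenance mode, and an esxcli dry run before the real update. This is an added example, not code from the page or from VMware; the expected SHA256 is assumed to be copied from the download page, and ESXCLI can be overridden for testing.

```shell
#!/bin/sh
# Added example (not from the page or VMware): gate an ESXi profile upgrade behind an
# integrity check, a maintenance-mode check and an esxcli dry run. Assumptions: the
# expected SHA256 is copied from the VMware download page; ESXCLI can be overridden.
set -e

ESXCLI="${ESXCLI:-esxcli}"

# sha256_of <file>: hex digest only (GNU coreutils and BusyBox both print "hash  file").
sha256_of() {
    sha256sum "$1" 2>/dev/null | awk '{print $1}'
}

# verify_depot <bundle.zip> <expected_sha256>: 0 on match, 1 on mismatch or missing file.
verify_depot() {
    actual=$(sha256_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# profile_from_depot <bundle.zip>: the -standard profile name shipped in the bundle,
# e.g. VMware-ESXi-6.5.0-4564106-depot.zip -> ESXi-6.5.0-4564106-standard
profile_from_depot() {
    base=$(basename "$1" .zip)
    base=${base#VMware-}
    base=${base%-depot}
    printf '%s-standard\n' "$base"
}

# require_maintenance_mode: refuse to touch a host that may still be running VMs.
require_maintenance_mode() {
    if [ "$("$ESXCLI" system maintenanceMode get)" != "Enabled" ]; then
        echo "host is not in maintenance mode; aborting" >&2
        return 1
    fi
}

# offline_upgrade <bundle.zip> <expected_sha256>: Method 1 with the checks above.
# The dry run lists the VIBs that would change without modifying the host.
offline_upgrade() {
    verify_depot "$1" "$2" || { echo "checksum mismatch for $1; refusing to install" >&2; return 1; }
    require_maintenance_mode || return 1
    profile=$(profile_from_depot "$1")
    "$ESXCLI" software profile update -p "$profile" -d "$1" --dry-run
    "$ESXCLI" software profile update -p "$profile" -d "$1"
}

# online_upgrade <profile> <depot_url>: Method 2, opening outbound HTTP only for the
# duration of the update and closing it again whether or not the update succeeded.
online_upgrade() {
    require_maintenance_mode || return 1
    "$ESXCLI" network firewall ruleset set -e true -r httpClient
    if "$ESXCLI" software profile update -p "$1" -d "$2" --dry-run &&
       "$ESXCLI" software profile update -p "$1" -d "$2"; then rc=0; else rc=$?; fi
    "$ESXCLI" network firewall ruleset set -e false -r httpClient
    return $rc
}

# Usage on the host, after the VMs are powered off:
#   esxcli system maintenanceMode set -e true
#   offline_upgrade /tmp/VMware-ESXi-6.5.0-4564106-depot.zip <sha256 from the download page>
#   reboot
```

The checksum is compared case-insensitively because VMware's download page shows hashes in either case; a missing file fails the check rather than matching an empty digest.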

METHOD3 via ISO
SOURCE:
https://www.vladan.fr/how-to-upgrade-esxi-6-0-to-6-5-via-iso/
-download the ESXi ISO from https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/6_5
-burn the ISO to a CD
-set the BIOS to boot from CD
-reboot the ESXi host
-on boot select "Upgrade ESXi, preserve VMFS datastore"

METHOD4 via USB media
SOURCE:
https://www.vladan.fr/how-to-create-a-usb-media-with-esxi-6-5-installation/
-download the ESXi ISO from https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/6_5
-download and install YUMI (alternatives: Rufus, UNetbootin)
-run YUMI and write the ISO to a USB stick
-set the BIOS to boot from USB
-reboot the ESXi host
-on boot select "Upgrade ESXi, preserve VMFS datastore"

METHOD5 via Update Manager
SOURCE:
https://www.vladan.fr/how-to-upgrade-a-esxi-6-0-to-esxi-6-5-via-vmware-update-manager/


-update ESXi to the latest patches
METHOD1: CLI Offline
-download the latest ESXi patch bundle from https://my.vmware.com/web/vmware/details?downloadGroup=ESXI650D&productId=646&rPId=15839
-scp ESXi650-201704001.zip into /vmfs/volumes// on the host
# esxcli software vib update -d /vmfs/volumes//ESXi650-201704001.zip

METHOD2: CLI Online
# esxcli network firewall ruleset set -e true -r httpClient
# esxcli software profile install -p ESXi-6.5.0-20170404001-standard -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
NOTE: profile install replaces the host's whole VIB set with the profile's contents and removes any third-party VIBs (vendor drivers, CIM providers) that are not in the profile; profile update only upgrades the VIBs the profile supersedes and leaves the rest in place, so prefer update on hosts with vendor add-ons. Disable the httpClient ruleset again afterwards (same command with -e false).
-enable nested hypervisor (host-wide: /etc/vmware/config applies to every VM on the host)
# echo 'vhv.enable = "TRUE"' >> /etc/vmware/config

-enable copy/paste between the guest and the client (host-wide, for every VM on the host)
# vi /etc/vmware/config
add these lines
vmx.fullpath = "/bin/vmx"
isolation.tools.copy.disable = "FALSE"
isolation.tools.paste.disable = "FALSE"
NOTE: copy/paste is disabled by default as a guest-isolation control and vSphere's hardening guidance is to leave it that way, so on anything but a lab host set these keys per VM in that VM's .vmx rather than in the host-wide config.
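The two edits above (vhv.enable and the isolation.tools keys) both append to /etc/vmware/config with echo or vi, which duplicates keys when repeated and leaves no way to see which VMs have had isolation weakened. The following is an added example, not code from the page or from VMware: an idempotent setter/getter for key = "value" files (the host-wide config or a per-VM .vmx) plus an audit that reports every file where copy/paste isolation has been turned off. It assumes keys contain only letters, digits and dots and values contain no '&' or '|'.

```shell
#!/bin/sh
# Added example (not from the page or VMware): idempotent edits and an isolation audit
# for key = "value" files such as /etc/vmware/config (host-wide) or a VM's .vmx (per VM).
# Assumptions: keys contain only letters, digits and dots; values contain no '&' or '|'.

# vmx_set <file> <key> <value>: replace an existing "key = ..." line or append one,
# so running it twice does not duplicate the entry (unlike echo >> in the steps above).
vmx_set() {
    f=$1; k=$2; v=$3
    esc=$(printf '%s' "$k" | sed 's/[.]/\\./g')
    if grep -q "^$esc[[:space:]]*=" "$f" 2>/dev/null; then
        sed "s|^$esc[[:space:]]*=.*|$k = \"$v\"|" "$f" > "$f.tmp.$$" && mv "$f.tmp.$$" "$f"
    else
        printf '%s = "%s"\n' "$k" "$v" >> "$f"
    fi
}

# vmx_get <file> <key>: print the value without quotes; empty if the key is absent.
vmx_get() {
    esc=$(printf '%s' "$2" | sed 's/[.]/\\./g')
    sed -n 's|^'"$esc"'[[:space:]]*=[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}.*|\1|p' "$1" 2>/dev/null | tail -n 1
}

# vmx_isolation_ok <file>: 0 if guest copy/paste isolation is still in force, 1 if either
# key has been set to FALSE. Absent keys count as hardened: ESXi disables both by default.
vmx_isolation_ok() {
    ok=0
    for k in isolation.tools.copy.disable isolation.tools.paste.disable; do
        v=$(vmx_get "$1" "$k" | tr 'a-z' 'A-Z')
        if [ "$v" = "FALSE" ]; then
            echo "$1: $k = FALSE (copy/paste isolation disabled)" >&2
            ok=1
        fi
    done
    return $ok
}

# audit_host: report the host-wide config and every VM's .vmx on the datastores
# (path layout assumed: /vmfs/volumes/<datastore>/<vm>/<vm>.vmx). Returns 1 if any is weak.
audit_host() {
    weak=0
    for f in /etc/vmware/config /vmfs/volumes/*/*/*.vmx; do
        [ -f "$f" ] || continue
        vmx_isolation_ok "$f" || weak=1
    done
    return $weak
}

# Usage on the host:
#   vmx_set /vmfs/volumes/datastore1/lab-vm/lab-vm.vmx isolation.tools.copy.disable FALSE
#   audit_host
```

Setting the keys per VM with vmx_set keeps the exception scoped to the one machine that needs it; audit_host is what you run afterwards, and again before the host leaves the lab, to find every file that still carries the weakened setting.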

-install VMware Host Client
go to https://labs.vmware.com/flings/esxi-embedded-host-client#instructions
download esxui-signed-5214684.vib and scp it into /tmp
# esxcli software vib install -v /tmp/esxui-signed-5214684.vib

-install VMware Remote Console
go to https://labs.vmware.com/flings/esxi-embedded-host-client#instructions
download the VMRC VIBs and scp them into /tmp
VMware-Remote-Console-9.0.0-Linux.vib
VMware-Remote-Console-9.0.0-MacOS.vib
VMware-Remote-Console-9.0.0-Windows.vib

# esxcli software vib install -v /tmp/VMware-Remote-Console-9.0.0-Linux.vib
# esxcli software vib install -v /tmp/VMware-Remote-Console-9.0.0-MacOS.vib
# esxcli software vib install -v /tmp/VMware-Remote-Console-9.0.0-Windows.vib
NOTE: vib update only upgrades VIBs that are already installed and skips new ones, so use install for a first installation. The flings ship signed VIBs that pass esxcli's default signature check; there is no reason to add --no-sig-check.

Now you can access ESXi with a browser at https://esxserverip/ui

Merge a split disk into a single disk

SOURCE: https://vmexpo.wordpress.com/2014/04/15/how-to-merge-multiple-vmdks-into-single-vmdk/comment-page-1/

Sometimes you get an OVA with multiple split disks. But I still prefer one big disk because it is easier to back up.

Here is how to do that with VMware Workstation

-cd to your VM's disk location
c:\>cd C:\Users\user1\Documents\Virtual Machines\OWASP
>dir
07-Apr-17  11:28 AM    <DIR>          .
07-Apr-17  11:28 AM    <DIR>          ..
03-Aug-15  10:58 AM     1,774,780,416 OWASP Broken Web Apps-cl1-s001.vmdk
03-Aug-15  10:58 AM     1,603,600,384 OWASP Broken Web Apps-cl1-s002.vmdk
03-Aug-15  10:58 AM     1,806,696,448 OWASP Broken Web Apps-cl1-s003.vmdk
03-Aug-15  10:58 AM     1,135,149,056 OWASP Broken Web Apps-cl1-s004.vmdk
03-Aug-15  10:58 AM            65,536 OWASP Broken Web Apps-cl1-s005.vmdk
03-Aug-15  08:47 AM               780 OWASP Broken Web Apps-cl1.vmdk
03-Aug-15  10:54 AM             8,684 OWASP Broken Web Apps.nvram
31-Jul-15  10:25 AM                79 OWASP Broken Web Apps.vmsd
03-Aug-15  10:54 AM             1,582 OWASP Broken Web Apps.vmx
06-May-15  09:30 AM               276 OWASP Broken Web Apps.vmxf
03-Aug-15  10:44 AM             8,306 owaspbwa-release-notes.txt
              11 File(s)  6,320,311,547 bytes
               2 Dir(s)  385,078,714,368 bytes free

>"C:\Program Files (x86)\VMware\VMware Workstation\vmware-vdiskmanager.exe" -r "OWASP Broken Web Apps-cl1.vmdk" -t 0 OWASP.vmdk
Creating disk 'OWASP.vmdk'
-t 0 produces a single growable disk. -r writes a new file and leaves the VM's configuration untouched, so point the VM at OWASP.vmdk (VM Settings / Hard Disk) and boot it once before deleting the -s00N.vmdk split files.

Proxmox Import/Export OVA

Import from OVA
NOTE:
-the disk must be a single file, not split

-scp the OVA into /tmp. In my case I am using dsl-4-4-10.ova
# cd /tmp
# tar xf dsl-4-4-10.ova
# qemu-img convert -f vmdk DSL-4.4.10-disk1.vmdk -O qcow2 DSL-4.4.10.qcow2
-check the dsl-4-4-10.ova configuration
# cat DSL-4.4.10.ovf | grep -e "Memory RAMSize" -e "CPU count" -e "Netw" -e "Disk"
What I found was only the disk size and NIC quantity. The rest should be default
-create an empty VM with 1 NIC. The disk size can be the smallest available because I will overwrite it later. The disk type can be vmdk or qcow2
# cp DSL-4.4.10.qcow2 /var/lib/vz/images/100/vm-100-disk-1.qcow2
-start the VM in Proxmox
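An OVA is a tarball, and the tar/convert/cp sequence above trusts whatever was inside it. The following is an added example, not code from the page or from Proxmox: it verifies the OVA's .mf manifest digests before converting the disk (an OVA from a download site or a lab share is untrusted input), and it reads the hardware items out of the OVF instead of grepping for strings by eye. It assumes the OVF 1.x layout (one .ovf, one .mf listing "SHAn(file)= hex" lines, vmdk disks, no spaces in file names); the sample OVF is constructed, and qemu-img is only needed by ova_to_qcow2.

```shell
#!/bin/sh
# Added example, not from the page or from Proxmox: check an OVA before importing it the
# way the steps above do, and read its hardware items instead of grepping the OVF by eye.
# Assumptions: OVF 1.x layout (one .ovf, one .mf listing "SHAn(file)= hex", vmdk disks);
# manifest file names contain no spaces; qemu-img is only needed by ova_to_qcow2.

# ova_verify_manifest <dir>: recompute every digest in the .mf and compare. Returns 1 if
# the manifest is missing, names a digest we cannot compute, or any file differs.
ova_verify_manifest() {
    dir=$1
    mf=$(ls "$dir"/*.mf 2>/dev/null | head -n 1)
    [ -n "$mf" ] || { echo "no manifest in $dir" >&2; return 1; }
    bad=0
    while read -r algo name expected; do
        [ -n "$algo" ] || continue
        case $algo in
            SHA1)   actual=$(sha1sum   "$dir/$name" 2>/dev/null | awk '{print $1}') ;;
            SHA256) actual=$(sha256sum "$dir/$name" 2>/dev/null | awk '{print $1}') ;;
            SHA512) actual=$(sha512sum "$dir/$name" 2>/dev/null | awk '{print $1}') ;;
            *) echo "unsupported digest $algo for $name" >&2; bad=1; continue ;;
        esac
        if [ -z "$actual" ] || [ "$actual" != "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]; then
            echo "digest mismatch: $name" >&2
            bad=1
        fi
    done <<EOF
$(sed -n 's/^\(SHA[0-9]*\)(\(.*\))= *\([0-9A-Fa-f]*\)$/\1 \2 \3/p' "$mf")
EOF
    return $bad
}

# ovf_quantity <file.ovf> <ResourceType>: sum of VirtualQuantity over <Item>s of that
# type. OVF ResourceType 3 = CPU count, 4 = memory (MB by default), 10 = NIC, 17 = disk.
ovf_quantity() {
    awk -v rt="$2" 'BEGIN { RS = "</Item>"; total = 0 }
        match($0, /<rasd:ResourceType>[0-9]+</) {
            if (substr($0, RSTART + 19, RLENGTH - 20) == rt &&
                match($0, /<rasd:VirtualQuantity>[0-9]+</))
                total += substr($0, RSTART + 22, RLENGTH - 23)
        }
        END { print total + 0 }' "$1"
}

# ovf_count <file.ovf> <ResourceType>: number of <Item>s of that type (NICs carry no quantity).
ovf_count() {
    awk -v rt="$2" 'BEGIN { RS = "</Item>"; n = 0 }
        match($0, /<rasd:ResourceType>[0-9]+</) {
            if (substr($0, RSTART + 19, RLENGTH - 20) == rt) n++
        }
        END { print n }' "$1"
}

# ovf_disk_capacity <file.ovf>: "<capacity> <units>" per <Disk>, assuming the VMware
# attribute order ovf:capacity before ovf:capacityAllocationUnits.
ovf_disk_capacity() {
    tr -d '\n\r' < "$1" | grep -o '<Disk [^>]*>' |
        sed -n 's/.*ovf:capacity="\([^"]*\)".*ovf:capacityAllocationUnits="\([^"]*\)".*/\1 \2/p'
}

# ova_to_qcow2 <file.ova> <workdir> <out.qcow2>: unpack, verify, convert the first vmdk.
# Refuses to convert anything whose manifest does not check out.
ova_to_qcow2() {
    mkdir -p "$2" && tar -xf "$1" -C "$2" || return 1
    ova_verify_manifest "$2" || return 1
    vmdk=$(ls "$2"/*.vmdk | head -n 1)
    qemu-img convert -f vmdk "$vmdk" -O qcow2 "$3"
}

# write_sample_ovf <file>: a constructed minimal OVF (1 vCPU, 512 MB, 1 NIC, one 4 GiB disk).
write_sample_ovf() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1" xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1"
  xmlns:rasd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData">
  <DiskSection>
    <Disk ovf:capacity="4" ovf:capacityAllocationUnits="byte * 2^30" ovf:diskId="vmdisk1" ovf:fileRef="file1"/>
  </DiskSection>
  <VirtualSystem ovf:id="DSL">
    <VirtualHardwareSection>
      <Item><rasd:ResourceType>3</rasd:ResourceType><rasd:VirtualQuantity>1</rasd:VirtualQuantity></Item>
      <Item><rasd:AllocationUnits>byte * 2^20</rasd:AllocationUnits><rasd:ResourceType>4</rasd:ResourceType><rasd:VirtualQuantity>512</rasd:VirtualQuantity></Item>
      <Item><rasd:ResourceType>10</rasd:ResourceType><rasd:Connection>VM Network</rasd:Connection></Item>
      <Item><rasd:ResourceType>17</rasd:ResourceType><rasd:HostResource>ovf:/disk/vmdisk1</rasd:HostResource></Item>
    </VirtualHardwareSection>
  </VirtualSystem>
</Envelope>
EOF
}
```

With the sample OVF, ovf_quantity reports 1 vCPU and 512 MB, ovf_count reports one NIC and ovf_disk_capacity reports "4 byte * 2^30", which is exactly what you need to size the empty Proxmox VM before overwriting its disk. The manifest check only proves the files match what the OVA's author packaged; it says nothing about who that author was unless the OVA also carries a .cert you verify separately.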

Export to OVA
-let's say I already have a VM with a qcow2 disk
# cd /var/lib/vz/images/101
# qemu-img convert -f qcow2 vm-101-disk-1.qcow2 -O vmdk /tmp/DSL-4.4.10-disk1.vmdk
-in VMware, create an empty VM with the same OS, RAM, disk size and NIC
NOTE:
-the disk must be a single file, not split
-scp DSL-4.4.10-disk1.vmdk into your VM's directory in VMware and rename it to vmname.vmdk
-click VM Settings
-click Hard Disk, click Remove
-click Hard Disk, click Add
I must choose the same disk type as the source VM disk, for example IDE or SCSI
Attach the vmname.vmdk that we copied before
-click the File/Export to OVF menu
name it vmname.ova and click Save

TeamViewer installation on Kali

-install sddm as the display manager, because Kali's default display manager did not allow a remote TeamViewer session without someone first logging in to the GUI

# apt-get install sddm

# dpkg --add-architecture i386
# apt-get update
# dpkg -i --force-depends teamviewer_i386.deb
# apt-get install -f

# teamviewer --daemon start

-get the current TeamViewer ID from either the GUI or the CLI; teamviewer --info prints the version, daemon status and ID
# teamviewer --info
 TeamViewer                           12.0.71510  (DEB)
 teamviewerd status                   ● teamviewerd.service - TeamViewer remote control daemon
   Loaded: loaded (/etc/systemd/system/teamviewerd.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2017-03-19 09:02:02 PDT; 9min ago
  Process: 1140 ExecStart=/opt/teamviewer/tv_bin/teamviewerd -d (code=exited, status=0/SUCCESS)
 Main PID: 1162 (teamviewerd)
    Tasks: 12 (limit: 4915)
   CGroup: /system.slice/teamviewerd.service
           └─1162 /opt/teamviewer/tv_bin/teamviewerd -d
Mar 19 09:02:00 kali2 systemd[1]: Starting TeamViewer remote control daemon...
Mar 19 09:02:02 kali2 systemd[1]: Started TeamViewer remote control daemon.

 TeamViewer ID:                        798024234

-run the TeamViewer GUI
# teamviewer
click Connection/Setup Unattended Access
click Next, fill in the wizard (a computer name and a personal password for unattended access), then click Finish

Now you can connect remotely to your Linux TeamViewer
NOTE:
-unattended access lets anyone who knows the ID and that password take over the desktop whenever the daemon is running, so use a strong password and stop the daemon (teamviewer --daemon stop) while the box is not in use
-every time you add a device or log in from a new device while signed in to your TeamViewer account, TeamViewer asks for your permission by sending an email titled "Device authorization needed". Just click the link in that email to add the device to your TV account

Installing Wifi Jammer on Kali

Continuously jam all wifi clients and access points within range.

NOTE: sending deauthentication frames to networks you are not authorized to test is illegal in most jurisdictions. APs and clients that negotiate 802.11w (protected management frames) discard forged deauths, so expect no effect on them.

-connect your Atheros or Ralink card
-check that wlan0 is up
# ifconfig wlan0
# cd /root
# cd wifijammer/
# ./wifijammer.py
This will find the most powerful wireless interface and turn on monitor mode. If a monitor-mode interface is already up it will use the first one it finds instead. It will then start hopping channels sequentially, one per second from channel 1 to 11, identifying all access points and the clients connected to them. On the first pass through all the wireless channels it only identifies targets. After that the one-second-per-channel limit is dropped and it hops channels as soon as the deauth packets finish sending. Note that it still adds clients and APs as it finds them after the first pass.
Upon hopping to a new channel it identifies the targets on that channel and sends 1 deauth packet to the client from the AP, 1 deauth to the AP from the client, and 1 deauth to the AP destined for the broadcast address to deauth all clients connected to the AP. Many APs ignore deauths to broadcast addresses.
# ./wifijammer.py -a 00:0E:DA:DE:24:8E -c 2
Deauthenticates all devices that 00:0E:DA:DE:24:8E communicates with and skips channel hopping by setting the channel to the target AP's channel (2 in this case)

# ./wifijammer.py -c 1 -p 5 -t .00001 -s DL:3D:8D:JJ:39:52 -d --world
-c, Set the monitor-mode interface to only listen and deauth clients or APs on channel 1
-p, Send 5 packets to the client from the AP and 5 packets to the AP from the client, along with 5 packets to the broadcast address of the AP
-t, Set a time interval of .00001 seconds between sending each deauth (try this if you get a scapy error like 'no buffer space')
-s, Do not deauth the MAC DL:3D:8D:JJ:39:52 (a placeholder; a real MAC address contains only hex digits). Ignoring a certain MAC address is handy in case you want to tempt people to join your access point when you want to use LANs.py or a Pineapple on them.
-d, Do not send deauths to access points' broadcast address; this will speed up the deauths to the clients that are found
--world, Set the max channel to 13. In N. America the max channel standard is 11, but the rest of the world uses 13 channels, so use this option if you're not in N. America

# ./wifijammer.py -m 10
The -m option sets a max number of client/AP combos that the script will attempt to deauth. When the max number is reached, it clears and repopulates its list based on what traffic it sniffs in the area
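The deauth cycle described above (AP to broadcast, AP to client, client to AP, repeated as fast as the card can send) is also what makes a jammer easy to spot from a monitor-mode capture. The following is an added example, not part of the page or of the wifijammer project: deauth_flood() flags any BSSID that receives more deauthentication frames in one second than ordinary client churn produces, and deauth_sources() lists who those frames claim to come from, since a jammer forges both the AP and every client as senders. The capture lines are constructed to resemble `tcpdump -i wlan0mon -e -nn -tt 'type mgt subtype deauth'` output and only three things about their layout are assumed: field 1 is an epoch timestamp, BSSID:<mac> and SA:<mac> fields are present, and the subtype prints as DeAuthentication.

```shell
#!/bin/sh
# Added example, not part of the page or of wifijammer: the defender's view of the
# deauth pattern described above. Capture lines are constructed to resemble
#   tcpdump -i wlan0mon -e -nn -tt 'type mgt subtype deauth'
# Assumed layout: field 1 = epoch timestamp, BSSID:<mac> and SA:<mac> fields present,
# subtype printed as DeAuthentication.

# write_sample_capture <file>: three seconds of traffic. One deauth per second on
# aa:bb:cc:00:11:22 is ordinary; ten within one second on 00:0e:da:de:24:8e (the AP
# targeted with -a above) is the jammer's AP->broadcast, AP->client, client->AP cycle.
write_sample_capture() {
    cat > "$1" <<'EOF'
1489928401.100000 -41dBm signal BSSID:aa:bb:cc:00:11:22 DA:ff:ff:ff:ff:ff:ff SA:aa:bb:cc:00:11:22 Beacon (lab-ap) ESS CH: 2
1489928401.200000 -41dBm signal BSSID:aa:bb:cc:00:11:22 DA:de:ad:be:ef:00:09 SA:aa:bb:cc:00:11:22 DeAuthentication: Class 3 frame received from nonassociated station
1489928402.010000 -55dBm signal BSSID:00:0e:da:de:24:8e DA:ff:ff:ff:ff:ff:ff SA:00:0e:da:de:24:8e DeAuthentication: Class 3 frame received from nonassociated station
1489928402.020000 -55dBm signal BSSID:00:0e:da:de:24:8e DA:de:ad:be:ef:00:01 SA:00:0e:da:de:24:8e DeAuthentication: Class 3 frame received from nonassociated station
1489928402.030000 -60dBm signal BSSID:00:0e:da:de:24:8e DA:00:0e:da:de:24:8e SA:de:ad:be:ef:00:01 DeAuthentication: Class 3 frame received from nonassociated station
1489928402.040000 -55dBm signal BSSID:00:0e:da:de:24:8e DA:ff:ff:ff:ff:ff:ff SA:00:0e:da:de:24:8e DeAuthentication: Class 3 frame received from nonassociated station
1489928402.050000 -55dBm signal BSSID:00:0e:da:de:24:8e DA:de:ad:be:ef:00:02 SA:00:0e:da:de:24:8e DeAuthentication: Class 3 frame received from nonassociated station
1489928402.060000 -60dBm signal BSSID:00:0e:da:de:24:8e DA:00:0e:da:de:24:8e SA:de:ad:be:ef:00:02 DeAuthentication: Class 3 frame received from nonassociated station
1489928402.070000 -55dBm signal BSSID:00:0e:da:de:24:8e DA:ff:ff:ff:ff:ff:ff SA:00:0e:da:de:24:8e DeAuthentication: Class 3 frame received from nonassociated station
1489928402.080000 -55dBm signal BSSID:00:0e:da:de:24:8e DA:de:ad:be:ef:00:01 SA:00:0e:da:de:24:8e DeAuthentication: Class 3 frame received from nonassociated station
1489928402.090000 -60dBm signal BSSID:00:0e:da:de:24:8e DA:00:0e:da:de:24:8e SA:de:ad:be:ef:00:01 DeAuthentication: Class 3 frame received from nonassociated station
1489928402.100000 -55dBm signal BSSID:00:0e:da:de:24:8e DA:ff:ff:ff:ff:ff:ff SA:00:0e:da:de:24:8e DeAuthentication: Class 3 frame received from nonassociated station
1489928403.300000 -41dBm signal BSSID:aa:bb:cc:00:11:22 DA:de:ad:be:ef:00:09 SA:aa:bb:cc:00:11:22 DeAuthentication: Class 3 frame received from nonassociated station
EOF
}

# deauth_flood <capture> <threshold>: print "bssid second count" for every BSSID and
# one-second bucket that saw at least <threshold> deauth frames, sorted.
deauth_flood() {
    awk -v thr="$2" '
        /DeAuthentication/ {
            sec = int($1)
            bssid = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^BSSID:/) bssid = tolower(substr($i, 7))
            if (bssid != "") count[bssid " " sec]++
        }
        END { for (k in count) if (count[k] >= thr) print k, count[k] }' "$1" | sort
}

# deauth_sources <capture> <bssid>: "sender count" for deauths on that BSSID. Seeing the
# AP and its clients all "sending" deauths in the same second is itself the tell.
deauth_sources() {
    awk -v want="$2" '
        /DeAuthentication/ {
            b = ""; s = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^BSSID:/) b = tolower(substr($i, 7))
                if ($i ~ /^SA:/) s = tolower(substr($i, 4))
            }
            if (b == tolower(want) && s != "") seen[s]++
        }
        END { for (s in seen) print s, seen[s] }' "$1" | sort
}

# Usage against a live capture file:
#   tcpdump -i wlan0mon -e -nn -tt 'type mgt subtype deauth' -l > deauth.log &
#   deauth_flood deauth.log 5
```

Against the sample, a threshold of 5 reports only 00:0e:da:de:24:8e in second 1489928402 with 10 frames, and deauth_sources shows the AP as sender of 7 of them and two clients as senders of the rest, which no real AP or client produces in one second. Tune the threshold to the network: a busy enterprise AP legitimately deauths roaming clients, but not ten times a second.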

Installing Websploit on Kali

WebSploit Advanced MITM Framework
[+]Autopwn – Used From Metasploit For Scan and Exploit Target Service
[+]wmap – Scan,Crawler Target Used From Metasploit wmap plugin
[+]format infector – inject reverse & bind payload into file format
[+]phpmyadmin Scanner
[+]CloudFlare resolver
[+]LFI Bypasser
[+]Apache Users Scanner
[+]Dir Bruter
[+]admin finder
[+]MLITM Attack – Man Left In The Middle, XSS Phishing Attacks
[+]MITM – Man In The Middle Attack
[+]Java Applet Attack
[+]MFOD Attack Vector
[+]ARP Dos Attack
[+]Web Killer Attack
[+]Fake Update Attack
[+]Fake Access point Attack
[+]Wifi Honeypot
[+]Wifi Jammer
[+]Wifi Dos
[+]Wifi Mass De-Authentication Attack
[+]Bluetooth POD Attack

# cd /root
# cd websploit
# ./wsf-update.py
# ./websploit
NOTE: wsf-update.py and the in-tool update/upgrade commands fetch and overwrite the framework's own code, which then runs as root; run them only from a checkout you trust and look at what changed before the next run.
         (  (               )             (             )
         )\))(   '   (   ( /(             )\     (   ( /(
        ((_)()\ )   ))\  )\()) (   `  )  ((_) (  )\  )\())
        _(())\_)() /((_)((_)\  )\  /(/(   _   )\((_)(_))/
        \ \((_)/ /(_))  | |(_)((_)((_)_\ | | ((_)(_)| |_
         \ \/\/ / / -_) | '_ \(_-<| '_ \)| |/ _ \| ||  _|
          \_/\_/  \___| |_.__//__/| .__/ |_|\___/|_| \__|
                                  |_|
                --=[WebSploit Advanced MITM Framework
        +---**---==[Version :3.0.0
        +---**---==[Codename :Katana
        +---**---==[Available Modules : 20
                --=[Update Date : [r3.0.0-000 20.9.2014]
wsf > help
Commands                Description
---------------         ----------------
set                     Set Value Of Options To Modules
scan                    Scan Wifi (Wireless Modules)
stop                    Stop Attack & Scan (Wireless Modules)
run                     Execute Module
use                     Select Module For Use
os                      Run Linux Commands(ex : os ifconfig)
back                    Exit Current Module
show modules            Show Modules of Current Database
show options            Show Current Options Of Selected Module
upgrade                 Get New Version
update                  Update Websploit Framework
about                   About US

wsf > upgrade
[*]Checking For New Version, Please Wait …
[*]New Version Not Available, This Is Latest Version Of The WebSploit Framework.

wsf > show modules
Web Modules                     Description
-------------------             ---------------------
web/apache_users                Scan Directory Of Apache Users
web/dir_scanner                 Directory Scanner
web/wmap                        Information Gathering From Victim Web Using (Metasploit Wmap)
web/pma                         PHPMyAdmin Login Page Scanner
web/cloudflare_resolver         CloudFlare Resolver

Network Modules                 Description
-------------------             ---------------------
network/arp_dos                 ARP Cache Denial Of Service Attack
network/mfod                    Middle Finger Of Doom Attack
network/mitm                    Man In The Middle Attack
network/mlitm                   Man Left In The Middle Attack
network/webkiller               TCP Kill Attack
network/fakeupdate              Fake Update Attack Using DNS Spoof
network/arp_poisoner            Arp Poisoner

Exploit Modules                 Description
-------------------             ---------------------
exploit/autopwn                 Metasploit Autopwn Service
exploit/browser_autopwn         Metasploit Browser Autopwn Service
exploit/java_applet             Java Applet Attack (Using HTML)

Wireless / Bluetooth Modules    Description
-------------------             ---------------------
wifi/wifi_jammer                Wifi Jammer
wifi/wifi_dos                   Wifi Dos Attack
wifi/wifi_honeypot              Wireless Honeypot(Fake AP)
wifi/mass_deauth                Mass Deauthentication Attack
bluetooth/bluetooth_pod         Bluetooth Ping Of Death Attack