As this series was dedicated to Windows privilege escalation, I’m writing this post to explain the command practice for kernel-mode exploitation.

Table of Contents

  • What’s a kernel?
  • Prerequisite
  • Hunting Vulnerable Kernel
  • Kernel Privilege Escalation Techniques
    • Kernel Exploit Using Metasploit
    • Kernel Exploit Using ExploitDB

What’s a kernel?

A kernel is a computer program that serves as the core or heart of an operating system. It handles memory management, process management, and disk management.

An operating system has the following separated regions:

  • Kernel Space: The kernel is usually maintained and loaded into a separate memory area called protected kernel space. It is protected against access by application programs or less critical parts of the operating system.
  • User Space: The operating system (OS) is the software that acts as a bridge between hardware components and the end user. User-space memory is used by application programs such as a browser, word processor, and audio and video player.

Kernel Privilege Escalation Techniques

A privilege escalation vulnerability exists in the Windows kernel on the remote host. If exploited successfully, a locally authenticated attacker could execute a specially crafted kernel-mode program and take control of the system.
Privilege Escalation

Platforms: Windows

Target Machine: Windows 10

Attacker Machine: Kali Linux

Scenario: Compromise the target machine with low-privilege access, either using Metasploit or Netcat, etc.

Objective: Escalate to NT Authority/SYSTEM privileges from a very low-privileged user by exploiting the kernel.

Hunting Vulnerable Kernel

An attacker will always look for privilege escalation if the enumerated kernel build is vulnerable. This is possible by running a Python or PowerShell script that enumerates based on the build number and can return the CVE ID, making it easy to exploit the machine and get Administrator access.

Read more about this from Window-Privilege-Escalation-Automated-Script

Kernel Exploit Using ExploitDB

Once the attacker has a reverse connection, he may enumerate the kernel build as highlighted in the image below.

This will help him to find a related exploit if the build is vulnerable.

For the same kernel version, we found it was vulnerable to MS11-046 (CVE-2011-1249).

The same can also be enumerated using searchsploit, which is considered an offline version of ExploitDB. As illustrated below, we can fetch the same exploit from its offline copy and cross-compile it for Windows.

searchsploit 40564
i686-w64-mingw32-gcc 40564.c -o 40564.exe -lws2_32

Let’s start an SMB share service in a new terminal with the help of the impacket Python script, as given below:

impacket-smbserver share $(pwd)

This will help us to import the exploit inside the compromised shell with the help of the copy command:

Once the exploit has been downloaded, we can execute this program to obtain a privileged shell as NT Authority/SYSTEM.

Kernel Exploit Using Metasploit

Once you have enumerated the kernel build, you can use Google to find an available exploit, or you can download Windows Exploit Suggester - Next Generation (WES-NG) on your Kali Linux, which will hunt for available exploits for the vulnerable kernel build. You can download this script from its GitHub repository.

git clone
cd wesng

Note: There are two options to check for missing patches:
  a. Launch missingkbs.vbs on the host to have Windows determine which patches are missing.
  b. Use Windows’ built-in systeminfo.exe tool to obtain the system information of the local system, or from a remote system using systeminfo /S MyRemoteHost, and redirect this to a file: systeminfo > systeminfo.txt

Since we have saved the systeminfo output in a text file named systeminfo.txt, we use that file as input when running the script:

python wes.py /root/systeminfo.txt

As a result, it will try to determine the missing patches and report the available vulnerabilities and their risk impact. From the image below, you can observe that it points to a link for an exploit available on ExploitDB.
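WES-NG works from the same systeminfo.txt: it pulls the OS build and the installed KB list out of that text before looking anything up. As an added example that is not part of the original post or of WES-NG, the Python below parses a constructed systeminfo sample into those two fields and reports which KBs from a constructed expected-patch baseline are missing, which is the patch-compliance check a defender runs on a host before anyone else enumerates it.

```python
import re

# Constructed sample of `systeminfo` output (not from a real host), trimmed
# to the fields a patch audit needs: OS name, OS version/build, hotfixes.
SAMPLE_SYSTEMINFO = """\
Host Name:                 DESKTOP-EXAMPLE
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB4000001
                           [02]: KB4000002
                           [03]: KB4000003
Network Card(s):           1 NIC(s) Installed.
"""

def parse_systeminfo(text):
    """Return {'os_name', 'build', 'hotfixes'} parsed from systeminfo output.

    'OS Name:' and 'OS Version:' are matched as 'Key: value' lines (English
    locale); hotfixes are the '[nn]: KBxxxxxxx' entries under 'Hotfix(s):'.
    """
    info = {"os_name": None, "build": None, "hotfixes": set()}
    for line in text.splitlines():
        m = re.match(r"^OS Name:\s+(.+?)\s*$", line)
        if m:
            info["os_name"] = m.group(1)
            continue
        m = re.match(r"^OS Version:\s+.*Build\s+(\d+)", line)
        if m:
            info["build"] = int(m.group(1))
            continue
        m = re.match(r"^\s*\[\d+\]:\s*(KB\d+)\s*$", line)
        if m:
            info["hotfixes"].add(m.group(1))
    return info

def missing_hotfixes(info, required):
    """Sorted list of KBs required for this build that are not installed."""
    wanted = required.get(info["build"], set())
    return sorted(wanted - info["hotfixes"])

# Constructed placeholder baseline: build number -> KBs expected on that
# build. A real baseline would come from the Microsoft Update Catalog.
REQUIRED_KBS = {17763: {"KB4000001", "KB4000002", "KB4000003", "KB4000004"}}

if __name__ == "__main__":
    host = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(host["os_name"], "build", host["build"])
    print("missing:", missing_hotfixes(host, REQUIRED_KBS))
```

Replace SAMPLE_SYSTEMINFO with the contents of systeminfo.txt to audit a real host; any KB reported as missing is one the enumeration step above would also flag.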

This time we will use Metasploit for post-exploitation and look for a privileged shell with NT Authority privileges.

use exploit/windows/local/ms16_014_wmi_recv_notif
set session 1

On successful execution, it will give a shell with administrative privileges.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.
