The kernel, being the core of any operating system and the layer between hardware and software, when exploited, results in everything being executed by the SYSTEM user (the user with the highest privileges in Windows systems).
The process to find and exploit kernel vulnerabilities is approximately as follows:
- We enumerate the Windows version and patches —>
systeminfo - We search for exploits associated with that version or patches
- We compile and execute —> Compilation is not necessary if we download an already compiled exploit
We must be careful with kernel exploits, as they tend to be unstable, single-use, or cause a system crash. That’s why this should be one of the last options for privilege escalation.
There are different tools that can help us identify this type of vulnerabilities:
- Windows Exploit Suggester Next Generation
- Watson
- In metasploit:
windows/gather/enum_patches - Internet
Once we have enumerated what types of patches are missing or what vulnerabilities are affected, we can make use of SecWiki, which is a resource that contains a large number of already compiled kernel exploits.
That said, let’s go with a practical case using “Windows Exploit Suggester Next Generation”:
First of all, we need to obtain the systeminfo, which includes transferring it to our Kali machine. This part is simple, as we can do it in a single step. On our Linux (in my case, Kali) we run a Samba server:
The argument pwned is the name of the shared resource, and the second argument $(pwd) is the way we indicate the path where the server will run, in this case, the current path (we could also indicate it with just a dot).
Having the server mounted, we go to Windows and simply redirect the command output to our server and shared resource:
We can confirm that there has been a connection if we go to Kali:
This way, we now have the systeminfo output:
Having this, we are going to use “WESNG”, first we need to update its database. It’s very simple, we just run the following command:
With this, the CVE list will be updated.
The most basic command would simply be to specify the systeminfo file:
Its output is too large to show
But that’s fine, we’re going to use some arguments to only see what interests us. The structure that WESNG follows to display each CVE to which the Windows machine may be vulnerable is as follows:
The field that interests us is the Impact. We can see the possible values of Impact using grep and sort:
In this way, if we look closely, there is a value of this field that may be the one we are interested in filtering by. I’m talking about “Elevation of Privilege”, as that is what we want to achieve.
Knowing this, we can specify to “WESNG” to only show us the CVEs whose impact is a privilege escalation:
This way, we have just gone from 31883 lines to:
Which is still a lot, but now it’s our job to find the exploit to use. There is another filter that may interest us, since “WESNG” shows some CVEs without “Exploits” (which, be careful, doesn’t mean there aren’t any, but at least it doesn’t have any associated):
If we are not interested in seeing CVEs that don’t have any associated exploit, we can filter the search by adding the --exploits-only argument:
If we now see the number of lines, we have gone down much more:
So far, possible filters that may interest us when searching for CVEs in “WESNG”. Even so, the tool has a fairly complete help panel with many more options.
At this point, the exploit to choose will depend on us, with experience there will be CVEs that ring a bell and we’ll get straight to the point to test those according to the operating system. This is achieved with time and effort.
In my case, I’m going to use “CVE-2019-1458”, which, be careful, Windows 7 is vulnerable to, and we can find exploits, however, “WESNG” indicates that it doesn’t have any associated, so if we had used the --exploits-only argument, it would have discarded it, despite being vulnerable:
Having located the CVE, we are going to go to SecWiki to see if it has the compiled exploit:
In this case, SecWiki doesn’t have any exploit in the repository. However, in the README.md it indicates another repository which does contain an exploit for this CVE:
It is typical that in privilege escalation exploit repositories we are given a PoC (Proof of Concept) of the exploit:
In this case, we see two things:
- The exploit can only be executed once per system boot (this can indicate the resulting instability of the exploit in the system).
- The exploit follows the structure of:
cve-2019-1458.exe <command to execute>
Knowing this and having downloaded the exploit binary on Windows 7:
We are going to escalate privileges.
We set up a Samba server on our Kali, in addition to listening:
Note: the directory where we are running the Samba server contains the binary “nc.exe” (netcat for Windows)
Now, we return to Windows 7, and we will execute the following command using the exploit:
This way, returning to Kali:
We get a shell as “nt authority\system”.
In the repository it was indicated that it was only a single-use exploit per boot, we can confirm it:
Such is the instability of, in this case, this exploit (and in general, of exploits that take advantage of the kernel), that when we shut down the machine we get the following:
This clearly doesn’t happen with all exploits, but we can observe the delicacy of dealing with the kernel.
Going back to the tools mentioned at the beginning:
- Windows Exploit Suggester Next Generation
- Watson
- In metasploit:
windows/gather/enum_patches - Internet
We can use whichever we like best, Watson for example in this case doesn’t give us anything:
The metasploit module also helps us in this task:
In this case it doesn’t give us any significant output. If it detected any possible vulnerability it would indicate it as follows:
Reference: https://pentestlab.blog/2017/04/24/windows-kernel-exploits/
Last but not least, another tool to keep in mind is the internet itself.
When we run systeminfo we obtain enough information to search on Google for any vulnerability that affects the Operating System and Version:
In this way, although we can rely on different tools, in the end manual work and our own research will be what results in a successful privilege escalation.