Windows Kernel Exploitation – VM Setup
In this series about Windows kernel exploitation, we will explore various kernel exploit techniques & targets. This short first part will deal with the VM setup for the rest of the series.
In this series about Windows kernel exploitation, we will explore various kernel exploit techniques & targets. This short first part will deal with the VM setup for the rest of the series.
In the last post we explored how to exploit the rainbow2.exe binary from the vulnbins repository using WriteProcessMemory & the "skeleton" method. Now we are going to explore how to use VirtualProtect and instead of setting up the arguments on the stack with dummy values and then replacing them, we...
In this post I will show an example on how to bypass DEP with WriteProcessMemory. This is a bit more complicated than doing it with VirtualProtect but nonetheless an interesting technical challenge. For the target binary I will use rainbow2.exe from my vulnbins repository.
We are solving Anubis, a 50-point windows machine on HackTheBox which involves an ASP template injection, windows containers, and stealing hashes with Responder. Later we'll escalate privileges using noPAC.
Baby is an easy machine on Vulnlab that involves enumerating LDAP & spraying credentials. For SYSTEM we exploit SeBackup & SeRestore Privileges.
Rainbow is a medium difficulty machine that involves a SEH-based buffer overflow for user and a UAC bypass for root.
We are solving Vault from PG Practice. This machine involves planting malicious files on an SMB share to steal hashes. For root, we will abuse GPO Permissions and explore 2 unintended privilege escalations.
We are solving intelligence, a nice windows machine on HackTheBox, created by Micah. For user, we will enumerate pdfs on a webserver & will use both the content & metadata to find valid credentials of a domain user. For root, we update a DNS entry, steal a hash & dump...
We are solving Hutch from PG-Practice. For user, we will get credentials from LDAP & use them to upload a web shell via Webdav. For root, we will read a LAPS password for the intended way & then explore other methods.
We are solving Pivotapi, a 50-point Windows machine on HackTheBox. This one involves some Reverse Engineering, MSSQL, and Active Directory Attacks like Kerberoasting, ASREPRoasting, and various misconfigurations. In the end, we will explore some unintended ways to root this box.