
PrivEsc LPE , admin access

TheExample

Hello everyone
We have some access, but we need LPE for admin access

1-Windows 2012 R2 64 bit

2-Microsoft(R) Windows(R) Server 2003 Enterprise x64 Edition
Operating system version: 5.2.3790 Service Pack 2 build 3790

These users are in the domain
domain user

The two accesses don't have any AV/EDR

Is there a way to get admin access?

Or anything that helps us
Thanks
 
github -> UAC bypass
 
For this, the user must be in the administrators group
AutoElevate + hijack?
 
For this, the user must be in the administrators group


You can grab sysinfo and look through it with wesng


Code:
python3 wes.py sysinfo.txt

We checked this
And we also tested some of them
But not working, idk why (
 
We are still waiting for another way,
 
.
 
Do you want to elevate privileges on the local machine or on the domain? Both are different.

For LPE, winpeas and other automated scripts can work; for the domain, it is going to be different.


Have you tried to dump the SAM or LSASS to see if there are any cached user/pass saved for a user with higher privileges on the domain?
Also see if you can use mimikatz or incognito from msf to see if there is a token with higher privs that you can steal.
 
Hello, yes
we want to elevate privileges on the local machine
we checked winpeas but not working
other automated LPE for this Windows?
we can pay for this
 
For local LPE, you need to have a local user. Have you tried to see if any other user is logged in or if you can steal their token?
 
Have you tried any of the Potato Exploits for priv escalation? Sweet potato or GodPotato?
 
Yes, we use many LPEs (ms17, nightmare, hhupd), not working on Server 2012. For 2003 we can't find any LPE to run on this version of Windows. If you know about that, reply with some LPE name for this Windows, tnx
 
Have you run peass?
 
Is it vulnerable to ms17? Have you checked that? If it is, then the main repo on github for ms17, https://github.com/worawit/MS17-010, use the zzz_exploit.py, it has the basic function of writing a txt file on the target host. You can check if it succeeds by looking at the actual file that it created even if the output of the script gives any error. Also you might need python2 to run it properly. If the target is vulnerable and the script works, then you can modify the script in order to add a local user and add that user to the local admin group.

I recently ran into an old Windows 2000 machine and no other eternal blue script worked, but this one did for me at least.
 
tnx, but to install python... need administrator access (
 

