Windows Local Privilege Escalation
Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions. – Wikipedia
The target machine I used for this tutorial is a lab that is available on pentestit.ru (Lab 11).
I was tunneling through SSH to get access to port 3389, which is in the DMZ.
After brute-forcing the RDP (Remote Desktop Protocol) login using Patator, I was able to connect to the Windows machine, but with limited permissions (non-administrator).
I was using CVE-2016-0099 to perform the Windows local privilege escalation.
An elevation of privilege vulnerability exists in Microsoft Windows if the Windows Secondary Logon Service fails to properly manage request handles in memory. An attacker who successfully exploited this vulnerability could run arbitrary code as an administrator. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how Windows manages request handles in memory. – Microsoft
After doing some “Googling”, I found a local exploit for Windows 7 – Windows 10 (both 32/64-bit).
Here is the exploit: cnhv.co/14ft3
Done, we got system access.