CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/documentation/modules/exploit/windows/local/nscp_pe.md
Views: 1904
Vulnerable Application
Description
This module allows an attacker with an unprivileged windows account to gain admin access on windows system and start a shell. For this module to work, both web interface of NSClient++ and ExternalScripts feature should be enabled. You must also know where is the NSClient config file as it is used to read the admin password which is stored in clear text.
Installation
A vulnerable version of NSClient++ can be downloaded from [here]https://nsclient.org/download/). Then you can help yourself with this installation guide to complete the installation. Don't forget to enable the web interface and the ExternalScripts feature to allow the exploit to work.
Verification Steps
List the steps needed to make sure this thing works
Start
msfconsoleuse exploit/windows/local/nscp_peset SESSION <session>set FILE <NSCP_config_file>if the NSCP config file is notC:\Program Files\NSClient++\nsclient.inicheckto check if the targeted NSClient++ is vulnerableset payload <choose_a_payload>to set a specific payload to sendrunthe module to exploit the vulnerability, gain admin access and start a shell
Options
FILE
Set the config file of NSClient++. If you don't know, try with the default value.
Scenarios
This module was successfully tested on Windows 10 Home (you may need to disable Windows Defender as msf payload could be spotted). See the following output :