HTB - 4. Devel
nmap -T4 -p- -A 10.10.10.5
shows 22 (FTP) with anonymous login (to webroot directory?) and 80 (HTTP) with Microsoft IIS httpd 7.5.
Go to 10.10.10.5, which is a default web page.
Run dirbuster (dirb and gobuster are popular as well) against http://10.10.10.5:80 with the wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt, and change the file extensions to asm, asmx, asp, aspx, txt because the server is IIS.
FTP: upload a file to the server.
Go to 10.10.10.5/dog.jpg and it executes.
msfvenom: create reverse_tcp payload:
Open up port to listen on:
Back to FTP
Go to 10.10.10.5/ex.aspx and shell popped.
Hacked
Result: We are IIS APPPOOL\Web, not authority system. getsystem failed.
Check to see which privilege escalation exploits might work:
Run privilege escalation
Result: Shell popped with authority system