Start the recon process by running Nmap against our target (10.10.10.5), which reveals an FTP server accepting anonymous connections on TCP port 21.

We can log in there and, at first glance, there’s nothing interesting:

The Nmap scan also reveals an HTTP server running on port 80. Opening http://10.10.10.3:80 in the browser shows the IIS7 default page:

Looking for IIS exploits using searchsploit, we found this:

Let’s try uploading a file as the anonymous user on the FTP server and executing it using this vulnerability. In order to do so we need to:

  • Get a web-shell (on Kali Linux they are at /usr/share/webshells/php/)
  • Change the port and IP to serve our needs
  • Start a local server on the previously specified port (you can do this with python3 -m http.server XXXX, where ‘XXXX’ is the port number)
  • Log into the FTP, upload the shell and execute it using the method we just found

Uploading the web-shell: use the PUT command on the FTP. Then check in the browser that it was uploaded.

Executing the web-shell:

Nice!!
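From the defender's side, the upload-then-execute sequence above leaves a pair of correlated entries in the IIS FTP and HTTP logs. The following added example (not part of the original post) parses W3C-format logs and flags a script file stored by an anonymous FTP user and then requested over HTTP. The log lines, addresses, file names, the `anonymous` user name in the log and the assumption that the FTP root and the web root are the same directory are constructed for illustration.

```python
from datetime import datetime, timedelta

SCRIPT_EXT = (".asp", ".aspx", ".ashx", ".asmx", ".php")  # server-side script types

def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the '#Fields:' directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(row["date"] + " " + row["time"],
                                          "%Y-%m-%d %H:%M:%S")
            yield row

def upload_then_execute(ftp_log, http_log, window=timedelta(hours=1)):
    """Return (path, uploader_ip, upload_ts, requester_ip, request_ts) tuples."""
    uploads = {}
    for r in parse_w3c(ftp_log):
        path = r["cs-uri-stem"].lower()
        # 226 = transfer complete; only anonymous uploads of script files matter here
        if (r["cs-method"].upper() == "STOR" and r["sc-status"] == "226"
                and r["cs-username"].lower() == "anonymous"
                and path.endswith(SCRIPT_EXT)):
            uploads[path] = r
    hits = []
    for r in parse_w3c(http_log):
        up = uploads.get(r["cs-uri-stem"].lower())
        if up and r["sc-status"] == "200" and timedelta(0) <= r["ts"] - up["ts"] <= window:
            hits.append((up["cs-uri-stem"], up["c-ip"], up["ts"], r["c-ip"], r["ts"]))
    return hits

# Constructed sample logs (documentation address range, made-up file names)
FTP_LOG = """#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status
2024-01-10 09:14:02 192.0.2.44 anonymous 192.0.2.10 21 STOR /notes.txt 226
2024-01-10 09:15:40 192.0.2.44 anonymous 192.0.2.10 21 STOR /upload.aspx 226
2024-01-10 09:20:11 192.0.2.77 - 192.0.2.10 21 PASS *** 530
"""
HTTP_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2024-01-10 09:16:05 192.0.2.10 GET /upload.aspx - 80 - 192.0.2.44 200
2024-01-10 09:16:30 192.0.2.10 GET /iisstart.htm - 80 - 192.0.2.51 200
"""

if __name__ == "__main__":
    for path, up_ip, up_ts, req_ip, req_ts in upload_then_execute(FTP_LOG, HTTP_LOG):
        print(f"ALERT {path}: FTP STOR by {up_ip} at {up_ts}, HTTP 200 to {req_ip} at {req_ts}")
```

The underlying fix is configuration: anonymous FTP should not have write access to a directory that the web server will execute scripts from.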

You can type ‘help’ to get a list of available commands and then start playing around with them. Using SYSTEMINFO we can gather basic system information and find out this is running Windows 7 Enterprise v 6.1.7600 Build 7600. Now that we have the exact OS version, we know it is really old and outdated, so we can go Metasploit-ish now. Let’s create a meterpreter payload:

Uploading the new payload:

Setting up a listener in MSF (remember to use the same payload and proper host and port settings):

After receiving a session we can use the multi/recon/local_exploit_suggester module to find candidates for our privilege escalation phase:

Using the kitrap0d exploit we managed to get admin privileges:

Done!

I hope you enjoyed this one! Until next time


syscall59

Shellcode for the masses

Syscall59 — by Alan Vivona

Written by

Twitter: @syscall59 | medium.syscall59.com | syscall59@protonmail.com
