1. Enumeration
So we have an HTTP File Server with a login field on the top left; however, admin:admin does not work.
On searchsploit we can find remote command execution exploits; we just need to find out whether the exploit requires the user to be authenticated.
2. Exploitation
Edit the IP and port number
And now we need to have netcat on our web server.
First we locate nc.exe. Well, I know I have a lot, but we only need one, and we are using the one under windows-binaries since we are dealing with a Windows machine.
Next we head into that directory and start a web server on port 80.
Then we run the script
And hooray!
Well, not an administrator, so we have to escalate privileges
3. Privilege Escalation
First we look at systeminfo to understand our machine. I recently found that there is a script called Windows-Exploit-Suggester, which detects potentially missing patches on the target so that a user can exploit them. Here are the steps.
First, through systeminfo, we found that we have a machine running Windows 2012, x64 (a 64-bit machine).
We copy the systeminfo output into a txt file.
Then we get the xls file through the script's update command after cloning the git repository.
Run the script with the systeminfo file and the updated xls file, and you can find several privilege escalation exploit scripts.
The above are some of the exploits we can use to escalate privileges based on systeminfo.
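To show what the suggester step actually does under the hood, here is an added example (not code from the original post or from Windows-Exploit-Suggester itself): a small patch-audit check that parses systeminfo text, pulls the OS name, architecture and installed hotfix KBs, and reports which required KBs are missing. The systeminfo excerpt and the bulletin-to-KB numbers are constructed placeholders; the real mapping comes from the Microsoft bulletin or the suggester's xls.

```python
# Added example, not from the original post: a tiny patch-audit check in the
# spirit of Windows-Exploit-Suggester. The systeminfo text and the KB numbers
# below are constructed placeholders; the real bulletin->KB mapping comes from
# the Microsoft bulletin or the suggester's xls, not from this file.
import re

# Constructed systeminfo excerpt (placeholder host, not the box's real output).
SAMPLE_SYSTEMINFO = """\
Host Name:                 EXAMPLE-HOST
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB0000001
                           [02]: KB0000002
                           [03]: KB0000003
Network Card(s):           1 NIC(s) Installed.
"""

# Placeholder bulletin -> KB mapping (constructed, NOT the real KB numbers).
REQUIRED_KBS = {
    "MS16-098": "KB0000003",   # installed in the sample above
    "MS16-135": "KB0000009",   # missing in the sample above
}

def parse_systeminfo(text):
    """Return (os_name, arch, set_of_installed_KBs) from systeminfo text."""
    os_name = arch = None
    kbs = set()
    for line in text.splitlines():
        if line.startswith("OS Name:"):
            os_name = line.split(":", 1)[1].strip()
        elif line.startswith("System Type:"):
            arch = line.split(":", 1)[1].strip()
        # Hotfix entries look like "[01]: KB1234567"
        m = re.search(r"\[\d+\]:\s*(KB\d+)", line)
        if m:
            kbs.add(m.group(1).upper())
    return os_name, arch, kbs

def missing_patches(text, required=REQUIRED_KBS):
    """Return the sorted list of bulletin ids whose KB is not installed."""
    _, _, installed = parse_systeminfo(text)
    return sorted(b for b, kb in required.items() if kb.upper() not in installed)

if __name__ == "__main__":
    name, arch, kbs = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(name, arch, len(kbs), "hotfixes installed")
    print("missing:", missing_patches(SAMPLE_SYSTEMINFO))  # ['MS16-135']
```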
First up, we have the MS16-135 privilege escalation; the last exploit is a C script.
With the C script, we have to compile it into an executable, since the target is Windows, and the script contains links to the exe file under CVE-2016-7255.
So we first download it,
change its permission to executable, and then transfer the file via smbserver.
Hmm.. the exploit does not work. But we have a lot more to try, so we shall not waste time on this. The next one is MS16-098, an integer buffer overflow; again, a buffer overflow can allow us to get a root shell, so this is not to be left out.
So here we have 2 scripts, again one being a C script.
https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-098
Here we have a GitHub link with the MS16-098 executable; again, we transfer this file via smbserver and run it on our target machine.
Here’s more information about MS16-098!
And we are root once we execute the exe file!
root.txt!
Alright, this machine is not difficult; however, it is important that we have the right enumeration tool for privilege escalation, or else a lot of time will be wasted! It would have been better if I could escalate privileges without a kernel exploit though! I may try and play around and post if I can do so!
Till next box!