Weak
https://www.cyberseclabs.co.uk/labs/info/Weak/
Scanning and Enumeration
Nmap
Running a basic nmap scan with the -sV switch to enumerate service versions on the target's open ports gives the following:
Since port 445 is open, we can use the smb-os-discovery script to confirm the operating system.
The script output shows we are dealing with Windows 7 Ultimate.
Port 445 (SMB)
As port 445 is open we can start looking here. I first ran the generic checks for null authentication but was unable to get anywhere with them.
I was, however, able to log in with rpcclient. No interesting commands were available to me, so I will shelve this avenue until later.
Port 80 (HTTP)
We have HTTP on port 80, and the default root page takes us to the IIS 7 welcome page.
I proceeded to run nikto and feroxbuster against it to see whether any other directories could be found.
Port 21 (FTP)
We use nmap's ftp-anon script to check whether the FTP server allows anonymous access.
nmap confirms we can log in to the FTP server with anonymous credentials and even lists the available contents. We can now log in manually and browse the FTP server.
When we try the dir command to list the contents we are given the error '501 Server cannot accept Argument'. This is the active-mode data connection failing: in active mode the server connects back to the client to transfer the listing, which commonly fails through NAT or a VPN.
We can log in to the FTP server again, this time with the -p switch for passive mode, where the client opens the data connection instead.
We are now logged in and can run the dir command to list the directory contents. Browsing through the aspnet_client directory gives us version information we may be able to use later. The directories shown below did not hold any files or folders.
Going back to the root of the FTP directory, we can test for file upload with the put command.
Having confirmed upload to that directory, we can check whether the file is reachable over HTTP with curl.
curl reads back the contents of the uploaded file, so the FTP root is the IIS web root. We could also browse to this text file in the web browser.
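The FTP steps above (passive mode, put, then curl) as one scripted check. This is an added example and not code from the original writeup; TARGET and the HTTP base URL are placeholders for the lab address. ftplib defaults to passive mode, so passing passive=False to ftp_list reproduces the active-mode failure the writeup hit. The selftest function exercises the upload-then-fetch logic offline with a local HTTP server standing in for IIS and a fake uploader standing in for the FTP root.

```python
"""Added example, not part of the original writeup: confirm that the anonymous
FTP root is the IIS web root by uploading a random marker file over FTP and
reading it back over HTTP. TARGET and HTTP_BASE are assumptions."""
import functools
import io
import os
import secrets
import tempfile
import threading
import urllib.request
from ftplib import FTP, error_perm
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

TARGET = "10.10.10.10"           # assumed lab address, not from the writeup
HTTP_BASE = f"http://{TARGET}/"  # assumed: IIS default site on port 80

# Plain opener with proxies disabled so 127.0.0.1 is never sent via http_proxy.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def make_marker():
    """Random name and content so the probe cannot collide with existing files."""
    token = secrets.token_hex(8)
    return f"probe-{token}.txt", f"ftp-webroot-check {token}\n"


def ftp_list(host, passive=True):
    """Anonymous login and directory listing. passive=False reproduces the
    active-mode failure: a 5xx reply to the listing (e.g. '501 Server cannot
    accept Argument') surfaces as ftplib.error_perm."""
    ftp = FTP()
    ftp.connect(host, 21, timeout=10)
    ftp.login()            # anonymous / anonymous@
    ftp.set_pasv(passive)  # ftplib defaults to passive, unlike ftp(1) without -p
    try:
        return ftp.nlst()
    except error_perm as exc:
        raise RuntimeError(f"listing failed (try passive mode): {exc}") from exc
    finally:
        ftp.quit()


def ftp_put(host, name, content):
    """Upload `content` to the FTP root as `name` (the writeup's put step)."""
    ftp = FTP()
    ftp.connect(host, 21, timeout=10)
    ftp.login()
    ftp.set_pasv(True)
    ftp.storbinary(f"STOR {name}", io.BytesIO(content.encode()))
    ftp.quit()


def http_get(base, name):
    """Fetch the file over HTTP (the writeup's curl step)."""
    with OPENER.open(base + name, timeout=10) as resp:
        return resp.read().decode()


def confirm_webroot(upload, fetch):
    """Upload a marker with upload(name, content) and read it back with
    fetch(name). True means the FTP root is served by the web server."""
    name, content = make_marker()
    upload(name, content)
    try:
        return fetch(name) == content
    except Exception:  # 404 or connection error: not the web root, or unreachable
        return False


class _QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the self-test silent
        pass


def selftest():
    """Offline check of the logic: a fake uploader writes into a temp directory
    that a local HTTP server serves. Returns (hit, miss_detected)."""
    with tempfile.TemporaryDirectory() as root:
        srv = ThreadingHTTPServer(("127.0.0.1", 0),
                                  functools.partial(_QuietHandler, directory=root))
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        base = f"http://127.0.0.1:{srv.server_address[1]}/"

        def fake_upload(name, content):
            with open(os.path.join(root, name), "w") as fh:
                fh.write(content)

        try:
            hit = confirm_webroot(fake_upload, lambda n: http_get(base, n))
            # Uploader that stores nothing: the fetch must 404 and report False.
            miss = confirm_webroot(lambda n, c: None, lambda n: http_get(base, n))
        finally:
            srv.shutdown()
            srv.server_close()
        return hit, not miss


if __name__ == "__main__":
    print("offline self-test:", selftest())
    print("FTP listing (passive):", ftp_list(TARGET))
    print("FTP root is web root:", confirm_webroot(
        lambda n, c: ftp_put(TARGET, n, c), lambda n: http_get(HTTP_BASE, n)))
```

Run it against the lab with TARGET set to the assigned address; a True from confirm_webroot is the same signal as the curl step above, and the random marker name avoids overwriting anything already in the web root.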
Low Privilege User Access
From this point I tried uploading multiple ASP and ASPX reverse shells and could not get a hit. I also tried a PHP web shell and got nothing.
I then came across a CMD web shell which, after uploading it with the put command in FTP, worked really well for me.
Download the file and upload it to the FTP server. When you browse to it you should see the following:
Remember that the /c switch tells cmd.exe to execute the command that follows it and then exit. This shell will not work correctly without that switch.
We can now check who we are running as.
From here I tried downloading a reverse shell directly onto the machine with certutil.exe but was given access denied.
I decided to look around the file system at this point and came across a README inside a non-default directory called 'Development'.
Ignore the .exe file. This image was taken post compromise and the .exe is not actually part of the machine.
We can then read the contents of README.txt.
We have a password but still need to identify the account it belongs to. We can list the local accounts on the machine with net user.
The user 'Web Admin' is of interest. We can take the gathered credentials and try them against the machine.
We can confirm whether the credentials work with crackmapexec.
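Turning the net user listing into crackmapexec checks, as an added example that is not part of the original writeup. The net user output below is constructed for illustration, and the host name, target address and password are placeholders rather than values from the lab. The point it shows is that net user prints a column-aligned table rather than a delimited list, so a naive whitespace split turns 'Web Admin' into two bogus accounts; slicing the fixed-width columns keeps the name intact, and shlex.join then quotes it correctly for the command line.

```python
"""Added example, not part of the original writeup: pick account names out of
`net user` output and build a properly quoted crackmapexec credential check.
SAMPLE_NET_USER is constructed; host name, target and password are placeholders."""
import shlex

# Constructed sample of `net user` output on a Windows 7 host. The listing
# uses fixed 25-character columns, up to three names per line.
SAMPLE_NET_USER = """\
User accounts for \\\\WIN7-TARGET

-------------------------------------------------------------------------------
Administrator            Guest                    Web Admin
The command completed successfully.

"""

COLUMN_WIDTH = 25


def parse_net_user(output):
    """Return the account names from `net user` output.

    Names are read by slicing fixed-width columns, so an account whose name
    contains a space ('Web Admin') comes back as one entry, not two."""
    names = []
    in_listing = False
    for line in output.splitlines():
        if line.startswith("-----"):
            in_listing = True
            continue
        if line.startswith("The command completed"):
            break
        if not in_listing or not line.strip():
            continue
        for start in range(0, len(line), COLUMN_WIDTH):
            name = line[start:start + COLUMN_WIDTH].strip()
            if name:
                names.append(name)
    return names


def cme_check_command(target, user, password):
    """Build the crackmapexec SMB credential check, quoting arguments that
    contain spaces or shell metacharacters."""
    return shlex.join(["crackmapexec", "smb", target, "-u", user, "-p", password])


def candidate_commands(output, target, password, skip=("Guest",)):
    """One check per listed account, skipping accounts not worth spraying."""
    return [cme_check_command(target, user, password)
            for user in parse_net_user(output) if user not in skip]


if __name__ == "__main__":
    # Placeholders: substitute the lab address and the password from README.txt.
    for cmd in candidate_commands(SAMPLE_NET_USER, "10.10.10.10", "<password>"):
        print(cmd)
```

Each printed line is the crackmapexec invocation to run; the one built for 'Web Admin' carries the name in single quotes, which is the detail that is easy to get wrong when typing the check by hand.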
Access as High Value Target
Now that we have confirmed the credentials, I tried them against Impacket's smbexec.py and wmiexec.py to see if we could get a shell.
I then tried psexec.py and was able to gain a shell as 'NT Authority\System'.
From here we can grab the hashes from both the Administrator desktop and the user desktop.