🕵 HTB-Writeup : DEVEL
Windows machine with Microsoft IIS webserver v7.5.
A Dirbuster scan doesn't find any directories or files.
The nmap ftp-anon script shows that we can connect to the FTP server as the anonymous user.
But we can’t find any interesting files.
Since we can't find any directories or files, I try to find vulnerabilities on the FTP server.
First, I download all the files I can over the anonymous connection. No interesting files.
I try to brute-force accounts with nmap NSE scripts. No results.
Re-checking the downloaded files, I realize that I have missed an important piece of information: the IIS webserver uses this FTP server's directory. When navigating to http://10.10.10.5/aspnet_client/ we get an access denied, so the FTP root is the IIS web root.
Knowing that, we can try to upload a file to get a reverse shell.
I upload an ASPX webshell to the FTP server to try to execute PowerShell commands. The webshell can be found at /usr/share/webshells/aspx/cmdasp.aspx on Kali Linux.
Then I prepare the nishang reverse PowerShell script, which can be found at this link, adding the following line to the bottom of the script with our IP and port.
Then I start a Python HTTP server hosting our PowerShell script. From the webshell, we download and execute the script.
(Screenshot: command injection on the form)
(Screenshot: response on our host)
It works! We get a reverse shell!
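As an added example (not part of the original writeup), here is a small detector a defender could run over IIS FTP W3C logs to spot the anonymous upload of a server-side script that this foothold relies on. The log field set, the extension list and the sample lines are constructed assumptions, not taken from the box.

```python
"""Flag anonymous FTP uploads of executable/script files in IIS FTP W3C logs."""
import os
from typing import Dict, Iterable, List, Tuple

# Extensions IIS would execute if the FTP root overlaps the web root (assumed list).
EXECUTABLE_EXT = {".aspx", ".asp", ".ashx", ".asmx", ".ascx", ".exe", ".ps1", ".dll"}
UPLOAD_METHODS = {"STOR", "STOU", "APPE"}   # FTP commands that write files
ANON_USERS = {"anonymous", "ftp"}

# Constructed sample log in W3C extended format; the field set is an assumption.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2024-01-01 10:00:01 198.51.100.7 - USER anonymous 331
2024-01-01 10:00:01 198.51.100.7 anonymous PASS *** 230
2024-01-01 10:00:05 198.51.100.7 anonymous RETR /welcome.png 226
2024-01-01 10:00:09 198.51.100.7 anonymous STOR /cmdasp.aspx 226
2024-01-01 10:01:12 198.51.100.7 anonymous STOR /notes.txt 226
2024-01-01 10:02:30 203.0.113.9 devuser STOR /app/Default.aspx 226
2024-01-01 10:03:00 198.51.100.7 anonymous STOR /evil.EXE 550
"""


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # header defines the column names
            continue
        if not line or line.startswith("#"):
            continue                        # other directives / blank lines
        values = line.split()
        if len(values) != len(fields):
            continue                        # skip malformed lines
        records.append(dict(zip(fields, values)))
    return records


def find_anonymous_script_uploads(records: List[Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client ip, path, ftp status) for anonymous uploads of executable files."""
    hits = []
    for r in records:
        if r.get("cs-method") not in UPLOAD_METHODS:
            continue
        if r.get("cs-username", "").lower() not in ANON_USERS:
            continue
        stem = r.get("cs-uri-stem", "")
        if os.path.splitext(stem)[1].lower() in EXECUTABLE_EXT:
            # Failed uploads (e.g. 550) are kept: an attempt is still worth alerting on.
            hits.append((f"{r['date']} {r['time']}", r["c-ip"], stem, r["sc-status"]))
    return hits


def scan_log_text(text: str) -> List[Tuple[str, str, str, str]]:
    return find_anonymous_script_uploads(parse_w3c(text.splitlines()))
```

Run against the sample, it reports only the two anonymous script uploads, not the authenticated developer's deploy or the text file.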
We can get the user flag. Let's go for the privesc!
I first get the output of systeminfo and pass it to the Windows-Exploit-Suggester tool.
It gives me 3 potential vulnerabilities. I found a GitHub repository that lists multiple Windows exploits; I try the third one listed by the tool (MS10-059).
The MS10-059 vulnerability allows an attacker to run code with elevated privileges. It exploits incorrect access control lists (ACLs) on the registry keys for the Tracing Feature for Services.
I download the program onto the machine from an SMB share, then execute it.
(Screenshot: commands executed on the target)
We get another reverse shell! This time with SYSTEM privileges!
(Screenshot: reverse shell gained on the host)
Easy, External, Network, IIS, ASP, Penetration Tester Level 2, Remote Code Execution, Unrestricted File Upload