🕵 HTB-Writeup : DEVEL

Recon
nmap
Windows machine with Microsoft IIS webserver v7.5.
Dirbuster
The Dirbuster scan does not find any directories or files.
Tested extensions:
- php
- txt
- xml
- sh
- asp
- html
ftp server
As nmap's ftp-anon script shows, we can log into the FTP server as the anonymous user.
But we can't find any interesting files.
Since no directories or files turned up on the web server, I move on to looking for vulnerabilities on the FTP server.
First, I download every file available over the anonymous connection. No interesting files.
I try to brute-force accounts with the nmap NSE scripts. No results.
Re-checking the downloaded files, I realize that I missed an important piece of information: the IIS web server serves the same directory that the FTP server exposes. When navigating to http://10.10.10.5/aspnet_client/ we get an access denied (the directory exists but listing is forbidden), so the FTP root is the IIS web root.
Vulnerabilities
Knowing that, we can try to upload a file to get a reverse shell.
I upload an ASPX webshell over FTP to try to execute PowerShell commands. On Kali Linux the webshell can be found at /usr/share/webshells/aspx/cmdasp.aspx.
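The weakness this step relies on is an anonymous FTP account that can write into the IIS web root. On the defensive side, the same condition leaves a clear trace in the IIS FTP logs: an unauthenticated session issuing STOR/STOU/APPE for a file with a server-side script extension. The following Python is an added example, not part of the original writeup or of any tool it mentions; it parses the W3C log format by its #Fields header and flags completed anonymous uploads of script files. The log lines, IP addresses and file names are constructed for the example, and the set of usernames treated as anonymous is an assumption.

```python
"""Flag anonymous FTP uploads of server-side script files in IIS FTP W3C logs."""
import posixpath

# Extensions IIS treats as server-side code when they land in a web root.
SCRIPT_EXTENSIONS = {".asp", ".aspx", ".ashx", ".asmx", ".php", ".cer", ".config"}
# FTP commands that write file content onto the server.
WRITE_COMMANDS = {"STOR", "STOU", "APPE"}
# Usernames recorded for unauthenticated sessions (assumed set; adjust to your logs).
ANONYMOUS_USERS = {"anonymous", "ftp", "-"}
# FTP reply code for a completed transfer.
TRANSFER_COMPLETE = "226"

# Constructed sample log, shaped like an IIS 7.5 FTP W3C log (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2024-01-01 12:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2024-01-01 12:00:01 10.0.0.7 - 10.0.0.5 21 ControlChannelOpened - - 0 0 1 -
2024-01-01 12:00:01 10.0.0.7 - 10.0.0.5 21 USER anonymous 331 0 0 1 -
2024-01-01 12:00:02 10.0.0.7 anonymous 10.0.0.5 21 PASS *** 230 0 0 1 /
2024-01-01 12:00:05 10.0.0.7 anonymous 10.0.0.5 21 RETR welcome.png 226 0 0 1 /welcome.png
2024-01-01 12:00:09 10.0.0.7 anonymous 10.0.0.5 21 STOR cmd.aspx 226 0 0 1 /cmd.aspx
2024-01-01 12:00:12 10.0.0.7 anonymous 10.0.0.5 21 STOR notes.txt 226 0 0 1 /notes.txt
2024-01-01 12:01:30 10.0.0.9 deploy 10.0.0.5 21 STOR default.aspx 226 0 0 2 /default.aspx
2024-01-01 12:02:00 10.0.0.7 anonymous 10.0.0.5 21 STOR big.asp 426 0 0 1 /big.asp
"""


def parse_w3c(lines):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # header may repeat when IIS rotates the log
            continue
        if line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue                    # malformed or truncated line: skip it
        yield dict(zip(fields, values))


def find_anonymous_script_uploads(lines):
    """Return completed uploads of script files made by unauthenticated sessions."""
    hits = []
    for rec in parse_w3c(lines):
        if rec.get("cs-method", "").upper() not in WRITE_COMMANDS:
            continue
        if rec.get("cs-username", "-").lower() not in ANONYMOUS_USERS:
            continue
        if rec.get("sc-status", "") != TRANSFER_COMPLETE:
            continue                    # rejected or aborted transfer: nothing landed
        # x-fullpath is the server-side path; fall back to the URI stem if absent.
        path = rec.get("x-fullpath") or rec.get("cs-uri-stem", "")
        if posixpath.splitext(path)[1].lower() in SCRIPT_EXTENSIONS:
            hits.append({
                "when": f"{rec.get('date', '?')} {rec.get('time', '?')}",
                "client": rec.get("c-ip", "?"),
                "command": rec["cs-method"],
                "path": path,
            })
    return hits


if __name__ == "__main__":
    for hit in find_anonymous_script_uploads(SAMPLE_LOG.splitlines()):
        print(f"{hit['when']} {hit['client']} {hit['command']} {hit['path']}")
```

In the sample only the anonymous STOR of cmd.aspx is reported: the text file is harmless, the authenticated deploy upload is expected, and the aborted transfer (426) never produced a file. The more durable fix is to deny write permission to the anonymous account, or to point the FTP site at a directory outside the web root.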
Then I prepare the nishang reverse PowerShell script, which can be found at this link, adding the following line to the bottom of the script with our IP and port.
Then I start a Python HTTP server hosting our PowerShell script. From the webshell, we download and execute the script.

[Screenshot: command injection on the webshell form]

[Screenshot: response on our host]
It works! We get a reverse shell!
We can get the user flag. Let’s go to the privesc!
privesc
I first get the output of systeminfo and pass it to the Windows-Exploit-Suggester tool.
It gives me 3 potential vulnerabilities. I found a GitHub repository that lists multiple Windows exploits, and I try the third one listed by our tool (MS10-059).
The MS10-059 vulnerability allows an attacker to run code with elevated privileges. It exploits incorrect access control lists (ACLs) on the registry keys for the Tracing Feature for Services.
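What Windows-Exploit-Suggester does at scale is compare the hotfixes listed in systeminfo against the updates that close each bulletin. The following Python is an added example, not the author's tooling and not Windows-Exploit-Suggester itself; it parses a systeminfo dump into its top-level fields and installed KB ids, then reports which bulletins in a small mapping have no matching update. The systeminfo text, hostname and KB111111/KB222222 are constructed; the one mapping entry, MS10-059 to KB982799, is the update id from Microsoft's bulletin for MS10-059.

```python
"""Check a systeminfo dump for the update that closes a given security bulletin."""
import re

# Bulletin -> KB article of its fix. MS10-059 is the bulletin used in the writeup;
# KB982799 is its update id per Microsoft's bulletin. Extend with your own entries.
BULLETIN_FIXES = {
    "MS10-059": "KB982799",
}

# Constructed systeminfo output (not from the target; hostname and KBs are made up).
SAMPLE_SYSTEMINFO = """\
Host Name:                 EXAMPLE-HOST
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
System Type:               X86-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB111111
                           [02]: KB222222
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
"""

HOTFIX_ENTRY = re.compile(r"\s*\[\d+\]:\s*(KB\d+)", re.IGNORECASE)


def parse_systeminfo(text):
    """Return (fields, hotfixes): top-level 'Key: value' pairs and installed KB ids."""
    fields, hotfixes = {}, set()
    in_hotfix_block = False
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            # Indented continuation line, e.g. '[01]: KB982799' under Hotfix(s).
            if in_hotfix_block:
                m = HOTFIX_ENTRY.match(line)
                if m:
                    hotfixes.add(m.group(1).upper())
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        fields[key] = value
        # 'Hotfix(s): N/A' yields no continuation lines, so hotfixes stays empty.
        in_hotfix_block = key.lower().startswith("hotfix")
    return fields, hotfixes


def missing_fixes(text, bulletin_fixes=BULLETIN_FIXES):
    """Return the bulletins whose fix KB is absent from the systeminfo hotfix list."""
    _, hotfixes = parse_systeminfo(text)
    return sorted(b for b, kb in bulletin_fixes.items() if kb.upper() not in hotfixes)


if __name__ == "__main__":
    fields, hotfixes = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(fields.get("OS Name"), fields.get("OS Version"))
    print("installed:", sorted(hotfixes))
    print("missing:", missing_fixes(SAMPLE_SYSTEMINFO))
```

The parser keys on the "Hotfix(s)" label and the indented "[nn]:" entries, so it ignores the similarly formatted entries under "Network Card(s)". Note that systeminfo labels are localized on non-English Windows, so the label match would need adjusting there.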
I transfer the program to the machine over an SMB share, then execute it.

[Screenshot: commands executed on the target]
We get another reverse shell! This time with SYSTEM privileges!

[Screenshot: reverse shell gained on the host]
Tags
Easy, External, Network, IIS, ASP, Penetration Tester Level 2, Remote Code Execution, Unrestricted File Upload