Devel HTB

Allen
Jan 19, 2021
nmap scan

We see that ports 80 and 21 are open. Let's begin by going to the website at 10.10.10.5.

It seems to be a default page with no more info to go off of, so we will use DirBuster to enumerate hidden directories.
Use extensions that match the web server that is running, e.g. if it were Apache you would use php.
We found some hits, but this also seems to be a dead end.
So if we go back to the scan, we see that anonymous login is allowed and the FTP port is open.
We logged in with the username anonymous and any password. FTP is usually used for transferring files, so we can upload or download files. The goal would be to put malware onto the server and then execute it. Let's attempt to prove this concept.
We will prove this concept by putting a picture of a dog on the FTP server.
Once we saved the image, log back into the FTP server and upload the file with the "put" command.
This is the proof of concept: we can confirm that we are able to upload files to the server and execute them by browsing to the uploaded file on the web server. Now let's configure some code that will give us a shell instead of this corrupted image.
Google "msfvenom cheat sheet" and copy the ASPX payload, because IIS is compatible with it.
Now that we generated the shellcode into a shell.asp file, we have to create a listener in Metasploit, so that when we execute the file in the browser we get a shell. We also have to upload this file to the FTP server.
Go to the payload at 10.10.10.5/exx.aspx while the Meterpreter listener is running.
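From the defender's side, the misconfiguration this box turns on is anonymous FTP writes landing in the IIS web root, and it leaves a clear trace in the FTP server's own log. The script below is added here and is not part of the original walkthrough: it parses IIS FTP W3C log lines (a constructed sample; the field layout is assumed, and the client IP and session ids are placeholders) and flags completed uploads of server-executable files, rating anonymous ones critical.

```python
"""Flag FTP uploads of IIS-executable files (anonymous ones are the Devel case)."""
import os
from typing import Dict, List

# Constructed sample in the IIS 7.5 FTP W3C layout (field list is assumed);
# the client IP and session ids are placeholders, not from the original post.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2021-01-19 12:00:01 10.10.14.2 - 10.10.10.5 21 USER anonymous 331 0 0 1a2b -
2021-01-19 12:00:01 10.10.14.2 anonymous 10.10.10.5 21 PASS *** 230 0 0 1a2b -
2021-01-19 12:00:10 10.10.14.2 anonymous 10.10.10.5 21 STOR dog.jpg 226 0 0 1a2b /dog.jpg
2021-01-19 12:00:30 10.10.14.2 anonymous 10.10.10.5 21 STOR exx.aspx 226 0 0 1a2b /exx.aspx
2021-01-19 12:01:00 10.10.14.7 deploy 10.10.10.5 21 STOR index.aspx 226 0 0 9c8d /index.aspx
"""

# Extensions IIS hands to a script engine: writing one into the web root
# turns "file upload" into code execution, which is what the walkthrough shows.
WEB_EXEC_EXTS = {".asp", ".aspx", ".asa", ".ashx", ".asmx", ".config"}


def parse_ftp_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C lines into dicts keyed by the names in the #Fields header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header defines the column order
        elif line.startswith("#") or not line.strip():
            continue                           # other directives / blank lines
        else:
            values = line.split()
            if fields and len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def find_risky_uploads(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return completed STOR events for web-executable files, tagged by severity."""
    findings = []
    for r in rows:
        # 2xx = transfer completed; a rejected STOR never reached the disk
        if r["cs-method"] != "STOR" or not r["sc-status"].startswith("2"):
            continue
        if os.path.splitext(r["cs-uri-stem"])[1].lower() not in WEB_EXEC_EXTS:
            continue
        anon = r["cs-username"].lower() == "anonymous"
        findings.append({"severity": "critical" if anon else "review",
                         "user": r["cs-username"], "ip": r["c-ip"],
                         "path": r["x-fullpath"]})
    return findings
```

Running `find_risky_uploads(parse_ftp_log(SAMPLE_LOG))` returns the anonymous exx.aspx write as critical and the authenticated index.aspx write as a lower-priority review item, so the dog.jpg proof-of-concept upload is not noise.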
Admin access is denied, so we have to do privilege escalation.
This module will find exploits for us to use once we set the session.
A list of exploits we can run for privilege escalation.
Attempted one, but the exploit didn't work.

So naturally you would go through every payload choice until you have an exploit that works. windows/local/ms10_015_kitrap0d worked.

We were able to obtain root.
The root and user flags can now be obtained.

In this box we learned about finding hidden directories, proving the concept with the FTP file upload, configuring malicious code to execute on the server, and privilege escalation.


Allen

eJPT | Sec+ | Cyber Security Enthusiast. I plan on obtaining the ecpptv2 and OSCP in 2021. Just documenting my experience of becoming a pentester along the way.