Hack your way in, the way you want. Easy machine. Exploit covered is exploit/windows/local/ms10_015_kitrap0d.

Nmap scan for ports services and OS

We can see here we have port 21 with anonymous login allowed and a Microsoft IIS 7.5 web server at port 80

FTP Enumeration

So we observe here

— We have one Html file uploaded.

— a png file

— aspnet_client directory : containing nothing gradually

PORT 80 Enumeration

Port 80 shows us a welcome page with IIS7 logo and have nothing juicy in source code of page

  1. Enumerating IIS 7.5 exploits

We see a remote DoS which we won’t do. On looking at multiple vulnerabilities text file. Microsoft IIS 7.5 has Client Authentication Bypass and .NET source code disclosure vulnerabilities

Getting back to FTP where we have found iisstart.htm, let us open this on browser and capture on burp

Send this to repeater to analyze the request. We see if we change request method from GET to PUT it says it requires length. Also we observe that whatever file is in FTP is getting opened in browser. Time to exploit…

EXPLOITATION

You can do the same using msfconsole

  1. Let’s try to put a malicious ASP file on machine
First create a file using msfvenom
Now let’s put this on server using FTP

On opening this on browser I found cannot be displayed. So I realized we added wrong format. We added asp instead of aspx

Difference in ASP and ASPX

  • ASP runs on IIS while ASPX runs on .NET framework.
  • ASP.NET offers the ability to build pages
  • ASP.NET — — — ability to develop applications using an event-driven GUI model,
  • ASP — — — — ability for conventional Web-scripting environments.
Now we will make our new payload using aspx format
Putting it back to FTP so that it can run on browser

And run netcat listener on our machine at port 4444 , along with requesting page 10.10.10.4/offs3cg33k.aspx on browser

So you see we get a reverse connection from server. You can do the same using msfconsole

use exploit/multi/handler

Enumerating all folders , I could not get any interesting file. It ‘s time for priv escalation.

  1. Checking for privileges we have
We have SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege

We can try to exploit them in many ways. Here is what methodology I followed.

  1. Using meterpreter Incognito
Background the process and use incognito

Now since we are already IIS APPPOOL\web. Let’s impersonate NT AUTHORITY\IUSR

Enumerating privileges

We belong to NT AUTHORITY/SERVICE and have SeImpersonatePrivilege , same as earlier. Nothing new. So this method was of no use to us.

Method 2: Easiest of all go for exploit suggester and use the exploit

Using exploit/windows/local/bypassuac_eventvwr
Exploit did not work. So we will go down the list and use next one.
exploit/windows/local/ms10_015_kitrap0d
Getting root flag
getting user flag

Way 3: JUICY POTATO

Here we will try JuicyPotato to get to NT AUTHORITY/SYSTEM

First lets enumerate our system info

So finding the CLSID from http://ohpe.it/juicy-potato/CLSID/Windows_7_Enterprise/

{03ca98d6-ff5d-49b8-abc6–03dd84127020}

Now we will transfer JuicyPotato.exe (x86 versions) to our machine and run it; Refer : https://github.com/ivanitlearning/Juicy-Potato-x86

For this we need to compile it on Visual Studio. Just open .sln file and Terminal — -> Run build task. And it will create JuicyPotato.exe

I renamed it to JP.exe and transferred using FTP.

And copy C:\inetpub\wwwroot\JP.exe C:\Windows\Temp

Open listener on 1234 on different shell, to see process spawn.

This gives you a shell and you see you are NT AUTHORITY/SYSTEM. ROOTED!!!

Solution

Refer : https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-015

1. Click **Start**, click **Run**, type **gpedit.msc** in the **Open** box, and then click **OK**. This opens the Group Policy console. 2. Expand the **Administrative Templates** folder, and then click **Windows Components**. 3. Click the **Application Compatibility** folder. 4. In the details pane, double click the **Prevent access to 16-bit applications** policy setting. By default, this is set to **Not Configured**. 5. Change the policy setting to **Enabled**, and then click **OK**. **Impact of workaround.** Users will not be able to run 16-bit applications.

OSCP | CEH | Cyber Security Enthusiast.