HTB Devel Windows
Published on 13 Mar 2019
  
  Easy Windows box: good enumeration is enough for root.
  
  Recon
Nmap scan
Nmap scan report for 10.10.10.5
Host is up (0.047s latency).
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Nikto scan
Port 80 reveals the IIS version in use (Microsoft-IIS/7.5).
Exploitation
Since we have anonymous access to the FTP server and are allowed to upload files, we can simply drop an .ASPX backdoor and netcat, then call back for a reverse shell.
locate nc.exe ::: dir c:\ /s *nc.exe*
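From the defender's side, the chain above (anonymous FTP upload of a server-side script into the IIS web root, followed by an HTTP request that runs it) leaves a clear trace in the IIS FTP and web logs. The following is an added example, not part of the original writeup; the W3C log lines are constructed samples with a reduced field set, and the field names are read from the #Fields header rather than assumed.

```python
"""Correlate completed FTP uploads of script-type files with later HTTP requests
for the same path, using IIS W3C extended log lines (constructed samples)."""
from datetime import datetime

SCRIPT_EXTS = (".aspx", ".asp", ".ashx", ".asmx", ".config")

FTP_LOG = """#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status
2019-03-13 10:01:02 10.10.14.2 anonymous 10.10.10.5 21 PASS - 230
2019-03-13 10:01:05 10.10.14.2 anonymous 10.10.10.5 21 STOR /shell.aspx 226
2019-03-13 10:01:09 10.10.14.2 anonymous 10.10.10.5 21 STOR /notes.txt 226
2019-03-13 10:02:00 10.10.14.3 alice 10.10.10.5 21 STOR /report.aspx 226
"""

HTTP_LOG = """#Fields: date time s-ip cs-method cs-uri-stem c-ip sc-status
2019-03-13 10:01:30 10.10.10.5 GET /shell.aspx 10.10.14.2 200
2019-03-13 10:01:31 10.10.10.5 GET /iisstart.htm 10.10.14.9 200
2019-03-13 10:00:10 10.10.10.5 GET /report.aspx 10.10.14.3 200
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def stamp(rec):
    return datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")

def suspicious_uploads(ftp_text):
    """Completed STOR (226) of a file with a server-side script extension."""
    hits = []
    for r in parse_w3c(ftp_text):
        if (r["cs-method"] == "STOR" and r["sc-status"] == "226"
                and r["cs-uri-stem"].lower().endswith(SCRIPT_EXTS)):
            hits.append((stamp(r), r["cs-uri-stem"], r["cs-username"], r["c-ip"]))
    return hits

def correlate(ftp_text, http_text):
    """Pair each flagged upload with any HTTP request for that path made afterwards."""
    alerts = []
    requests = list(parse_w3c(http_text))
    for when, path, user, ip in suspicious_uploads(ftp_text):
        later = [q for q in requests if q["cs-uri-stem"] == path and stamp(q) >= when]
        alerts.append({"path": path, "ftp_user": user, "uploader": ip,
                       "executed": bool(later), "anonymous": user == "anonymous"})
    return alerts
```

An upload flagged both anonymous and executed is the exact pattern this box exposes; the fix is to deny anonymous write on the FTP site or keep the FTP root out of the web root.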
Privilege Escalation
systeminfo reveals the OS version and the potential privilege-escalation vector:
- OS Name: Microsoft Windows 7 Enterprise
- OS Version: 6.1.7600 N/A Build 7600
- Exploit Title: Windows x86 (all versions) AFD privilege escalation (MS11-046)
- CVE:2011-1249
- https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS11-046
FLAGS
USER
"9ecdd6a3aedf24b41562fea70f4cb3e8"
ROOT
"e621a0b5041708797c4fc4728bc72b4b"
 Welcome to my blog where I write about Threat Hunting, Pentesting and Cybersecurity in general.